diff --git a/config.c b/config.c
index e0c11916..f756f8e6 100644
--- a/config.c
+++ b/config.c
@@ -2917,7 +2917,8 @@ void setup_config_box(struct controlbox *b, bool midsession,
                          FILTER_KEY_FILES, false, "Select private key file",
                          HELPCTX(ssh_auth_privkey),
                          conf_filesel_handler, I(CONF_keyfile));
-            ctrl_filesel(s, "Certificate to use with the private key:", 'e',
+            ctrl_filesel(s, "Certificate to use with the private key "
+                         "(optional):", 'e',
                          NULL, false, "Select certificate file",
                          HELPCTX(ssh_auth_cert),
                          conf_filesel_handler, I(CONF_detached_cert));
diff --git a/doc/config.but b/doc/config.but
index 1990a92a..8b3191fa 100644
--- a/doc/config.but
+++ b/doc/config.but
@@ -3033,6 +3033,9 @@ PuTTY can't fall back to using this file itself.
 
 \S{config-ssh-cert} \q{\ii{Certificate} to use with the private key}
 
+(This is optional. If you don't know you need it, you can leave this
+blank.)
+
 In some environments, user authentication keys can be signed in turn
 by a \q{certifying authority} (\q{CA} for short), and user accounts on
 an SSH server can be configured to automatically trust any key that's