You are both kinda right.
Certification, by definition, is just something which produces a certificate, which is just an arbitrary document which someone decided to call a certificate. I can start selling certificates that your product uses GOTO statement in a socially responsible way.
Declaration of conformity is the only legal requirement, and it is not a certificate. This does not mean there are no such thing as certificates on RED compliance.
The only legal requirements are (1) actual conformity to standards, (2) declaration of conformity document saying this. You don't have to outsource any of it, you can do it all in-house, but there are many finely grained service levels how much and what exactly you would outsource, some may be called "certificates", some not. Generally, the more you pay, the less you have to do yourself. I'm not afraid of doing things, but I have found it is quite difficult to know what to do. And finally, of course, you can always try to push your luck and just do "something". You can, for example, pay for the measurements ("pre-compliance") alone and just look at the plots and get a confident feeling that your product likely causes no problems and thus no one will ask for your compliance documentation. If you want to build the proper documentation to support your declaration of conformity, then these fuller reports, or "certificates", simply save your time.