...
The first step is to go through the list of all descriptors, and fill out this table for all the descriptors.
set up required: Is this descriptor required in your installation? Most descriptors are required. However, a few are only required if you use the feature they support. See use-case
placeholder: Will you use a placeholder? If a descriptor is required but you don’t need its use case, use a placeholder with some dummy certificate. See use-case
HSM: Where will you store the keys/certificates? Most keys/certificates can be stored in an HSM. An HSM is much more secure than a file. See storage
Key type / size: RSA or ECC? What keysize? See key requirements
Key usage: in most cases this is not required but recommended. See certificate requirements
Validity: See certificate requirements
Trusted by: who needs to trust the certificate. You may need to install the certificate or the issuer’s certificate to a machine. See general requirements and certificate requirements
Issuer: Who will issue this certificate? This will depend on who needs to trust it. You can use more than one CA. Choices are:
any CA, e.g. your own SmartID Certificate Manager or a public CA
a trusted S/MIME CA. This is needed in case you want IDM to sign emails, otherwise clients may fail to validate the emails
for placeholders or certificates that don’t require trust you can create your own keypairs and certificates with any suitable tool you like. See certificate requirements
...