...
For all the required descriptors, generate keypairs and Certification Signing Requests (CSRs) and request the certificates or create your own. If you want to store the keys in a Hardware Security Module (HSM), which is highly recommended, use it for generating keypairs. Note that getting certificates from a CA may take some time - there might be , e.g. due to manual verification steps involved. Thus it is recommended to plan accordingly, so you have enough time to acquire all necessary keys and certificates before beginning the bootstrapping procedure.
...