The distributor needs to have their own KDM distribution system (it could be their own DCP-o-matic installation/KDM creator, or any other suitable software). This system must be able to export a certificate (.pem file) which they will have to send to you. You need to import this .pem file into your DCP-o-matic installation. From then on, you are able to create (D)KDMs for THEIR system. These DKDMs then allow them to create further KDMs towards cinema screens.
Once you start creating encrypted DCPs, you have to keep a special discipline maintaining your own certs and keys. They are part of the DCP-o-matic prefs. DCP-o-matic will give you some hints when enabling encryption.
I suggest always starting with the latest stable release (2.14.x currently). The first time you create an encrypted DCP, first go to 'Preferences' -> 'Keys' -> 'Advanced' -> 'Remake certificates and key' to recreate all keys and certs once. This is to make sure you have a clean start. Make sure your computer is at least set to the current date.
Then, restart DCP-o-matic and immediately back up your certs and keys, individually from within DCP-o-matic (name them in a useful way), and additionally, create a full backup of your prefs folder (this is the easiest way to back up your certs). E.g., you can right-click on your DCP-o-matic prefs/settings folder and choose 'Send to compressed (ZIP) folder' (WIN) or 'Archive' (Mac), or whatever Linux offers you. Then store this ZIP away in a safe place (better, multiple). This will allow you to recreate your config easily in the future (e.g. after a fresh DCP-o-matic installation, disc crash, etc.).
I usually rename this backup ZIP by adding the DCP-o-matic version number to it, so I may end up with a couple of backups over time (e.g. dcpomatic_2_14_26.zip). This could come in handy if prefs don't survive an update, or you need to supply a specific prefs file to a specific installation. I am just overcautious here, but it costs you nothing.
Also, for every feature you create encrypted, you should always and immediately create a DKDM for your own installation (under 'Jobs' -> 'Make DKDM for DCP-o-matic...'). That will allow you to create new (D)KDMs even if your DCP project files are lost/deleted. These DKDMs are stored within those mentioned prefs that you will hopefully back up regularly.
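
A sketch of the versioned prefs backup described above, as an added example that is not part of the original post and not DCP-o-matic's own code: it zips a prefs folder to `dcpomatic_<version>.zip`, refuses to overwrite an earlier backup, keeps the archive owner-only because it contains private keys, and reads the archive back to verify it. The function name, paths and sample files are assumptions; point `prefs_dir` at your actual prefs folder.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path


def backup_prefs(prefs_dir, dest_dir, version):
    """Zip prefs_dir to dest_dir/dcpomatic_<version>.zip, verify it, return its path."""
    prefs_dir, dest_dir = Path(prefs_dir), Path(dest_dir)
    files = sorted(p for p in prefs_dir.rglob("*") if p.is_file())
    if not files:
        raise ValueError(f"no files found under {prefs_dir}")
    target = dest_dir / ("dcpomatic_" + version.replace(".", "_") + ".zip")
    # O_EXCL: never overwrite an earlier backup. 0o600: the archive holds
    # private keys, so keep it owner-only (effective on POSIX systems).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(target, flags, 0o600)
    expected = {}
    with os.fdopen(fd, "wb") as raw, zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files:
            data = p.read_bytes()
            arcname = p.relative_to(prefs_dir).as_posix()
            expected[arcname] = hashlib.sha256(data).hexdigest()
            zf.writestr(arcname, data)
    # Read the archive back: CRC check, then compare each member's hash
    # with the hash of the file that was read from the prefs folder.
    with zipfile.ZipFile(target) as zf:
        if zf.testzip() is not None:
            raise OSError("archive has a corrupt member")
        actual = {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}
    if actual != expected:
        raise OSError("archive does not match the prefs folder")
    return target


if __name__ == "__main__":
    # Constructed stand-in for a prefs folder; file names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        prefs = Path(tmp, "prefs")
        (prefs / "keys").mkdir(parents=True)
        (prefs / "config.xml").write_text("<Config/>")
        (prefs / "keys" / "leaf.pem").write_text("constructed placeholder")
        print("verified backup:", backup_prefs(prefs, tmp, "2.14.26"))
```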