At the top of the Advanced dialogue for signing DCPs and KDMs is the chain of certificates that will be used to sign DCPs and KDMs. DCP-o-matic creates a random chain when you first run it and if you are happy to use this chain you can ignore the preferences. Otherwise, you can add or remove certificates from the chain using the Add... and Remove buttons.
If you want DCP-o-matic to re-create the certificate chain (using new, random certificates) click Re-make certificates... and specify your organisation and common names in the dialogue box that opens.
Underneath the certificate chain is the private key that corresponds to the leaf certificate in the chain. You can specify your own private key by clicking Load.... You must do this if you change the leaf certificate, so that the leaf private key corresponds to the public key held in the leaf certificate.
At the top of the Advanced dialogue for decrypting DCPs is the chain and key which is used by DCP-o-matic when you import an encrypted DCP as a piece of content. The leaf certificate of this chain contains the public key that should be used when targeting a KDM at DCP-o-matic.
If you want to import an encrypted DCP you will need to give the decryption certificate to the distributor of the DCP so that they can generate a DKDM for you. You can save this certificate to disk by clicking Export DCP decryption certificate.... As with the signing chain, DCP-o-matic will create a certificate chain and private key for you. You can also choose to load your own certificates and key or re-make the chain and key with new, random values.
Clicking Export DCP decryption chain... will export the whole certificate chain, rather than just the leaf certificate.