At the top of the Advanced dialogue for signing DCPs and KDMs is the chain of certificates that will be used to sign DCPs and KDMs. DCP-o-matic creates a random chain when you first run it and if you are happy to use this chain you can ignore the preferences. Otherwise, you can add or remove certificates from the chain using the Add... and Remove buttons.
If you want DCP-o-matic to re-create the certificate chain (using new, random certificates) click Re-make certificates and key... and specify your organisation and common names in the dialogue box that opens.
Underneath the certificate chain is the private key that corresponds to the leaf certificate in the chain. You can specify your own private key by clicking Import.... You must do this if you change the leaf certificate, so that the leaf private key corresponds to the public key held in the leaf certificate.
At the top of the Advanced dialogue for decrypting DCPs is the chain and key which is used by DCP-o-matic when you import an encrypted DCP as a piece of content. The leaf certificate of this chain contains the public key that should be used when targeting a KDM at DCP-o-matic.
Clicking Export chain... will export the whole certificate chain.