Signing policy

Institutions connected to WAYF must each deliver an X.509 certificate to WAYF, for signature checking. The certificate may be self-signed, and thus does not need to have been issued by a CA. The key must be at least 2048 bits long. Other properties of the certificate are of no significance to WAYF; it may, e.g., be expired. Take care not to expose the private key to WAYF or other unauthorised parties.

Service providers are not required to deliver a signing certificate for their services; a service is not required to sign the SAML requests it sends to WAYF. Request signing is entirely optional for services. A signing certificate could be relevant if the service is to be published in inter-federation.

Technical instruction

The certificate must be pasted into the certData field in WAYF's metadata self-service tool, JANUS. The certificate must be PEM encoded; but those lines with the many hyphens (i.e., the first line and the last one) must be omitted – only the lines in between (i.e., the actual base64 encoded sequence) should be pasted into the field.
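The following script is an added example, not code from WAYF or JANUS. It prepares a PEM certificate for the certData field exactly as described above (strips the BEGIN/END lines, keeps only the base64 lines in between) and checks the 2048-bit minimum by reading the modulus length out of the certificate's DER structure. It assumes an RSA key (a non-RSA key is reported as unsupported), and `make_fake_cert` is a constructed, invalid certificate skeleton used only so the example runs offline without a real certificate.

```python
"""Prepare a PEM certificate for WAYF's certData field and check the key length.
Added example (not WAYF/JANUS code); assumes an RSA key."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_certdata(pem: str) -> str:
    """Return only the base64 lines between the armor lines (what goes into certData).
    Raises ValueError if the input is not a PEM certificate block."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM CERTIFICATE block")
    compact = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        raise ValueError("body is not base64")
    der = base64.b64decode(compact, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (no certificate)")
    return "\n".join(lines[1:-1])


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes):
    """All (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out


def rsa_key_bits(der: bytes):
    """Bit length of the RSA modulus in a DER certificate, or None if the key is not RSA."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate
    if tbs[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        tbs = tbs[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    spki = _children(tbs[5][1])
    if len(spki) != 2 or spki[1][0] != 0x03:
        return None
    bits = spki[1][1]                                   # BIT STRING: unused-bits byte, then key
    if bits[0] != 0 or bits[1] != 0x30:
        return None                                     # e.g. an EC point, not RSAPublicKey
    modulus_tag, modulus = _children(_children(bits[1:])[0][1])[0]
    return int.from_bytes(modulus, "big").bit_length() if modulus_tag == 0x02 else None


def certdata_key_bits(pem: str):
    """Key length of the certificate, going through the certData form."""
    return rsa_key_bits(base64.b64decode(pem_to_certdata(pem).replace("\n", "")))


def key_length_ok(pem: str, minimum: int = 2048) -> bool:
    bits = certdata_key_bits(pem)
    return bits is not None and bits >= minimum


def _enc(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (used only to build the constructed test certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_fake_cert(modulus_bits: int) -> str:
    """CONSTRUCTED sample: the ASN.1 skeleton of an X.509 certificate with an RSA key
    of the given size. Not a valid certificate; it only exercises the code above."""
    modulus = (1 << (modulus_bits - 1)) | 1                  # top bit set: exact length
    mod = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    if mod[0] & 0x80:
        mod = b"\x00" + mod                                  # keep INTEGER positive
    rsa_key = _enc(0x30, _enc(0x02, mod) + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, b"") + _enc(0x03, b"\x00" + rsa_key))
    empty = _enc(0x30, b"")                                  # placeholder names/alg/validity
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + empty + empty + empty + empty + spki)
    cert = _enc(0x30, tbs + empty + _enc(0x03, b"\x00"))     # no real signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


if __name__ == "__main__":
    sample = make_fake_cert(2048)
    print("key bits:", certdata_key_bits(sample), "ok:", key_length_ok(sample))
    print(pem_to_certdata(sample))
```

With a real certificate, `pem_to_certdata(open("cert.pem").read())` yields the text to paste into JANUS, and `key_length_ok` flags a key below the 2048-bit requirement before the metadata is submitted.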