Getting a certificate for setting up the SharePoint 2013 add-in environment

To set up the SharePoint 2013 add-in environment, follow the guide Configuring User Impersonation in Microsoft SharePoint 2013 and 2016. For the production environment, you need a domain-issued or commercial certificate. This guide will help you obtain such a certificate and install it on all your WPS servers.

Each keypair (certificate) that you want to use for signing SharePoint access tokens needs to be registered on SharePoint. The easiest way is to generate one keypair, register it, and distribute it to all WPS servers.

  1. Obtain a key/certificate in an appropriate format: Personal Information Exchange (.pfx file) containing the private key and the whole certificate chain.

    If your key/certificate is in a format other than Personal Information Exchange, you can convert it by following the guide in Conversions between different keystores and certificate types.

    If you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter in System communication hardening.

  2. Copy your key/certificate in the Personal Information Exchange format to the server where the Workflow Processing System is installed.

  3. Import the key with the corresponding signed certificate into the Windows certificate store of all your WPS servers.

  4. In Windows Server 2012, use the following command:

    certutil.exe -importpfx "My" "safeqcertificate.pfx"

    In Windows Server 2008, use the following command:

    certutil.exe -importpfx "safeqcertificate.pfx"
  5. Once you have this domain-issued or commercial certificate, you may configure SharePoint 2013 as described in Complete debugging with a domain issued or commercial certificate.
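
The following PowerShell script is an added example, not part of the original guide or the vendor's tooling. It checks that the .pfx file carries the certificate chain and that the import on a WPS server placed the certificate, with its private key, in the machine's "My" store. It assumes Windows Server 2012 or later (the PKI module's Get-PfxData cmdlet), an elevated session, and the file name used in the certutil command above.

```powershell
# Added example (not vendor code). Assumes Windows Server 2012 or later (PKI module)
# and an elevated session; the file name is the one used in the certutil command.
param([string]$PfxPath = '.\safeqcertificate.pfx')

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Inspect the PFX without importing it: one end-entity certificate plus its chain.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
"Leaf : $($leaf.Subject)  thumbprint $($leaf.Thumbprint)"
$pfx.OtherCertificates | ForEach-Object { "Chain: $($_.Subject)" }
if ($leaf.Subject -ne $leaf.Issuer -and -not $pfx.OtherCertificates) {
    Write-Warning 'PFX carries no issuer certificates; the chain is incomplete.'
}

# 2. After the certutil import, confirm the same certificate is in LocalMachine\My.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
if (-not $installed) { throw 'Certificate not found in LocalMachine\My; import it first.' }
if (-not $installed.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
if ($installed.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($installed.NotAfter)." }

# 3. Build the chain from the local stores. Revocation is skipped so the check
#    also works on servers without access to CRL/OCSP endpoints.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($installed)
$chain.ChainElements | ForEach-Object { "Trusted path: $($_.Certificate.Subject)" }
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}

# 4. Emit one summary object per server. The thumbprint must be identical on every
#    WPS server, since one registered keypair is distributed to all of them.
[pscustomobject]@{
    Server        = $env:COMPUTERNAME
    Thumbprint    = $installed.Thumbprint
    HasPrivateKey = $installed.HasPrivateKey
    NotAfter      = $installed.NotAfter
    ChainValid    = $chainOk
}
```

Run it on each WPS server after the import and compare the Thumbprint values. Delete the copied .pfx file from the server once the check passes, since it contains the private key.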