...
Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. See Certificates and Keys.
By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you want to use the default certificate, proceed to step 2.
To create a new self-signed certificate, follow the instructions in Generate a Self-Signed Certificate, then proceed to step 2. These instructions use a self-signed certificate.
To create a CA-signed certificate, follow the instructions in Generate a Certificate Signed by a Certificate Authority, then proceed to step 2.
From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.
Click Enable Identity Provider.
Select a certificate from the dropdown menu.
Save your changes.
Click Download Certificate. This is typically a .crt file. FlexDeploy will use the certificate to connect to Salesforce.
Copy or make a note of the Salesforce Identity value; this is the Metadata URL. FlexDeploy will use the Metadata URL to connect to Salesforce.
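A check worth running once both values are in hand, as an added example that is not part of the original instructions or of Salesforce or FlexDeploy code: confirm that the downloaded .crt is the same certificate the Metadata URL publishes for signing. It assumes standard SAML 2.0 metadata; the function names are hypothetical, and the sample certificate bytes and entity ID are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes from a .crt file that is either PEM or raw DER."""
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of every signing certificate in the metadata."""
    # Metadata from your own org; use a hardened parser for untrusted XML.
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor with no "use" attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(hashlib.sha256(der).hexdigest())
    return found

def cert_matches_metadata(crt_bytes: bytes, metadata_xml: str) -> bool:
    """True if the downloaded certificate is one the IdP metadata publishes."""
    fingerprint = hashlib.sha256(cert_to_der(crt_bytes)).hexdigest()
    return fingerprint in metadata_signing_fingerprints(metadata_xml)

# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = PEM_BEGIN + b"\n" + base64.encodebytes(SAMPLE_DER) + PEM_END + b"\n"
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="https://example.invalid"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    "<ds:X509Certificate>" + base64.b64encode(SAMPLE_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    "</md:IDPSSODescriptor></md:EntityDescriptor>"
)
```

In practice, read the downloaded file in binary mode and pass it together with the XML retrieved from the Metadata URL to `cert_matches_metadata`; a mismatch means the file and the metadata describe different certificates.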
...