It just needs to be a valid X.509 certificate. Web Preferences needs the SAML messages to be signed with SHA256, so the requirement is that it’s a valid self-signed or CA-signed certificate capable of being used to generate a SHA256 signature.

We recommend using a 2048-bit SSL certificate; these can be purchased from any certification authority.
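
One way to produce a self-signed certificate and confirm it meets the requirements above, using the OpenSSL command line (an added example, not the vendor's own tooling). The function names, subject name and 365-day lifetime are assumptions, and the check treats the recommended 2048 bits as a minimum.

```shell
#!/bin/sh
# Added example. Function names, subject and lifetime are assumptions.

# Create a self-signed certificate with a 2048-bit RSA key, signed with SHA-256.
make_saml_cert() {  # usage: make_saml_cert KEY_OUT CERT_OUT
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=saml-signing.example.test" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# Print the public key size, in bits, of a PEM certificate.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 only if the certificate parses and is unexpired, its key is at
# least 2048 bits, and KEY produces a SHA-256 signature that verifies
# against the public key inside the certificate.
check_saml_cert() {  # usage: check_saml_cert KEY CERT
  sc_tmp=$(mktemp -d) || return 1
  sc_rc=0
  sc_bits=$(cert_key_bits "$2")
  if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: not a valid, unexpired X.509 certificate"; sc_rc=1
  elif [ "${sc_bits:-0}" -lt 2048 ]; then
    echo "FAIL: key is ${sc_bits:-unknown} bits, want 2048 or more"; sc_rc=1
  else
    printf 'constructed test message' > "$sc_tmp/msg"
    openssl x509 -in "$2" -noout -pubkey > "$sc_tmp/pub.pem"
    if openssl dgst -sha256 -sign "$1" -out "$sc_tmp/sig" "$sc_tmp/msg" 2>/dev/null &&
       openssl dgst -sha256 -verify "$sc_tmp/pub.pem" -signature "$sc_tmp/sig" \
         "$sc_tmp/msg" >/dev/null 2>&1; then
      echo "OK: ${sc_bits}-bit key, SHA-256 signature verifies"
    else
      echo "FAIL: key cannot sign with SHA-256 or does not match certificate"; sc_rc=1
    fi
  fi
  rm -rf "$sc_tmp"
  return $sc_rc
}

# When run as a script with two arguments, check that key/certificate pair.
if [ "$#" -eq 2 ]; then check_saml_cert "$1" "$2"; fi
```

The private key file is written unencrypted, so restrict its permissions and upload only the certificate.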