Usually, on the cinema server manufacturers' FTP servers you can find both the public server certificates and the signature chain that were used to sign the certificates.

If you decide to trust the certificate by examining the signature chain, you only need the server certificate to create a KDM. The server certificate usually has either a *.pem or a *.crt suffix.

easyDCP KDM Generator will accept either, but do not use both.

Furthermore, there may be pairs of certificate and chain that state "mpeg", "sha1" and "sha256".
Like with DCPs, there are SMPTE ("sha256") and Interop ("sha1" / "mpeg") KDMs.

Almost all modern cinema servers prefer SMPTE KDMs - even for Interop DCPs. So mostly the "sha256" version is used.

Only if you surely know your recipient only accepts Interop KDMs, use the "sha1" certificate and remember to check the "Enable Interop mode" option in the easyDCP KDM Generator's options tab.

Please see also: Where can I get the server certificates needed to create the KDMs?