The Listener certificates are to be purchased from a third party certificate authority. The certificate’s Common or Alternate name values should match the Hostnames whenever they will be accessed.
Keep in mind that while requesting certificates, you may need separate certificates for backup/failover nodes, or you can be able to request a cert with the common name as the primary host, and the backup/failover nodes in the certificates with alternative name values.
In order to use all of Cert Managers functionality, Cert Manager will need to be deployed on all machines which host WebLogic or Tomcat and the Token Proxy Service. It is not designed to deploy certificates on remote machines. Cert Manager Tool needs to be run as an administrator.
In some environments Database, Tomcat or WebLogic and the Token Proxy may reside on the same host, however if your environment has the Database, Tomcat or WebLogic and the Token Proxy on different machines, the Cert Manager will need to be deployed on each host separately.
Cert Manager will check the presence of WebLogic and the Token Proxy on the host, and will restrict certain functionality if it does not find WebLogic or the Token Proxy Service installations.
Cert Manager requires Java to be installed, but since both WebLogic and the Token Proxy Service also requires Java, there should be no additional Java prerequisite to run Cert Manager.