(no title)

It should be a PGP or SSH key, absolutely not an X509 certificate (unless you allow self signed).

Personal identity keys should be fully autonomous and not contingent on the formal recognition of any external authority.