Step 2 - Plan and acquire your certificates

Initial MS documentation on this topic can be found here

Self-Signed Certificates

For self-signed certificates, you will need to set the ProtectTo values in your ConfigTemplate.xml file. The OnPremLocalAgent certificate is shared across environments: its thumbprint is stored per tenant in Azure, so every environment in the tenant must use the same certificate. Generate it with your first instance and reuse it on later instances. On each later instance, manually stage the existing .pfx file alongside the other certificates and update ConfigTemplate.xml with its thumbprint.

AD CS

Based on the planned DNS zones from step 1, generate the certificates so that their subject names cover the hostnames clients will actually resolve, stage the .pfx files in the InfrastructureScripts folder, and update ConfigTemplate.xml with the thumbprint values.

Third Party Provisioned

Similar to AD CS, but have the certificates issued by an external certificate authority. Note that publicly trusted CAs only issue certificates for publicly resolvable DNS names, which is one reason the Suggestions below keep AD CS for internal traffic.
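Whichever of the three options above you choose, the work ends the same way: a set of .pfx files staged next to the scripts and the matching thumbprints written into ConfigTemplate.xml. The PowerShell below is an added example and is not code from the original page or from Microsoft's InfrastructureScripts. It assumes a simplified stand-in ConfigTemplate.xml (a Certificates/Certificate/Name/Thumbprint layout and illustrative certificate names); check the element names, and the ProtectTo entries the example does not touch, against the template shipped with your scripts before pointing it at the real file. The DNS names and password are placeholders.

```powershell
#Requires -Version 5.1
# Added example (not from the original page or from Microsoft's InfrastructureScripts).
# Assumption: the stand-in ConfigTemplate.xml below uses <Certificates>/<Certificate>/<Name>/<Thumbprint>;
# verify these element names (and the ProtectTo entries, not handled here) against your real template.
$ErrorActionPreference = 'Stop'

$work = Join-Path $env:TEMP 'lbd-cert-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed stand-in template; certificate names are illustrative, thumbprints start empty.
$templatePath = Join-Path $work 'ConfigTemplate.xml'
@'
<Config>
  <Certificates>
    <Certificate>
      <Name>OnPremLocalAgent</Name>
      <Thumbprint></Thumbprint>
    </Certificate>
    <Certificate>
      <Name>ServiceFabricClient</Name>
      <Thumbprint></Thumbprint>
    </Certificate>
  </Certificates>
</Config>
'@ | Set-Content -Path $templatePath -Encoding UTF8

$pfxPassword = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force   # demo value only

function New-StagedSelfSignedPfx {
    # Generate a self-signed certificate for $DnsName, export it as <Name>.pfx into $OutDir
    # and return its thumbprint. The subject/SAN must match the hostname clients will resolve.
    param([string]$Name, [string]$DnsName, [string]$OutDir, [securestring]$Password)
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)
    $pfxPath = Join-Path $OutDir "$Name.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password | Out-Null
    # Only the staged .pfx is needed from here on; drop the copy from the user store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    return $cert.Thumbprint
}

function Get-PfxThumbprint {
    # Read the SHA-1 thumbprint straight from a staged .pfx. This is how a reused
    # OnPremLocalAgent.pfx, or a file issued by AD CS or a third-party CA, gets its value.
    param([string]$PfxPath, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $plain)
    return $cert.Thumbprint
}

function Set-TemplateThumbprints {
    # For each <Certificate>, find <Name>.pfx in $PfxDir and write its thumbprint into <Thumbprint>.
    param([string]$TemplatePath, [string]$PfxDir, [securestring]$Password)
    [xml]$xml = Get-Content -Path $TemplatePath
    foreach ($node in $xml.SelectNodes('//Certificates/Certificate')) {
        $name = $node.SelectSingleNode('Name').InnerText
        $pfxPath = Join-Path $PfxDir "$name.pfx"
        if (-not (Test-Path $pfxPath)) { throw "No staged .pfx found for certificate '$name' at $pfxPath" }
        $node.SelectSingleNode('Thumbprint').InnerText = Get-PfxThumbprint -PfxPath $pfxPath -Password $Password
    }
    $xml.Save($TemplatePath)
}

function Test-TemplateThumbprints {
    # Pre-deployment check: every <Thumbprint> is 40 uppercase hex characters (no spaces or
    # stray Unicode from copy/paste) and matches the staged .pfx of the same name.
    param([string]$TemplatePath, [string]$PfxDir, [securestring]$Password)
    [xml]$xml = Get-Content -Path $TemplatePath
    foreach ($node in $xml.SelectNodes('//Certificates/Certificate')) {
        $name  = $node.SelectSingleNode('Name').InnerText
        $value = $node.SelectSingleNode('Thumbprint').InnerText
        if ($value -notmatch '^[0-9A-F]{40}$') { Write-Warning "${name}: thumbprint '$value' is not a clean SHA-1 hex string"; return $false }
        $actual = Get-PfxThumbprint -PfxPath (Join-Path $PfxDir "$name.pfx") -Password $Password
        if ($value -ne $actual) { Write-Warning "${name}: template has $value but $name.pfx has $actual"; return $false }
    }
    return $true
}

# First instance: generate both certificates. On a later instance you would instead copy the
# OnPremLocalAgent.pfx produced by the first instance into $work and only generate the rest.
New-StagedSelfSignedPfx -Name 'OnPremLocalAgent'    -DnsName 'localagent.contoso.local' -OutDir $work -Password $pfxPassword | Out-Null
New-StagedSelfSignedPfx -Name 'ServiceFabricClient' -DnsName 'sf.contoso.local'         -OutDir $work -Password $pfxPassword | Out-Null

Set-TemplateThumbprints  -TemplatePath $templatePath -PfxDir $work -Password $pfxPassword
Test-TemplateThumbprints -TemplatePath $templatePath -PfxDir $work -Password $pfxPassword   # $true when consistent
Get-Content -Path $templatePath
```

Reading the thumbprint out of the staged .pfx rather than copying it from a certificate dialog is deliberate: the dialog text frequently carries spaces or an invisible leading character that the scripts then fail to match, and reading the file also proves the .pfx opens with the password you will hand to the deployment. Run Test-TemplateThumbprints again after any manual edit of the template.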

Suggestions

AD CS is preferred for internal traffic, with a third-party provisioned certificate for the shared OnPremLocalAgent certificate. The OnPremLocalAgent certificate is used to encrypt communication between LCS and your instance. Self-signed certificates are fine for educational environments but should not be used in production unless there is no internet connectivity outside the orchestrators. Orchestrator machines communicate with LCS and perform the deployment of D365 F&O from LCS onto your local hardware. Refer to this reference for additional information on certificates.