Once you have finished the process, you will see the new certificate:

Open the certificate store by searching for Manage computer certificates or running mmc and adding the Certificates snap-in for the Computer.

Right click on the private certificate and choose to export the public certificate in Cryptographic Message Syntax Standard PKCS#7 format and choose to include all certificates in the certificate path. A *.p7b file will be created containing the public certificate and all certificates in the certificate chain:

When adding the Recovery certificate to an Endpoint Encryption policy, it is the *.p7b file that is required:

The private certificate can either be installed on Endpoint Encryption Management Server or on a separate Windows machine. It is required in case an end user forgets the password that they used to encrypt files on removable media. 

If an end user needs files to be decrypted they do not have to supply the administrator with the removable media. Instead they can right click on the encrypted file and under the Symantec Encryption context menu there are options to attach the file to an email message or copy the encrypted files: 

If the user chooses to copy the encrypted file they can, for example, navigate to a shared network folder and paste it there for the administrator to decrypt:

Endpoint Encryption can use almost any certificate as the recovery certificate. A certificate issued by the organization's internal Certificate Authority would be a good choice; However, a certificate issued by a public Certificate Authority can also be used.

Symantec Enterprise Division does not recommend using Self-Signed Certificates as these certificates are not considered valid certs by nature and make it difficult to manage. Self-Signed certs can never be renewed, and have other limitations, so using an Internal Certificate Authority is recommended or using a cert from a Trusted Certificate Authority.

The best way to create these certs is to create an initial root cert, install it in a local cert store and then export it twice so you have a client cert type PKCS #7 and then a server side cert type PKCS #12. The server side cert can be installed on any desired machine to perform the recovery feature and the client side will be need to be embedded during the RME MSI creation process.
 
To create the root cert using Microsoft's Certificate Services you can pick one of the default templates such as User, Basic EFS or Administrator which are all valid for a Recovery certificate. The Basic EFS template is recommended. It contains the following Key Usage attributes:
 
Basic EFS Template Attributes
Key Usage: Key Encipherment
Enhanced Key Usage: Encrypting File System
 
For key size, please use 2048 as a minimum.
 
When decrypting a file using the Recovery certificate, Endpoint Encryption will not prompt for any information providing it can locate the private recovery certificate in the local certificate store. Note that the Removable Media Access Utility can be used to decrypt files using the recovery certificate.

To use the Recovery Certificate to decrypt files.

All you need is to have the Recovery Certificate (i.e. the one with the private key) in the currently logged on user's personal certificate store.  In this case, it should be your admin user.  The SEE-RME Client automatically looks for certs when opening encrypted files, and should just find it.  This is just like how the Removable Access Utility behaves, and also how the SEE-RME client behaves when user certs are available.

In summary, the Admin would:

1. Receive encrypted file, and put it onto a USB stick via a machine that does not have SEE-RME
2. Install the Recovery cert to machine with SEE-RME installed (i.e. Recovery Machine)
3. Plug USB into machine with SEE-RME installed
4. Open/Recover file, and save decrypted copy
5. Remove Recovery Cert from Recovery Machine

Remember, it is best practice to securely store, and audit access to, the Recovery Certificate.