.kep files contain the passphrase generated during the private key encryption process. The .kef file is related to the FIPS standard and may not be present.
You can generate the .kep file: put the unencrypted .key and .crt files in the \master\bin\auth directory, then start the BCM service. A new \master\bin\auth\<checksum> directory is created and contains the encrypted .key, .crt and .kep files.
A wildcard certificate can be used on all BCM agents. The other possibility is to have a dedicated certificate on each computer, but this is much more complicated to implement.
One thing about the BCM certificate: each BCM Master creates its own unique BCM certificate, so communication with a BCM agent issued from another BCM Master is not possible because the certificates are different. I just mention this because sometimes customers want to change certificates in order to be sure to use a unique certificate: this is already a unique certificate.