The Credential object holds the login information for SQL Server to use when communicating with the KMS. "Identity" is the user name on the KMS, and "SECRET" is the password. I'll provide a little detail, then answer your questions.
CREATE CREDENTIAL MyCredentialName
    WITH IDENTITY = 'User name on KMS device',
    /* omit the SECRET parameter if KMS authentication is with certificate files */
    SECRET = 'Password for that user'
    FOR CRYPTOGRAPHIC PROVIDER MyProviderName;
Once you have created the Credential, you will associate it with your SQL Server Login so you may create a reference in SQL Server that points to a key in the KMS. The Credential info will be used to log in to KMS when you make the call. After you have created the Asymmetric Key, you will switch the Credential from your Login to one created from the Asymmetric Key.
/* 1. If you are using an AD login, that login must be explicitly created on the instance.
If you gain access via AD Group membership, then first create your personal login
and add it to the sysadmin role. */
CREATE LOGIN [MyDomain\MyUsername] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [MyDomain\MyUsername];
/* 2. Create the Credential with the KMS user/password */
CREATE CREDENTIAL [new_cred_name] WITH IDENTITY = 'KMS_Login_name',
SECRET = 'KMS password' FOR CRYPTOGRAPHIC PROVIDER [crypto_provider_name];
/* 3. Assign the Credential to your Login */
ALTER LOGIN [your_login_name] ADD CREDENTIAL [new_cred_name];
/* 4. Create the Asymmetric Key */
CREATE ASYMMETRIC KEY [...]
/* 5. So SQL Server may communicate with KMS, create a SQL Server Login
from the Asymmetric Key, and switch the Credential from your Login
to the Login created from the key */
/* 5a: Create a Login from the Key */
CREATE LOGIN [new_key_login_name] FROM ASYMMETRIC KEY [key_name_from_step_#4];
/* 5b: remove the Credential from your login and add it to the Key's Login */
ALTER LOGIN [your_login_name] DROP CREDENTIAL [new_cred_name];
/* 5c: assign the Credential to the Login created from the Key */
ALTER LOGIN [new_key_login_name] ADD CREDENTIAL [new_cred_name];
/* Key is now ready to use for TDE. */
Note that the Login created from the Key in Step #4 is not an AD user, nor is it a traditional SQL Server Login; it has no password and cannot be used to log in to the instance. It exists to hold the Credential necessary to communicate with KMS.
And for the second question:
Second question, we have two standalone servers that I'm encrypting, one of which gets backups restored from the other. I know I need to install the credentials from server A to server B, but I read somewhere that a user can't have multiple credentials assigned to it. Am I going to need multiple AD accounts on server B to manage this or can I have server B's credentials and server A's assigned to the same user on server B?
You will need one Credential for each Asymmetric Key on each instance.
You will create one SQL Server Login from each Asymmetric Key and assign a Credential to it. No AD accounts are used. The only things that need to match between the two servers in order for Server B to read and decrypt backups from Server A are the Asymmetric Keys from KMS. The Credential and Login names on Server B do not have to match Server A, just the Asymmetric Keys. As long as Server B can access the same keys, everything just works.
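As an added example (not part of the original post or any vendor documentation), this T-SQL script shows the Server B side of the second question: it opens the key that Server A already created in the KMS instead of creating a new one, wires a Credential and key Login exactly as in steps 2 through 5 above, and ends with catalog checks that confirm the key and Credential mapping before a restore. All bracketed names, the KMS key name and the backup path are placeholders.

```sql
/* Added example: Server B opening the KMS key that Server A created,
   so Server B can restore Server A's TDE-encrypted backups.
   Every bracketed name, KMS name and path below is a placeholder. */
USE master;
GO

/* B1. Credential with Server B's own KMS user/password (names need not match Server A) */
CREATE CREDENTIAL [KMS_Cred_B]
    WITH IDENTITY = 'KMS_user_for_serverB',
         SECRET   = 'KMS_password_for_serverB'
    FOR CRYPTOGRAPHIC PROVIDER [MyProviderName];

/* B2. Attach the Credential to your own login so the next statement can reach the KMS */
ALTER LOGIN [MyDomain\MyUsername] ADD CREDENTIAL [KMS_Cred_B];

/* B3. Open the EXISTING key from the KMS. PROVIDER_KEY_NAME is the name Server A
       used when it created the key; OPEN_EXISTING is what makes this the same key
       material rather than a new key with a similar name. */
CREATE ASYMMETRIC KEY [TDE_Key_From_ServerA]
    FROM PROVIDER [MyProviderName]
    WITH PROVIDER_KEY_NAME = 'key_name_in_kms',
         CREATION_DISPOSITION = OPEN_EXISTING;

/* B4. Login from the key, then move the Credential from your login onto it */
CREATE LOGIN [TDE_Key_Login] FROM ASYMMETRIC KEY [TDE_Key_From_ServerA];
ALTER LOGIN [MyDomain\MyUsername] DROP CREDENTIAL [KMS_Cred_B];
ALTER LOGIN [TDE_Key_Login]       ADD CREDENTIAL [KMS_Cred_B];

/* B5. Check 1: the thumbprint here must equal encryptor_thumbprint reported by
       sys.dm_database_encryption_keys on Server A for the database being restored.
       If it differs, B3 opened a different key and the restore will fail. */
SELECT name, thumbprint, algorithm_desc, provider_type
FROM sys.asymmetric_keys
WHERE name = N'TDE_Key_From_ServerA';

/* B6. Check 2: the Credential must now hang off the key Login, not your AD login */
SELECT p.name AS login_name, p.type_desc, c.name AS credential_name, c.credential_identity
FROM sys.server_principal_credentials AS spc
JOIN sys.server_principals AS p ON p.principal_id = spc.principal_id
JOIN sys.credentials       AS c ON c.credential_id = spc.credential_id
WHERE c.name = N'KMS_Cred_B';

/* B7. With the matching key present in master, the restore needs nothing extra */
RESTORE DATABASE [DbFromServerA]
    FROM DISK = N'\\backupshare\placeholder\DbFromServerA.bak'
    WITH RECOVERY;
```

Run the thumbprint comparison (B5) before attempting the restore; a mismatched thumbprint is the usual cause of a "cannot find server certificate/asymmetric key" restore failure after a key was created with CREATE_NEW on the second instance by mistake.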