Currently, large companies implement the standard security controls for the SYSVIEW REST API using the keystore as per the configuration instructions in TechDocs. However, this causes the problem documented below when rolling out across a large number of LPARs:
Every single certificate has to be updated in our system to be able to connect to the APIs on every LPAR.
15 LPARs means 15 certificates to add to the servers doing the calls.
When a certificate gets updated by Mainframe, the server needs to be updated too. If that is not done, it is not possible to connect to the API.
The appropriate way is to request certificates from the certification center by creating a key on the server, generating a certificate request from that key, and sending this certificate request to the certification center.
The certification center returns the certificate in PEM format, signed by the root.
For every added LPAR or renewal of the certificate, the Mainframe team requests the certificate from the certification center, and it is trusted by the server using the certificate chain already installed.
How to address this?
Release : 16.0
Component : SYSVIEW
Check this page in the manual, step 7:
Configure and Deploy the SYSVIEW Application Server
It says: Generate KeyStores. Use the following steps to generate KeyStores with self-signed certificates.
If your organization has its own process for generating KeyStore Certificates, it's recommended to refer to your internal procedures to create the KeyStore Certificates.
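The difference between the two approaches, as an added example that is not taken from the SYSVIEW documentation: a throwaway openssl root stands in for the certification center, and the calling server trusts only that root. All names (demo-root-ca, lpar0N.example.test, file names) are constructed, and importing the signed certificate into the SYSVIEW KeyStore is not shown.

```shell
#!/bin/sh
# Added example; every name (demo-root-ca, lpar0N.example.test, files) is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# One-time: root CA standing in for the certification center. root.pem is the
# only certificate the calling server installs in its trust store.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -extensions v3_ca -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}
# Per LPAR, and again at each renewal: new key, CSR, certificate signed by the root.
issue_lpar_cert() {  # $1 = LPAR host name
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}
# The setup the page describes as the problem: one self-signed certificate per LPAR.
issue_self_signed() {  # $1 = LPAR host name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Succeeds only if the certificate chains to the single installed root.
trusted_by_root() {  # $1 = certificate file
  openssl verify -CAfile "$WORK/root.pem" "$1" 2>/dev/null | grep -q ': OK$'
}

make_root
issue_lpar_cert lpar01.example.test
issue_lpar_cert lpar02.example.test
issue_lpar_cert lpar01.example.test    # renewal: new key and certificate, same root
issue_self_signed lpar03.example.test
for f in lpar01 lpar02 lpar03; do
  if trusted_by_root "$WORK/$f.example.test.pem"; then echo "$f: trusted"
  else echo "$f: NOT trusted, needs its own trust-store entry"; fi
done
```

The renewed lpar01 certificate and the newly added lpar02 certificate both verify without any change on the calling side, while the self-signed lpar03 certificate does not.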
Additional comment :