How to setup certificate for zowe API per zowe documentation:
* Ensure that you have an external Certificate Authority and signed client certificates, or generate these certificates in SAF. The client certificate has to have correct Extended Key Usage metadata to allow being used for TLS client authentication. (OID: 220.127.116.11.18.104.22.168.2)
Answer: Top Secret cannot generate a certificate with Extended Key Usage metadata. Use an external certificate utility that can generate a certificate with one then import the certificate into Top Secret.
* Import the client certificates to SAF, or add them to a user profile. (Examples: RACDCERT ADD or RACDCERT GENCERT). For more information, see your security system documentation.
To add the client certificate generated externally from a 3rd party certificate utility: