IBM Apar OA45324 states the following:
With the installation of this PTF, System SSL will no longer
allow Version 1, Version 2 or Version 3 Intermediate Certificate
Authority certificates created without the basic constraints
extension to be validated as untrusted certificates. Untrusted
certificates are certificates that are provided outside of the
supported certificate stores that flow during the establishment
of SSL/TLS secure connections and passed directly by
applications that perform certificate validation. These
certificates will continued to be allowed when stored in a
trusted certificate store (ie. key database file, SAF key ring
and z/OS PKCS #11 Tokens).
Are there any fixes that need to be applied or any changes that need to be made in Top Secret for SSL certificates with this apar applied?
All Top Secret certificates are fine. They are created with 'Basic Constraints' extension.
Top Secret certificates are 'X509v3 Basic Constraints' extension which the apar OA45324 states are fine. Applying IBM apar OA45324 will have no effect on your certificates created in Top Secret.
You can run the SAF certificate utility SAFCRRPT with 'RECORDID(-) DETAIL EXT' and look for 'X509v3 Basic Constraints'.
Link to the CA Top Secret Report and Tracking Guide and the Certificate Utility SAFCRRPT: