The SSL certificate should be stored in /etc/cockpit/ws-certs.d with a .cert extension. The file should contain the certificate and its private key.
To check which certificate cockpit-ws will use:
$ remotectl certificate
See Cockpit Certificates.
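A preflight check for the combined file described above, as an added example that is not part of the original page or of Cockpit itself: it verifies the .cert extension and that a certificate and a private key are both present as complete PEM blocks. The function name `check_cockpit_cert`, the permission rule (no access for "other" users) and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for a combined Cockpit certificate file.
# Returns 0 if the file passes every check, 1 otherwise (problems on stderr).
check_cockpit_cert() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    # The file is expected to carry the .cert extension.
    case "$f" in
        *.cert) ;;
        *) echo "$f: name does not end in .cert" >&2; rc=1 ;;
    esac
    # Certificate and private key must both be present, as PEM blocks.
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no PEM certificate block" >&2; rc=1; }
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no PEM private key block" >&2; rc=1; }
    # A truncated paste leaves a BEGIN line without its END line.
    begins=$(grep -c -e '^-----BEGIN ' "$f" || true)
    ends=$(grep -c -e '^-----END ' "$f" || true)
    [ "$begins" -eq "$ends" ] ||
        { echo "$f: $begins BEGIN lines but $ends END lines" >&2; rc=1; }
    # Assumption of this example: a file holding a private key must not be
    # readable or writable by "other" users.
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 \))" ]; then
        echo "$f: readable or writable by other users" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample (placeholder bodies, not real key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' '-----BEGIN PRIVATE KEY-----' 'BBBB' \
        '-----END PRIVATE KEY-----' > "$d/0-sample.cert"
    chmod 640 "$d/0-sample.cert"
    check_cockpit_cert "$d/0-sample.cert" && echo "sample passes"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then check_cockpit_cert "$1"; else demo; fi
```

Run it with the path of a candidate file before copying the file into /etc/cockpit/ws-certs.d, then confirm the selection with `remotectl certificate`.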
SSL ciphers are defined in /etc/systemd/system/cockpit.service.d/ssl.conf, for example:
When running as a container, Cockpit establishes an SSH connection to the underlying host.
Cockpit has an API available for writing packages. There is no API available for external callers to invoke via HTTP, REST or otherwise.
See Cockpit Kubernetes.