diff --git a/bin/commands/certificate/keyring-jcl/connect/.parameters b/bin/commands/certificate/keyring-jcl/connect/.parameters
index 8ae86cb266..1160a03958 100644
--- a/bin/commands/certificate/keyring-jcl/connect/.parameters
+++ b/bin/commands/certificate/keyring-jcl/connect/.parameters
@@ -8,6 +8,6 @@ trust-cas||string|||||Labels of extra certificate authorities should be trusted,
 connect-user||string|required||||Certificate owner. Can be `SITE` or a user ID.
 connect-label||string|required||||Certificate label to connect.
 trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
-zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
+zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
 zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
 ignore-security-failures||boolean|||||Whether to ignore security setup job failures.
diff --git a/bin/commands/certificate/keyring-jcl/generate/.parameters b/bin/commands/certificate/keyring-jcl/generate/.parameters
index 6017cd675d..5a16628783 100644
--- a/bin/commands/certificate/keyring-jcl/generate/.parameters
+++ b/bin/commands/certificate/keyring-jcl/generate/.parameters
@@ -16,6 +16,6 @@ country||string|||||Country of certificate and certificate authority.
 validity||string|||||Validity days of certificate.
 trust-cas||string|||||Labels of extra certificate authorities should be trusted, separated by comma (Maximum 2).
 trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
-zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
+zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
 zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
 ignore-security-failures||boolean|||||Whether to ignore security setup job failures.
diff --git a/bin/commands/certificate/keyring-jcl/import-ds/.parameters b/bin/commands/certificate/keyring-jcl/import-ds/.parameters
index f0cb41275a..801991dcce 100644
--- a/bin/commands/certificate/keyring-jcl/import-ds/.parameters
+++ b/bin/commands/certificate/keyring-jcl/import-ds/.parameters
@@ -7,7 +7,7 @@ keyring-name||string|required||||Name of the keyring.
 alias|a|string|required|localhost|||Certificate alias name.
 trust-cas||string|||||Labels of extra certificate authorities should be trusted, separated by comma (Maximum 2).
 trust-zosmf||boolean|||||Whether to trust z/OSMF CA.
-zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify "_auto_" to let Zowe to detect automatically. This only works for RACF.
+zosmf-ca||string||_auto_|||Labels of z/OSMF root certificate authorities. Specify `_auto_` to let Zowe to detect automatically. This works for RACF and TSS.
 zosmf-user||string||IZUSVR|||z/OSMF user name. This is used to automatically detect z/OSMF root certificate authorities.
 import-ds-name||string|required||||Name of the data set holds certificate to import into keyring.
 import-ds-password||string|required||||Password of the data set holds certificate to import.
diff --git a/bin/libs/certificate.sh b/bin/libs/certificate.sh
index 49fcc232ef..13dec5e1d4 100644
--- a/bin/libs/certificate.sh
+++ b/bin/libs/certificate.sh
@@ -876,7 +876,15 @@ EOF
 if [ "${trust_zosmf}" = "1" ]; then
 if [ "${zosmf_root_ca}" = "_auto_" ]; then
- zosmf_root_ca=$(detect_zosmf_root_ca "${ZWE_PRIVATE_ZOSMF_USER}")
+ if [ "${security_product}" = "RACF" ]; then
+ zosmf_root_ca=$(detect_zosmf_root_ca_racf "${ZWE_PRIVATE_ZOSMF_USER}")
+ fi
+ if [ "${security_product}" = "TSS" ]; then
+ zosmf_root_ca=$(detect_zosmf_root_ca_tss "${ZWE_PRIVATE_ZOSMF_USER}")
+ fi
+ if [ "${security_product}" = "ACF2" ]; then
+ zosmf_root_ca=$(detect_zosmf_root_ca_acf2 "${ZWE_PRIVATE_ZOSMF_USER}")
+ fi
 fi
 if [ -z "${zosmf_root_ca}" ]; then
 print_error_and_exit "Error ZWEL0137E: z/OSMF root certificate authority is not provided (or cannot be detected) with trusting z/OSMF option enabled." "" 137
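Review bot: When `security_product` matches none of the three added branches (or is unset), `zosmf_root_ca` keeps the literal `_auto_`, so the `-z` check right below never fires and the string `_auto_` travels on as the CA label; the removed unconditional call always overwrote the value, so this is a new gap. Clearing the variable first, `zosmf_root_ca=` before `if [ "${security_product}" = "RACF" ]; then`, sends every unhandled product to the existing ZWEL0137E error, which is the failure an operator can act on; a `case "${security_product}" in` dispatch would also make the three mutually exclusive tests read as one decision. The ACF2 helper added later in this file echoes an empty string, so that product already lands on ZWEL0137E. Where `security_product` is assigned is not visible here, and the enclosing function starts and ends outside the hunk.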
@@ -1397,12 +1405,76 @@ EOF
 "${labels_with_private_key}"
 }
-# this only works for RACF
-detect_zosmf_root_ca() {
+# FIXME
+# - Support for multiple? | long | special characters entries
+detect_zosmf_root_ca_tss() {
+ zosmf_user=${1:-IZUSVR}
+ zosmf_root_ca=
+
+ print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [TSS]"
+ zosmf_certs=$(tsocmd "TSS LIST(${zosmf_user}) KEYRING(ALL)" 2>&1)
+ code=$?
+ if [ ${code} -ne 0 ]; then
+ print_trace " * Exit code: ${code}"
+ print_trace " * Output:"
+ if [ -n "${zosmf_certs}" ]; then
+ print_trace "$(padding_left "${zosmf_certs}" " ")"
+ fi
+ return 1
+ fi
+
+ # Output example:
+ # KEYRING LABEL = KEYRING.IZUDFLT
+ zosmf_keyring_name=$(echo "${zosmf_certs}" | grep "KEYRING LABEL = " | awk -F= '{ print $2 }' | head -n 1)
+ if [ -n "${zosmf_keyring_name}" ]; then
+ print_trace " * z/OSMF keyring name is ${zosmf_keyring_name}"
+ # Output example:
+ # ACID(CERTAUTH) DIGICERT(ABCDEFGH) DEFAULT(NO ) USAGE(CERTAUTH)
+ # LABLCERT(ZOSMF_ROOT_CA )
+ zosmf_root_ca=$(echo "${zosmf_certs}" | grep -A 1 "ACID(CERTAUTH)" | grep "LABLCERT(" | head -n 1)
+ zosmf_root_ca=$(echo "${zosmf_root_ca}" | awk '{ print substr( $0, 12, length($0)-13) }')
+ zosmf_root_ca=$(echo "${zosmf_root_ca}" | sed -e 's/^[[:space:]]*//;s/[[:space:]]*$//')
+ if [ -n "${zosmf_root_ca}" ]; then
+ print_trace " * z/OSMF root certificate authority found: ${zosmf_root_ca}"
+ echo "${zosmf_root_ca}"
+ return 0
+ else
+ print_trace " * Error: cannot detect z/OSMF root certificate authority"
+ return 2
+ fi
+ else
+ print_trace " * Error: failed to detect z/OSMF keyring name"
+ return 3
+ fi
+}
+
+# FIXME
+# - add similar code using ACFUNIX instead of tsocmd
+# - or use JCLs to be sure it will always works
+detect_zosmf_root_ca_acf2() {
+ zosmf_user=${1:-IZUSVR}
+ zosmf_root_ca=
+
+ print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [ACF2]"
+ echo "${zosmf_root_ca}"
+ return 1
+}
+
+# FIXME
+# - Support for multiple?
| long | special characters entries
+# - RACDCERT LISTRING will be confused if label contains 'CERTAUTH' word:
+#
+# Certificate Label Name Cert Owner USAGE DEFAULT
+# -------------------------------- ------------ -------- -------
+# CERTAUTH_FOR_T800 ID(SKYNET) DEADLY YES
+# JOHN_CONNOR CERTAUTH CERTAUTH NO
+#
+# Will return CERTAUTH_FOR_T800 instead of JOHN_CONNOR
+detect_zosmf_root_ca_racf() {
 zosmf_user=${1:-IZUSVR}
 zosmf_root_ca=
- print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user})"
+ print_trace "- Detect z/OSMF keyring by listing ID(${zosmf_user}) [RACF]"
 zosmf_certs=$(tsocmd "RACDCERT LIST ID(${zosmf_user})" 2>&1)
 code=$?
 if [ ${code} -ne 0 ]; then
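Review bot: In detect_zosmf_root_ca_tss the label is cut out of the LABLCERT line by fixed column offsets, `substr( $0, 12, length($0)-13)`, which only yields the label when the line's leading indentation and the closing `)` sit at exactly those positions; any other layout of the `TSS LIST` output produces a shifted or truncated label, and because the result is non-empty it is accepted and echoed as the CA label. Anchoring on the text instead, `zosmf_root_ca=$(echo "${zosmf_root_ca}" | sed -e 's/^.*LABLCERT(//' -e 's/).*$//')`, keeps the whitespace trim on the next line and drops the column dependency. The detect_zosmf_root_ca_acf2 stub returns 1 with empty output but traces nothing about why, so the caller only reports the generic ZWEL0137E; a line such as `print_trace "  * Error: automatic detection of z/OSMF root CA is not implemented for ACF2"` before its `return 1` would make that diagnosable. The body of detect_zosmf_root_ca_racf continues past the end of the hunk.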