@stecino. You have to add DN of admin certificate to the admin_dn.
https://opensearch.org/docs/latest/security/configuration/tls/#configuring-node-certificates
Then you can use admin cert and key with every API call using curl or other client. Please keep in mind that the admin cert is very powerful and should be used only for security settings management.
If your admin cert was signed by a different RootCA than the nodes then you must add that RootCA to the file defined in the plugins.security.ssl.transport.pemtrustedcas_filepath and plugins.security.ssl.http.pemtrustedcas_filepath.