If you read the first page of the PI Web API Configuration chapter from the PI Web API 2016 User Guide, you would find under the Configuration with PI Web API Utility the following description:
"Enables an SSL certificate to be selected or changed to encrypt traffic between the server and clients on the selected listen port. If no SSL certificate is selected or set on the port, PI Web API creates and uses a self-signed certificate.
API Service Specifies the account under which the API Windows service will run."
The comment above refers to the Certificate component of the PI Web API Admin Utility.
Please let me know if you still have any questions,