If your server certificate is signed by an intermediate CA rather than by a root CA, you must add the intermediate certificate to the keystore before you add the server certificate.

Request and obtain an intermediate certificate from the intermediate CA.

1

Save the intermediate certificate as intermediateCA.p7 in the directory that contains the keystore file.

2

Import the intermediate certificate into the keystore file.

For example: keytool -importcert -keystore keys.jks -storepass secret -trustcacerts -alias intermediateCA -file intermediateCA.p7

If you downloaded a server certificate, import it into your keystore file. See Import a Signed Server Certificate into a Keystore File.