If your server certificate is signed by an intermediate CA rather than by a root CA, you must add the intermediate certificate to the keystore before you add the server certificate.

1. Request and obtain an intermediate certificate from the intermediate CA.

2. Save the intermediate certificate as intermediateCA.p7 in the directory that contains the keystore file.

3. Import the intermediate certificate into the keystore file.

   For example:

   keytool -importcert -keystore keys.jks -storepass secret -trustcacerts -alias intermediateCA -file intermediateCA.p7

If you downloaded a server certificate, import it into your keystore file. See Import a Signed Server Certificate into a Keystore File.
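The intermediate-certificate import described above can be wrapped with pre-checks and a verification step. The script below is an added example, not part of the original documentation; the function name import_intermediate and the environment variable KEYSTORE_PASS are assumptions, while the file and alias names follow the page's example.

```shell
#!/bin/sh
# Added example (not from the original page). import_intermediate and
# KEYSTORE_PASS are assumed names; file and alias names follow the page.
#
# import_intermediate KEYSTORE CERT_FILE ALIAS
# Returns: 0 imported and verified, 2 file missing, 3 password not set,
#          4 keytool not on PATH, 5 alias already present, 6 keytool failed.
import_intermediate() {
    ks=$1; cert=$2; name=$3

    # Both files must exist before keytool is invoked.
    if [ ! -f "$ks" ] || [ ! -f "$cert" ]; then
        echo "missing keystore or certificate file" >&2
        return 2
    fi

    # Take the password from the environment so it does not show up in the
    # process list, as a literal -storepass value would.
    if [ -z "${KEYSTORE_PASS:-}" ]; then
        echo "KEYSTORE_PASS is not set" >&2
        return 3
    fi

    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 4; }

    # keytool -list -alias exits 0 only when the alias is already present.
    if keytool -list -keystore "$ks" -storepass:env KEYSTORE_PASS \
            -alias "$name" >/dev/null 2>&1; then
        echo "alias $name already exists in $ks" >&2
        return 5
    fi

    # -noprompt is deliberately omitted: if keytool cannot chain the
    # certificate to an already trusted CA, it prints the certificate and
    # asks for confirmation, which is the moment to compare the fingerprint
    # with the value published by the CA.
    keytool -importcert -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -trustcacerts -alias "$name" -file "$cert" || return 6

    # Confirm the entry is in the keystore before the server certificate
    # is imported on top of it.
    keytool -list -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -alias "$name" || return 6
}
```

With KEYSTORE_PASS exported, call it as: import_intermediate keys.jks intermediateCA.p7 intermediateCA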