To use an existing key pair, use the manage-certificates tool that is located in the server's bin or bat directory, depending on your operating system.
keystore, instead of replacing the
self-signed certificate associated with the original server-generated private
key.manage-certificates
import-certificate.
Order the certificates that use the --certificate-file option so that each subsequent certificate functions as the issuer for the previous one.
List the server certificate first, then any intermediate certificates, and then list the root certificate authority (CA) certificate. Because some deployments do not feature an intermediate issuer, you might need to import only the server certificate and a single issuer.
keystore.new.manage-certificates import-certificate \
--keystore keystore.new \
--keystore-type JKS \
--keystore-password-file keystore.pin \
--alias server-cert \
--private-key-file existing.key \
--certificate-file existing.crt \
--certificate-file intermediate.crt \
--certificate-file root-ca.crt