If a private key and certificate already exist in PEM-encoded format, they can replace both the original private key and the self-signed certificate in keystore (instead of replacing the self-signed certificate associated with the original server-generated private key). Use the manage-certificates tool that, depending on your operating system, is located in the server's bin or bat directory.

The following command imports existing certificates into a new keystore file named keystore.new:

manage-certificates import-certificate \
  --keystore keystore.new \
  --keystore-type JKS \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --private-key-file existing.key \
  --certificate-file existing.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt

Order the certificates that use the --certificate-file option in such a manner that each subsequent certificate functions as the issuer for the previous one. The server certificate is listed first, any intermediate certificates are listed next, and the root CA certificate is listed last. Because some deployments do not feature an intermediate issuer, you might need to import only the server certificate and a single issuer.