If a private key and certificate already exist in PEM-encoded format, they can replace
both the original private key and the self-signed certificate in
(instead of replacing the self-signed certificate associated with the original
server-generated private key). Use the manage-certificates tool that,
depending on your operating system, is located in the server's bin or
The following command imports existing certificates into a new keystore file named
manage-certificates import-certificate \
  --keystore keystore.new \
  --keystore-type JKS \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --private-key-file existing.key \
  --certificate-file existing.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt
Order the --certificate-file options so that each certificate is followed by the certificate of its issuer. The server certificate is listed first, any intermediate certificates are listed next, and the root CA certificate is listed last. Because some deployments do not feature an intermediate issuer, you might need to import only the server certificate and a single issuer.
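A pre-flight check of that ordering, as an added example that is not part of the product documentation or of manage-certificates itself: it compares each certificate's issuer name with the next certificate's subject name before the import is run. The function names are hypothetical, the openssl command-line tool is assumed to be installed, and only names are compared (signatures are not verified).

```shell
#!/bin/sh
# Added example: check --certificate-file ordering before running the import.
# Function names are hypothetical; file names follow the command above.

# Print "subject<TAB>issuer" for one PEM certificate. RFC 2253 formatting
# makes the subject and issuer strings directly comparable.
cert_names() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    printf '%s\t%s\n' "${s#subject=}" "${i#issuer=}"
}

# Read "subject<TAB>issuer" lines in the order the files will be passed.
# Succeeds only if every issuer equals the next line's subject and the
# last certificate is self-issued (the root CA).
check_chain_order() {
    awk -F '\t' '
        NR > 1 && prev_issuer != $1 {
            printf "position %d is not the issuer of position %d\n", NR, NR - 1
            bad = 1; exit
        }
        { prev_issuer = $2; last_subject = $1 }
        END {
            if (bad) exit 1
            if (NR == 0) { print "no certificates given"; exit 1 }
            if (prev_issuer != last_subject) {
                print "last certificate is not self-issued"; exit 1
            }
            print "order ok"
        }'
}

# Usage: verify_import_order existing.crt intermediate.crt root-ca.crt
verify_import_order() {
    names=''
    for f in "$@"; do
        line=$(cert_names "$f") || return 2
        names="${names}${line}
"
    done
    printf '%s' "$names" | check_chain_order
}

# Constructed names (no real certificates): root and intermediate swapped.
sample_swapped() {
    printf 'CN=ds.example.com\tCN=Example Intermediate CA\n'
    printf 'CN=Example Root CA\tCN=Example Root CA\n'
    printf 'CN=Example Intermediate CA\tCN=Example Root CA\n'
}
```

A non-zero exit status from verify_import_order means the --certificate-file arguments should be reordered, or the missing issuer added, before the keystore is created.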