java:keytool:list-certificates-from-jks
Create keystore jks file
We want to import into the keystore:
- the certificate chain
- the private key
keytool cannot do this directly.
Create a PKCS12 file first, then import it into the keystore.
Create PKCS12 file
Concatenate (manually) all intermediary CA certificates into a single file: all_cert.crt. Then run the command below. snt.key is the private key of the certificate (the last one in the chain). Enter a password for the p12 file when prompted.
openssl pkcs12 -export -in snt_full.crt -inkey snt.key -name snt -out snt.p12
Import the p12 file into a jks file
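Replace password123 with the private key password supplied when it was created. A password passed with -deststorepass ends up in the shell history and the process list; if the option is omitted, keytool prompts for the password instead.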
keytool -importkeystore -deststorepass password123 -destkeystore keystore_custom.jks -srckeystore snt.p12 -srcstoretype PKCS12
Output:
Importing keystore snt.p12 to keystore_custom.jks...
Enter source keystore password:
Entry for alias sentinel successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore_custom.jks -destkeystore keystore_custom.jks -deststoretype pkcs12".
List JKS entries (certificates)
keytool.exe -list -rfc -keystore keystore.jks | openssl x509 -text
Output:
Enter keystore password: test*
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 20 (0x14)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, O = Test, CN = Test CA
Validity
Not Before: Oct 22 14:36:00 2017 GMT
Not After : Aug 9 13:17:00 2019 GMT
Subject: C = FR, O = Test, CN = Test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b6:18:c9:2a:f8:01:a3:86:e6:32:63
...............
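The pipe above hands openssl x509 only the first certificate in the keytool output, so the rest of an imported chain is never decoded. As an added example (not part of the original page), this script splits the -rfc output into one PEM file per certificate and prints subject, issuer and expiry for each; the function names and the cert_NN.pem file names are assumptions.

```shell
#!/bin/sh
# Added example: decode every certificate in a keystore, not just the first.

# split_pem DIR: read `keytool -list -rfc` text on stdin, write each
# certificate to DIR/cert_01.pem, DIR/cert_02.pem, ... and print the count.
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            file = sprintf("%s/cert_%02d.pem", dir, n)
            inside = 1
        }
        inside { print > file }
        /-----END CERTIFICATE-----/ { inside = 0; close(file) }
        END { print n + 0 }
    '
}

# summarise DIR: print subject, issuer and expiry date of every PEM file in
# DIR, and flag certificates that have already expired.
summarise() {
    for pem in "$1"/cert_*.pem; do
        [ -f "$pem" ] || continue
        echo "== $pem"
        openssl x509 -in "$pem" -noout -subject -issuer -enddate
        openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
            echo "   EXPIRED"
    done
}

# Usage: sh list_certs.sh keystore.jks
# keytool prompts for the keystore password, so it is not on the command line.
if [ "$#" -eq 1 ]; then
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    count=$(keytool -list -rfc -keystore "$1" | split_pem "$tmp") || exit 1
    echo "$count certificate(s) found in $1"
    summarise "$tmp"
fi
```

For the keystore built above, the count should equal the leaf certificate plus every intermediate that went into the PKCS12 file; a count of 1 means the chain was not imported.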
