I had to convert ssl private key + cert chain from the format nginx understands to a format which jetty/tomcat understands.
Sounds pretty simple, but... well, I'd come up with so many ways to break the certificate chain that it deserves a separate post of its own.
So, that's the magic:
openssl pkcs12 -export -in mysite.pem -inkey mysite.key -out mysite.p12 -name "jetty"
And then you open the .p12 file with Portecle and simply do Tools > Change Keystore Type > JKS.
Don't forget to reset both key and keystore passwords: jetty/tomcat expect both passwords to be equal.
AFAIK there's no one-shot command to import .p12 into java keystore. At least with java 5 keytool. So I'd prefer to keep things more or less simple by using Portecle.
...oh, and this cool collection of examples for openssl/keytool simply has to be bookmarked: Not so few frequently used SSL commands