Hey 
I donât know off the top of my head where Debian stores the systemwide trust store. In CentOS/RHEL itâs /etc/ssl/ca-trust/anchors, after which you need to trigger an update of the actual keystores with a separate command.
I did not have to update any Java keystores with certs or keys; you wonât have to use keytool.
Now, I did not actually see you import the Root CA and Issuing CA certificate files. Those need to go into the systemwide trust store. Itâs not the Graylog cert that needs to be trusted, only the issuers.
Aside from that, most everything youâve done looks similar to my own setup. I assume that youâve setup the file locations in your server configuration correctly and that youâve also added the right passphrase 
EDIT:
My full instructions can be found here â
⊠I say âfull instructionsâ, but Iâve also skipped over the graylog server config file 