Hey 
I don’t know off the top of my head where Debian stores the systemwide trust store. In CentOS/RHEL it’s /etc/ssl/ca-trust/anchors, after which you need to trigger an update of the actual keystores with a separate command.
I did not have to update any Java keystores with certs or keys; you won’t have to use keytool.
Now, I did not actually see you import the Root CA and Issuing CA certificate files. Those need to go into the systemwide trust store. It’s not the Graylog cert that needs to be trusted, only the issuers.
Aside from that, most everything you’ve done looks similar to my own setup. I assume that you’ve setup the file locations in your server configuration correctly and that you’ve also added the right passphrase 
EDIT:
My full instructions can be found here →
… I say “full instructions”, but I’ve also skipped over the graylog server config file 