graylog-certificate.pem had information appended to the top of the cert, graylog.crt was just the cert itself in pem format, that may have been an issue, but not the one I am currently facing I suppose.
Perhaps I did put the wrong cert in, the commands I posted above are exactly what I did in terminal, so if its written there, then thats what I did, no more no less.
In fairness, I was just following the quicker tutorial here:
I am a little confused by the imports in that tutorial, It has graylog.jks as where the self signed is imported into, but then points the java server to graylog-key.jks which the tutorial never had you import anything into it??