I switched our Metabase install from running on Jetty using a certificate wrapped in a Java keystore file, to using nginx to reverse proxy to normal Jetty and Let’s Encrypt for the SSL.
Seems more complicated but I guess I don’t like/understand .jks files. And I prefer traffic to go through nginx first. So works for me.