tomcat doesn't deliver intermediate certificate (https)
I had to create a CA file by finding the root cert for my issuer and then putting the intermediate cert above it in the same file. Then I ran:
openssl pkcs12 -export -chain -inkey mykey.key -in mye.crt -name "tomcat" -CAfile intermediate_plus_root.crt -out key_and_cert.p12
There is even a more simple solution as asked for in some comments (without saving root and intermediate certs in /etc/ssl/certs)
First copy all the needed root and intermediate certificates in a folder (in our example the folder is '~/certs' and our two certificates are named 'PrimaryCA.pem' and 'SecondaryCA.pem'):
mkdir ~/certs
mv PrimaryCA.pem ~/certs/PrimaryCA.pem
mv SecondaryCA.pem ~/certs/SecondaryCA.pem
Then 'c_rehash' the folder:
c_rehash ~/certs
Now the certs folder will contain two new symlinks named regarding the following scheme '{hash-value}.{n}' where {hash-value} is an 8 symbol hash value and {n} is an integer. If that's the case for you continue to the following command which creates your .p12 using '-CApath' instead of going the long way round copying the certificates to /etc/ssl/certs:
openssl pkcs12 -export -in cert.pem -inkey key.key -out key_and_cert.p12 -chain -CApath ~/certs
Finally convert it to jks as Heinzi already perfectly described in his answer:
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
Finally I got it working. It's not a clean solution, but it works. I added the intermediate certificate to my local /etc/ssl/certs and then called
openssl pkcs12 -export -in cert.pem -inkey key.key -out key_and_cert.p12 -chain
The resulting pkcs12 certificate I converted to jks via
keytool -importkeystore -deststorepass [password] -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass [password]
This resulting file seems to work now, tomcat delivers the certificate chain also to clients that don't have the intermediate certificate in their /etc/ssl/certs directory. But I think there must also be a way without changing /etc/ssl/certs.