I’ve had a few run-ins with Java Keystores at work so I have a basic knowledge. A bit of googling threw me on the right track.
OpenHAB is using the keystore bundled with the jre. For me it’s /usr/lib/jvm/zulu-8-amd64/jre/lib/security/cacerts. On OpenHABian it’s in /usr/lib/jvm/zulu-embedded-8-armhf/jre/lib/security as detailed here
You can see what’s in the keystore by using keytool -v -list -keystore cacerts and the password is changeit by default
Now we know which keystore OpenHAB is relying on we can copy our self-signed certificate from the server it’s hosted on and move it onto the OpenHAB server.
Then the following command imports your crt into the jks:
sudo keytool -trustcacerts -keystore "cacerts" -storepass changeit -importcert -alias zoneminder -file "apache-selfsigned.crt"
I restarted OpenHAB for good measure and now my server is online 