You can use a keystore other than the default (sessionserver/etc/keystore.bcfks) to store your CA-signed certificates.
Specify the following properties in sessionserver/conf/container.properties:
server.ssl.key-store server.ssl.key-store-password
Where the keystore path is set to the non-default keystore file name and the keystore password is set to the obfuscated value generated by the following command from the sessionserver directory:
../java/jre/bin/java -cp ./lib/jetty-util-<version>.jar org.eclipse.jetty.util.security.Password passwordToObfuscate
For example:
server.ssl.key-store=${server.home}/etc/custom.bcfks server.ssl.key-store-password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
To avoid confusion, delete the default keystore.
To prevent the default keystore from being generated when the server starts up, open /conf/product-core-ctx.xml in a text editor and either remove or comment out the servletEngineKeystoreGenerator section. Restart the session server.