Extract crt and key from jks file for HTTPS

I have vault server on production and it run by http right now. our company buy jks file for run vault by https:

so by keytool we make vault.crt and vault.key files and put them in


but when I restart vault I got this error

Error parsing listener configuration.
May 14 17:08:02 vault[64493]: Error initializing listener of type tcp: error loading TLS cert: x509: invalid certificate policies

and vault do not run by systemctl command.

I want know which output I must get from jks file and put it vault config.hcl?