Jenkins plugin updates are failing with unable to find valid certification path to requested target after adding certs to truststore

Question

PS C:\Program Files (x86)\Jenkins\.cacerts> java -version                                                                                                                         java version "11.0.10" 2021-01-19 LTS
Java(TM) SE Runtime Environment GraalVM EE 21.0.0 (build 11.0.10+8-LTS-jvmci-21.0-b06)
Java HotSpot(TM) 64-Bit Server VM GraalVM EE 21.0.0 (build 11.0.10+8-LTS-jvmci-21.0-b06, mixed mode, sharing)

Jenkins on Windows10 : version: 2.263.1

I have added certs for updates.jenkins-ci.org:443. Install fails with

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)

My jenkins xml

<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Djavax.net.debug=all -Djavax.net.ssl.trustStore="C:\Program Files (x86)\Jenkins\.cacerts\jssecacerts"  -Djavax.net.ssl.trustStorePassword=changeit  -jar "%BASE%\jenkins.war" --httpPort=8080  --httpsPort=443 --httpsKeyStore="C:\Program Files (x86)\Jenkins\.cacerts\keystore.jks" --httpsKeyStorePassword=changeit --webroot="%BASE%\war" </arguments>

PS C:\Program Files (x86)\Jenkins\.cacerts> keytool -list -keystore .\jssecacerts -alias  updates.jenkins-ci.org-1                                                                Enter keystore password:
updates.jenkins-ci.org-1, Jul 29, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:EB:2C:AA:6F:EC:17:12:97:04:EC:C3:77:E8:77:2F:9D:E1:AC:B4:54:2D:F8:FE:99:98:6C:3F:0C:EB:90:95

Why Java is not trusting though I have given truststore and added cert. I do see the logs, it is reading truststore

javax.net.ssl|DEBUG|01 AD|Update center installer thread [#1]|2021-07-29 19:58:38.469 EDT|TrustStoreManager.java:112|trustStore is: C:\Program Files (x86)\Jenkins\.cacerts\jssecacerts
trustStore type is: pkcs12
trustStore provider is:

Jenkins error log

javax.net.ssl|ERROR|05 89|Update center installer thread [#2]|2021-07-29 20:18:58.818 EDT|TransportContext.java:344|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target