
Tomcat configured for both 8080 and 8443:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1"
        connectionTimeout="20000"
        scheme="https"
        secure="true"
        SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyAlias="tomcat"
                certificateKeystoreFile="certificates/tomcat.jks"
                certificateKeystorePassword="changeit"
                truststoreFile="certificates/tomcat.jks"
                truststorePassword="changeit" />
    </SSLHostConfig>
</Connector>

This code works:

HttpRequest request = HttpRequest.newBuilder()
        .uri( new URI( "http://localhost:8080/application/" ) )
        .headers( "Content-Type", "application/xml" )
        .headers( "Accept", "application/xml" )
        .POST( HttpRequest.BodyPublishers.ofString( PAYLOAD ) )
        .build();
HttpResponse< String > response = client.send( request, HttpResponse.BodyHandlers.ofString() );

while the HTTPS code fails with IOException: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target:

HttpRequest request = HttpRequest.newBuilder()
        .uri( new URI( "https://localhost:8443/application/" ) )
        .headers( "Content-Type", "application/xml" )
        .headers( "Accept", "application/xml" )
        .POST( HttpRequest.BodyPublishers.ofString( PAYLOAD ) )
        .build();

HttpResponse< String > response = client.send( request, HttpResponse.BodyHandlers.ofString() );

...despite running JVM with:

-Djavax.net.ssl.keyPassword=changeit
-Djavax.net.ssl.keyStore=/opt/tomcat/certificates/tomcat.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/opt/tomcat/certificates/trust.jks
-Djavax.net.ssl.trustStorePassword=changeit

Here's how I built the certificate artifacts:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -validity 365 -keystore tomcat.jks -dname "cn=windofkeltia.com"
$ keytool -export -alias tomcat -file tomcat.crt -keystore tomcat.jks -storepass changeit
$ openssl genrsa -out trust.key 2048
$ openssl req -new -x509 -days 365 -key trust.key -out trust.crt -subj "/CN=windofkeltia.com/"
$ keytool -importcert -alias tomcat -file trust.crt -keystore trust.jks -storePass changeit
# ll
-rw-r--r--  1 tomcat tomcat  863 Jul 28 11:32 tomcat.crt
-rw-r--r--  1 tomcat tomcat 2697 Jul 28 11:31 tomcat.jks
-rw-r--r--  1 tomcat tomcat 1314 Jul 28 15:26 trust.crt
-rw-r--r--  1 tomcat tomcat 1287 Jul 28 15:26 trust.jks
-rw-------  1 tomcat tomcat 1679 Jul 28 15:26 trust.key
Russ Bateman
  • Did you include the self-signed CA (Certificate Authority) certificate? – Jim Garrison Jul 30 '22 at 00:43
  • @JimGarrison (Sorry, I was unavoidably gone for 2 days) I added how the certificates were built. – Russ Bateman Aug 01 '22 at 20:08
  • It's been a while since I did any of this, but your process doesn't look right. You generated your self-signed certificate OK, but I don't see where you used it to sign your Tomcat server certificate. Also, when you connect, doesn't the host name need to match the CN in the certificate? – Jim Garrison Aug 01 '22 at 23:21
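The comments above point at the two checks worth running before touching any JVM flags: does the trust store actually contain the certificate (or the CA) that the 8443 connector presents, and does the host in the URL match the certificate. The following Java program is an added example, not code from the question; it assumes the keystore paths, alias and password shown in the question, and Java 17 or later (for HexFormat). It loads the server certificate from tomcat.jks, lists the trust anchors in trust.jks with their SHA-256 fingerprints, runs the same PKIX check the handshake would run, and only then builds an HttpClient that uses that trust store explicitly instead of relying on -Djavax.net.ssl.* properties.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {

    // Assumed from the question: same paths, alias and password as the JVM flags and keytool commands.
    static final String SERVER_KEYSTORE  = "/opt/tomcat/certificates/tomcat.jks";
    static final String CLIENT_TRUSTSTORE = "/opt/tomcat/certificates/trust.jks";
    static final String SERVER_ALIAS = "tomcat";
    static final char[] PASSWORD = "changeit".toCharArray();

    // Open a JKS file; keytool writes JKS here, PKCS12 would use KeyStore.getInstance("PKCS12").
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Fingerprint of the DER encoding, the same value keytool -list -v prints as SHA256.
    static String sha256(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.ofDelimiter(":").withUpperCase().formatHex(digest);
    }

    // The default (PKIX) trust manager built over the given trust store.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager x) return x;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore serverKs = load(SERVER_KEYSTORE, PASSWORD);
        X509Certificate serverCert = (X509Certificate) serverKs.getCertificate(SERVER_ALIAS);
        System.out.println("server cert subject : " + serverCert.getSubjectX500Principal());
        System.out.println("server cert issuer  : " + serverCert.getIssuerX500Principal());
        System.out.println("server cert SHA-256 : " + sha256(serverCert));

        KeyStore trustKs = load(CLIENT_TRUSTSTORE, PASSWORD);
        X509TrustManager tm = trustManagerFor(trustKs);
        System.out.println("trust anchors in " + CLIENT_TRUSTSTORE + ":");
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("  " + anchor.getSubjectX500Principal() + "  " + sha256(anchor));
        }

        // This is the check that throws "PKIX path building failed" during the handshake.
        try {
            tm.checkServerTrusted(new X509Certificate[] { serverCert }, "RSA");
            System.out.println("PKIX: server certificate chains to a trust anchor");
        } catch (CertificateException e) {
            System.out.println("PKIX: NOT trusted -> " + e.getMessage());
            System.out.println("trust.jks must hold tomcat.crt itself (self-signed) or the CA that signed it");
            return;
        }

        // Explicit SSLContext: the client trusts exactly what is in trust.jks, nothing else.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest request = HttpRequest.newBuilder()
                .uri(new URI("https://localhost:8443/application/"))
                .header("Accept", "application/xml")
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
    }
}
```

With the commands in the question, the certificate under alias tomcat is self-signed by keytool, so its issuer is itself and no CA ever signed it; trust.jks instead holds trust.crt, a separate key pair that never signed anything, so the PKIX check fails. Importing tomcat.crt into trust.jks (keytool -importcert -file tomcat.crt -keystore trust.jks) makes the check pass. The hostname question in the last comment is separate: the URL uses localhost while the certificate's CN is windofkeltia.com, and HttpClient verifies the host against the certificate's subject alternative names, so regenerate the key pair with a matching SAN (for example keytool -genkeypair ... -ext san=dns:localhost) rather than weakening verification on the client.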

0 Answers