I've done following steps
Create keystore:
keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048
Crete certificate request:
keytool -certreq -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Bought Comodo PositiveSSL certificate
Import all certificates to newly created keystore - wso2carbon.jks:
keytool -import -alias root -keystore wso2carbon.jks -trustcacerts -file AddTrustExternalCARoot.crt -storepass wso2carbon
keytool -import -alias intermediate1 -keystore wso2carbon.jks -trustcacerts -file COMODORSAAddTrustCA.crt -storepass wso2carbon
keytool -import -alias intermediate2 -keystore wso2carbon.jks -trustcacerts -file COMODORSADomainValidationSecureServerCA.crt -storepass wso2carbon
keytool -import -alias domain.com -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Copied wso2carbon.jks to {CARBON_HOME}/repository/resources/security/ and overwrite the old one.
Restarted WSO2 IS. WHen I inspect with prowser it says in Certificate hiararchy only domain.com is present.
In general I followed this tutorial https://docs.wso2.com/display/AS521/Creating+New+Keystores#CreatingNewKeystores-Creatingakeystoreusinganewcertificate
I've found the solution:
At point 3 I needed to put the same alias like in point 1 for last import - domain.com:
keytool -import -alias wso2carbon -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Now it works great with web browsers but when access with Android it is still not trusted, but that is for another topic.