you will only need an HTTPS-Port configured for your IS.
For this it is sufficient to provide the certificates under Security -> Certificates in IS-Admin.
These files are der-formatted and are valid in the IS globally.
There is a possibility to provide different certificates on the Port-Config itself.
We have never been working with wM 8.2.
We are currently migrating from wM 7.1.3 to wM 9.5 SP1.
In 9.5 we have imported a PKCS12-Keystore and a JKS-Truststore under Security -> Keystore and then have those assigned to the IS globally under Security -> Certificates.
This is sufficient to enable HTTPS-TransportLayerSecurity.
We are not yet using signing and decryption keys.
These will apply only if you plan to encrypt the payload (the data) in addition to the secured transport layer.
As long as this is not really requested by our partner systems we avoid using this to keep testing efforts at a minimum.
About the question with the conversion:
There is no need to convert the files to DER before adding them to a JKS.
See “keytool -help” for details. This tool is part of the JDK.