Here is a link to the TeamCity v8 documentation on the keytool.

I was doing this on a Windows Build Agent and had a self-signed SSL cert on my Amazon Linux Build Server. Here were the steps I took:

1. Went to build server in browser on Build Agent i.e. https://teamcity.example.com
2. Clicked on the certificate error in the URL and downloaded the cert to the local machine
3. Exported the certificate from the certificate explorer in windows into a cer file.

4. Used the keytool exactly as specified in the documentation

   > keytool -importcert -file <cert file where it was exported to> 
     -keystore <path to JRE installation>/lib/security/cacerts
   password: changeit
   

5. Restarted the build agent and viola!

The build agent works as a client to the build server and communicates with it using http/https, and it turns out that when you add a self-signed certificate the build agent does not accept it.

I needed to

1. Let the build agent know the new path for communicating with the server
2. Let the build agent know that it could trust the self-signed certificate

To change the path I did the following (see this post for more details )

Locate the file:
$TEAMCITY_HOME/buildAgent/conf/buildAgent.properties

Change the property
serverUrl=http:\://localhost\:8080 to your new url

To let the build agent know that it could trust the new certificate I had to import it into the build agent's key store.This was done using keytool:

keytool -importcert -file <cert file>  
        -keystore <agent installation path>/jre/lib/security/cacerts

( unless you've changed it, the keystore is protected by password: changeit)

The TeamCity team describes this process in slightly more details here

NOTE
If you need to retrieve your certificate from the TeamCity buildserver keystore, you can also use keytool to do this :

keytool -export -alias <alias name>  
        -file <certificate file name> 
        -keystore <Teamcity keystore path>