Yes there is a way you can do this.   What you would need to do though would be to install Oracle Java separately from Jira.  Please see our documentation on Installing Java.

Jira exe and bin installation files bundle with them an Oracle JRE (java runtime environment).   If your operating system does not have defined a $JAVA_HOME or a $JRE_HOME then Jira will default to using this bundled version of Java so that it can run.   What you can do though is to install your own Java, AND set the $JAVA_HOME variable per that document above to be this other Java installation path.   This way, every time Jira starts up, it will use this same Java installation, and in turn this Java installation will centralize the trust store being used by Java applications like Jira.

Later upgrades to Jira won't require you to import these ssl certs again each time, unless of course you reach a Jira version upgrade that requires an upgraded version of Java which is not that common relatively.

Granted when you set this up for the first time, you are going to need to import the certs again once more.  And it is still possible that upgrades to Jira can overwrite the $JIRAINSTALL folder which includes the /conf/server.xml file that defines how Jira's Tomcat instance is configured.  But by setting up Java this way on the operating system, you can save yourself some considerable effort of needing to always reimport these kinds of certs.

No, you need to do the full upgrades.

But re-installing a certificate in a key store only takes a few seconds, so I'm not sure why you have to spend days on it.  A bit longer if you have to extract it from the old store of course.