For your internal Certificate Authority (such as Active Directory Certificate Services) create or edit an existing Configuration Profile. There is a certificates section. You'll edit the certificates payload, upload your crt file to the JSS, and it will be distributed it to the enrolled devices. This should add your internal CA to the System keychain.
If it's a user certificate, you'd have to create a user level Configuration Profile, assign the profile to a user or group, and the certificate would get pushed into the user's logon keychain.
Sorry I can't be more specific, I don't have a JSS or Profile Manager instance available to me at the moment.
Thought this might be helpful to share with others who run into the same issue.
In JSS, I add a new computer configuration policy. I add a certificate payload. I click on the Upload Certificate button, browse to the certificate I want to distribute, and then click upload. This produces the error message: "The file must use .cer, .der, .p12 or .pfx format" because I my certificate has a .crt file extension.
I did some research online and found that a .crt is interchangable with a .cer file extension. So I exported the installed .crt as a .cer and was then able to upload it and distribute it.