Help with Keycloak as IdP

I currently have a Keycloak server set up with AD as an IdP. I am able to log in to the Keycloak server and federate authentication to the AD server fine.
I would like to configure a similar setup using Keycloak as the IdP. I have two Keycloak servers, one to do the login (keycloak1), one to act as the IdP (keycloak2). I created a new realm on keycloak2. I created a new realm on keycloak and proceeded to add keycloak2 as an identity provider by importing the metadata using the URL. When I do this, I get this error on keycloak:
Uncaught server error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and this on keycloak2:
An IOException occurred: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Does this mean that I need to have a certificate keystore on keycloak with the CA or certificate from the metadata from keycloak2? If so, can someone help me with how to do this? Also, I didn’t have to do anything special to get AD to work. Can anyone shed light on why that was so easy and Keycloak is giving errors? (I would have expected the opposite!)

Thanks,
Mark