OK, found out my problem.
The password to use for the embedded cert stores is your glassfish admin password which these days is different than changeit.
When I use the default admin user password for glassfish, the keystore commands work.
It's all so obvious when you know the answer.
[Message sent by forum member 'jjsban' (jjsban)]
http://forums.java.net/jive/thread.jspa?messageID=209955