Using JDK 6 Keytool would create V3 certs. Also note that you do not need certs with KeyIdentifier Extension in general. You can modify the X509Token policy in your WSDL to have an <sp:RequireIssuerSerialReference /> child assertion and then you no longer need the KeyIdentifier extension.
If you are using NB 6.5 it automatically generates the above child assertion.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=349256