I am not 100% clear how you created your keypair, but let me tell you what has worked for me, based on using keytool from JDK5. I have added Java_Home to the environment variables and path in Win2003, so keytool is recognized in all directories. Let me know if this makes sense, or if not, any questions.
1. Using Command Prompt, cd \glassfish\domains\domain1\config
2. keytool -list -v -keystore keystore.jks ==> shows that there is one keyEntry "s1as"
3. Generate new keypair "myalias" in the keystore.jks
keytool -genkey -keyalg rsa -keysize 1024 -alias myalias -keypass changeit -keystore keystore.jks -storepass changeit -validity 3650
4. keytool -list -v -keystore keystore.jks ==> shows that there are 2 keyEntry values - "s1as" and "myalias"
5. Now create the CSR...
keytool -certreq -alias myalias -keystore keystore.jks -file c:\certreq.pem
==> you can view certreq.pem in a text editor and will see the certificate output
6. Submit the contents of certreq.pem to your CA. They will append the file, which will now be much longer. Save the new signed "myalias" certificate as signedreq.pem
7. Import the Root and Class certificates into the local keystore
keytool -import -alias rootcert -keystore keystore.jks -file c:\rootcert.pem -trustcacerts
keytool -import -alias classcert -keystore keystore.jks -file c:\classcert.pem -trustcacerts
8. Import the signed certificate from the CA into the keystore
keytool -import -alias myalias -keystore keystore.jks -file c:\signedcert.pem -trustcacerts
9. View the contents of the keystore, verifying that the Certificate Chain Length = 3:
keytool -list -v -keystore keystore.jks
10. Import the Root and Class certificates into the cacerts.jks keystore
keytool -import -alias rootcert -keystore cacerts.jks -file c:\rootcert.pem -trustcacerts
keytool -import -alias classcert -keystore cacerts.jks -file c:\classcert.pem -trustcacerts
So to answer your earlier question, you import the signed cert, class cert and root cert into the keystore.jks and import the root cert and class cert into the cacerts.jks keystore.
Now if you didn't do the above steps in the keystore.jks to start with, but created a new keystore, then I would recommend generating a new s1as keypair in your new keystore.
Hope this helps.
Derek
[Message sent by forum member 'djsceats' (djsceats)]
http://forums.java.net/jive/thread.jspa?messageID=354929
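
The check in steps 9 and 10 can also be done programmatically. The following is an added example, not part of the original post: it walks the "myalias" chain, verifies each signature and validity period, and confirms the class and root certificates are present in cacerts.jks. The class name CheckChain, the use of "changeit" as the cacerts.jks password, and Java 7 or later are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

public class CheckChain {
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: run from domains\domain1\config; alias and password as in the steps above.
        char[] pass = "changeit".toCharArray();
        String alias = args.length > 0 ? args[0] : "myalias";
        KeyStore keystore = load("keystore.jks", pass);
        KeyStore cacerts = load("cacerts.jks", pass);

        if (!keystore.isKeyEntry(alias))
            throw new IllegalStateException(alias + " is not a key entry in keystore.jks");
        Certificate[] chain = keystore.getCertificateChain(alias);
        System.out.println("Certificate chain length: " + chain.length);
        if (chain.length != 3)
            throw new IllegalStateException("expected server, class and root certificates");

        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // The last certificate is the self-signed root; every other one is signed by the next.
            X509Certificate issuer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            cert.checkValidity();                 // throws if expired or not yet valid
            cert.verify(issuer.getPublicKey());   // throws if the signature does not match
            System.out.println(i + ": " + cert.getSubjectX500Principal().getName());
            if (cert.getPublicKey() instanceof RSAPublicKey)
                System.out.println("   RSA modulus bits: "
                        + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength());
            // Step 10: the class and root certificates must also be trusted in cacerts.jks.
            if (i > 0 && cacerts.getCertificateAlias(cert) == null)
                throw new IllegalStateException("missing from cacerts.jks: "
                        + cert.getSubjectX500Principal().getName());
        }
        System.out.println("Chain for '" + alias + "' verifies; CA certificates found in cacerts.jks");
    }
}
```

Compile with javac CheckChain.java and run java CheckChain from the config directory; any exception identifies the step that did not take effect.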