That's pretty much it in a nutshell.
I think you may have had a problem in generating a CSR externally because the CSR
must match the private key. If you generate a CSR from outside keytool, you'd have to import not only the cert chain but also the private key used to generate that CSR.
The
Tomcat docs, on the other hand, start out assuming that you'll be constructing a brand-new keystore AND creating a private key (the "keygen" option) and that therefore you will be using keytool to generate CSRs that pair with that key.
SSL is basically just public/private encryption and like SSH, requires a public key to be sent to the client and a private key to decrypt what the client sent after encrypting with the public key. The main difference is that in SSL, you also have digitally-signed tokens that assert that the server is what you think it is and not some random hijacking of data streams for evil purposes.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.