posted 13 years ago
In addition to Ulf's links, here is how the process should work in general. Please compare these steps against your understanding.
1. Create a new keypair using keytool -genkeypair -alias pickagoodalias <...other options...>
This creates both a private key and an associated public key. At no point will the private key ever leave the keystore. You will need to remember the alias you used.
2. Create a CSR using keytool -certreq -alias pickagoodalias <...other options...>
This creates a CSR. The CSR contains only the public key in addition to identifying information.
3. Give the CSR to a certificate authority (CA).
4. Retrieve the signed X509 certificate from the CA. This contains the same public key you created in step 1 and gave to the CA in step 3.
5. Install the certificate into the same keystore as in step 1, using the same alias you used in step 1, with keytool -importcert -alias pickagoodalias <...other options...>
This step will also double check that the public key in the certificate you are importing is the same as the one you created in step 1.
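
The five steps above as a runnable script. This is an added example, not part of the original post. It assumes a throwaway local CA created with keytool -gencert in place of a real CA; the second alias otheralias, the password, the DNs and the file names are constructed demo values.

```shell
#!/bin/sh
# Added example: steps 1-5 with a throwaway local CA standing in for the real one.
# All names, passwords and DNs here are constructed demo values.
PASS=changeit

# Run one keytool command against a PKCS12 store; tool chatter goes to stderr.
kt() { cmd=$1; shift; keytool "$cmd" -storetype PKCS12 -storepass "$PASS" "$@" </dev/null >&2; }

keytool_csr_flow() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT
  ks=$dir/app.p12; ca=$dir/ca.p12

  # Stand-in CA (assumption: a real CA holds this key on its own systems).
  kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
     -dname "CN=Demo CA" -ext bc=ca:true -keystore "$ca" || exit 1
  kt -exportcert -alias ca -rfc -file "$dir/ca.pem" -keystore "$ca" || exit 1

  # Step 1: key pair under the alias to remember, plus an unrelated second
  # key pair that is only used for the mismatch check below.
  for a in pickagoodalias otheralias; do
    kt -genkeypair -alias "$a" -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=$a.example.test" -keystore "$ks" || exit 1
  done

  # Step 2: the CSR carries the public key and subject, never the private key.
  kt -certreq -alias pickagoodalias -file "$dir/app.csr" -keystore "$ks" || exit 1

  # Steps 3-4: the CA signs the CSR and returns an X.509 certificate.
  kt -gencert -alias ca -infile "$dir/app.csr" -outfile "$dir/app.pem" -rfc \
     -validity 30 -keystore "$ca" || exit 1

  # Trust the CA certificate so the reply chains to a known root.
  kt -importcert -alias ca -file "$dir/ca.pem" -noprompt -keystore "$ks" || exit 1

  # Wrong alias: the certificate's public key differs from that entry's key,
  # so keytool is expected to refuse the import.
  if kt -importcert -alias otheralias -file "$dir/app.pem" -keystore "$ks" 2>/dev/null
  then wrong=accepted; else wrong=rejected; fi

  # Step 5: same keystore, same alias as step 1.
  if kt -importcert -alias pickagoodalias -file "$dir/app.pem" -keystore "$ks"
  then right=installed; else right=failed; fi

  echo "wrong_alias=$wrong right_alias=$right"
)
```

Call keytool_csr_flow to run it; everything is created in a temporary directory that is removed on exit.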