The fact is that for signing something (an applet, an executable, etc) it helps much to know what is a certificate, a digital signature (it is PKI stuff), and the true is that the topic is somehow dense. so I'll try to be concise.
You start with a public/private key pair (some bits mathematically related generated by keytool), you send the public part (public key/CSR) to a certification authority (one of the certification authorities that any java default installation has registered by default), they verify you are who you say you are (they could ask for a notarial letter), and if they verify your identity correctly they will sign your public key with their certification authority, this is, they generate a certificate for you.
You latter use your private key (which is private, never sent anywhere) to sign your applet and append your certificate to the signed code (jarsigner comes here), so a client (java plugin) that downloads your applet does the following verification:
1. Verify the signature is correct, this is that is has been generated with your private key.
2. Check if the certificate has been issued/generated by a certification authority included in the default java list.
3. Execute your code.
From Java 1.7.0_45 (or _51 not sure) Java Applets will require your code to be signed with a commercial certification authorities (one in the list java has by default), and well the price will depend on the certification authority, you can get them from $80/year and they work the same (http://stackoverflow.com/questions/155241/cheapest-java-code-signing-certificate-not-self-signed
Well, the procedure for signing your applet and get it working for all your clients like before could go as this:
1. Read http://www.youdzone.com/signature.html
and get sure to understand the basics of digital signature.
2. Using keytool (or a frontend like Portecle) generate a key pair (the result will be a keystore.jks file), then a CSR with your public key and send this CSR to the certification authority.
3. Install the certificate sent by the certification authority to your keystore.jks
4. Sign you .jar using jarsigner
5. Follow new requirements for MANIFEST.MF, include "Permissions" attribute, see https://www.java.com/en/download/help/java_blocked.xml
If you need any clarification on any part of the process I can detail it for you (e.g. commands involved)