I cannot guarantee this will work for everyone; however, I have spent about 2 days laboring on this and finally came to the resolution. I know there are several posts in the forums citing various error messages from people trying to accomplish this, so I hope you all come across this thread and it works for you as it worked for me. The answer is actually quite simple when you think about it, and being a sysadmin, I should know better than to use GUIs to make things work. At the end of the day, the command line always saves me. Stick with keytool and this should work for you.
Please be advised this applies to a Linux install, but I'm sure it could be easily adapted for Windows.
Also, you should run these commands in the same directory where your “keystore” exists. In my install this is /opt/wildfire/resources/security
$ALIAS -> This can be any name you choose to identify your certificate
$CSR-FILE -> Absolute path and name to the signing request file
$CA-ALIAS -> This can be any name you choose to identify the CA root certificate
$CA-ROOT-CERT-FILE -> Absolute path and name to the CA root certificate
$SIGNED-CERT-FILE -> Absolute path and name to the CA signed certificate
GENERATE THE PRIVATE KEY
/opt/wildfire/jre/bin/keytool -genkey -alias $ALIAS -keyalg RSA -keystore keystore
GENERATE THE CSR
/opt/wildfire/jre/bin/keytool -certreq -alias $ALIAS -keystore keystore -file $CSR-FILE
GO TO CA OF CHOICE AND GET THE CA SIGNED. I used RapidSSL/GeoTrust which is signed by Equifax
IMPORT THE CA ROOT CERT INTO KEYSTORE (I USE EQUIFAX CA-1)
/opt/wildfire/jre/bin/keytool -import -alias $CA-ALIAS -keystore keystore -file $CA-ROOT-CERT-FILE
IMPORT THE CA SIGNED CERT INTO KEYSTORE
/opt/wildfire/jre/bin/keytool -import -alias $ALIAS -keystore keystore -file $SIGNED-CERT-FILE
Let me know if this works for you!
Thanks.
Ross
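
A pre-import check for the steps above, as an added example that is not part of the original post: it confirms that the CA-signed certificate carries the same public key as the CSR and that it verifies against the CA root, which is what the final keytool -import relies on. It assumes openssl is installed and that all three files are PEM-encoded; the function name check_ca_reply is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed
# and that the CSR, signed certificate and CA root are PEM files.
# check_ca_reply is a hypothetical helper name.
#
# Return codes: 0 ready to import, 1 public key mismatch,
#               2 unreadable or unparseable input, 3 no chain to the CA root.
check_ca_reply() {
    ccr_csr=$1 ccr_cert=$2 ccr_root=$3

    for ccr_f in "$ccr_csr" "$ccr_cert" "$ccr_root"; do
        [ -r "$ccr_f" ] || { echo "cannot read: $ccr_f" >&2; return 2; }
    done

    # Public key requested in the CSR vs. public key the CA certified.
    ccr_want=$(openssl req -in "$ccr_csr" -noout -pubkey 2>/dev/null) || return 2
    ccr_got=$(openssl x509 -in "$ccr_cert" -noout -pubkey 2>/dev/null) || return 2
    if [ -z "$ccr_want" ] || [ "$ccr_want" != "$ccr_got" ]; then
        echo "signed certificate was not issued for this CSR's key" >&2
        return 1
    fi

    # The signed certificate must verify against the root being imported.
    # If the CA issued it through an intermediate, this fails unless the
    # intermediate is in the same PEM file as the root.
    if ! openssl verify -CAfile "$ccr_root" "$ccr_cert" >/dev/null 2>&1; then
        echo "certificate does not chain to $ccr_root" >&2
        return 3
    fi

    echo "ok: $ccr_cert matches $ccr_csr and chains to $ccr_root"
}

# Usage: sh check_ca_reply.sh CSR SIGNED_CERT CA_ROOT
if [ "$#" -eq 3 ]; then
    check_ca_reply "$@"
fi
```

Run it after the CA returns the signed certificate and before the two import commands; a non-zero exit means the import is likely to be rejected or to bind the wrong certificate to the alias.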