Conceptually, a keystore (created by keytool) exists to store the information about one server. In our case, it should probably have two entries:
- The initial key, created by keytool
- The “certified” key, generated by a Certificate Authority and then added to the keystore by reading the .pem file (the part cut and pasted from BEGIN to END)
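
The workflow described above, as an added example (not from the original post or the Oracle documentation): a throwaway CA created with keytool stands in for the real Certificate Authority, the signed .pem is imported under the key's own alias, and the resulting entry types are listed. All aliases, file names, distinguished names and the password are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. A throwaway local CA stands in for the real Certificate Authority.
# Aliases, file names, DNs and the password are constructed for this demo.
set -eu
PASS=changeit                      # demo-only password
KT="keytool -J-Duser.language=en"  # force English output so parsing is stable

# Print "alias:entryType" for every entry in keystore $1.
entry_types() {
  $KT -list -keystore "$1" -storepass "$PASS" 2>/dev/null |
    sed -nE 's/^([^,]+),.*(PrivateKeyEntry|trustedCertEntry).*/\1:\2/p' | sort
}

# Print the certificate chain length of alias $2 in keystore $1.
chain_length() {
  $KT -list -v -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

build_keystore() {
  ks="$1/server.keystore"; ca="$1/ca.keystore"
  # 1. Initial key: a private key plus a self-signed certificate (chain length 1).
  $KT -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 30 \
      -dname "CN=server.example.test" -keystore "$ks" -storepass "$PASS" -keypass "$PASS"
  # 2. Certificate signing request that would be sent to the CA.
  $KT -certreq -alias server -file "$1/server.csr" -keystore "$ks" -storepass "$PASS"
  # 3. Stand-in CA: create it, sign the request, export its own certificate as PEM.
  $KT -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 -ext bc:c \
      -dname "CN=Demo CA" -keystore "$ca" -storepass "$PASS" -keypass "$PASS"
  $KT -gencert -alias ca -rfc -validity 30 -infile "$1/server.csr" \
      -outfile "$1/server.pem" -keystore "$ca" -storepass "$PASS"
  $KT -exportcert -alias ca -rfc -file "$1/ca.pem" -keystore "$ca" -storepass "$PASS"
  # 4. Trust the CA first, then import the signed .pem under the key's own alias.
  $KT -importcert -noprompt -alias ca -file "$1/ca.pem" -keystore "$ks" -storepass "$PASS"
  $KT -importcert -noprompt -alias server -file "$1/server.pem" \
      -keystore "$ks" -storepass "$PASS"
}

if [ $# -gt 0 ]; then          # usage: ./demo.sh /empty/scratch/dir
  build_keystore "$1"
  entry_types "$1/server.keystore"
fi
```

After the import, the `server` entry is still a PrivateKeyEntry, now with a certificate chain of length 2, and the CA certificate sits beside it as a trustedCertEntry.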
These appear to be the most helpful articles I’ve found so far:
- Configuring Identity and Trust http://docs.oracle.com/cd/E11035_01/wls100/secmanage/identity_trust.html
- keytool – Key and Certificate Management Tool http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html