
Using the keytool command, I made a certificate request. There were some interesting quirks importing the certificate, of course not well documented.
The first note is to always, always, always specify the keystore (the -keystore option) in every command; otherwise the command just references (or silently creates) the default .keystore file in the user's home directory (Windows or Unix).
The next issue is that I got errors importing the signed certificate returned from the CA.
One error message was an "invalid X.509 certificate" error.
In this case, the solution is to save the cert as a ".cer" file: in Windows, click on it (open it), click on Details, then select "Copy to File...". Once the wizard opens, specify the format "Base64 encoded X.509" and save the file. You might try that; in theory it should work. I did this but got the error message "Failed to establish chain from reply".
Our documentation in this case said to perform the Base64 import, which I had just completed. Maybe another engineer here mucked up the keystore; I'm not sure.
So here's how I got around that: I used the same wizard to open the certificate, but saved it as a .p7b file (PKCS#7), specifying "export all certificates if possible". I deleted the old key out of the keystore and used the .p7b file for the import into the keystore.
Since you can't export the private key from the keystore, and importing the .p7b returned an "invalid X.509" error on the other machines, I just copied the keystore file to the other machines in the web farm (along with a dependent kspass.dat file for our application).
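Here is the whole sequence as a runnable script, added as an example and not code from the original post. It names the keystore on every keytool call, reproduces the "Failed to establish chain from reply" error by importing a bare reply into a keystore that holds no issuer certificate, and then shows the fix that the PKCS#7 export achieves in one step: get the CA chain into the keystore as a trusted entry, then import the reply against the alias that owns the private key. Because a real CA is not available offline, the script stands up a throwaway CA with keytool -gencert; the file names (app.p12, ca.p12), alias (www), and password (changeit) are hypothetical placeholders. It assumes a JDK keytool on PATH and does nothing if there is none.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a JDK keytool on PATH.
# Names (app.p12, ca.p12, alias "www") and the password "changeit" are
# hypothetical; replace the password with a real secret before use.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # hypothetical; never hard-code in production
KEYSTORE="${KEYSTORE:-app.p12}"      # hypothetical name for the application keystore
ALIAS="${ALIAS:-www}"                # alias that owns the private key
CA_KEYSTORE="ca.p12"                 # stand-in for the real CA (local test only)

# Every keytool call names the keystore explicitly. Without -keystore, keytool
# silently reads or creates ~/.keystore, which is the first trap in the post.
kt() { keytool -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS" "$@"; }

# Stand-in CA: self-signed key pair whose cert carries critical BasicConstraints CA:true.
make_ca() {
  keytool -genkeypair -keystore "$CA_KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias ca \
    -keyalg RSA -keysize 2048 -dname "CN=Test CA, O=Example" \
    -ext bc:c -validity 3650 >&2
  keytool -exportcert -keystore "$CA_KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -alias ca -rfc -file ca.cer >&2
}

# Server side: key pair plus CSR, exactly where the post starts.
make_csr() {
  kt -genkeypair -keypass "$STOREPASS" -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=www.example.com, O=Example" -validity 365 >&2
  kt -certreq -keypass "$STOREPASS" -alias "$ALIAS" -file "$ALIAS.csr" >&2
}

# The "CA" signs the CSR. -rfc writes the Base64/PEM form the Windows wizard
# calls "Base64 encoded X.509"; drop it for binary DER. keytool reads either.
sign_csr() {
  keytool -gencert -keystore "$CA_KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias ca \
    -infile "$ALIAS.csr" -outfile "$ALIAS.cer" -rfc -validity 365 >&2
}

# Importing the reply while the keystore holds no issuer cert reproduces
# "Failed to establish chain from reply". Returns 0 when keytool rejects it.
import_reply_without_chain_fails() {
  if kt -importcert -keypass "$STOREPASS" -alias "$ALIAS" -file "$ALIAS.cer" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# The fix: make the issuer chain known to the keystore (trusted entry), then
# import the reply into the SAME alias that holds the private key.
install_chain() {
  kt -importcert -noprompt -alias ca -file ca.cer >&2
  kt -importcert -keypass "$STOREPASS" -alias "$ALIAS" -file "$ALIAS.cer" >&2
}

# Chain length of the private-key entry: 1 means the reply never went in,
# 2 means leaf plus our single CA. Add -trustcacerts to the import above if the
# root lives in the JDK cacerts file instead of this keystore.
chain_length() {
  kt -list -v -alias "$ALIAS" | sed -n 's/^Certificate chain length: *//p'
}

# Runs the whole flow in a scratch directory and prints the final chain length.
run_demo() (
  cd "$(mktemp -d)"
  make_ca
  make_csr
  sign_csr
  import_reply_without_chain_fails
  install_chain
  chain_length
)

if command -v keytool >/dev/null 2>&1; then
  len=$(run_demo)
  echo "certificate chain length after import: $len"
else
  echo "keytool not found on PATH; nothing run" >&2
fi
```

Two checks worth making before copying a keystore around a web farm: `keytool -list -v -keystore app.p12 -alias www` should report `Entry type: PrivateKeyEntry` with a chain length greater than 1. If the key entry was deleted before the .p7b import, the import creates a trusted-certificate entry with no private key, and the server will not be able to use it. A PKCS#7 reply that already contains the intermediates and root makes the separate trusted-entry import unnecessary, which is why the wizard's "include all certificates" export worked where the lone Base64 leaf did not.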