Submit the SSL cert at geocerts. When it is approved, download it again.
It will include an intermediate cert, so you have to combine the whole cert chain with the cert itself to have the cert be presented with its whole chain, e.g.:
Now, copy this to the application's conf directory, where it expects the keytool to be, and restart the java/tomcat daemon.
If the daemon does not stay running, then are you sure that your private key and keystore passwords are the same? If not, do this to change the password for the private key to match the keystore (and also note that your app will have to be configured to know what the keystore password is):
keytool -keypasswd -alias 1 -keystore keystore