After much frustration I finally figured out how to get my existing private key and certificate into glassfish’ keystore so that it worked. You see, I did something that the makers of java keytool never thought of – I didn’t use keytool to generate my private key! Unfortunately, keytool doesn’t allow you to import an existing private key, you can only import the certificates (e.g. the public keys). It took me a few hours to figure out this bit of idiocy, and kudos to this blog post for enlightening me:
I followed his steps to convert the keys into DER format and generate a keystore file from that. Then I used keytool’s -importkeystore command to merge that new keystore into glassfish’ keystore, and used keytool to change the key’s password to match the keystore’s password. Fixed!