Keystore Types

Java supports two keystore types:

  • JKS - native Java archive format, being deprecated in favor of the PKCS#12 standard
  • PKCS#12 - archive format containing multiple cryptographic objects (also referred to as PFX)

Tools

Two tools are used when working with keystores and certificates:

  • keytool - command-line tool, part of the Java distribution, for manipulating keystores (JKS and PKCS#12)
  • openssl - client tool for manipulating certificates in multiple formats

All of the required tasks can be accomplished with keytool, so we will limit the scope of keystore management to keytool.

Create a keystore

Create a keystore in PKCS#12 format. The command below creates a keystore holding a new key pair and a self-signed certificate for the given server. Please note that in order to have the certificate signed, the common name of the certificate cannot be an IP address.

Also note that this example creates 3 subject alternative names: 1 for the common name (fqdn), 1 for the host name (hostname), and 1 for the IP address of the server.

Code Block
keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 3650 -keystore <keystore.p12> -storetype pkcs12 -storepass <storepass> -alias <aliasname> -dname "CN=<fqdn>,OU=<Org Unit>,O=<Company Name>,L=<City>,S=<State>,C=<Country>" -ext BasicConstraints:critical=ca:false -ext SAN=dns:<fqdn>,dns:<hostname>,ip:<ip_address>

View contents of a keystore


Code Block
keytool -list -v -keystore <keystore.p12> -storepass <storepass>

Create a CSR

Create a CSR from an existing keystore, adding the subject alternative names. The alias is the one whose entry is of type PrivateKeyEntry.

Code Block
keytool -noprompt -certreq -keystore <keystore.p12> -storepass <storepass> -alias <aliasname> -file <server.csr> -ext SAN=dns:<fqdn>,dns:<hostname>,ip:<ip_address> -ext BasicConstraints:critical=ca:false

View contents of a CSR


Code Block
keytool -printcertreq -file <server.csr>

Import signed certificate into keystore

A signed server certificate must be imported into the keystore from which the CSR was generated, and into the same alias.

Code Block
keytool -importcert -trustcacerts -keystore <keystore.p12> -storepass <storepass> -alias <aliasname> -file <server.crt>

Note

When you obtain your signed certificate, it may be provided in a variety of ways. One possibility is a PKCS#7 chained certificate (containing the signed server certificate as well as the certificate chain). Another is that you were provided a single signed certificate and a set of certificates comprising the certificate chain. If you were provided a PKCS#7, import it into the PrivateKeyEntry alias. If you were provided separate certificates, import the server certificate into the PrivateKeyEntry alias, and then import each of the other certificates into a different alias - for example -alias intermediate1, -alias intermediate2, -alias caroot.
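As an added check after the import step (example code written for this page, not part of the original; the class name KeystoreCheck and its command-line arguments are assumptions), the following Java program opens the PKCS#12 keystore and confirms that the alias still holds a PrivateKeyEntry, that its chain is longer than the single self-signed certificate, that the leaf certificate matches the private key, and that the SAN carries the fqdn, hostname and IP address requested in the CSR. It assumes the RSA key pair created by the -genkeypair command above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.security.interfaces.*;
import java.util.*;

// Hypothetical post-import checker, not from the original page. Usage:
//   java KeystoreCheck <keystore.p12> <storepass> <aliasname> <fqdn> <hostname> <ip_address>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0], storepass = args[1], alias = args[2];
        List<String> expectedSans = List.of(args[3], args[4], args[5]);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storepass.toCharArray());
        }
        // 1. The alias must still be a PrivateKeyEntry; a trustedCertEntry here means the
        //    signed certificate went into a different alias than the one the CSR came from.
        if (!ks.isKeyEntry(alias)) fail("alias '" + alias + "' is not a PrivateKeyEntry");
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        // 2. A CA-signed reply replaces the single self-signed certificate with a chain.
        if (chain.length < 2) fail("chain length " + chain.length + ": still self-signed, or CA chain not imported");

        // 3. The leaf certificate's public key must belong to the private key in the entry
        //    (RSA is assumed, matching -keyalg RSA in the -genkeypair step).
        PrivateKey priv = (PrivateKey) ks.getKey(alias, storepass.toCharArray());
        RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
        if (!(priv instanceof RSAPrivateKey) || !((RSAPrivateKey) priv).getModulus().equals(pub.getModulus())) {
            fail("leaf certificate public key does not match the private key under '" + alias + "'");
        }
        // 4. Still valid, and every SAN requested in the CSR survived signing (a CA may drop some).
        leaf.checkValidity();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        for (String expected : expectedSans) {
            boolean found = sans != null && sans.stream().anyMatch(e -> expected.equals(String.valueOf(e.get(1))));
            if (!found) fail("SAN is missing expected entry: " + expected);
        }
        System.out.println("OK: " + alias + " holds a " + chain.length + "-certificate chain for " + leaf.getSubjectX500Principal());
    }

    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

A non-zero exit from any of the four checks points at the most common import mistakes: wrong alias, missing intermediates, or a certificate issued for a different key.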
