Howdy,
Problem solved.
Here's what I did not know.
The Keystore file (which I named .keystore) has to be the same Keystore
file you generated the CSR from, and that same file is the one you
install the certificate into.
Verisign revoked my old certificate and issued me a new one. Here are
the exact steps I took to make it work.
1. I stopped Tomcat
2. I deleted my .keystore file
3. I deleted all certs (the intermediate and my old one).
4. I then:
   keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit
   keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore -storepass changeit
5. I used the revoke/renew on Verisign's website to get a new cert (was
fast - took less than 30 minutes), using the certreq.csr file I
generated above. [NOTE: I made sure to leave the .keystore file alone.]
6. Next I took the cert and copied it down and then ran:
   keytool -import -alias tomcat -keyalg RSA -keystore .keystore -trustcacerts -file cert.cer -storepass changeit
7. I started Tomcat
It all worked perfectly.
TC
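
Added example, not part of the original post: a check to run before the import step, confirming that the certificate the CA returned carries the same public key as the CSR that was generated from the keystore. It assumes the openssl command-line tool and PEM-encoded files; the function names are hypothetical and the demo keys and certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example (not from the original post): check that a CA-issued
# certificate carries the same public key as the CSR before importing it.
# Assumes the openssl CLI and PEM-encoded input files.

# Print the SHA-256 of the PEM public key in a CSR ("req") or certificate ("x509").
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1      # unreadable input must never hash as "equal"
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_csr() {
    csr_fp=$(pubkey_fp req "$1") || { echo "cannot read CSR: $1" >&2; return 2; }
    cert_fp=$(pubkey_fp x509 "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    [ "$csr_fp" = "$cert_fp" ]
}

# Constructed sample data: a throwaway key and CSR, a certificate issued for
# that CSR, and a certificate for an unrelated key. Prints the directory.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/a.key" -out "$d/certreq.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/certreq.csr" -signkey "$d/a.key" -days 1 \
        -out "$d/cert.cer" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
        -keyout "$d/b.key" -out "$d/other.cer" 2>/dev/null || return 1
    echo "$d"
}

# Usage: script certreq.csr cert.cer   (no arguments: run on the constructed demo)
if [ "$#" -eq 2 ]; then
    if cert_matches_csr "$1" "$2"; then echo "match"; else echo "MISMATCH or unreadable"; fi
else
    dir=$(make_demo) && {
        cert_matches_csr "$dir/certreq.csr" "$dir/cert.cer" && echo "cert.cer: match"
        cert_matches_csr "$dir/certreq.csr" "$dir/other.cer" || echo "other.cer: mismatch"
        rm -rf "$dir"
    }
fi
```

A mismatch means the certificate was issued for a different key pair than the one in the keystore the CSR came from, which is the situation the post describes running into.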