Tomcat fails to find a key entry in keystore
For anyone else who stumbles upon this: The key (pun not intended) is to import your certificate using the same alias as the one you used to originally create they keystore (along with its private key) when you ran 'keytool -genkey-alias myalias ...' -- this is how Tomcat ties the private key with your new certificate when it is imported.
Basically, like other commenters said, in the end your own cert should NOT show as a "trustedCertEntry" in a 'keytool -list' -- it needs to be a "PrivateKeyEntry", see below example:
keytool -list -keystore sample.keystore
Your keystore contains 1 entry
example, Aug 28, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:E0:20:64:92:8A(...)
You can find out the original alias by running 'keytool -list', and looking for the PrivateKeyEntry entry. If all goes well when you import your new CA-provided cert (i.e., you use the same alias and your keys match), the new cert will be automagically absorbed into the PrivateKeyEntry. This is the alias you'll need to refer to in Tomcat's server.xml file.