I'm renewing a certificate used by my Hadoop cluster. The current JKS has one entry:
Your keystore contains 1 entry
Alias name: myalias
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
I'm trying to create a new keystore from the new cert:
keytool -importcert -alias myalias -file newcertfile.crt -keystore newkeystore.jks
But I get asked whether I trust this certificate (if I say no, keytool quits):
Trust this certificate? [no]: yes
And when I look at the result, it's no longer a PrivateKeyEntry but a trustedCertEntry:
keytool -list -v -keystore newkeystore.jks
...
...
Your keystore contains 1 entry
Alias name: myalias
Creation date: Feb 20, 2019
Entry type: trustedCertEntry
...
...
What am I missing here? Should I just use the JKS with the trustedCertEntry or is there a way to make it just like the old JKS (with PrivateKeyEntry)?
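A check that can be run on a renewed keystore before it is deployed, as an added example that is not part of the original post: it reads `keytool -list -v` output and reports whether an alias still holds a private key. The function names and the two sample listings are constructed for illustration (modelled on the output quoted above), and English keytool output is assumed.

```shell
#!/bin/sh
# keytool -importcert stores a certificate as trustedCertEntry when the target
# keystore has no key entry under that alias; a keystore that must present the
# certificate (e.g. for TLS) needs the alias to be a PrivateKeyEntry.

# entry_type ALIAS: read `keytool -list -v` output on stdin and print the
# "Entry type" recorded for ALIAS (prints nothing if the alias is absent).
entry_type() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { if (alias == want) { print substr($0, 13); exit } }
    '
}

# has_private_key ALIAS: succeed only if ALIAS is a PrivateKeyEntry.
has_private_key() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# Constructed sample listings (not real keystores).
OLD_LISTING='Your keystore contains 1 entry
Alias name: myalias
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1'

NEW_LISTING='Your keystore contains 1 entry
Alias name: myalias
Creation date: Feb 20, 2019
Entry type: trustedCertEntry'

# In real use the listing would come from:
#   keytool -list -v -keystore newkeystore.jks | has_private_key myalias
for name in OLD NEW; do
    eval "listing=\$${name}_LISTING"
    if printf '%s\n' "$listing" | has_private_key myalias; then
        echo "$name: myalias holds a private key"
    else
        echo "$name: myalias has no private key (certificate only, or missing)"
    fi
done
```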