Anyway, here's how to get it to work with tomcat:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
The first question it will ask is "What is your first and last name?". Don't type your name. This should be the name of the server (eg. "www.yourcompany.com"). The rest of the questions you can answer as usual.
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.jks
Now, you fill out the PositiveSSL webform, putting your credit card and other details in. It's ask you to paste in the Certificate Signing Request as well - just copy and paste the contents of the certreq.csr file into that field. After a few minutes, you'll receive a couple of emails, the last of which will have a zip file attached, which has four crt files in it. Now you need to import these in a particular order.
$ keytool -import -alias root -keystore keystore.jks -trustcacerts -file AddTrustExternalCARoot.crt
This step may warn you saying "Certificate already exists in system-wide CA keystore under alias
Then add the rest of the certificates that were in the zip file in order:
$ keytool -import -trustcacerts -alias positive -keystore keystore.jks -file PositiveSSLCA.crt
$ keytool -import -alias tomcat -keystore keystore.jks -file www_yourcompany_com.crt