As someone who frequently works with digital ids and signatures, keytool is a must have. Here are a few common commands I use when working with keytool. You can also find the complete documentation here.
Generate a new digital id:
keytool -genkey -keystore c:\test\keystore.p12 -storetype pkcs12 -storepass password -keypass password -alias myAlias -keyalg RSA -validity 3650
To create a chained certificate, generate both the parent and the child using the command above. Then use the command below to chain the two and export the child certificate:
keytool -alias child -keystore c:\test\child.p12 -storepass password -certreq |keytool -alias parent -keystore c:\test\parent.p12 -storepass password -gencert > child.cert
Or to add the chained certificate to the digital id, create both keys in chain.p12 as in the first example. Then chain the two together like this:
keytool -alias child -certreq -keystore chain.p12 -storepass password | keytool -alias parent -gencert -ext san=dns:child -keystore chain.p12 -storepass password | keytool -alias child -importcert -keystore chain.p12 -storepass password