The CSR (Certificate Signing Request) is the prototype certificate that you generate with keytool, OpenSSL or some similar tool. Since it has not been signed, it cannot be used as an actual SSL cert.
So you must either send it to a recognized signing agent (CA) or sign it yourself.
The actual SSL process requires BOTH a cert (sent to the client) and a related Private Key (kept hidden on the server). The
Tomcat SSL docs tell how to generate both items for a self-signed certificate and store them in the keystore using keytool. Their examples mostly combine the function of creating a new keystore and the private key by using the "-genkey" option.
You can use OpenSSL to generate the CSR, which you would send to the CA of your choice to be signed. The CA will typically then provide you with the signed cert and any upstream certs needed to establish the Chain of Trust. Tomcat's docs cover this under the heading "Installing a Certificate from a Certificate Authority".
So your keystore needs a Private Key entry, the signed cert, and any parent certs that the CA provides.
I mentioned elsewhere that Tomcat and Apache use different file formats for their certs, even though the actual cert information is the same. Tomcat uses JKS format. Apache uses X509, I believe. Portecle is a nice GUI tool that can be used to convert cert formats. Plus it also can do many of the keytool functions graphically.