Ok, problem solved. It all boiled down to not properly handling the keystore.
The thing that I missed is that keystores contain 2 types of entries, trusted certs and keys. I was just importing the cert from GeoTrust to a new keystore, which created a trusted cert entry. Instead, I need to import to the original keystore that was used for the CSR, so that the GeoTrust cert would attach to my key pair.
So if you're having this kind of trouble, study up on keytool!