The default key algorithm when generating a key pair with keytool seems to be DSA.
The cipher suites used in production mode are restricted to EC and RSA.
So if you bring your own keystore but you did not set the key algorithm when generating the key pair to EC or RSA, the server won't be able to set up secure connections. It refuses the SSL handshake.
The install doc does not yet mention this crucial point.
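A way to check a keystore for this before deploying it, as an added example that is not part of the original report: the function reads `keytool -list -v` output and reports every private key entry whose key is neither RSA nor EC. The function names, the sample listing (constructed) and the `keystore.jks` / `server` names are assumptions, as is the "Subject Public Key Algorithm" line printed by recent JDK versions.

```shell
#!/bin/sh
# Added example. Real use (keystore.jks is a placeholder path):
#   keytool -list -v -keystore keystore.jks | unusable_keys
# To create a usable pair, set the algorithm explicitly, e.g.:
#   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks

# Constructed sample of `keytool -list -v` output, trimmed to the relevant lines.
sample_listing() {
cat <<'EOF'
Alias name: legacy
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key

Alias name: web
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: web-ec
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
EOF
}

# Reads a verbose keytool listing on stdin. Prints "<alias> <algorithm>" for
# each private key entry whose key is not RSA or EC; returns 1 if any is found.
unusable_keys() {
  awk '
    BEGIN { bad = 0 }
    /^Alias name: /                { alias = substr($0, 13); priv = 0 }
    /^Entry type: PrivateKeyEntry/ { priv = 1 }
    /^Subject Public Key Algorithm: / && priv {
      # Fields: Subject Public Key Algorithm: <size> <ALG> ... key
      if ($6 != "RSA" && $6 != "EC") { print alias, $6; bad = 1 }
      priv = 0   # only the first certificate in the chain carries the entry key
    }
    END { exit bad }
  '
}

sample_listing | unusable_keys ||
  echo "regenerate the entries above with -keyalg RSA or -keyalg EC" >&2
```
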