Most likely you are missing something, either a root or an intermediate certificate. If the internal CA is Microsoft, when you download the CA root cert make sure to get the correct one.
The general process is:
1. Make a .ks with your http and consoleproxy cert.
2. Make a CSR based off of this .ks for each cert.
3. Get them signed by the internal CA.
4. Import all required root/intermediate certificates into the .ks.
5. Import the signed certificates into the .ks.
Then the reconfigure should work.
I also have a habit of using the keytool provided by vCloud Director to make sure it's the corresponding version for the application.
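
A check for the failure described above (a missing root or intermediate, or a signed certificate that was never imported), as an added example that is not part of the original answer: it parses `keytool -list -v` output and reports which of the `http` and `consoleproxy` aliases lack a complete chain. The sample listing is constructed and trimmed to the fields the parser reads, and matching issuers by DN string is an assumption that suits a typical internal CA.

```python
# Constructed, trimmed `keytool -list -v` output (not from a real system).
SAMPLE = """\
Alias name: http
Entry type: PrivateKeyEntry
Owner: CN=vcd.example.internal
Issuer: CN=Example Issuing CA
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Owner: CN=vcdproxy.example.internal
Issuer: CN=vcdproxy.example.internal
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def parse_entries(listing):
    """Map alias -> {"type": entry type, "certs": [(owner, issuer), ...]}."""
    entries, cur, owner = {}, None, None
    for raw in listing.splitlines():
        key, _, value = raw.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(value, {"type": "", "certs": []})
        elif cur is not None and key == "Entry type":
            cur["type"] = value
        elif cur is not None and key == "Owner":
            owner = value
        elif cur is not None and key == "Issuer" and owner is not None:
            cur["certs"].append((owner, value))  # one pair per certificate
            owner = None
    return entries

def check_keystore(listing, required=("http", "consoleproxy")):
    """Return one finding per required alias that lacks a complete chain."""
    entries = parse_entries(listing)
    known = {o for e in entries.values() for o, _ in e["certs"]}
    findings = []
    for alias in required:
        entry = entries.get(alias)
        if not entry or entry["type"] != "PrivateKeyEntry" or not entry["certs"]:
            findings.append(f"{alias}: no key pair under this alias")
        elif entry["certs"][0][0] == entry["certs"][0][1]:
            findings.append(f"{alias}: still self-signed, CA reply not imported")
        elif entry["certs"][-1][1] not in known:
            findings.append(f"{alias}: issuer {entry['certs'][-1][1]} not in keystore")
    return findings
```

Feed it the text that `keytool -list -v` prints for the keystore; an empty result means both aliases chain up to a certificate that is present in the keystore.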