
It's confusing that the keystore generated by keytool contains a self-signed certificate, using the following command:

keytool -genkey -keyalg RSA -keysize 1024 -keystore bob.keystore

It doesn't make sense to generate self-signed certs, because you want a trusted CA to sign your cert request. How do I generate a non-self-signed keystore?


2 Answers


keytool -genkey is a dual operation: it generates a key pair and wraps it in a self-signed certificate. Having this self-signed certificate really is just a convenience, partly linked to the storage format, and it is only temporary if you want to use that key pair for a CA-issued certificate.

You'll need to extract the certificate request from that key pair, using the information you entered when using -genkey (this information ended up in the self-signed cert). Re-use the alias name you used with -genkey:

keytool -certreq -alias somename -file somename.csr -keystore mykeystore.jks

Send the CSR to your CA and, when you get the certificate back, re-import it against the same alias using keytool -importcert. This will overwrite the self-signed certificate that was generated initially. Beware that you may need to import the whole chain at once, if there are intermediate certificates, as described at the end of this answer.

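The round-trip described in this answer, as an added example that is not part of the original answer: the key pair is generated, a CSR is extracted under the same alias, a throwaway openssl CA (standing in for the real CA) signs it, and the reply is imported back over the placeholder self-signed certificate. The alias "bob", the keystore name, the DN and the password are constructed for the example; the final check reads the chain length keytool reports for the alias, which goes from 1 (self-signed) to 2 (CA-issued plus issuer).

```shell
#!/bin/sh
# Added example, not code from the answer: keytool genkeypair -> certreq -> importcert,
# with an openssl-made local CA standing in for the real CA. All names are constructed.
set -eu
for t in keytool openssl; do
  command -v "$t" >/dev/null 2>&1 || { echo "$t not installed; nothing to run" >&2; exit 0; }
done
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KS="$WORK/bob.keystore"; PASS=changeit   # constructed password, not for real use

# 1. keytool -genkeypair: key pair plus the placeholder self-signed certificate
gen_keypair() {
  keytool -genkeypair -alias bob -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=bob.example.test, O=Example" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
}

# 2. keytool -certreq against the SAME alias: the CSR carries that key and the -genkeypair DN
make_csr() {
  keytool -certreq -alias bob -file "$WORK/bob.csr" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
}

# Stand-in CA: this is the part a real CA does after receiving bob.csr
sign_with_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Local CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/bob.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/bob.pem" 2>/dev/null
}

# 3. Trust the issuer first, then import the reply under the same alias: keytool only
#    installs a reply it can chain to a trusted cert, and it replaces the self-signed cert.
import_reply() {
  keytool -importcert -noprompt -alias localca -file "$WORK/ca.pem" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
  keytool -importcert -noprompt -alias bob -file "$WORK/bob.pem" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
}

# Check: 1 means the alias still holds only the self-signed cert, 2 means CA-issued + issuer
chain_length() {
  keytool -list -v -alias bob -keystore "$KS" -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

gen_keypair && make_csr && sign_with_local_ca && import_reply
echo "chain length for alias bob: $(chain_length)"   # 2
```

With a real CA, replace sign_with_local_ca with sending bob.csr to the CA, and import the CA's intermediate(s) the same way as localca before importing the reply.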

Self-signed certs are valuable in many contexts, such as communications between instances of an application. It can be prohibitively expensive to pay a CA to sign certs in that situation.

If you want a recognized CA's signature, though, you will need to get your cert from the CA. You can't create a cert signed by a recognized CA simply by using keytool. Search with the search engine of your choice for "SSL certificate." Most certs are paid, like GeoTrust. Others, like StartSSL or the forthcoming LetsEncrypt, either are free or have a free option.
