my guess would be that "PrivateKeyEntry" is one entry containing both the private key as well as the certificate. "3A:13:..." is listed as "Certificate fingerprint" and would then refer to the fingerprint of the certificate, not of the key.
The certificate validation path shown in browsers is a combination of certificates they have installed, cached or received from the server. Without any more information, it is therefore hard to say it is actually incorrect.
My preferred way of debugging these situations is issuing the command
and looking at the output.
Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=predic8.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
is saying that the server identified itself using the key corresponding to certificate 0, and transmitted not only certificate 0, but also 1 and 2.
If the client trusts the signer of any certificate in the chain (e.g. has the "AddTrust External CA Root" certificate in its (client-side) CA store), validation can proceed.
These chains are a bit of a headache to setup in the JKS format. I once saw a very good Java GUI program which could be used to explore and setup keystores, although I forgot its name. I would try to start there.
Best, Tobias