Safari requires that Tomcat not send the root certificate, because it wants to use its own copy of the root from the browser.
Unknown Safari bug
Import the certificate with its intermediates, but leave out the -trustcacerts switch when importing.
keytool -import -alias tomcat -file cert.p7b -keystore [keystorename]
Keytool will then prompt with "... is not trusted. Install reply anyway? [no]:"
Type "y" and press Enter, and keytool should then say:
Certificate reply was installed in keystore
That means only the certificate and its intermediate will be in the chain, and all browsers will use the root they already have to build the chain and trust the certificate.
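To confirm the result described above, the following added example (not part of the original article) parses `keytool -list -v` output and reports any key entry whose chain still contains a self-signed certificate. The sample listing, its names and the function names are constructed for illustration, and comparing owner to issuer is a name-based heuristic.

```python
# Constructed, abridged `keytool -list -v` output; all names are made up.
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Alias name: oldtomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=old.example.test
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def key_entry_chains(listing):
    """Map each PrivateKeyEntry alias to its [(owner, issuer), ...] chain."""
    chains, alias, owner, keyed = {}, None, None, False
    for line in map(str.strip, listing.splitlines()):
        field, _, value = line.partition(": ")
        if field == "Alias name":
            alias, owner, keyed = value, None, False
        elif field == "Entry type":
            keyed = value == "PrivateKeyEntry"  # trusted-cert entries are not served
        elif field == "Owner":
            owner = value
        elif field == "Issuer" and keyed and owner is not None:
            chains.setdefault(alias, []).append((owner, value))
            owner = None
    return chains

def roots_in_chain(listing):
    """Map alias -> 1-based chain positions where owner == issuer (self-signed)."""
    hits = {}
    for alias, chain in key_entry_chains(listing).items():
        found = [n for n, (o, i) in enumerate(chain, 1) if o == i]
        if found:
            hits[alias] = found
    return hits

if __name__ == "__main__":
    print(roots_in_chain(SAMPLE))
```

Pass it the text produced by keytool -list -v -keystore [keystorename]; an empty result means no key entry carries a root in its chain.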