Use provided upload_cert.der to sign a release Android APK file

The .der file you uploaded to the Play Console (and that is also available for download in the App Signing page in the Play Console) does not contain the private key; it only contains the public key, so you won't be able to sign anything with it.

Only the keystore you created to generate your upload certificate contains the private key and must be used to sign your APKs (or App Bundles).

In other words, you shouldn't create another keystore after enrollment in Play Signing; you should use the keystore you created to generate the upload certificate to sign your future artifacts.

Hope that helps.
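
The distinction drawn in this answer can be read off keytool's own output. The following is an added example, not part of the original answer: it parses `keytool -list -v` and `keytool -printcert` text and reports whether an alias holds a private key whose certificate matches upload_cert.der. The function names, verdict strings and sample outputs (with placeholder fingerprints) are constructed for illustration.

```shell
# Added example: decide from keytool output whether a keystore alias can
# sign uploads for a given upload certificate.

# Entry type of the listed alias: PrivateKeyEntry holds a private key,
# trustedCertEntry is a bare certificate (what importing a .der creates).
entry_type() { sed -n 's/^Entry type: *//p' | head -n 1; }

# First SHA-256 certificate fingerprint in keytool output.
sha256_fp() { sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1; }

# verdict <keytool -list -v output> <keytool -printcert output>
verdict() {
    etype=$(printf '%s\n' "$1" | entry_type)
    ks_fp=$(printf '%s\n' "$1" | sha256_fp)
    cert_fp=$(printf '%s\n' "$2" | sha256_fp)
    if [ "$etype" != "PrivateKeyEntry" ]; then
        echo "no-private-key"      # nothing to sign with
    elif [ -z "$cert_fp" ] || [ "$ks_fp" != "$cert_fp" ]; then
        echo "wrong-key"           # a key, but not the one behind the cert
    else
        echo "ok"
    fi
}

# Real use; keytool asks for the store password.
# Arguments: <keystore> <alias> <certificate file>
check() {
    verdict "$(keytool -list -v -keystore "$1" -alias "$2")" \
            "$(keytool -printcert -file "$3")"
}

# Constructed sample outputs, trimmed; fingerprints are placeholders.
CERT_OUT='Certificate fingerprints:
     SHA256: AA:BB:CC:DD'
KEY_ENTRY='Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: AA:BB:CC:DD'
CERT_ONLY='Alias name: upload
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: AA:BB:CC:DD'
OTHER_KEY='Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA256: 11:22:33:44'

for s in "$KEY_ENTRY" "$CERT_ONLY" "$OTHER_KEY"; do verdict "$s" "$CERT_OUT"; done
```

Against real files, call `check upload-keystore.jks upload upload_cert.der`; only an `ok` verdict means the keystore can produce signatures that match the certificate.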

Author: Bojan Ilievski

Updated on June 28, 2022

Comments

  • Bojan Ilievski
    Bojan Ilievski almost 2 years

    I've just enrolled in the Google Play App Signing program, which required uploading an encrypted version of the release keystore and had an "optional" step for creating an upload keystore - optional is in quotes, because I think it should be a required step, but anyway, after a successful enrollment, I'm now left with an Upload certificate, which I should somehow use to sign my future app releases.

    What I've done so far: I created a new keystore from Android Studio, set the store and alias passwords and tried to import the upload_cert.der to the existing alias - failed:

    keytool -importcert -file upload_cert.der -alias upload -keystore upload-keystore.jks
    

    keytool error: java.lang.Exception: Public keys in reply and keystore don't match

    I've also tried to import the upload certificate without specifying an alias (or removing the existing alias and creating a new one), or with a different alias:

    keytool -importcert -file upload_cert.der -keystore upload-keystore.jks
    

    ...failed as well: ended up creating a new alias called mykey, which wasn't password protected and failed with the message:

    Caused by: java.lang.RuntimeException: com.android.ide.common.signing.KeytoolException: Failed to read key upload from store "/path/to/upload-keystore.jks": trusted certificate entries are not password-protected

    ...so naturally, I tried to set a password for the alias:

    keytool -keypasswd -alias upload -keystore upload-keystore.jks
    

    which failed as well with the message:

    keytool error: java.lang.Exception: Alias has no key

    ...and now I've run out of ideas.

    In the meantime, I've sent a question/request to Google Play Support to renew my upload key, but I'm hoping there is a solution to this situation (the support is kinda slow to reply), since the documentation doesn't imply in any way that generating an upload keystore and uploading the encrypted private key of that keystore is a requirement. So, either the documentation is vague/unclear/wrong, or there is a way to use the generated upload_cert.der. Any thoughts?

    Edit:

    Thanks to the answer and comment provided by Pierre, I realized that if you do not create/provide an upload key, your existing original signing key should be used, with the upload_cert.der. So, the only requirement would be to insert the upload certificate by running:

    keytool -importcert -file upload_cert.der -keystore original-signing-keystore.jks
    

    ...and you should be able to continue publishing your applications to the Play Store.

  • Bojan Ilievski
    Bojan Ilievski almost 6 years
    Yes, this helps to make things more clear, but unfortunately doesn't solve my issue. The problem is that I didn't create an upload keystore before enrolling, because at the time it was an "optional" step and Google just created the upload certificate themselves, which is not connected to a keystore that I ever owned. Hope this makes my question a bit more clear... I'm trying to figure out why this is allowed if it's not possible to use the auto-generated upload_cert.der.
  • Pierre
    Pierre almost 6 years
    If you didn't provide an upload certificate to Google Play when enrolling, then Play considers your signing key as your upload key, and you should keep uploading APKs/Bundles signed with the same original key. If you want to sign your uploaded artifacts with a different key, then you need to reset it by contacting the support team as you've done.
  • Bojan Ilievski
    Bojan Ilievski almost 6 years
    If that's the case, great, if I can still use my old signing key, it's an option... Thanks, I'll try it out and accept the answer if it works.