ALIAS
To answer your immediate question, the alias field should be a unique string to identify the key entry. This applies to all types such a trusted and intermediate.
Documentation
Keytool
KeyStore Aliases
All keystore entries (key and trusted certificate
entries) are accessed via unique aliases.
An alias is specified when you add an entity to the keystore using the
-genseckey command to generate a secret key, -genkeypair command to generate a key pair (public and private key) or the -importcert
command to add a certificate or certificate chain to the list of
trusted certificates. Subsequent keytool commands must use this same
alias to refer to the entity.
For example, suppose you use the alias duke to generate a new
public/private key pair and wrap the public key into a self-signed
certificate (see Certificate Chains) via the following command:
keytool -genkeypair -alias duke -keypass dukekeypasswd
This specifies an initial password of "dukekeypasswd" required by subsequent
commands to access the private key assocated with the alias duke. If
you later want to change duke's private key password, you use a
command like the following:
`keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass`
This changes the password from "dukekeypasswd" to "newpass".
Please note: A password should not actually be specified on a command line or
in a script unless it is for testing purposes, or you are on a secure
system. If you don't specify a required password option on a command
line, you will be prompted for it
Standards and Practices
I don't think there is any set naming standard and I'm sure you can talk to 10 different people and get 10 different answers. You just want it unique and logical.
The API and Oracle's Keytool don't do a great job of checking for duplicates which is a particular oversight in my opinion considering it's used to identify each entry in a key store.
The best way to resolve duplicates is to generate a new keystore, and add each entry from the old keystore to the new one with unique alias'. You can iterate over the keystore and use its timestamp to identify different certs in a store.