3.0.2 reached its EOL long ago, I'm not sure we can keep supporting it under Community Support, sorry. But, from the top of my head, here are the answers:
1. You need to add them to keystore as different Gluu component cross-talk to each other by accessing their APIs. and these requests pass through Apache front-end - and thus Apache's cert needs to be trusted by Java
2. If Apache's certificate isn't in the Java's store, and it's a, say, self-signed certificate, Java may refuse to establish SSL connection to Apache. If you'll be using a certificate signed by a proper trusted CA, you may not need this step - but I would still add it there, nevertheless, just in case. It's hard to recall for me how exactly everything was configured back in the days, it's been a while
3. Yes, you can update everything in one go, then start the services all at once
Hope this helps.