I'll answer my own question as it got worked out eventually.
It seems that the service-user+keystore package that I created in the lower environments didn't import properly into the Prod environment Author due to security checks.
In the end, I created the system user manually using crx/explorer/index.jsp in the Prod Author environment, uploaded the keystore file (from security/users.html), and made sure the /home/users/system/blah... directory was ticked for all permissions, including replication (useradmin).
Then I created an ACL Packager packer with the system user and its principal, built the package, and replicated it to the publish servers. This seemed to work OK; at least the keystore information showed up correctly when I viewed it from security/users.html.