By default the Android Development Tools use a self-signed certificate to sign binaries.
A keystore may be required that uses a third-party certificate issued by a trusted Certificate Authority to sign binaries.
To build one, create the keystore with the private key, issue a certificate request, have the CA sign the request and issue a certificate, import the CA certificate, and then import the issued certificate.
Google have a requirement that the certificate be valid for a minimum of 33 years.
If using an OpenSSL CA to sign the certificate, default_days may need to be raised in openssl.conf/openssl.cnf:
default_days = 10000 # how long to certify for
Create the keystore/private key
$ keytool -genkey -alias android.thether.net -keyalg RSA -keystore android.thether.net.jks -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: The Ether
What is the name of your organizational unit?
[Unknown]: Android
What is the name of your organization?
[Unknown]: thether.net
What is the name of your City or Locality?
[Unknown]: Perth
What is the name of your State or Province?
[Unknown]: WA
What is the two-letter country code for this unit?
[Unknown]: AU
Is CN=The Ether, OU=Android, O=thether.net, L=Perth, ST=WA, C=AU correct?
[no]: yes
Enter key password for <android.thether.net>
(RETURN if same as keystore password):
Creating the certificate request
$ keytool -certreq -alias android.thether.net -keystore android.thether.net.jks -file android.thether.net.csr
Enter keystore password:
Signing the certificate request (using an OpenSSL CA in this example)
$ openssl ca -out android.thether.net.cer -infiles android.thether.net.csr
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for .//private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4098 (0x1002)
Validity
Not Before: Jan 7 06:34:03 2013 GMT
Not After : Jan 1 06:34:03 2041 GMT
Subject:
countryName = AU
stateOrProvinceName = WA
organizationName = thether.net
organizationalUnitName = Android
commonName = The Ether
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
89:C6:7C:30:59:D8:F6:EF:34:5B:AE:7C:CE:4E:1F:DB:77:68:0A:7C
X509v3 Authority Key Identifier:
keyid:86:40:80:A0:EA:3D:BC:A6:02:6A:CB:11:44:51:64:99:C2:4E:6F:5F
Certificate is to be certified until Jan 1 06:34:03 2041 GMT (10221 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Import the trusted root CA certificate
$ keytool -import -keystore android.thether.net.jks -file cacert.pem -alias root
Enter keystore password:
Owner: EMAILADDRESS=support@thether.net, CN=ca.thether.net, O=thether.net, L=Perth, ST=WA, C=AU
Issuer: EMAILADDRESS=support@thether.net, CN=ca.thether.net, O=thether.net, L=Perth, ST=WA, C=AU
Serial number: 90cfa9d76c9d7096
Valid from: Mon Jan 07 07:28:33 WST 2013 until: Tue Jan 01 07:28:33 WST 2041
Certificate fingerprints:
MD5: DA:DB:3A:F4:07:FC:80:AE:98:98:87:3F:E3:9A:22:F3
SHA1: EA:C8:2D:70:64:70:6A:9E:69:E2:AD:67:7D:3C:AC:02:80:AC:50:A5
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 86 40 80 A0 EA 3D BC A6 02 6A CB 11 44 51 64 99 .@...=...j..DQd.
0010: C2 4E 6F 5F .No_
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 86 40 80 A0 EA 3D BC A6 02 6A CB 11 44 51 64 99 .@...=...j..DQd.
0010: C2 4E 6F 5F .No_
]
[EMAILADDRESS=support@thether.net, CN=ca.thether.net, O=thether.net, L=Perth, ST=WA, C=AU]
SerialNumber: [ 90cfa9d7 6c9d7096]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Import the issued certificate
$ keytool -import -keystore android.thether.net.jks -file android.thether.net.cer -alias android.thether.net
Enter keystore password:
keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
keytool rejects the file because openssl ca writes the certificate in PEM form preceded by the human-readable certificate details shown above, which keytool does not parse; converting it to DER with openssl x509 gives a file keytool accepts:
uniform:Signing jamie$ mv android.thether.net.cer android.thether.net.pem
uniform:Signing jamie$ openssl x509 -outform der -in android.thether.net.pem -out android.thether.net.cer
uniform:Signing jamie$ keytool -import -keystore android.thether.net.jks -file android.thether.net.cer -alias android.thether.net
Enter keystore password:
Certificate reply was installed in keystore
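As an added example (not code from the original post), this Python script does what the mv and openssl x509 -outform der steps above do: it skips the human-readable details openssl ca prints before the PEM block, decodes the block to DER, and checks the outer SEQUENCE length before writing a .cer file for keytool. The sample input is constructed, and its base64 encodes a minimal DER SEQUENCE rather than a real certificate.

```python
import base64
import re
import sys

# Matches the PEM block and captures its base64 body; any text before the
# BEGIN line (the details openssl ca prints) is simply skipped.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for an openssl ca output file: printed details
# followed by a PEM block.  The base64 encodes 30 03 02 01 05, a minimal
# DER SEQUENCE, not a real certificate.
OPENSSL_CA_OUTPUT = """Certificate:
    Data:
        Serial Number: 4098 (0x1002)
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def der_length(der: bytes) -> int:
    """Return header+content length of the outer DER SEQUENCE, so a
    truncated or padded file is rejected instead of handed to keytool."""
    if len(der) < 2 or der[0] != 0x30:            # 0x30 = SEQUENCE tag
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    nbytes = first & 0x7F                          # long form: N length bytes
    if nbytes == 0 or len(der) < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def pem_to_der(text: str) -> bytes:
    """Extract the first PEM certificate from text and return it as DER."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der_length(der) != len(der):
        raise ValueError("DER length does not match decoded size")
    return der


if __name__ == "__main__":                         # usage: pem2der.py in.pem out.cer
    with open(sys.argv[1]) as f:
        der = pem_to_der(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(der)
```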
This certificate can now be used in the Eclipse ADT environment:
- Select the project in the Package Explorer
- Select File | Export
- Select Android | Export Android Application and click Next
- Confirm the project and click Next
- Specify the location of the keystore created above and the keystore password, and click Next
- Select the appropriate certificate, enter the password for the private key, and click Next
- Click Finish to complete the export.