How to create a keystore with a third party certificate for Android .APK signing


By default the Android Development Tools use a self-signed certificate to sign binaries.

A keystore may be required that uses third party certificates issued by a trusted Certificate Authority to sign binaries.


The keystore must be created with the private key; then a certificate request is issued, a CA signs the request and issues a certificate, the CA certificate is imported, and finally the issued certificate is imported.

Google have a requirement that the certificate be valid for a minimum of 33 years.

If using an OpenSSL CA to sign the certificate, the default validity (in days) may need to be updated in openssl.conf/openssl.cnf:
default_days    = 10000                 # how long to certify for

Create the keystore/private key
$ keytool -genkey -alias -keyalg RSA -keystore -keysize 2048 -validity 10000
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  The Ether        
What is the name of your organizational unit?
  [Unknown]:  Android
What is the name of your organization?
What is the name of your City or Locality?
  [Unknown]:  Perth
What is the name of your State or Province?
  [Unknown]:  WA
What is the two-letter country code for this unit?
  [Unknown]:  AU
Is CN=The Ether, OU=Android,, L=Perth, ST=WA, C=AU correct?
  [no]:  yes

Enter key password for <>
	(RETURN if same as keystore password):  

Creating the certificate request
$ keytool -certreq -alias -keystore -file
Enter keystore password:  

Signing the certificate request (using openssl CA in this example)
$ openssl ca -out -infiles
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for .//private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4098 (0x1002)
            Not Before: Jan  7 06:34:03 2013 GMT
            Not After : Jan  1 06:34:03 2041 GMT
            countryName               = AU
            stateOrProvinceName       = WA
            organizationName          =
            organizationalUnitName    = Android
            commonName                = The Ether
        X509v3 extensions:
            X509v3 Basic Constraints: 
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

Certificate is to be certified until Jan  1 06:34:03 2041 GMT (10221 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Import the trusted root CA certificate
$ keytool -import -keystore -file cacert.pem -alias root
Enter keystore password:  
Owner:,,, L=Perth, ST=WA, C=AU
Issuer:,,, L=Perth, ST=WA, C=AU
Serial number: 90cfa9d76c9d7096
Valid from: Mon Jan 07 07:28:33 WST 2013 until: Tue Jan 01 07:28:33 WST 2041
Certificate fingerprints:
	 MD5:  DA:DB:3A:F4:07:FC:80:AE:98:98:87:3F:E3:9A:22:F3
	 SHA1: EA:C8:2D:70:64:70:6A:9E:69:E2:AD:67:7D:3C:AC:02:80:AC:50:A5
	 Signature algorithm name: SHA1withRSA
	 Version: 3


#1: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 86 40 80 A0 EA 3D BC A6   02 6A CB 11 44 51 64 99  .@...=...j..DQd.
0010: C2 4E 6F 5F                                        .No_

#2: ObjectId: Criticality=false

#3: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 86 40 80 A0 EA 3D BC A6   02 6A CB 11 44 51 64 99  .@...=...j..DQd.
0010: C2 4E 6F 5F                                        .No_

[,,, L=Perth, ST=WA, C=AU]
SerialNumber: [    90cfa9d7 6c9d7096]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Import the issued certificate
$ keytool -import -keystore -file -alias
Enter keystore password:  
keytool error: invalid DER-encoded certificate data
uniform:Signing jamie$ mv
uniform:Signing jamie$ openssl x509 -outform der -in -out
uniform:Signing jamie$ keytool -import -keystore -file -alias
Enter keystore password:  
Certificate reply was installed in keystore
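The whole keystore, request, sign, import sequence above as a single script, added here as an example and not part of the original page. It assumes keytool (from a JDK) and openssl are on the PATH and that an OpenSSL CA with its cacert.pem already exists in the directory named by CA_DIR; the keystore name, alias and CA directory are placeholders. The extract_pem helper addresses the "invalid DER-encoded certificate data" error seen above: by default openssl ca writes a human-readable text dump of the certificate ahead of the PEM block in its -out file, and older keytool versions reject that file. Trimming the preamble is an alternative to the DER conversion used on the page.

```shell
#!/bin/sh
# Added example: end-to-end keystore -> CSR -> CA-signed certificate -> import.
# Assumptions (not from the original page): keytool and openssl on PATH, an
# OpenSSL CA in $CA_DIR containing cacert.pem, placeholder names below.
set -e

KEYSTORE="${KEYSTORE:-release.keystore}"   # placeholder keystore file
ALIAS="${ALIAS:-release}"                   # placeholder key alias
CA_DIR="${CA_DIR:-./demoCA}"                # placeholder OpenSSL CA directory
VALIDITY_DAYS=10000                         # same value the page passes to -validity

# 1. Create the keystore and the RSA private key (interactive DN prompts).
gen_key() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity "$VALIDITY_DAYS" -keystore "$KEYSTORE"
}

# 2. Produce a certificate request for the key.
make_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -file "$ALIAS.csr"
}

# 3. Sign the request with the OpenSSL CA. Passing -days explicitly means the
#    validity does not depend on default_days in openssl.cnf.
sign_csr() {
    openssl ca -days "$VALIDITY_DAYS" -out "$ALIAS.crt" -infiles "$ALIAS.csr"
}

# Keep only the PEM block of a file. `openssl ca -out` prepends a text dump of
# the certificate (unless -notext is given); keytool may reject that file with
# "invalid DER-encoded certificate data". Pure sed, so it runs without openssl.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# 4. Import the CA certificate as a trusted root.
import_root() {
    keytool -import -trustcacerts -alias root \
        -file "$CA_DIR/cacert.pem" -keystore "$KEYSTORE"
}

# 5. Import the issued certificate as the reply for the alias. Because the
#    alias already holds the private key, keytool installs it as a chain rather
#    than as a separate trusted certificate.
import_reply() {
    extract_pem "$ALIAS.crt" > "$ALIAS.pem"
    keytool -import -alias "$ALIAS" -file "$ALIAS.pem" -keystore "$KEYSTORE"
}

# Check: after the reply is installed the alias should carry a chain of
# length 2 (issued certificate plus CA), not the original self-signed one.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" \
        | sed -n 's/^Certificate chain length: //p'
}

# Only run the full flow when invoked as `sh thisscript.sh run`, so the file
# can also be sourced for its helpers.
case "${1:-}" in
    run)
        gen_key
        make_csr
        sign_csr
        import_root
        import_reply
        echo "certificate chain length for $ALIAS: $(chain_length)"
        ;;
esac
```

Run it with `sh sign-keystore.sh run` from the directory that holds the OpenSSL CA; the chain length printed at the end is the quick confirmation that the reply was matched to the private key rather than imported as an unrelated trusted certificate.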

This certificate can now be used in the Eclipse ADT environment:

- Select the project in the Package Explorer
- Select File | Export
- Select Android | Export Android Application and click Next
- Confirm the project and click Next
- Specify the location of the keystore created above and the keystore password, then click Next
- Select the appropriate certificate, enter the password for the private key, and click Next
- Click Finish to complete the export.



Google Android (any)

Created: 7th January 2013
Updated: 7th January 2013

© 2005-2024 Jamie Morrison