How to create a keystore file for Android development using the command line environment

TL;DR: Run keytool -genkey -alias MyReleaseKeyAlias1 -keystore mykeystore.pfx -storetype PKCS12 -keyalg RSA -validity 1095 -keysize 2048 and respond to the prompts to generate a keystore file which is good for 1095 days (3 years).

Even the long answer is pretty straightforward 🙂 I am using a Linux environment, Ubuntu 18.04.

You may need to install the JDK. Make sure that JDK version 8 is installed (if the JDK is already installed, this command will not do any harm, so you need not be afraid to run it):

sudo apt-get install openjdk-8-jdk

Next, create a directory for your keystore, and go into it. For example,

mkdir ~/AndroidKeystores
cd ~/AndroidKeystores/

(The tilde ~/ is a shorthand for your home directory, for example /home/fullstackdev.)

Finally, generate the keystore by using keytool

keytool -genkey -v -keystore my.keystore -alias MyReleaseKeyAlias1 -keyalg RSA -keysize 2048 -validity 1095

You will have to answer a few, fairly straightforward, questions. In my example, below, I just made up some silly answers; you should use your own information instead. But you can also make up anything – as long as you are just using the keystore for development work, it doesn’t matter what you use.

keytool -genkey -v -keystore my.keystore -alias MyReleaseKeyAlias1 -keyalg RSA -keysize 2048 -validity 1095
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Full Stack Dev
What is the name of your organizational unit?
  [Unknown]:  Full Stack Oasis
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  Whitehorse Ledge
What is the name of your State or Province?
  [Unknown]:  New Hampshire
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Full Stack Dev, OU=Full Stack Oasis, O=Unknown, L=Whitehorse Ledge, ST=New Hampshire, C=US correct?
    [no]:  yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,095 days
	for: CN=Full Stack Dev, OU=Full Stack Oasis, O=Unknown, L=Whitehorse Ledge, ST=New Hampshire, C=US
Enter key password for <MyReleaseKeyAlias1>
	(RETURN if same as keystore password):  
Re-enter new password: 
[Storing my.keystore]

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore my.keystore -destkeystore my.keystore -deststoretype pkcs12".

Now, notice that the output tells me that JKS is proprietary. So let’s use the recommended solution:

keytool -importkeystore -srckeystore my.keystore -destkeystore my.keystore -deststoretype pkcs12

Here’s the output:

Enter source keystore password:  
Entry for alias myreleasekeyalias1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "my.keystore" to Non JKS/JCEKS. The JKS keystore is backed up as "my.keystore.old".

Since I migrated the key to PKCS12, I might as well have created the key that way, too. Here’s how that’s done:

keytool -genkey -alias MyReleaseKeyAlias1 -keystore mykeystore.pfx -storetype PKCS12 -keyalg RSA -validity 1095 -keysize 2048
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Full Stack Dev
What is the name of your organizational unit?
  [Unknown]:  Full Stack Oasis
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  Whitehorse Ledge
What is the name of your State or Province?
  [Unknown]:  NH
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Full Stack Dev, OU=Full Stack Oasis, O=Unknown, L=Whitehorse Ledge, ST=NH, C=US correct?
    [no]:  yes

I did the same thing this time as I did before. But now I’ve generated a PKCS12 keystore, and got no complaints from keytool. Now I can use the output keystore file, mykeystore.pfx, for signing Android apps. Task complete!

Here’s one last hint. If you build your Android APK using gradlew, make sure that you delete your release build APK prior to rebuilding, if the only thing you’ve changed is the keystore file. Gradle will only build your APK if it sees a change in the source, and your keystore file is not in your source code. So Gradle won’t rebuild when you’ve only changed the keystore, unless the APK is gone. You may be fooled into thinking that the APK was built, until you notice that the timestamp on your APK is old. This happened to me 🙂

If you found this interesting, click the subscribe button below! I write a new post about once a week.

Leave a Reply

Your email address will not be published. Required fields are marked *