Skip to main content
Version: Early Access

Android Signing Requirements

To sign an Android app using either the Admin Portal or signing package, you need:

  • A private key pair stored in a Java keystore (JKS).
    • To sign an Android app with the Portal, you need to provide the private key in PKCS (Personal Information Exchange File) #12 format with a .p12 extension.

An Android app must be signed with a certificate that is paired with a private key. Android uses the certificate to identify the author of an app and to establish trust relationships between applications. Unlike with an iOS app, the certificate does not need to be signed by a CA. It is typical for an Android app to use a self-signed certificate. Also, there is no need for a provisioning profile or other mechanism to control who can install the app.

A suitable private key meets this criteria:

  • Is in your possession.
  • Represents the personal, corporate, or organizational entity to be identified with the application.
  • Has a validity period that exceeds the expected lifespan of the application or application suite. Google recommends a validity period of more than 25 years.
  • Is not the debug key generated by the Android SDK tools.

For general information on signing Android applications, including more detailed instructions on using Keytool, see the Android documentation.

Create a Keystore to Store the Private Key

Before you can create a keystore, you must ensure that the Keytool utility is installed on your computer.

Keytool is installed with both the Java Runtime Environment (JRE) and Java Development Kit (JDK) packages. The JDK includes the JRE, so you do not have to install both. If you do not have either of these installed, you can download the JRE (the smaller package) from the following link: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155

To generate a private key and store it in a JKS

  1. On your computer, open a terminal or command window.

  2. Type the following command. Text in bold indicates variables that you must replace.

    keytool -genkey -v -keystore **filename.keystore** -alias **aliasname** -keyalg RSA -keysize 2048 -validity``** ofdays

    Where:

    filename.keystoreThe name of the keystore that will be created.
    aliasnameThe alias for the private key. Only the first eight characters of the alias are used.
    #ofdaysThe validity period for the key, in days. A value of 10000 (27.4 years) or greater is recommended.
info

Keytool prompts you to provide passwords for the keystore and key, and to provide information for the Distinguished Name fields for your key. Note that different store and key passwords are not supported for PKCS12 keystores, so you should enter RETURN when prompted to enter a separate key password (the last prompt); this will direct keytool to use the same password for both the keystore and the key.

Example:

`$ keytool -genkey -v -keystore myjks.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000`

`Enter keystore password:  `**`topsecret`**
`Re-enter new password: `**`topsecret`**

`What is your first and last name?`
`  [Unknown]:  `**`Michael Harrison`**

`What is the name of your organizational unit?`
`  [Unknown]:  `**`Engineering`**

`What is the name of your organization?`
`  [Unknown]:  `**`Example Company`**

`What is the name of your City or Locality?`
`  [Unknown]:  `**`Boston`**

`What is the name of your State or Province?`
`  [Unknown]:  `**`MA`**

`What is the two-letter country code for this unit?`
`  [Unknown]:  `**`US`**

`Is CN=Michael Harrison, OU=Engineering, O=Example Company, L=Boston, ST=MA, C=US correct?`
`  [no]:  `**`Yes`**

`Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days`

`    for: CN=Michael Harrison, OU=Engineering, O=Example Company, L=Boston, ST=MA, C=US`

`Enter key password for <myalias>`
`  (RETURN if same as keystore password):  `

`[Storing myjks.keystore]`

Back to Top

Import a Java Keystore to a PKCS #12 File

Before you can complete the following procedure, you must:

  • Ensure that you have a private key stored in a Java keystore. For instructions, see the procedure above.
  • Ensure that the Keytool utility is installed on your computer. Keytool is installed with both the Java Runtime Environment (JRE) and Java Development Kit (JDK) packages.

To import a JKS to a PKCS #12 file

  1. On your computer, open a terminal or command window.

  2. Type the following command. The arguments highlighted in blue specify information about the Java keystore. The arguments highlighted in green create the .p12 file. Text in bold indicate variables that you must replace.

keytool -importkeystore -srckeystore filename.keystore -srcstoretype jks -srcstorepass password -srcalias aliasname -destkeystore filename.p12 -deststoretype pkcs12 -deststorepass password

Where:

-srckeystore filename.keystoreThe location of the original keystore.
-srcstoretype jksThe type of keystore you are importing. JKS is the default.
-srcstorepass passwordThe password for the keystore.
-srcalias aliasnameThe alias of the certificate/key pair you want to import to the .p12 file.
destkeystore filename.p12The destination and file name of the file you are creating. Be sure to include a .p12 extension.
-deststoretype pkcs12The format in which the file will be created. This must be set to pkcs12.
-deststorepass passwordA password for the .p12 file you are creating. It must be at least 6 characters.

Example:

keytool -importkeystore -srckeystore myjks.keystore -srcstoretype jks -srcstorepass topsecret -srcalias myalias -destkeystore mycert.p12 -deststoretype pkcs12 -deststorepass topsecret

Back to Top