How to import x509.pem pk8 file into jks-keystore?

Fang's answer is correct, but was lacking explanation. I had to figure out a couple things to make sense of it, and although I'm not 100% sure of everything I derived from my experience, I'm pretty sure it could help people, so here goes.

Beforehand, make sure you have openssl and keytool installed and added to your PATH, otherwise the commands won't work, of course.

openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out platform.priv.pem -nocrypt

This will generate a file, "platform.priv.pem", from your pk8 file.

openssl pkcs12 -export -in platform.x509.pem -inkey platform.priv.pem -out platform.pk12 -name {{KEY_ALIAS}}

This will generate a "platform.pk12" file using both your "platform.x509.pem" file and the previously generated "platform.priv.pem". The key alias is a String value you provide; it can be anything you want, but you'll need to remember it.

After entering this command, you will be prompted for a password (and a password confirmation). You will be defining this password yourself. It will be your "key password", and, of course, you'll need to remember it too.

keytool -importkeystore -destkeystore {{STORE_FILE_NAME}}.jks -srckeystore platform.pk12 -srcstoretype PKCS12 -srcstorepass {{KEY_PASSWORD}} -alias {{KEY_ALIAS}}

The final command will actually do one of two things:

  • if the specified jks file already exists, it will import (or override if it exists) the key with the given alias
  • if the file doesn't exist yet, it will create a brand new jks file, and import your key with the given alias

Anyway, the command takes in the previously defined key password and key alias.

Once the command is entered, you will be prompted for the store password. If it's an already existing JKS file, you will have to give the already existing JKS store password.

Otherwise, if it is a new JKS, you define a new password. Remember the value you give it.

At the end of the day, you have defined 4 values:

  1. key alias
  2. key password
  3. store password
  4. store file name

And that's exactly what your Android project's Gradle file will need to sign your APK.

File: [Android Project Root]/app/build.gradle

[...]
android {
    [...]
    signingConfigs {
        release {
            storeFile file("{{STORE_FILE_PATH*}}/{{STORE_FILE_NAME}}.jks")
            storePassword "{{STORE_PASSWORD}}"
            keyAlias "{{KEY_ALIAS}}"
            keyPassword "{{KEY_PASSWORD}}"
        }
    }
    [...]
}
[...]

* : the JKS file should probably be placed within your project, for versioning, but also for simplicity. Provide the relative path from your build.gradle location.

Hope this helps!


openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out platform.priv.pem -nocrypt

openssl pkcs12 -export -in platform.x509.pem -inkey platform.priv.pem -out platform.pk12 -name android

keytool -importkeystore -destkeystore platform.jks -srckeystore platform.pk12 -srcstoretype PKCS12 -srcstorepass android -alias android
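The three commands above as one script, added here as an example and not taken from either answer: it reads the passwords from the environment instead of the command line, keeps the unencrypted PEM key in a temporary directory that is deleted on exit, and then checks that the certificate stored under the alias is the one from platform.x509.pem. The variable names KEY_PASSWORD and STORE_PASSWORD, the `run` argument and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: passwords come from the environment (KEY_PASSWORD,
# STORE_PASSWORD), never from argv, where `ps` and shell history expose them.
# Helper names, the "run" argument and the variable names are assumptions.
set -eu

# Reduce "...Fingerprint=AA:BB..." or "SHA256: AA:BB..." to bare upper-case hex.
# Only a 32-byte (SHA-256) digest matches; shorter digests yield an empty string.
normalize_fp() {
  grep -Eio '([0-9a-f]{2}:){31}[0-9a-f]{2}' | head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

import_and_verify() {
  alias_name=$1 store=$2
  : "${KEY_PASSWORD:?set KEY_PASSWORD}" "${STORE_PASSWORD:?set STORE_PASSWORD}"
  umask 077                                  # key material: owner-only files
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT                  # drop the plaintext key on exit

  openssl pkcs8 -in platform.pk8 -inform DER -outform PEM \
    -out "$tmp/platform.priv.pem" -nocrypt
  openssl pkcs12 -export -in platform.x509.pem -inkey "$tmp/platform.priv.pem" \
    -out "$tmp/platform.pk12" -name "$alias_name" -passout env:KEY_PASSWORD
  keytool -importkeystore -destkeystore "$store" \
    -srckeystore "$tmp/platform.pk12" -srcstoretype PKCS12 \
    -srcstorepass:env KEY_PASSWORD -deststorepass:env STORE_PASSWORD \
    -alias "$alias_name"

  # Compare the SHA-256 fingerprint of the input certificate with the entry.
  want=$(openssl x509 -in platform.x509.pem -noout -fingerprint -sha256 | normalize_fp)
  got=$(keytool -list -v -keystore "$store" -storepass:env STORE_PASSWORD \
          -alias "$alias_name" | normalize_fp)
  if [ -n "$want" ] && [ "$want" = "$got" ]; then
    echo "OK: '$alias_name' in $store matches platform.x509.pem"
  else
    echo "MISMATCH: '$alias_name' in $store is not platform.x509.pem" >&2
    return 1
  fi
}

# Usage: KEY_PASSWORD=... STORE_PASSWORD=... ./import.sh run <alias> <store.jks>
if [ "${1:-}" = "run" ]; then
  import_and_verify "$2" "$3"
fi
```
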
