1

I'm trying to switch my existing app to app signing by Google Play. There is a post with great instructions for those who use a keystore file: How to enable Google Play App Signing

My problem is that instead of a keystore I only have a .p12 file that I have not been able to import into a keystore file (long story).

The first step for using app signing by Google Play is "Export your app signing private key to a plaintext PEM file." I did that and now I have a plaintext PEM file derived from my original .p12. From Google's instructions it seems that they only need the PEM file with my private key, not a keystore file.

My question is: how do I use the pepk tool to create the encrypted app signing private key that Google requires from the PEM file?

user1566515

2 Answers

3

Oracle has written complete instructions on converting PEM to keystore. It also covers p12. This will probably do what you want.

Unfortunately it isn't very findable by search engines as they call it "JKS" rather than keystore.

In short:

Convert the certificate from PEM to PKCS12, using the following command:

openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem

You may ignore the warning message this command issues. Enter and repeat the export password.

Create and then delete an empty truststore using the following commands:

keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
keytool -delete -alias endeca -keystore truststore.ks

The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: 
What is the name of your organizational unit?
[Unknown]:  
What is the name of your organization?
[Unknown]:  
What is the name of your City or Locality?
[Unknown]: 
What is the name of your State or Province?
[Unknown]: 
What is the two-letter country code for this unit?
[Unknown]: 
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <endeca>
      (RETURN if same as keystore password):
Re-enter new password:

Import the CA into the truststore, using the following command:

keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks

Enter the keystore password. At the prompt, "Trust this certificate?" type yes.

Create an empty Java KeyStore, using the following commands:

keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
keytool -delete -alias endeca -keystore keystore.ks

The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: 
What is the name of your organizational unit?
[Unknown]:  
What is the name of your organization?
[Unknown]:  
What is the name of your City or Locality?
[Unknown]: 
What is the name of your State or Province?
[Unknown]: 
What is the two-letter country code for this unit?
[Unknown]: 
Is CN="Unknown", OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Import your private key into the empty JKS, using the following command:

keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
Nick Fortescue
  • Thank you Nick! I'm going to try this in a few days and will report on how it works out. – user1566515 Jun 07 '18 at 03:32
  • This saved my ass on an ancient app circa 2012 I was trying to update. Hardest part for me was remembering the password for my p12 cert – jmichas Apr 04 '22 at 13:39
0

Thanks Nick, this worked perfectly. With the created keystore.ks I was able to use the pepk jar command. As an extension for anybody who runs into the same problem: the pepk jar wants an "alias" as a parameter. To get the alias out of your keystore.ks you can use the following command:

keytool -v  -list  -keystore keystore.ks

This will return the information stored in your .ks file. You can see the property Alias name there. In my case the value was simply 1 because the original .p12 file didn't have an alias.

So my final pepk command looked like this:

java -jar pepk.jar --keystore=keystore.ks --alias=1 --output=encrypted_private_key_path --encryptionkey=SomeKeyWhichIsDisplayedInThePlayConsoleWindow
Stefan Habacher
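An added example (not from either answer): packaging the PEM key and certificate into PKCS12 with an explicit friendlyName, so the keytool import gives a predictable alias instead of 1, and checking that the certificate fingerprint is unchanged before the key goes to pepk. It uses only openssl; the file names, the alias upload and the password are constructed values.

```shell
#!/usr/bin/env bash
# Added example; file names, alias "upload" and password are constructed values.

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_p12 KEY.pem CERT.pem OUT.p12 ALIAS PASSWORD
# -name stores a friendlyName, which keytool reads as the entry's alias.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -name "$4" -passout "pass:$5"
}

# p12_alias FILE.p12 PASSWORD -> friendlyName of the certificate entry
# (empty when the file has none, the case that produced alias "1" above).
p12_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_fp FILE.p12 PASSWORD -> SHA-256 fingerprint of the certificate inside.
p12_fp() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
  local tmp; tmp=$(mktemp -d)
  # Throwaway self-signed key pair standing in for the real signing key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  make_p12 "$tmp/key.pem" "$tmp/cert.pem" "$tmp/app.p12" upload changeit
  echo "alias: $(p12_alias "$tmp/app.p12" changeit)"
  if [ "$(cert_fp "$tmp/cert.pem")" = "$(p12_fp "$tmp/app.p12" changeit)" ]; then
    echo "certificate unchanged after packaging"
  else
    echo "fingerprint mismatch: do not upload this key" >&2
  fi
  rm -rf "$tmp"  # key.pem is an unencrypted private key; never leave it on disk
}
demo
```

The resulting app.p12 can then go through the keytool -importkeystore step from the first answer, and the alias passed to pepk is the one set with -name.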