When building Android apps or other Java-based applications, you'll often need a keystore to sign your release builds. The JDK ships a command-line utility called keytool that creates key pairs, manages certificates, and exports the public certificate without ever exposing the private key.
In this post, we’ll walk through two common commands:
- Generating a new RSA key pair and storing it in a keystore
- Exporting the public certificate in PEM format for upload to third-party services
No magic, no shortcuts. Just the essentials, explained clearly.
Prerequisites
Before you start, make sure you have:
- Java JDK installed (Java 8 or newer)
- Access to a terminal or command prompt
- Basic familiarity with command-line tools
You can verify keytool is available by running:
keytool -help
If you see help output, you’re good to go.
Step 1: Generate a Release Keystore and Key Pair
The first command creates a new keystore file and generates an RSA key pair inside it.
keytool -genkeypair \
-v \
-keystore my-release-key.jks \
-keyalg RSA \
-keysize 2048 \
-validity 10000 \
-alias sample-key-alias
What This Command Does
Let’s break it down piece by piece.
- -genkeypair: Generates a public and private key pair and wraps the public key in a self-signed X.509 certificate.
- -v: Enables verbose output so you can see what's happening.
- -keystore my-release-key.jks: Creates (or updates) a keystore file named my-release-key.jks.
- -keyalg RSA: Generates an RSA key pair, which every signing tool, including Android's apksigner, supports.
- -keysize 2048: Sets the key length to 2048 bits, the current minimum recommended size.
- -validity 10000: Makes the certificate valid for 10,000 days (about 27 years). Android's guidance is a validity of at least 25 years so the key outlives the app.
- -alias sample-key-alias: Assigns a name to the key entry inside the keystore; you'll reference it in every later command.
Interactive Prompts
During execution, you’ll be asked to:
- Set a keystore password
- Confirm the password
- Enter certificate details (name, organization, country, etc.)
- Set a key password (press Return to reuse the keystore password; on Java 9 and newer the default keystore type is PKCS12, which does not support a key password that differs from the keystore password)
These values form the certificate's subject (its Distinguished Name). Because the certificate is self-signed, nothing verifies them, but Play Console and other services display them, so use real, accurate details.
Once completed, you’ll have a keystore file that contains your private signing key.
Step 2: Export the Public Certificate (PEM Format)
Many services, such as Google Play App Signing, CI pipelines, or backend verification systems, require only the public certificate, not your private key.
This command exports the public certificate from the keystore; keytool will prompt for the keystore password.
keytool -export -rfc \
-keystore my-release-key.jks \
-alias sample-key-alias \
-file upload_certificate.pem
What This Command Does
- -export: Exports the certificate associated with the alias (-exportcert is the current spelling; -export still works as an alias).
- -rfc: Outputs the certificate in PEM format (Base64-encoded DER between BEGIN CERTIFICATE and END CERTIFICATE headers) instead of binary DER.
- -keystore my-release-key.jks: Uses the keystore you created earlier.
- -alias sample-key-alias: Specifies which key's certificate to export.
- -file upload_certificate.pem: Writes the certificate to a file named upload_certificate.pem.
This file contains only the public key and its self-signed certificate, never the private key, so it is safe to share when required.
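The two steps above as one non-interactive script, added here as an example that is not part of the original post. It assumes a POSIX shell and a JDK 8 or newer on the PATH; the file names, alias, certificate subject (-dname) and the demo password are assumptions you should replace. Beyond the page's own commands it adds two checks a practitioner wants before uploading: that the exported file holds a certificate and no private key, and that its SHA-256 fingerprint matches the entry in the keystore.

```shell
#!/bin/sh
# Added example (not from the original post): the two keytool steps run
# non-interactively, plus a check that the exported file is really a public
# certificate and matches the key in the keystore. KS, ALIAS, PEM, the -dname
# subject and the demo password are assumptions; replace them for real use.
set -eu

KS="${KS:-my-release-key.jks}"
ALIAS="${ALIAS:-sample-key-alias}"
PEM="${PEM:-upload_certificate.pem}"
# The password is read from the environment so it never appears on the
# command line (visible in `ps` and shell history). The default is demo-only.
export KS_PASS="${KS_PASS:-change-me-demo-password}"

# Step 1: create the keystore and RSA key pair without interactive prompts.
# -dname supplies the certificate subject keytool would otherwise ask for;
# -storepass:env / -keypass:env read the password from the named variable.
# The signature algorithm is set explicitly rather than left to the JDK default.
make_keystore() {
    keytool -genkeypair -v \
        -keystore "$KS" \
        -storepass:env KS_PASS \
        -keypass:env KS_PASS \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 10000 \
        -alias "$ALIAS" \
        -dname "CN=Example App, OU=Mobile, O=Example Ltd, L=London, C=GB"
}

# Step 2: export the public certificate for the alias in PEM form.
# -exportcert is the current spelling; -export is the older alias.
export_cert() {
    keytool -exportcert -rfc \
        -keystore "$KS" \
        -storepass:env KS_PASS \
        -alias "$ALIAS" \
        -file "$PEM"
}

# Guard before uploading: the file must contain a CERTIFICATE block and
# nothing resembling a private key.
check_pem_is_public() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$PEM" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$PEM" || return 1
    ! grep -q 'PRIVATE KEY' "$PEM"
}

# The SHA-256 certificate fingerprint is what keytool -list -v and the Play
# Console display; the exported file must carry the same value as the keystore.
fingerprint_of_pem() {
    keytool -printcert -file "$PEM" | sed -n 's/^[[:space:]]*SHA256: //p'
}
fingerprint_in_keystore() {
    keytool -list -v -keystore "$KS" -storepass:env KS_PASS -alias "$ALIAS" \
        | sed -n 's/^[[:space:]]*SHA256: //p'
}

# Runs both steps from scratch and fails (non-zero) if any check does not hold.
run_all() {
    rm -f "$KS" "$PEM"
    make_keystore
    export_cert
    check_pem_is_public
    pem_fp="$(fingerprint_of_pem)"
    ks_fp="$(fingerprint_in_keystore)"
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$ks_fp" ]
}
```

Run it with KS_PASS exported from your shell or a CI secret manager; keytool's -storepass:env form reads the password from the variable, so it is never an argument that other processes can see. A fingerprint mismatch means the PEM came from a different alias or keystore than the one you are about to sign with.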
Important Security Notes
- Never share your .jks keystore file or private key
- Store the keystore and passwords in a secure location
- Back up your keystore. Losing it can permanently prevent app updates (if Play App Signing holds the app signing key, a lost upload key can be reset through the Play Console, but a lost app signing key cannot)
- Use environment variables or secret managers in CI systems rather than hard-coding passwords in scripts
If someone gets your private key, they can sign apps or artifacts as you.
Common Use Cases
These commands are typically used for:
- Signing Android release builds
- Uploading certificates to Google Play App Signing
- Signing JAR files and other Java artifacts with jarsigner
- Verifying signed artifacts in CI/CD pipelines
They’re foundational tools, and once set up correctly, you won’t need to touch them often.