Create Android Keystores

This guide explains how to create and manage Android keystores for signing your applications. Learn about the differences between JKS and PKCS#12 formats, and how to generate keystores using the keytool command-line utility.

Understanding JKS vs PKCS#12

In Java 8 and earlier, the default keystore type was JKS. In Java 9 and later, it is PKCS#12.

JKS (Java KeyStore) uses a separate password for the key stored under the alias:

  • The Keystore Password (-storepass) protects the entire file.
  • The Key Password (-keypass) protects the private key stored under an alias.

PKCS#12 (.p12 or .pfx) is an industry standard. However, Java tools enforce the following:

  • The password used to protect the entire file must be the same as the password used to protect the private key entry.

Creating a Keystore (CLI)

To ensure consistent behavior, explicitly specify the desired store type using the -storetype option.

Create a JKS file

keytool -genkeypair -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 20000 -alias my-alias -storetype JKS

Create a PKCS#12 file

keytool -genkeypair -v -keystore my-release-key.p12 -keyalg RSA -keysize 2048 -validity 20000 -alias my-alias -storetype PKCS12

Verifying Keystore Type

⚠️ Caution: The file extension is just a label. Use the keytool -list command to check reliably:

keytool -list -v -keystore <your-keystore-file>
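
A quick pre-check of the file's leading bytes, shown here as an added example that is not part of the original guide. The function names are hypothetical, and the PKCS#12 match is a heuristic (any DER-encoded file starts with the same byte), so keytool -list remains the confirmation.

```shell
#!/bin/sh
# Added example: classify a keystore by its leading bytes, not its extension.
# Magic values: JKS = FEEDFEED, JCEKS = CECECECE. PKCS#12 is DER-encoded and
# starts with an ASN.1 SEQUENCE tag (0x30), so that match is only a heuristic.

keystore_type() {
    # Read the first four bytes as lowercase hex, e.g. "feedfeed".
    magic=$(od -An -tx1 -N4 2>/dev/null < "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Type implied by the file name, for comparison with the detected type.
extension_type() {
    case "$1" in
        *.jks)       echo JKS ;;
        *.p12|*.pfx) echo PKCS12 ;;
        *)           echo UNKNOWN ;;
    esac
}

# Prints "OK <type>", "MISMATCH <implied> <actual>" or "UNKNOWN <file>";
# returns non-zero on a mismatch or unrecognised content.
check_keystore() {
    actual=$(keystore_type "$1")
    implied=$(extension_type "$1")
    if [ "$actual" = UNKNOWN ]; then
        echo "UNKNOWN $1"
        return 2
    fi
    if [ "$implied" != UNKNOWN ] && [ "$implied" != "$actual" ]; then
        echo "MISMATCH $implied $actual"
        return 1
    fi
    echo "OK $actual"
}

# Check every file given on the command line.
for f in "$@"; do
    check_keystore "$f"
done
```

A MISMATCH result means the -storetype a build script passes for that file should follow the detected type rather than the file name.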

Advanced: keytool -genkeypair parameters

The keytool -genkeypair command creates a new public/private keypair and stores it in a keystore under an alias. Here's what the common flags mean.

Core flags

  • -genkeypair: Generate a key pair (modern replacement for older -genkey).
  • -v: Verbose output (shows details while creating/listing entries).
  • -keystore <file>: Path to the keystore file to create/update.
  • -alias <name>: Entry name inside the keystore (how build tools reference the key).

Crypto and validity

  • -keyalg RSA: Key algorithm (RSA is common for Android signing).
  • -keysize 2048: Key size in bits (2048 is a typical baseline).
  • -validity 20000: Certificate validity in days (≈ 54.8 years).

Store format (JKS vs PKCS#12)

  • -storetype JKS: Creates a Java KeyStore file (historical default in Java 8 and earlier).
  • -storetype PKCS12: Creates a PKCS#12 keystore (.p12/.pfx; default in Java 9+).

Tip: With PKCS#12, Java tooling expects the keystore password and key password to match.