> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Java KeyStore

> Step-by-step guide to generate keys and certificates in CryptoHub and import them into a Java keystore.

This section demonstrates how to use CryptoHub to create a private key and an Android APK signing certificate for use with the Java Keystore. Finally, the `keytool` utility will be used to list the signing certificate, confirming that the private key and certificate were successfully imported into the keystore.

These steps ensure that you can use APKSigner and the self-certificate to sign an APK file in the next section.

Perform the following tasks to create a CA for the Android APK Signing key pair:

1. Create a new X.509 certificate container.
2. Generate a new key pair for the Android APK Signing client.
3. Create an approval group for APK signing.
4. Add an issuance policy to the Android APK Signing client certificate.

## Create a certificate container

Perform the following steps to create a new X.509 certificate container:

<Steps>
  <Step>
    Open the CryptoHub web dashboard in a browser.
  </Step>

  <Step>
    Log in under dual-control using the administrator identities.
  </Step>

  <Step>
    Select **PKI and CA** on the left hand side > **Certificate Management**.
  </Step>

  <Step>
    Select **\[ Add CA ]** at the bottom of the page or right-click anywhere in the window and select **Add CA**.
  </Step>

  <Step>
    In the pop-up menu, specify the following information for the Certificate Container:

    * **Name**: Enter **Android APK Signer**.
    * **Host**: Select **None**.
    * **Type**: Select **X.509**.
    * **Owner group**: In the drop-down menu, select the role automatically created for the Android APK Signer service you deployed.
  </Step>

  <Step>
    Select **\[ OK ]**.
  </Step>
</Steps>

## Generate a key pair

Perform the following steps to generate a new key pair for the Android APK signing client:

<Steps>
  <Step>
    Right-click the X.509 certificate container you created and select **Add Certificate** > **New Certificate**.
  </Step>

  <Step>
    In the **Subject DN** tab of the certificate creation wizard, select the **Classic** **Preset** in the drop-down menu and specify `apksignerdemo` as the **Common Name** for the certificate.
  </Step>

  <Step>
    In the **Basic Info** tab, you can leave the values set to the defaults.
  </Step>

  <Step>
    In the **V3 Extensions** tab, do not change the default value of **None** in the **Profile** drop-down list.
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the Android APK Signing client key pair.
  </Step>
</Steps>

## Create an approval group

Perform the following steps to create an approval group for PKI signing:

<Steps>
  <Step>
    On the **PKI and CA** page, select **PKI Signing Approvals** at the top
  </Step>

  <Step>
    Select **\[ Add Approval Group ]** at the bottom of the page or right-click anywhere in the window and select **Add Approval Group**.
  </Step>

  <Step>
    Specify `Android APK Signer` as the **Name** for the approval group and select **\[ OK ]**.
  </Step>

  <Step>
    Right-click the newly created approval group and select **Permission**.
  </Step>

  <Step>
    In the first drop-down list, select the role automatically created for the Android APK Signer service you deployed, and select **\[ Add ]**.
  </Step>

  <Step>
    In the **Permission** drop-down menu for the Android APK Signer role, select the **Use** permission.
  </Step>

  <Step>
    Select **\[ Save ]**.
  </Step>
</Steps>

## Add an issuance policy

Perform the following steps to add an issuance policy to the Android APK Signing client certificate:

<Steps>
  <Step>
    On the **PKI and CA** page, select **Certificate Management** at the top
  </Step>

  <Step>
    Expand the **Android APK Signer** certificate container view by selecting the plus (+) icon next to it.
  </Step>

  <Step>
    Right-click the **apksignerdemo** certificate and select **Issuance Policy** > **Add**.
  </Step>

  <Step>
    In the **Basic Info** tab, configure the following settings:

    * **Approvals**: Select **0**. The *Zero approval policy requires Anonymous Signing, which will be enabled in a future step.*
    * **Allowed hashes**: Select **SHA1** and **SHA-256**.
  </Step>

  <Step>
    In the **X.509** tab, set the **Default approval group** to **Android APK Signer**.
  </Step>

  <Step>
    In the **Object Signing** tab, select the **Allow object signing** checkbox.
  </Step>

  <Step>
    Select **\[ OK ]** to apply the Issuance Policy to the **apksignerdemo** client certificate.
  </Step>

  <Step>
    Right-click the **apksignerdemo** certificate and select **Change Security Usage**.
  </Step>

  <Step>
    In the **Security Usage** drop-down menu, select **Anonymous Signing**.
  </Step>

  <Step>
    Select **\[ OK ]** to apply the change.
  </Step>
</Steps>

## Verifying the Private Key and Certificate in the Java Keystore

<Note>
  The `keytool` application is included in the JDK installation, so you can run the `keytool` command in this section with no additional configuration.
</Note>

In a terminal of the device that will be signing APKs, run the following command:

```shell expandable lines wrap title="Shell" theme={null}
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
```

When prompted for the keystore password, enter the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file.

<Check>
  If the command succeeds, you should see an output similar to the following:

  ```none expandable lines wrap title="None" theme={null}
  Keystore type: PKCS11
  Keystore provider: SunPKCS11-Futurex

  Your keystore contains 1 entry

  Android APK Signer:apksignerdemo:C, PrivateKeyEntry, 
  Certificate fingerprint (SHA-256): 31:25:8E:83:D8:D9:DA:A3:03:33:E8:1B:27:29:B8:E4:B4:24:18:1E:17:7C:A0:CE:6A:3D:C0:E3:D1:97:71:0D
  ```

  Important: Take note of the title (in this example, `Android APK Signer:apksignerdemo:C`) of the entry as that will be needed for the signing command in the next section.
</Check>
