Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

This section shows how to use the Java keytool commands to generate a new key pair on the Vectera Plus, create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java keystore. These steps ensure that you can use APKSigner and the signed certificate to sign an APK file in the next section.
The JDK 8 installation includes the keytool application, so you can run the keytool commands in this section with no additional configuration.

Generate a key pair and certificate

Perform the following steps to generate a server key pair and self-signed certificate:
1
Execute the following command:
The -alias field sets a name to identify the key pair and certificate to be generated. It can be any name (for example, apksignerdemo).
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias apksignerdemo -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
When prompted, answer questions about the server certificate shown in the following example and enter the keystore password, which all keytool and jarsigner commands use moving forward:
None
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes

Generate and export a CSR

Perform the following steps to generate and export a CSR:
1
To generate and export a CSR, run the following command:
Shell
keytool -certreq -alias apksignerdemo -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the keystore password.
3
Get the CSR signed by a CA, either third-party or internal.
After it is signed, the server certificate returned by the CA is imported along with the CA certificate.

Import a CA root certificate

Perform the following steps to import a CA root certificate:
1
To import the CA root certificate, run the following command:
Shell
keytool -import -trustcacerts -alias apksignerdemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the keystore password.
3
When prompted to trust the certificate, enter Yes.
Shell
Trust this certificate?
[no]: yes

Certificate was added to keystore.

Import a server certificate

Perform the following steps to import a server certificate signed by a CA:
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias KeytoolDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the keystore password.
If the command succeeds, you should see an output similar to the following:Certificate reply was installed in keystore.