Create Java KeyStore

5min
This section shows how to use the Java keytool commands to generate a new key pair on the , create a Certificate Signing Request (CSR), issue a certificate through an internal or external CA, and import the signed certificate and its accompanying CA certificate into a Java keystore.
These steps ensure that you can use APKSigner and the signed certificate to sign an APK file in the next section.
The keytool application is included in the JDK installation, so you can run the keytool commands in this section with no additional configuration.
Generate a key pair and certificate
Perform the following steps to generate a server key pair and self-signed certificate:
1
Execute the following command:
Text
keytool -genkeypair -keyalg RSA -keysize 2048 -alias apksignerdemo -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -genkeypair -keyalg RSA -keysize 2048 -alias apksignerdemo -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
The -alias field sets a name to identify the key pair and certificate to be generated. It can be any name (for example, apksignerdemo).
2
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
3
When prompted, answer questions about the server certificate shown in the following example, which all keytool and jarsigner commands moving forward use:
Text
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
﻿
Generate and export a CSR
Perform the following steps to generate and export a Certificate Signing Request (CSR):
1
To generate and export a CSR, run the following command:
Text
keytool -certreq -alias apksignerdemo -file example.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -certreq -alias apksignerdemo -file example.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
3
Get the CSR signed by a CA, either third-party or internal.
After it is signed, the server certificate returned by the CA is imported along with the CA certificate.
Import a certificate
Perform the following steps to import a CA root certificate:
1
To import the CA root certificate, run the following command:
Text
keytool -import -trustcacerts -alias apksignerdemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -import -trustcacerts -alias apksignerdemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
3
When prompted to trust the certificate, enter Yes.
Text
Trust this certificate?
[no]: yes

Certificate was added to keystore.
Trust this certificate?
[no]: yes

Certificate was added to keystore.
﻿
Import a signed certificate
Perform the following steps to import a server certificate signed by a CA:
1
To import the signed server certificate, run the following command:
Text
keytool -importcert -alias KeytoolDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -importcert -alias KeytoolDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
If the command succeeds, you should see an output similar to the following:
 Certificate reply was installed in keystore.
﻿
Configure SunPKCS11 to use the Futurex PKCS11 Module
Sign APKs with Android APKSigner by using Futurex PKCS #11