Generating a Self-Signed Certificate Using the Keytool

The keytool utility manages a database of private keys and their corresponding X.509 certificates (a standard for digital certificates). This utility ships with the JRE and resides under the JRE bin directory.


In this section, we'll show you how to generate a keystore with a single entry, which you'll later use to sign an Android .apk file. To generate a keystore entry, do the following:

1. Create a folder to hold the keystore at c:\android\release\.

2. Open a command window to the JRE bin directory and execute the keytool utility with the parameters shown in Listing 7-1.

Listing 7-1. Generating a Keystore Entry Using the Keytool

keytool -genkey -v -keystore c:\android\release\release.keystore -alias androidbook -storepass paxxword -keypass paxxword -keyalg RSA -validity 14000

All of the arguments passed to the keytool are summarized in Table 7-1.

Table 7-1. Arguments Passed to the Keytool

Argument     Description
-genkey      Tells the keytool to generate a public/private key pair.
-v           Tells the keytool to emit verbose output during key generation.
-keystore    Path to the keystore database (in this case, a file).
-alias       A unique name for the keystore entry. The alias is used later to refer to the keystore
-storepass   The password for the keystore.
-keypass     The password used to access the private key.
-keyalg      The algorithm.
-validity    The validity period.

The keytool will prompt you for the passwords listed in Table 7-1 if you do not provide them on the command line. The command in Listing 7-1 will generate a keystore database at c:\android\release\. The database will be a file named release.keystore. The validity of the entry will be 14,000 days (or approximately 38 years)—which is a long time from now. You should understand the reason for this. The Android documentation recommends that you specify a validity period long enough to surpass the entire lifespan of the application, which will include many updates to the application. It recommends that the validity be at least 25 years. Moreover, if you plan to publish the application on Android Market (http://www., your certificate will need to be valid through October 22, 2033.

Going back to the keytool, the argument alias is a unique name given to the entry in the keystore database; you can later use this name to refer to the entry. When you run the keytool command in Listing 7-1, keytool will ask you a few questions (see Figure 7-1) and then generate the keystore database and entry.

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Java\jre1.6.0_07\bin>keytool -genkey -v -keystore c:\android\release\release.keystore -alias androidbook -storepass paxxword -keypass paxxword -keyalg RSA -validity 14000
What is your first and last name?
  [Unknown]:  sayed
What is the name of your organisational unit?
  [Unknown]:  IT
What is the name of your organisation?
  [Unknown]:  sayedhashimi
What is the name of your City or Locality?
  [Unknown]:  Jacksonville
What is the name of your State or Province?
  [Unknown]:  FL
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=sayed, OU=IT, O=sayedhashimi, L=Jacksonville, ST=FL, C=US correct?
  [no]:  yes

Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 14,000 days
        for: CN=sayed, OU=IT, O=sayedhashimi, L=Jacksonville, ST=FL, C=US
[Storing c:\android\release\release.keystore]

Figure 7-1. Additional questions asked by the keytool
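
Before signing with the new entry, it is worth confirming what the keystore actually contains. The following is an added example, not code from the original text: a small Java check that loads the keystore, confirms the alias holds a private key, verifies that the certificate stays valid through October 22, 2033, and reports the signature algorithm and RSA key size. The class name, the 2,048-bit minimum, and the use of Java 8 or later are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;

public class CheckReleaseKeystore {
    // The text requires validity through October 22, 2033 (checked in UTC).
    static final Instant CUTOFF = LocalDate.of(2033, 10, 23).atStartOfDay(ZoneOffset.UTC).toInstant();
    // Assumption, not from the text: smallest RSA modulus this check accepts.
    static final int MIN_RSA_BITS = 2048;
    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (from a console): java CheckReleaseKeystore <keystore> <alias>");
            System.exit(2);
        }
        // Prompt for the store password instead of passing it as an argument.
        char[] storePass = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // throws on a wrong password or a tampered file
        }
        if (!ks.isKeyEntry(args[1])) {
            System.err.println("FAIL: no private-key entry under alias " + args[1]);
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        boolean ok = true;
        Instant notAfter = cert.getNotAfter().toInstant();
        System.out.println("Signature: " + cert.getSigAlgName());
        System.out.println("Not after: " + notAfter);
        if (notAfter.isBefore(CUTOFF)) {
            System.out.println("FAIL: certificate expires before the end of 2033-10-22");
            ok = false;
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA bits:  " + bits);
            if (bits < MIN_RSA_BITS) {
                System.out.println("FAIL: RSA key is shorter than " + MIN_RSA_BITS + " bits");
                ok = false;
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as java CheckReleaseKeystore c:\android\release\release.keystore androidbook. Against the entry shown in Figure 7-1 it passes the validity check and flags the 1,024-bit key.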

Now you have a digital certificate that you can use to sign your .apk file. To sign an .apk file with the certificate, you use the jarsigner tool. Here's how to do that.
