• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
1

How to move .p12 to a .keystore?

Engaged ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

Does anyone know how to move (convert?) .p12 to a .keystore? I'm migrating an app to Unity and Google Play requires existing apps to be signed with the same credentials. Thanks!

TOPICS
Development

Views

3.4K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Explorer , Jun 10, 2018 Jun 10, 2018

>My .p12 was created in 2012.

Use portecle to create a jks from your p12

Enroll in Google Key Signing and follow the instructions in the Play Developer Console - ie use pepk.jar to extract a pem from your new jks - and get a new upload key from Google for app signing on your side.

Although Google specify RSA2048 minimum they have a workaround in place to support legacy keys if you're enrolling an existing app for updates rather than creating a new key/app.

Simon

Votes

Translate

Translate
LEGEND ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

I don't know the exact command, but keytool is most likely what you'll need:

Java Keytool Commands

You have a different problem though, in that the app id starts with air. currently. You could perhaps use the same app id in Unity, but a different approach would be to do an update to the AIR app, that promotes the upcoming improved version. People would then buy your Unity app as a new game, with its own app id and certificate.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

I did try keytool. When attempting to do anything with my .p12, it throws this error:

keytool error: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): Redundant length bytes found

java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): Redundant length bytes found

        at sun.security.x509.X509CertImpl.<init>(Unknown Source)

        at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)

        at java.security.cert.CertificateFactory.generateCertificate(Unknown Source)

        at sun.security.pkcs12.PKCS12KeyStore.loadSafeContents(Unknown Source)

        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)

        at java.security.KeyStore.load(Unknown Source)

        at sun.security.tools.keytool.Main.doCommands(Unknown Source)

        at sun.security.tools.keytool.Main.run(Unknown Source)

        at sun.security.tools.keytool.Main.main(Unknown Source)

Caused by: java.io.IOException: DerInputStream.getLength(): Redundant length bytes found

        at sun.security.util.DerInputStream.getLength(Unknown Source)

        at sun.security.util.DerValue.<init>(Unknown Source)

        at sun.security.util.DerInputStream.getDerValue(Unknown Source)

        at sun.security.x509.X509CertImpl.parse(Unknown Source)

        ... 9 more

I found several discussions on how to deal with it, none seems to be conclusive. There's also an option to sign up for Google managing keys. Hopefully it will accept this .p12.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

What was the line you typed, that led to the errors?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

keytool -v -list -storetype pkcs12 -keystore myfile.p12

or

keytool -v -importkeystore -srckeystore myfile.p12 -srcstoretype PKCS12 -destkeystore yourcertificate.jks -deststoretype JKS

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

I tried that second line, and it seemed to work. I ended up with a .jks file. I had done a cd to get into the folder where the p12 was, then pasted the line you gave, and changed the source p12 name. It asked for a password for the new file, then asked for the password for the p12, and it then made the file.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 06, 2018 Jun 06, 2018

Copy link to clipboard

Copied

My .p12 was created in 2012. I suspect the error that I'm getting is related to some incompatibility between JDK 8 and whatever old JDK that was used in 2012. Did you run your test with a relatively new .p12?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 10, 2018 Jun 10, 2018

Copy link to clipboard

Copied

>My .p12 was created in 2012.

Use portecle to create a jks from your p12

Enroll in Google Key Signing and follow the instructions in the Play Developer Console - ie use pepk.jar to extract a pem from your new jks - and get a new upload key from Google for app signing on your side.

Although Google specify RSA2048 minimum they have a workaround in place to support legacy keys if you're enrolling an existing app for updates rather than creating a new key/app.

Simon

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 11, 2018 Jun 11, 2018

Copy link to clipboard

Copied

Thank you Simon for the suggestion! I have converted the .p12 file into .jks and tried to use it with pepk.jar. Entered both passwords and then got

Error: Cannot recover key.

Tried the same with a .p12 created in 2017. No errors. But I need to use the 2012 .p12 Any ideas?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 11, 2018 Jun 11, 2018

Copy link to clipboard

Copied

>But I need to use the 2012 .p12  Any ideas?

Are you doing this?

Open the p12 in portecle

Go to tools | change keystore type - to jks

You should get a warning along lines of 'current keystore doesn't support key pairs....password is reset to 'password'

Save it as something.jks

Then use that with pepk.jar to extract/encrypt the pem for Google.

If that's not working, can you post the output of the keystore report after you change the type

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 11, 2018 Jun 11, 2018

Copy link to clipboard

Copied

Yes, that's what I did. The error appears at the last stage (when using pepk.jar).

Here is the keystore report:

keystore.PNG

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jun 11, 2018 Jun 11, 2018

Copy link to clipboard

Copied

Looks OK - are you using 'password' as the key password - the second one that pepk.jar asks for. (The first keystore password will be whatever you originally set)

Otherwise I'm at a loss unfortunately - sorry.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Jun 19, 2018 Jun 19, 2018

Copy link to clipboard

Copied

LATEST

Thanks again Simon. Your instructions were correct. Tried again and was able to get the pem file.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Advocate ,
Jun 05, 2018 Jun 05, 2018

Copy link to clipboard

Copied

I'm not aware of Google play having changed their policy on app signing, good for you if it's the case. If it's not the case it's not the credentials that must remain the same but the certificate itself (the physical file). In that case I'm not sure a conversion will work but of course you can give it a try.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines