Choosing keystore


For my android app which connects to a letsencrypt-enabled website, I need a keystore file in order to generate a signed APK.

I actually need the following things

Key store password
Key alias
Key password

What should I do? I already have obtained some pem files.


After searching the web and gathering some information, I ran the following commands

# cd /etc/letsencrypt/live/DOMAIN/
# cat *.pem > fullcert.pem
# openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

That will create the keystore file “keystore.jks”. The default alias is “1”. That can be verified by

# keytool -v -list -keystore keystore.jks

Hope that helps others too.


I’m not sure exactly what this is used for or why it’s required, but it might be good to check documentation (or perform some tests) to confirm whether this needs to be changed when the site’s Let’s Encrypt certificate changes. Remember that Let’s Encrypt certificates are only valid for 90 days and are usually replaced after 60 days, so if the certificate is hard-coded in some way in the app, the app might need to be updated that frequently as well.

I hadn’t heard of the requirement to hard-code certificates in apps this way, so it might be good to find out whether there’s some alternative to this. I don’t believe that most Android apps that connect to an API endpoint (for example) over HTTPS contain hard-coded certificates of this kind.