Certificate generation in Android page is too weak (SOLVED)

Google Play now allows you to reset your signing cert for uploading, with them optionally managing the release certs. If you opt into this feature, you contact them with a new certificate in case you lose yours.

I was testing this reset process - only took 1 day to get a reply from them. Here is what they said based on a pem generated with the steps listed in the docs here https://www.defold.com/manuals/android/

$ openssl genrsa -out key.pem 1024
$ openssl req -new -key key.pem -out request.pem
$ openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
$ openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt

I think just changing the 1024 to 2048 in the instructions would be enough?

3 Likes

Yes, changing from 1024 to 2048 should be enough. Ping @sicher.

Thanks! Fixed.

3 Likes

Here is what the update e-mail from Google looks like after you do send a correct certificate:

Hello,
We received a request to reset your upload key for _. The new upload key will become valid on Dec 20, 2017 at 8:56 PM GMT. Until the new upload key becomes valid, you can’t upload any new APKs.

New upload certificate fingerprints:
MD5: 85:AB:6C:8C:DF:BD:91:11:1C:08:B8:16:8D:53:4B:FD
SHA1: 3C:91:F8:23:BA:AC:BF:2E:D6:D9:2A:0E:55:16:60:B3:3E:7B:8E:E4

If you didn’t request a reset, let us know.

Sincerely,
The Google Play team

So apparently once a certificate is accepted it takes ~2 days for it to be usable for uploading new APKs. 3-4 business days for the whole process, assuming a correct certificate is sent in the first place.

2 Likes
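A pre-flight check for the certificate before it is sent in, as an added example that is not part of the original thread or the Defold docs: it reads the key size from certificate.pem-style files, rejects anything below the 2048 bits the thread settled on, and prints the MD5 and SHA1 fingerprints in the form used in the e-mail above so they can be compared. The function names and the throwaway sample certificates are assumptions made for illustration, and the check assumes RSA keys as in the commands above.

```shell
#!/bin/sh
# Added example (not from the thread): check an upload certificate before sending it.

# Print the public key size in bits of a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print one fingerprint (md5 or sha1), colon-separated as in the Google Play e-mail.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//'
}

# Return 0 if the key has at least MIN_BITS (default 2048), 1 if it is too small,
# 2 if the key size could not be read.
check_upload_cert() {
    cert=$1
    min_bits=${2:-2048}
    bits=$(cert_key_bits "$cert")
    if [ -z "$bits" ]; then
        echo "could not read key size from $cert" >&2
        return 2
    fi
    echo "key size: $bits bit"
    echo "MD5:  $(cert_fingerprint "$cert" md5)"
    echo "SHA1: $(cert_fingerprint "$cert" sha1)"
    if [ "$bits" -lt "$min_bits" ]; then
        echo "REJECT: key is below $min_bits bits" >&2
        return 1
    fi
    echo "OK"
}

# Constructed sample input: throwaway self-signed certificate with a BITS-bit RSA key.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj "/CN=sample" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert 1024 "$tmp/weak.pem"
make_sample_cert 2048 "$tmp/ok.pem"
check_upload_cert "$tmp/weak.pem" || echo "weak.pem failed the check"
check_upload_cert "$tmp/ok.pem"
rm -rf "$tmp"
```

On a real project, call `check_upload_cert certificate.pem` on the file produced by the `openssl x509 -req` step and compare the printed fingerprints with the ones in the reset confirmation.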