How to convert Unity Keystore to PK8 format?

Dev diaries
#1

Hello,

When your team is porting game to another engine / technology, it will always encounter some difficulty. One of them is certification. As you can guess, not all game engines / applications use the same certificate format. In our scenario, Unity Game Engine use *.keystore format, but Defold Engine require *.PK8 and *.PEM. How to extract it from the *.keystore file?

Before we start we need to get the tools below:
(a) OpenSSL’s homepage and OpenSSL
(b) KeyStore Explorer

Once you’ve installed everything correctly, we can go through the format conversion.

STEP 1: Inport UNITY KEYSTORE in KeyStore Explorer
In KeyStore Explorer, you can easily import Unity Keystore. When importing, just enter the password you signed the key.

STEP 2: Convert UNITY KEYSTORE to PKCS12
The imported key will appear in the list. With the right mouse button you can export it to PCKS12. You will be prompted again to enter the password for which you have signed the key.

STEP 3: Open Terminal
Next, using openssl we will convert the keys. You will need to have OpenSSL installed. It works on either Windows, Mac OS X or Linux.

STEP 4: Convert PKCS12 to PEM
openssl pkcs12 -in path.p12 -passin pass:password -out certificatename.pem

  • The -in option specifies file to read the key
  • The -passin option specifies password protecting the source
  • The -out option specifies file to save the result. The default output format is PEM.

STEP 5: Convert PEM to PKCS8
openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8

Excellently! We managed to get the keys that we can sign our application. If you have any questions, feel free to ask.

University of Games Team

12 Likes
How do I get a private key and certificate for a release?
PPReader - library for reading Unity PlayerPrefs file as a Lua table
#2

Why so complicated? You can export the key as PKCS#8 directly from KeyStore Explorer:

Right click on the key entry, select “Export Private Key”, confirm PKCS#8 format and in the dialog with the export options uncheck “Encrypt” and make sure that “PEM” is checked. That’s it.

2 Likes
#3

What’s the KeyStore Explorer? I’m assuming this: http://keystore-explorer.org/ ?

1 Like
#4

Yes, the link is in the first post.

1 Like
#5

@kai.kramer This is also an option, however we can not upload *.apk file to Google Developer Console :wink: That’s why we do it another way.

Also, It is good to mention that this *.keystore file was created in Unity 4.

#6

@universityofgames Okay, but you understand what my point is? You can do the conversion to PKCS#8 with KeyStore Explorer alone instead of using both KeyStore Explorer and OpenSSL. And you can do it in two steps instead of five.

Basically your instructions are:

  1. Open keystore in KeyStore Explorer
  2. Export to PKCS#12 with KeyStore Explorer
  3. to 5. Use OpenSSL to convert PKCS#12 to PKCS#8

You can shorten this to:

  1. Open keystore in KeyStore Explorer
  2. Export to PKCS#8 with KeyStore Explorer

Sorry if I’m being annoying. :smiley:

3 Likes
#7

Adding here the Keystore explorer detailed parameters to export the certificate PEM and the key PK8 as i had an hard time finding the correct combination

Import the java/android/jks keystore in Keystore explorer

PEM
Right click the key and select export certificate chain
Export length: entire chain
Format: X.509
PEM: checked

PK8:
Right click the key and select export private key
Type: PKCS8
Encrypt: NOT checked
PEM: NOT checked
Change save extension to PK8

BEWARE: the key saved this way is NOT encrypted, that is, no password neeeded to use it if someone gets access to it

2 Likes