How to import x509.pem pk8 file into jks-keystore?

3

16

I have already tried to use the command

keytool -import -keystore *.jks -alias alias_name -keypass alias_passwd -file *.x509.pem (no *.pk8 file)

but when I use the jks to sign the APK, a

trusted certificate entries are not password-protected

error occurs.

Lockman answered 23/9, 2016 at 9:52 Comment(0)
23
openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out platform.priv.pem -nocrypt

openssl pkcs12 -export -in platform.x509.pem -inkey platform.priv.pem -out platform.pk12 -name android

keytool -importkeystore -destkeystore platform.jks -srckeystore platform.pk12 -srcstoretype PKCS12 -srcstorepass android -alias android
Lockman answered 20/10, 2016 at 4:1 Comment(2)
There's also a shell script available to do this in Linux: github.com/getfatday/keytool-importkeypair/blob/master/… - Untruth
Please read How to Answer and edit your answer to contain an explanation as to why this code would actually solve the problem at hand. Always remember that you're not only solving the problem, but are also educating the OP and any future readers of this post. - Match
12

Fang's answer is correct, but was lacking explanation. I had to figure out a couple things to make sense of it, and although I'm not 100% sure of everything I derived from my experience, I'm pretty sure it could help people, so here goes.

Beforehand, make sure you have openssl and keytool installed and added to your PATH, otherwise the commands won't work, of course.

openssl pkcs8 -in platform.pk8 -inform DER -outform PEM -out platform.priv.pem -nocrypt

This will generate a file, "platform.priv.pem", from your pk8 file.

openssl pkcs12 -export -in platform.x509.pem -inkey platform.priv.pem -out platform.pk12 -name {{KEY_ALIAS}}

This will generate a "platform.pk12" file using both your "platform.x509.pem" file and the previously generated "platform.priv.pem". The key alias is a String value you provide; it can be anything you want, but you'll need to remember it.

After entering this command, you will be prompted for a password (and a password confirmation). You will be defining this password yourself. It will be your "key password", and, of course, you'll need to remember it too.

keytool -importkeystore -destkeystore {{STORE_FILE_NAME}}.jks -srckeystore platform.pk12 -srcstoretype PKCS12 -srcstorepass {{KEY_PASSWORD}} -alias {{KEY_ALIAS}}

The final command will actually do one of two things :

  • if the specified jks file already exists, it will import (or override if it exists) the key with the given alias
  • if the file doesn't exist yet, it will create a brand new jks file, and import your key with the given alias

Anyway, the command takes in the previously defined key password and key alias.

Once the command is entered, you will be prompted for the store password. If it's an already existing JKS file, you will have to give the already existing JKS store password.

Otherwise, if it is a new JKS, you define a new password. Remember the value you give it.

At the end of the day, you have defined 4 values :

  1. key alias
  2. key password
  3. store password
  4. store file name

And that's exactly what your Android project's Gradle file will need to sign your APK:

File : [Android Project Root]/app/build.gradle

[...]
android {
    [...]
    signingConfigs {
        release {
            storeFile file("{{STORE_FILE_PATH*}}/{{STORE_FILE_NAME}}.jks")
            storePassword "{{STORE_PASSWORD}}"
            keyAlias "{{KEY_ALIAS}}"
            keyPassword "{{KEY_PASSWORD}}"
        }
    }
    [...]
}
[...]

* : the JKS file should probably be placed within your project, for versioning, but also for simplicity. Provide the relative path from your build.gradle location.

Ridicule answered 3/10, 2019 at 8:56 Comment(2)
I am getting keytool error: java.lang.Exception: Alias <xxxx> does not exist after the 3rd step - Kuwait
Faced the error Algorithm HmacPBESHA256 not available during signing apk when '*jks' was generated by keytool not from AOSP. - Streusel
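
Added example, not part of any answer on this page: the three commands above wrapped in a POSIX shell function that keeps the unencrypted key in an owner-only temporary directory, passes the password through an environment variable instead of the command line, and confirms the result is a PrivateKeyEntry rather than the trustedCertEntry behind the error in the question. The function name import_keypair and the variable KS_PASS are assumptions of this example; one password is used for the PKCS#12 file, the key and the store.

```shell
#!/bin/sh
# Added example, not from the answers above. Assumed names: import_keypair, KS_PASS.
# Export KS_PASS (from a prompt or secret store), then:
#   import_keypair platform.pk8 platform.x509.pem android platform.jks
import_keypair() (
    pk8=$1 cert=$2 alias=$3 dest=$4
    # The password is read from the environment, so it is never an argument
    # on the openssl or keytool command line.
    [ -n "${KS_PASS:-}" ] || { echo "set KS_PASS first" >&2; exit 2; }
    export KS_PASS

    umask 077                          # intermediates readable by the owner only
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT          # unencrypted key is removed on any exit path

    # Step 1 from the answers: DER PKCS#8 -> PEM, still unencrypted (-nocrypt).
    openssl pkcs8 -in "$pk8" -inform DER -outform PEM -nocrypt \
        -out "$tmp/key.pem" || exit 1

    # Extra check: stop if the private key does not belong to the certificate.
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout) || exit 1
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    [ "$key_pub" = "$crt_pub" ] || { echo "key/certificate mismatch" >&2; exit 3; }

    # Step 2: bundle key + certificate as PKCS#12 under the chosen alias.
    openssl pkcs12 -export -in "$cert" -inkey "$tmp/key.pem" -name "$alias" \
        -out "$tmp/keypair.p12" -passout env:KS_PASS || exit 1

    # Step 3: import into the destination keystore (created if it is missing).
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp/keypair.p12" -srcstoretype PKCS12 \
        -srcstorepass:env KS_PASS -srcalias "$alias" \
        -destkeystore "$dest" -deststorepass:env KS_PASS || exit 1

    # The alias must hold a PrivateKeyEntry; importing only the certificate
    # gives a trustedCertEntry, which cannot be used for signing.
    keytool -list -keystore "$dest" -storepass:env KS_PASS -alias "$alias" |
        grep -q 'PrivateKeyEntry' || { echo "no private key under alias" >&2; exit 4; }
)
```
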
3

Given that keytool-importkeypair works only with an already existing keystore, you can use this other version of the script, which will work by creating a new keystore and importing your .x509.pem and .pk8 into it.

Here is the script: platform_import_keystore

Sanborn answered 10/10, 2018 at 8:58 Comment(0)
