23

Here is how Google suggests creating an Android keystore:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name \
  -keyalg RSA -keysize 2048 -validity 10000

While 10000 days may seem like eternity, 27 years could pass quicker than you think, and RSA might still be in use.
If tweaking a command-line argument now has a 0.01% chance of saving my market share in the future, I am willing to do it.

QUESTION: How to make this validity period as long as possible?

BartoszKP
Nicolas Raoul

3 Answers

21

"1000 years" example:

I have created a "1000 years" JKS keystore without problem as well:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 365000

Then I checked the expiration period:

keytool -list -v -keystore my-release-key.keystore

Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry
...
Valid from: Tue Aug 04 15:28:01 BST 2015 until: Mon Dec 05 14:28:01 GMT 3014

So, the key is valid until Mon Dec 05 14:28:01 GMT 3014

Danail
20

You should be able to create a key that will be valid for 292 billion years, if I did the math correctly.

I looked at the source for keytool, http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/tools/KeyTool.java, and it looks like the validity period is stored in seconds, as a long. The largest value a long can hold, 2^63 - 1, is 9223372036854776000 seconds which equals 106751991167300 days which equals 292,271,023,045 years. There may be other factors that disallow such a large value, but this seems to be the max amount the tool can generate.

EJK
  • Python tells me that 2**63 - 1 is 9223372036854775807 (seconds), which equals 106751991167300 days. – President James K. Polk Jan 12 '13 at 02:07
  • `jarsigner` (the "official" command-line tool) crashes on a keystore I just created with a validity of 10,000,000 days. So while theoretically true, the practical answer is probably less. – Nicolas Raoul Sep 07 '15 at 07:32
3

Doing some trial-and-error, I'm seeing a practical maximum around the year 9999. As of today, with two keys created this way:

keytool -genkey -v -keystore year-9998.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 2914760

keytool -genkey -v -keystore year-10002.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 2916223

While both keys seem to be created successfully, inspecting them with these commands:

keytool -list -v -keystore year-9998.keystore

Runs OK, giving "Valid from: Tue Aug 29 11:12:45 CDT 2017 until: Thu Jan 01 10:12:45 CST 9998"

keytool -list -v -keystore year-10002.keystore

Crashes with "keytool error: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format"

So I think a practical maximum expiration is just before year 10000.

Milad Bahmanabadi
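The trial-and-error above can be reproduced without keytool. The script below is an added example, not code from any of the posters: it models keytool's -validity as whole days added to the issue date and treats any expiry in year 10000 or later as unencodable, because an X.509 GeneralizedTime has a four-digit year (both are assumptions consistent with the outputs quoted in the answers, not facts stated by keytool's documentation on this page). Given an issue date it returns the largest -validity that still yields a parseable certificate, and it reproduces the expiry dates the "1000 years" and year-9998 keystores printed.

```python
"""Added example: model keytool's -validity handling to find the largest
value whose expiry still fits a four-digit GeneralizedTime year (<= 9999).

Assumptions (not stated on the page): keytool adds -validity as whole
days to the certificate start time, and an expiry in year 10000 or later
cannot be encoded, which is the failure seen as
'Parse Generalized time, invalid format' in the thread.
"""
from datetime import date, timedelta

# GeneralizedTime is YYYYMMDDHHMMSSZ, so this is the last encodable day.
LAST_ENCODABLE_DAY = date(9999, 12, 31)


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def validity_end(start, validity_days: int) -> date:
    """Return notAfter for a certificate issued on `start` with keytool's
    -validity set to `validity_days`. Raises ValueError when the expiry
    cannot be written as a GeneralizedTime (year > 9999)."""
    start = _as_date(start)
    if validity_days < 1:
        raise ValueError("-validity must be at least 1 day")
    try:
        # datetime.date itself stops at year 9999, so the overflow
        # coincides exactly with the GeneralizedTime limit.
        return start + timedelta(days=validity_days)
    except OverflowError as exc:
        raise ValueError(f"expiry would fall beyond year 9999: {exc}") from exc


def max_validity_days(start) -> int:
    """Largest -validity (days) for a certificate issued on `start` whose
    notAfter still has a four-digit year."""
    return (LAST_ENCODABLE_DAY - _as_date(start)).days


def check_validity(start, validity_days: int) -> str:
    """Describe what a given -validity would do, without running keytool."""
    start = _as_date(start)
    limit = max_validity_days(start)
    if validity_days > limit:
        return (f"-validity {validity_days} from {start} ends after 9999; "
                f"keytool -list would fail to parse the certificate "
                f"(maximum for this issue date is {limit})")
    return (f"-validity {validity_days} from {start} expires "
            f"{validity_end(start, validity_days)}")


if __name__ == "__main__":
    # Issue dates and -validity values taken from the answers above.
    print(check_validity("2015-08-04", 365000))    # the "1000 years" keystore
    print(check_validity("2017-08-29", 2914760))   # year-9998.keystore
    print(check_validity("2017-08-29", 2916223))   # year-10002.keystore
    print("max -validity if issued today:", max_validity_days(date.today()))
```

Running it prints the 3014-12-05 and 9998-01-01 expiries the answers observed (keytool also keeps the time of day and prints it in the local zone, which this date-only model ignores), and flags the 2916223-day key as unparseable. The returned maximum is the value to pass as -validity when the goal is an expiry just before year 10000.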