Free tool

Extract upload certificate from JKS

Generate upload_certificate.pem from your Android keystore (.jks) — no keytool or terminal required.

Maximum file size: 100 KB. Your keystore is processed in memory and not stored.

What is an upload certificate?

When you publish on Google Play with Play App Signing, Google holds your app signing key and you sign releases with a separate upload key. That upload key lives in a Java keystore file (.jks or .keystore).

The upload certificate is the public half of that key, exported as a PEM file (upload_certificate.pem). Google Play uses it to verify that APKs and AABs you upload were signed with your upload key — without you ever sending the private key to Google.

When developers need this tool

Most indie and low-code developers have a .jks file from their app builder but have never run keytool or opened Android Studio’s signing UI. Play Console then asks for an upload certificate PEM — and the docs assume you know how to export one.

Common situations where you need upload_certificate.pem:

  • First-time Play App Signing setup — register your upload key with Google.
  • Reset upload key in Google Play Console — if you lost access to your old upload keystore but still have (or recreate) a key, Google asks for the new upload certificate PEM to approve the change.
  • Support or agency handoff — prove which upload key signs your builds without sharing the keystore password in email.

Reset upload key in Google Play Console

If you cannot sign new releases because the upload key is lost or compromised, Google lets you request an upload key reset (under Setup → App signing in Play Console). You generate a new upload keystore, export its certificate as PEM, and submit that file to Google.

  1. Create or locate your new upload .jks file.
  2. Use this tool to download upload_certificate.pem.
  3. In Play Console, open the upload key reset flow and upload the PEM when prompted.
  4. After Google approves the reset, sign future AAB/APK builds with the new keystore.

Read more in our guide: How to upload your app on Google Play.

How this tool works

Upload your keystore and passwords above. The server writes the file temporarily, runs the same keytool export a developer would run locally, returns the PEM, and deletes all temp files. Your keystore is not stored on our servers.

Equivalent manual command (for reference):

keytool -exportcert -rfc -keystore release.jks -alias your_alias -file upload_certificate.pem

Frequently asked questions

What is the difference between upload key and app signing key?
The upload key signs bundles you upload to Play. Google re-signs with the app signing key before users install. This tool exports the certificate for your upload key only.
Can I use this PEM to reset my upload key?
Yes. Google Play’s upload key reset request accepts the PEM exported from your new upload keystore. This tool generates that file from your .jks.
Do I need Android Studio or the JDK installed?
No. If you only have the .jks file and passwords, this browser tool returns upload_certificate.pem without installing Java or learning keytool.
Is my keystore saved?
No. The keystore is processed in a temporary file, the certificate is extracted, and both are removed immediately after the response is sent.