I have spent hours finding a solution to this problem. Tried five different JDKs and nothing worked. I have an old PKCS12 certificate for a very popular playstore app that I have "inherited" from the previous developer, and JDK 8 + 9 will not use it. Olexandr's solution didn't help either.

Finally, almost by shear luck, I managed to find a solution here, in Weijung Wang's reponse. It involves exporting and reimporting the certificate using openssl. I then reimported the P12 keystore in the JKS keystore and it now works with JDK 8.

Quote:

weijun Weijun Wang added a comment - 2017-02-28 15:55
Openssl is able to remove the redundant 0s when extracting the private key. We can use the following 2 commands to normalize an affected pkcs12 file:

1. openssl pkcs12 -in pkcs12-file -out key-and-cert -nodes -passin pass:abcXYZ

2. openssl pkcs12 -in key-and-cert -export -out new-pkcs12-file -passout pass:abcXYZ

I have keystore generated with JDK6. As workaround, I have been using JDK 1.8.0_112 by setting JDK under [Project Structure] - [SDK Location] - [JDK location].

I have solved with steps below (using macOS).

Convert to PKCS12 using JDK 1.8.0_112

/Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/bin/keytool -importkeystore -srckeystore original.keystore -destkeystore 1.8.0_112.p12 -deststoretype PKCS12 -storepass ***** -destkeypass *****

Process with OpenSSL (Thanks to Weijung Wang and Anders Emil)

openssl pkcs12 -in 1.8.0_112.p12 -out 1.8.0_112.cert -nodes -passin pass:*****
openssl pkcs12 -in 1.8.0_112.cert -export -out 1.8.0_112.export.p12 -passout pass:*****

Convert to JKS using JDK 1.8.0_161.

Here I need to specify -destkeypass, -srcalias, and -destalias. Note that alias is "1" after openSSL commands, so needed to set alias.

/Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/bin/keytool -importkeystore -srckeystore 1.8.0_112.export.p12 -srcstoretype pkcs12 -destkeystore 1.8.0_112.keystore -deststoretype jks -deststorepass ***** -destkeypass ***** -srcalias 1 -destalias youralias

So the results of fingerprints shows like this.

Original keystore:
     SHA1: 6C:9E:...:C5:8A

Original apk:
     SHA1: DA:4C:...:3F:02

Modified keystore:
     SHA1: C8:4A:...:2A:23

Modified apk:
     SHA1: DA:4C:...:3F:02

I have been having the same error, and Olexandr's solution wouldn't work, as using keytool on JDK8 (update 151) would throw an error while reading the certificate, which was generated with JDK7. As from Anders answer, using OpenSSL worked with (pasting the command lines for future reference) :

openssl pkcs12 -in android.p12 -out android_fixed.cert -nodes -passin pass:your_p12_password
openssl pkcs12 -in android_fixed.cert -export -out android_cert.p12 -passout pass:your_p12_password

We had the same problem. We have found that JDK 1.8.0_112 doesn't have the bug that you're talking about. So we resolved the problem in this way:

At first we converted temp_keystore.p12 into mycert.keystore by using the following command (Java\jdk1.8.0_112\bin\keytool.exe):

keytool -importkeystore -srckeystore temp_keystore.p12 -destkeystore mycert.keystore -srcstoretype pkcs12

Then we use the following command (Java\jdk1.8.0_112\bin\jarsigner.exe):

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mycert.keystore ReadyForSigning.apk 1

to sign apk. ("1" at the end of command is the alias)

PS.: Converting from .p12 to .keystore may be not necessary.