How to Recover a Lost Android Keystore by Creating a New Upload Key

A step-by-step MDX guide for developers who forgot their Android keystore or password and need to replace the upload key in Google Play Console.

Published on March 22, 2026 by Fazle Rabbie

Tags: android, keystore, google-play, app-signing, react-native

Losing your Android keystore or forgetting its password is a common problem. The important thing to understand first is this:

In most cases, you cannot recover the old keystore password or rebuild the exact same keystore file.

If your app is using Google Play App Signing, the practical solution is to generate a new upload keystore, export its certificate, submit that certificate to Google Play Console, wait for approval, and then upload your next app bundle with the new key.

This guide explains the full process in a way that is easy to follow.

What this process actually does

There are two keys involved in many Play Store apps:

  • App signing key: Managed by Google Play if Play App Signing is enabled.
  • Upload key: The key you use locally to sign the app before uploading.

If you forgot the password for your local upload keystore, you usually do not recover the old one. Instead, you replace the upload key with a new one.

That is why the steps below focus on generating a new keystore and sending its certificate to Google.

Before you start

Make sure:

  • Your app is already enrolled in Google Play App Signing
  • You have access to the Google Play Console
  • keytool is available on your machine
  • You store the new keystore file and password in a safe place after creating them

If keytool is not found, install or configure your Java JDK first.

Step 1: Generate a new keystore

Copy and run:

keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 20000 -keystore upload-keystore.jks

This command will create a new file named upload-keystore.jks.

During the process, keytool will ask for:

  • A new keystore password
  • A new key password
  • Your name, organization, city, country, and related certificate details

Use a password you can store securely. If you lose this new password too, you will have to repeat the reset process.

What each part means

  • -genkeypair: Generates a public/private key pair
  • -alias mykey: Creates the key with the alias mykey
  • -keyalg RSA: Uses RSA as the key algorithm for the signing key pair
  • -keysize 2048: Sets the key size to 2048 bits
  • -validity 20000: Sets the certificate validity to 20000 days (roughly 54 years)
  • -keystore upload-keystore.jks: Saves the keystore with this file name

Step 2: Export the certificate from the new keystore

Copy and run:

keytool -export -rfc -keystore upload-keystore.jks -alias mykey -file certificate.pem

This creates a file named certificate.pem.

Google Play does not need your private keystore file during the reset request. It needs the certificate generated from that keystore so it can verify the new upload key.
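Before uploading in Step 3, you can confirm that certificate.pem really is a single PEM certificate and carries no private key. The shell function below is an added example, not part of the original post or of keytool; the name check_upload_cert is hypothetical, and it assumes mktemp, base64 and sha256sum (GNU coreutils) are installed. The fingerprint it prints should equal the SHA256 line shown by keytool -list -v -keystore upload-keystore.jks -alias mykey.

```shell
#!/bin/sh
# Added example: pre-upload check for the certificate.pem exported in Step 2.
# check_upload_cert is a hypothetical helper name.
# Usage: . ./check_upload_cert.sh && check_upload_cert certificate.pem
#
# Prints the SHA-256 fingerprint (AA:BB:...) of the single certificate in the
# file. Return codes: 1 unreadable, 2 private key present,
# 3 not exactly one certificate (e.g. a binary .jks), 4 bad base64 body.
check_upload_cert() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # A PEM-wrapped private key must never leave your machine.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; do not upload it" >&2
        return 2
    fi

    # keytool -export -rfc writes exactly one certificate block.
    # A .jks file has no PEM header, so the count is 0.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$count" -ne 1 ]; then
        echo "$pem: expected 1 certificate, found $count" >&2
        return 3
    fi

    # Decode the base64 body to DER; the fingerprint is SHA-256 over the DER bytes.
    der=$(mktemp) || return 1
    if ! sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
            | grep -v -e '-----' | tr -d ' \r\n' \
            | base64 -d > "$der" 2>/dev/null; then
        rm -f "$der"
        echo "$pem: certificate body is not valid base64" >&2
        return 4
    fi

    # Format as upper-case, colon-separated hex pairs, the way keytool prints it.
    sha256sum < "$der" | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
    rm -f "$der"
}
```

Once Google has processed the reset, the same fingerprint should appear as the upload key certificate's SHA-256 fingerprint on the app signing page in Play Console.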

Step 3: Upload the certificate in Google Play Console

Now go to your app in Google Play Console and open the section related to App Integrity or App Signing.

From there:

  • Find the option to reset or replace the upload key
  • Upload the certificate.pem file
  • Submit the request

Depending on the current Play Console interface, the wording may differ slightly, but the goal is the same: upload the certificate for your new upload key.

Step 4: Wait for Google to process the request

After submitting the certificate, you need to wait for Google to approve and update the upload key.

A safe rule for your workflow is:

  • Wait for 2 days

Do not try to upload a new release immediately with the new keystore before the reset is processed. If you do, the upload will usually fail because Google Play is still expecting the previous upload key.

Step 5: Upload the app with the new keystore

Once the upload key reset has been processed, sign your app with the new upload-keystore.jks and upload the new build.

At that point, the new keystore becomes your active upload key for future releases.

Important note about the password

The password is not generated and shown separately by Google. You create it yourself while running the keytool -genkeypair command.

That means:

  • The new keystore password is the one you enter during keystore creation
  • The new key password is also set during that same process
  • You must save both securely

If your question is specifically, "How do I recover the old password?" the honest answer is:

You normally do not recover the old password. You create a new upload keystore and register its certificate in Google Play Console.

After generating the new key, store these safely:

  • upload-keystore.jks
  • Keystore password
  • Key alias such as mykey
  • Key password
  • A backup copy in secure storage

Good options include:

  • A password manager
  • An encrypted company vault
  • Secure cloud storage with restricted access

Common mistakes to avoid

  • Deleting upload-keystore.jks after generating it
  • Forgetting the password again
  • Uploading the .jks file instead of the certificate.pem file in Play Console
  • Trying to upload a new app bundle before Google finishes updating the upload key
  • Using the wrong alias when exporting the certificate

Quick summary

If you forgot your Android keystore password, the practical recovery process is:

  1. Generate a new keystore
  2. Export its certificate
  3. Upload the certificate in Google Play Console
  4. Wait around 2 days
  5. Upload the app signed with the new keystore

Copy-paste commands

Generate a new keystore

keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 20000 -keystore upload-keystore.jks

Export the certificate

keytool -export -rfc -keystore upload-keystore.jks -alias mykey -file certificate.pem

Final advice

This process is less about recovering the old file and more about replacing the lost upload key correctly. Once the new key is accepted by Google Play, keep the new keystore and passwords backed up in at least two secure places.
