Home » Android » android – "Wrong version of key store" error. How can I create a version=1 keystore certificate?

android – "Wrong version of key store" error. How can I create a version=1 keystore certificate?

Posted by: admin June 15, 2020 Leave a comment


I am having trouble using SSL, as I am getting the following error related to my keystore (self-created and self-signed using keytool per: http://developer.android.com/tools/publishing/app-signing.html):

08-14 20:55:23.044: W/System.err(5430): java.io.IOException: Wrong
version of key store. 08-14 20:55:23.060: W/System.err(5430): at

The error thrown in the JDKKeyStore.java class arises in the following code:

From JDKKeyStore.java:
if (version != STORE_VERSION)
if (version != 0)
throw new IOException(“Wrong version of key store.”);


In this case STORE_VERSION = 1, and my version=3 based on reading the details of the certificate held by the keystore I have created. I do not know how to generate a keystore containing a version=1 certificate.

I found this answer helpful:
wrong version keystore when doing https call

however it calls for creating the keystore using the following parameters:

-storetype BKS
-provider org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath /path/to/bouncycastle.jar

However, when I try to create the keytool (using the terminal app on Mac) using these parameters:

keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize
2048 -validity 10000 -keypass android -keystore
/Users/djames/dropbox/bc146keystore/debug.keystore -storepass android
-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/

(where /Users/djames/dropbox/bc146keystore/ is the path to the bouncy castle jar: bcprov-jdk16-146.jar)

I get the following error:

keytool error: java.lang.RuntimeException: Usage error, ?providerpath
is not a legal command java.lang.RuntimeException: Usage error,
?providerpath is not a legal command at
sun.security.tools.KeyTool.parseArgs(KeyTool.java:375) at
sun.security.tools.KeyTool.run(KeyTool.java:171) at

I do not understand what this is telling me. If I use: keytool -help it tells me that the following are valid options for the -genkeypair option:

-genkeypair [-v] [-protected] [-alias ] [-keyalg ] [-keysize ] [-sigalg ] [-dname ] [-validity ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providername ] [-providerclass [-providerarg ]] …
[-providerpath ]

But in the Oracle docs java version 6 that I am using
it tells me that these are the options:

-genkeypair {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays}
{-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v}
{-protected} {-Jjavaoption}

which does not include the -providerpath option. Why the discordance?
(If I do not use the -providerpath option, then I get an unknown class exception at the option: "-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider"…)

When I google: keytool -providerpath
I get nothing helpful to resolve this.

I am not sure how to solve my keystore version problem without solving my keytool problem. Any suggestions appreciated.


(Mac OSX 10.6.8 if relevant)
How to&Answers:

My problem was using a version of bouncy castle that was too new. I had to use 146 – any later and it gave me this error.


I was able to get past this problem with the version of keystore. see: keytool error when creating BKS keystore: providerpath is not a legal command


The version mismatch is for the key store version, not the certificate version (which should have the value 2 for a v3 X.509 certificate).

What version of the JDK did you use keytool from? Did you specify a full path to the command, or use what was in your PATH? Are you sure that you are using JKS key stores, and not JCEKS stores?


In order to complete Ryan answer as I had to dig in to find out how to generate a BKS with Bouncy Castle 1.46, you can use Portecle to generate the BKS.

  1. Download Boucycastle Provider 1.46
  2. Install or unzip it.
  3. Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
  4. Restart Portecle and generate your BKS truststore.

This explained here.


Since Portecle 1.8, you can use BKS-V1 type to generate your truststore without to replace bcprov.jar.

You can select it after clicking on New keystore or change the type via the menu Tools -> Change KeyStore Type.