How to create an Android keystore RSA key with infinite validity?
"1000 years" example:
I have created a "1000 years" JKS keystore without a problem as well:
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 365000
Then, checked for expiration period:
keytool -list -v -keystore my-release-key.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
...
Valid from: Tue Aug 04 15:28:01 BST 2015 until: Mon Dec 05 14:28:01 GMT 3014
So, the key is valid until Mon Dec 05 14:28:01 GMT 3014
You should be able to create a key that will be valid for 292 billion years, if I did the math correctly.
I looked at the source for keytool, http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/tools/KeyTool.java, and it looks like the validity period is stored in seconds, as a long. The largest value a long can hold, 2^63 - 1, is 9223372036854776000 seconds which equals 106751991167300 days which equals 292,271,023,045 years. There may be other factors that disallow such a large value, but this seems to be the max amount the tool can generate.
Doing some trial-and-error, I'm seeing a practical maximum around the year 9999. As of today, with two keys created this way:
keytool -genkey -v -keystore year-9998.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 2914760
keytool -genkey -v -keystore year-10002.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 2916223
While both keys seem to create successfully, inspecting these keys with commands:
keytool -list -v -keystore year-9998.keystore
Runs OK, giving "Valid from: Tue Aug 29 11:12:45 CDT 2017 until: Thu Jan 01 10:12:45 CST 9998"
keytool -list -v -keystore year-10002.keystore
Crashes with "keytool error: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format"
So I think a practical maximum expiration is just before year 10000.
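The year-9999 ceiling seen above matches the X.509 date encoding: RFC 5280 stores notAfter as UTCTime through 2049 and as GeneralizedTime (YYYYMMDDHHMMSSZ, four-digit year) after that. The following is an added example, not part of the answers; it assumes keytool sets notAfter to the start time plus `-validity` × 86400 seconds, and its function and constant names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Last instant a four-digit-year GeneralizedTime (YYYYMMDDHHMMSSZ) can express.
LAST_ENCODABLE = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# "Valid from" timestamps quoted in the answers above (BST = UTC+1, CDT = UTC-5).
START_2015 = datetime(2015, 8, 4, 15, 28, 1, tzinfo=timezone(timedelta(hours=1)))
START_2017 = datetime(2017, 8, 29, 11, 12, 45, tzinfo=timezone(timedelta(hours=-5)))


def not_after_field(not_before, validity_days):
    """Return (ASN.1 time type, encoded string) for notAfter, or raise ValueError."""
    try:
        # Assumption: notAfter = notBefore + validity_days * 86400 seconds.
        not_after = not_before.astimezone(timezone.utc) + timedelta(days=validity_days)
    except OverflowError:
        # Python's datetime also stops at year 9999, so overflow means year >= 10000.
        raise ValueError("notAfter falls after year 9999 and cannot be encoded") from None
    if not_after.year <= 2049:  # RFC 5280: two-digit-year UTCTime through 2049
        return "UTCTime", not_after.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", not_after.strftime("%Y%m%d%H%M%SZ")


def max_validity_days(not_before):
    """Largest whole-day -validity value that keeps notAfter within year 9999."""
    return (LAST_ENCODABLE - not_before.astimezone(timezone.utc)).days


if __name__ == "__main__":
    print(365000, not_after_field(START_2015, 365000))
    for days in (2914760, 2916223):
        try:
            print(days, not_after_field(START_2017, days))
        except ValueError as exc:
            print(days, "rejected:", exc)
    print("largest safe -validity from the 2017 start:", max_validity_days(START_2017))
```

Checking a planned `-validity` value this way before generating a long-lived signing key avoids producing a certificate that later tools cannot parse.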