I've just enrolled in the Google Play App Signing program, which required uploading an encrypted version of the release keystore and had an "optional" step for creating an upload keystore ("optional" is in quotes because I think it should be a required step). Anyway, after a successful enrollment, I'm now left with an upload certificate, which I should somehow use to sign my future app releases.
What I've done so far: I created a new keystore from Android Studio, set the store and alias passwords and tried to import the upload_cert.der into the existing alias, which failed:
keytool -importcert -file upload_cert.der -alias upload -keystore upload-keystore.jks
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I've also tried to import the upload certificate without specifying an alias (or removing the existing alias and creating a new one), or with a different alias:
keytool -importcert -file upload_cert.der -keystore upload-keystore.jks
...which failed as well: it ended up creating a new alias called mykey, which wasn't password-protected, and signing failed with the message:
Caused by: java.lang.RuntimeException: com.android.ide.common.signing.KeytoolException: Failed to read key upload from store "/path/to/upload-keystore.jks": trusted certificate entries are not password-protected
...so naturally, I tried to set a password for the alias:
keytool -keypasswd -alias upload -keystore upload-keystore.jks
which failed as well with the message:
keytool error: java.lang.Exception: Alias has no key
...and now I've run out of ideas.
In the meantime, I've sent a question/request to Google Play Support to renew my upload key, but I'm hoping there is a solution to this situation (the support is kinda slow to reply), since the documentation doesn't imply in any way that generating an upload keystore and uploading the encrypted private key of that keystore is a requirement. So, either the documentation is vague/unclear/wrong, or there is a way to use the generated upload_cert.der. Any thoughts?
Edit:
Thanks to the answer and comment provided by Pierre, I realized that if you do not create/provide an upload key, your existing original signing key should be used, with the upload_cert.der. So, the only requirement would be to insert the upload certificate by running:
keytool -importcert -file upload_cert.der -keystore original-signing-keystore.jks
...and you should be able to continue publishing your applications to the Play Store.
The .der file you uploaded to the Play Console (and that is also available for download in the App Signing page in the Play Console) does not contain the private key, it only contains the public key, so you won't be able to sign anything with it.
Only the keystore you created to generate your upload certificate contains the private key and must be used to sign your APKs (or App Bundles).
In other words, you shouldn't create another keystore after enrollment in Play Signing, you should use the keystore you have created to generate the upload certificate to sign your future artifacts.
Hope that helps.
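An added check that is not part of the question or the answer above: it confirms the two things the answer relies on, that the alias you sign with is a PrivateKeyEntry (a trustedCertEntry, like the mykey alias created by the failed import, holds no private key) and that its certificate's SHA-256 fingerprint equals the fingerprint of upload_cert.der. The listing format is that of `keytool -list -v`; the sample listing and the DER bytes are constructed stand-ins.

```python
"""Verify that a keystore alias can sign uploads for a given upload_cert.der."""
import hashlib
import re


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of the raw DER bytes in keytool's colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'SHA256: ab:cd..', 'ab:cd..' or 'ABCD..' to bare upper-case hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper().split("SHA256:")[-1])


def keystore_entries(listing: str) -> dict:
    """Parse `keytool -list -v` text into {alias: (entry_type, sha256_hex)}."""
    entries = {}
    for chunk in re.split(r"(?m)^Alias name:", listing)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        kind = re.search(r"(?m)^Entry type:\s*(\S+)", chunk)
        fp = re.search(r"(?m)^\s*SHA256:\s*([0-9A-Fa-f:]+)", chunk)
        entries[alias] = (kind.group(1) if kind else "",
                          normalize(fp.group(1)) if fp else "")
    return entries


def can_sign_for(listing: str, alias: str, der: bytes):
    """Return (ok, reason): ok only for a PrivateKeyEntry whose cert matches the DER."""
    kind, fp = keystore_entries(listing).get(alias, ("", ""))
    if kind != "PrivateKeyEntry":
        return False, f"alias {alias!r} is {kind or 'missing'}, not a PrivateKeyEntry"
    if fp != normalize(der_fingerprint(der)):
        return False, "certificate fingerprint does not match upload_cert.der"
    return True, "alias holds the private key matching upload_cert.der"


# Constructed stand-in for the bytes of upload_cert.der (not a real certificate).
UPLOAD_CERT_DER = b"abc"
# Constructed `keytool -list -v` output: a real key entry and a cert-only import.
SAMPLE_LISTING = f"""Your keystore contains 2 entries

Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t SHA256: {der_fingerprint(UPLOAD_CERT_DER)}

Alias name: mykey
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA256: {der_fingerprint(UPLOAD_CERT_DER)}
"""

if __name__ == "__main__":
    for name in ("upload", "mykey"):
        print(name, can_sign_for(SAMPLE_LISTING, name, UPLOAD_CERT_DER))
```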