diff --git a/README.md b/README.md
index 9f17b6d..4aebf2f 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@
 Our SDK is available on Maven Central.
 
 ```groovy
-implementation 'de.contentpass:contentpass-android:2.2.7'
+implementation 'de.contentpass:contentpass-android:2.2.8'
 ```
 
 Add this to your app's `build.gradle` file's `dependencies` element.
diff --git a/lib/build.gradle.kts b/lib/build.gradle.kts
index 2523bba..0aff01a 100644
--- a/lib/build.gradle.kts
+++ b/lib/build.gradle.kts
@@ -58,7 +58,7 @@ kapt {
 extra.apply{
     set("PUBLISH_GROUP_ID", "de.contentpass")
     set("PUBLISH_ARTIFACT_ID", "contentpass-android")
-    set("PUBLISH_VERSION", "2.2.7")
+    set("PUBLISH_VERSION", "2.2.8")
 }
 
 apply("${rootProject.projectDir}/scripts/publish-module.gradle")
diff --git a/lib/src/main/java/de/contentpass/lib/KeyStore.kt b/lib/src/main/java/de/contentpass/lib/KeyStore.kt
index 6006415..ff1b9e3 100644
--- a/lib/src/main/java/de/contentpass/lib/KeyStore.kt
+++ b/lib/src/main/java/de/contentpass/lib/KeyStore.kt
@@ -50,18 +50,27 @@ internal class KeyStore(private val context: Context, private val propertyId: St
         if (!keystore.containsAlias(keyPairAlias)) {
             createKeyPair()
         }
-        val pair = try {
-            keystore.getEntry(keyPairAlias, null) as? VendorKeyStore.PrivateKeyEntry
+        val recovered = try {
+            val key = keystore.getKey(keyPairAlias, null) as? PrivateKey
+            val cert = keystore.getCertificate(keyPairAlias)
+            if (key != null && cert != null) {
+                key to cert.publicKey
+            } else {
+                null
+            }
         } catch (e: Exception) {
             null
         } ?: run {
             // Android 8 can throw when the entry is invalidated/corrupted; recreate it.
             keystore.deleteEntry(keyPairAlias)
             createKeyPair()
-            keystore.getEntry(keyPairAlias, null) as VendorKeyStore.PrivateKeyEntry
+            val key = keystore.getKey(keyPairAlias, null) as PrivateKey
+            val cert = keystore.getCertificate(keyPairAlias)
+                ?: throw IllegalStateException("Failed to load keystore certificate after regeneration.")
+            key to cert.publicKey
         }
-        privateKey = pair.privateKey
-        publicKey = pair.certificate.publicKey
+        privateKey = recovered.first
+        publicKey = recovered.second
     }
 
     private fun createKeyPair(): KeyPair {