diff --git a/core/java/src/net/i2p/crypto/SelfSignedGenerator.java b/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
index 1f7e8b37b..241f1cfc8 100644
--- a/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
+++ b/core/java/src/net/i2p/crypto/SelfSignedGenerator.java
@@ -233,7 +233,7 @@ public final class SelfSignedGenerator {
         } catch (IllegalArgumentException iae) {
             throw new GeneralSecurityException("cert error", iae);
         }
-        X509CRL crl = generateCRL(cert, validDays, 1, sigoid, jpriv);
+        X509CRL crl = generateCRL(cert, validDays, 1, sigoid, priv);
 
         // some simple tests
         PublicKey cpub = cert.getPublicKey();
@@ -281,10 +281,7 @@ public final class SelfSignedGenerator {
      *  Generate a CRL for the given cert, signed with the given private key
      */
     private static X509CRL generateCRL(X509Certificate cert, int validDays, int crlNum,
-                                       byte[] sigoid, PrivateKey jpriv) throws GeneralSecurityException {
-
-        SigningPrivateKey priv = SigUtil.fromJavaKey(jpriv);
-
+                                       byte[] sigoid, SigningPrivateKey priv) throws GeneralSecurityException {
         byte[] tbs = genTBSCRL(cert, validDays, crlNum, sigoid);
         int tbslen = tbs.length;
 
diff --git a/core/java/src/net/i2p/crypto/SigUtil.java b/core/java/src/net/i2p/crypto/SigUtil.java
index 32f9f9c6b..b19f63bef 100644
--- a/core/java/src/net/i2p/crypto/SigUtil.java
+++ b/core/java/src/net/i2p/crypto/SigUtil.java
@@ -189,8 +189,10 @@ public final class SigUtil {
                 type = SigType.ECDSA_SHA384_P384;
             else if (spec.equals(SigType.ECDSA_SHA512_P521.getParams()))
                 type = SigType.ECDSA_SHA512_P521;
-            else
+            else {
+                // failing on Android (ticket #2296)
                 throw new IllegalArgumentException("Unknown EC type: " + pk.getClass() + " spec: " + spec.getClass());
+            }
             return fromJavaKey(k, type);
         }
         if (pk instanceof EdDSAPrivateKey) {
diff --git a/history.txt b/history.txt
index 043a64207..f9a98881c 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,9 @@
+2018-09-26 zzz
+ * Crypto: Avoid privkey conversion when generating CRL,
+   failing on Android for unknown reasons (ticket #2296)
+ * IRC: Make inbound whitelist static
+ * Router: Don't add 'O' cap for P/X anymore
+
 2018-09-24 zzz
  * Build: Compile jsps in-order for reproducibility (ticket #2279)
 
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 74605163f..47667df53 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 8;
+    public final static long BUILD = 9;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";