diff --git a/java/app_import.go b/java/app_import.go
index d69dd10f9..d38f63e06 100644
--- a/java/app_import.go
+++ b/java/app_import.go
@@ -67,6 +67,9 @@ type AndroidAppImportProperties struct {
 	// module name in the form ":module". Should be empty if presigned or default_dev_cert is set.
 	Certificate *string
 
+	// Names of extra android_app_certificate modules to sign the apk with in the form ":module".
+	Additional_certificates []string
+
 	// Set this flag to true if the prebuilt apk is already signed. The certificate property must not
 	// be set for presigned modules.
 	Presigned *bool
@@ -156,6 +159,16 @@ func (a *AndroidAppImport) DepsMutator(ctx android.BottomUpMutatorContext) {
 		ctx.AddDependency(ctx.Module(), certificateTag, cert)
 	}
 
+	for _, cert := range a.properties.Additional_certificates {
+		cert = android.SrcIsModule(cert)
+		if cert != "" {
+			ctx.AddDependency(ctx.Module(), certificateTag, cert)
+		} else {
+			ctx.PropertyErrorf("additional_certificates",
+				`must be names of android_app_certificate modules in the form ":module"`)
+		}
+	}
+
 	a.usesLibrary.deps(ctx, !a.isPrebuiltFrameworkRes())
 }
 
@@ -303,9 +316,6 @@ func (a *AndroidAppImport) generateAndroidBuildActions(ctx android.ModuleContext
 		// If the certificate property is empty at this point, default_dev_cert must be set to true.
 		// Which makes processMainCert's behavior for the empty cert string WAI.
 		certificates = processMainCert(a.ModuleBase, String(a.properties.Certificate), certificates, ctx)
-		if len(certificates) != 1 {
-			ctx.ModuleErrorf("Unexpected number of certificates were extracted: %q", certificates)
-		}
 		a.certificate = certificates[0]
 		signed := android.PathForModuleOut(ctx, "signed", apkFilename)
 		var lineageFile android.Path
diff --git a/java/app_import_test.go b/java/app_import_test.go
index dc31d07c9..00406aa2e 100644
--- a/java/app_import_test.go
+++ b/java/app_import_test.go
@@ -109,16 +109,30 @@ func TestAndroidAppImport_SigningLineage(t *testing.T) {
 			name: "foo",
 			apk: "prebuilts/apk/app.apk",
 			certificate: "platform",
+			additional_certificates: [":additional_certificate"],
 			lineage: "lineage.bin",
 		}
+
+		android_app_certificate {
+			name: "additional_certificate",
+			certificate: "cert/additional_cert",
+		}
 	`)
 
 	variant := ctx.ModuleForTests("foo", "android_common")
 
-	// Check cert signing lineage flag.
 	signedApk := variant.Output("signed/foo.apk")
+	// Check certificates
+	certificatesFlag := signedApk.Args["certificates"]
+	expected := "build/make/target/product/security/platform.x509.pem " +
+		"build/make/target/product/security/platform.pk8 " +
+		"cert/additional_cert.x509.pem cert/additional_cert.pk8"
+	if expected != certificatesFlag {
+		t.Errorf("Incorrect certificates flags, expected: %q, got: %q", expected, certificatesFlag)
+	}
+	// Check cert signing lineage flag.
 	signingFlag := signedApk.Args["flags"]
-	expected := "--lineage lineage.bin"
+	expected = "--lineage lineage.bin"
 	if expected != signingFlag {
 		t.Errorf("Incorrect signing flags, expected: %q, got: %q", expected, signingFlag)
 	}