[[_saml-keystore]]

====== KeyStore element

Within the `Key` element you can load your keys and certificates from a Java Keystore.  This is declared within
a `KeyStore` element.

[source,xml]
----

        <Keys>
            <Key signing="true" >
                <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                    <PrivateKey alias="myPrivate" password="test123"/>
                    <Certificate alias="myCertAlias"/>
                </KeyStore>
            </Key>
        </Keys>
----

Here are the XML config attributes that are defined with the `KeyStore` element.

file::
  File path to the key store. _OPTIONAL._  The file or resource attribute must be set. 

resource::
  WAR resource path to the KeyStore.
  This is a path used in method call to ServletContext.getResourceAsStream(). _OPTIONAL._  The file or resource attribute must be set. 

password::
  The password of the KeyStore _REQUIRED._                                        

If you are defining keys that the SP will use to sign document, you must also specify references to your private keys
and certificates within the Java KeyStore.
The `PrivateKey` and `Certificate` elements in the above example define an `alias` that points to the key or cert
within the keystore.  Keystores require an additional password to access private keys.
In the `PrivateKey` element you must define this password within a `password` attribute.