[[_saml-keystore]] === KeyStore element Within the `Key` element you can load your keys and certificates from a Java Keystore. This is declared within a `KeyStore` element. [source,xml] ---- ---- Here are the XML config attributes that are defined with the `KeyStore` element. file:: File path to the key store. This option is _OPTIONAL_. The file or resource attribute must be set. resource:: WAR resource path to the KeyStore. This is a path used in method call to ServletContext.getResourceAsStream(). This option is _OPTIONAL_. The file or resource attribute must be set. password:: The password of the KeyStore. This option is _REQUIRED_. If you are defining keys that the SP will use to sign document, you must also specify references to your private keys and certificates within the Java KeyStore. The `PrivateKey` and `Certificate` elements in the above example define an `alias` that points to the key or cert within the keystore. Keystores require an additional password to access private keys. In the `PrivateKey` element you must define this password within a `password` attribute.