diff --git a/src/main/java/org/elasticsearch/shield/ssl/SSLService.java b/src/main/java/org/elasticsearch/shield/ssl/SSLService.java
index dc684ee2426..2f587b5b0fc 100644
--- a/src/main/java/org/elasticsearch/shield/ssl/SSLService.java
+++ b/src/main/java/org/elasticsearch/shield/ssl/SSLService.java
@@ -58,6 +58,7 @@ public class SSLService extends AbstractComponent {
         String keyStorePath = settings.get("keystore.path", componentSettings.get("keystore.path", System.getProperty("javax.net.ssl.keyStore")));
         String keyStorePassword = settings.get("keystore.password", componentSettings.get("keystore.password", System.getProperty("javax.net.ssl.keyStorePassword")));
         String keyStoreAlgorithm = settings.get("keystore.algorithm", componentSettings.get("keystore.algorithm", System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm())));
+        String keyPassword = settings.get("keystore.key_password", componentSettings.get("keystore.key_password", keyStorePassword));
 
         String trustStorePath = settings.get("truststore.path", componentSettings.get("truststore.path", System.getProperty("javax.net.ssl.trustStore")));
         String trustStorePassword = settings.get("truststore.password", componentSettings.get("truststore.password", System.getProperty("javax.net.ssl.trustStorePassword")));
@@ -88,7 +89,7 @@ public class SSLService extends AbstractComponent {
                 keyStorePath, keyStoreAlgorithm, trustStorePath, trustStoreAlgorithm, sslProtocol);
 
             TrustManagerFactory trustFactory = getTrustFactory(trustStorePath, trustStorePassword, trustStoreAlgorithm);
-            KeyManagerFactory keyManagerFactory = createKeyManagerFactory(keyStorePath, keyStorePassword, keyStoreAlgorithm);
+            KeyManagerFactory keyManagerFactory = createKeyManagerFactory(keyStorePath, keyStorePassword, keyStoreAlgorithm, keyPassword);
             sslContext = createSslContext(keyManagerFactory, trustFactory, sslProtocol);
             sslContexts.put(key, sslContext);
         } else {
@@ -108,7 +109,7 @@ public class SSLService extends AbstractComponent {
         return sslEngine;
     }
 
-    private KeyManagerFactory createKeyManagerFactory(String keyStore, String keyStorePassword, String keyStoreAlgorithm) {
+    private KeyManagerFactory createKeyManagerFactory(String keyStore, String keyStorePassword, String keyStoreAlgorithm, String keyPassword) {
         try (FileInputStream in = new FileInputStream(keyStore)) {
             // Load KeyStore
             KeyStore ks = KeyStore.getInstance("jks");
@@ -116,7 +117,7 @@ public class SSLService extends AbstractComponent {
 
             // Initialize KeyManagerFactory
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyStoreAlgorithm);
-            kmf.init(ks, keyStorePassword.toCharArray());
+            kmf.init(ks, keyPassword.toCharArray());
             return kmf;
         } catch (Exception e) {
             throw new ElasticsearchSSLException("Failed to initialize a KeyManagerFactory", e);
diff --git a/src/test/java/org/elasticsearch/shield/ssl/SSLServiceTests.java b/src/test/java/org/elasticsearch/shield/ssl/SSLServiceTests.java
index 817d4a69a0d..0de507ae371 100644
--- a/src/test/java/org/elasticsearch/shield/ssl/SSLServiceTests.java
+++ b/src/test/java/org/elasticsearch/shield/ssl/SSLServiceTests.java
@@ -12,42 +12,43 @@ import org.junit.Test;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
-import java.io.File;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 
 import static org.elasticsearch.common.settings.ImmutableSettings.settingsBuilder;
 import static org.hamcrest.Matchers.*;
 
 public class SSLServiceTests extends ElasticsearchTestCase {
 
-    File testnodeStore;
+    Path testnodeStore;
 
     @Before
     public void setup() throws Exception {
-        testnodeStore = new File(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks").toURI());
+        testnodeStore = Paths.get(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks").toURI());
     }
 
     @Test(expected = ElasticsearchSSLException.class)
     public void testThatInvalidProtocolThrowsException() throws Exception {
         new SSLService(settingsBuilder()
                             .put("shield.ssl.protocol", "non-existing")
-                            .put("shield.ssl.keystore.path", testnodeStore.getPath())
+                            .put("shield.ssl.keystore.path", testnodeStore)
                             .put("shield.ssl.keystore.password", "testnode")
-                            .put("shield.ssl.truststore.path", testnodeStore.getPath())
+                            .put("shield.ssl.truststore.path", testnodeStore)
                             .put("shield.ssl.truststore.password", "testnode")
                         .build()).createSSLEngine();
     }
 
     @Test
     public void testThatCustomTruststoreCanBeSpecified() throws Exception {
-        File testClientStore = new File(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.jks").toURI());
+        Path testClientStore = Paths.get(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.jks").toURI());
 
         SSLService sslService = new SSLService(settingsBuilder()
-                .put("shield.ssl.keystore.path", testnodeStore.getPath())
+                .put("shield.ssl.keystore.path", testnodeStore)
                 .put("shield.ssl.keystore.password", "testnode")
                 .build());
 
         ImmutableSettings.Builder settingsBuilder = settingsBuilder()
-                .put("truststore.path", testClientStore.getPath())
+                .put("truststore.path", testClientStore)
                 .put("truststore.password", "testclient");
 
         SSLEngine sslEngineWithTruststore = sslService.createSSLEngine(settingsBuilder.build());
@@ -60,7 +61,7 @@ public class SSLServiceTests extends ElasticsearchTestCase {
     @Test
     public void testThatSslContextCachingWorks() throws Exception {
         SSLService sslService = new SSLService(settingsBuilder()
-            .put("shield.ssl.keystore.path", testnodeStore.getPath())
+            .put("shield.ssl.keystore.path", testnodeStore)
             .put("shield.ssl.keystore.password", "testnode")
             .build());
 
@@ -69,4 +70,23 @@ public class SSLServiceTests extends ElasticsearchTestCase {
 
         assertThat(sslContext, is(sameInstance(cachedSslContext)));
     }
+
+    @Test
+    public void testThatKeyStoreAndKeyCanHaveDifferentPasswords() throws Exception {
+        Path differentPasswordsStore = Paths.get(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks").toURI());
+        new SSLService(settingsBuilder()
+                .put("shield.ssl.keystore.path", differentPasswordsStore)
+                .put("shield.ssl.keystore.password", "testnode")
+                .put("shield.ssl.keystore.key_password", "testnode1")
+                .build()).createSSLEngine();
+    }
+
+    @Test(expected = ElasticsearchSSLException.class)
+    public void testIncorrectKeyPasswordThrowsException() throws Exception {
+        Path differentPasswordsStore = Paths.get(getClass().getResource("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks").toURI());
+        new SSLService(settingsBuilder()
+                .put("shield.ssl.keystore.path", differentPasswordsStore)
+                .put("shield.ssl.keystore.password", "testnode")
+                .build()).createSSLEngine();
+    }
 }
diff --git a/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks b/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks
new file mode 100644
index 00000000000..bbe83e2633f
Binary files /dev/null and b/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-different-passwords.jks differ