Well, you can load certs into the engine in any way. For example, using pkcs12 or directly from Microsoft Certs store. In general, cert is associated with a private key and the key is referenced from signature template. It is the application responsibility to load key into xmlsec and make cert->key association. Aleksey