elastic · jkakavas · Aug 28, 2019 · Aug 21, 2019 · Aug 28, 2019
diff --git a/docs/reference/commands/saml-metadata.asciidoc b/docs/reference/commands/saml-metadata.asciidoc
@@ -40,6 +40,10 @@ ensure its integrity and authenticity before sharing it with the Identity Provid
 The key used for signing the metadata file need not necessarily be the same as
 the keys already used in the saml realm configuration for SAML message signing.
 
+If your {es} keystore is password protected, you
+are prompted to enter the password when you run the
+`elasticsearch-saml-metadata` command.
+
 [float]
 === Parameters
 

diff --git a/docs/reference/commands/setup-passwords.asciidoc b/docs/reference/commands/setup-passwords.asciidoc
@@ -22,7 +22,9 @@ bin/elasticsearch-setup-passwords auto|interactive
 This command is intended for use only during the initial configuration of the
 {es} {security-features}. It uses the
 {stack-ov}/built-in-users.html#bootstrap-elastic-passwords[`elastic` bootstrap password]
-to run user management API requests. After you set a password for the `elastic`
+to run user management API requests. If your {es} keystore is password protected,
+before you can set the passwords for the built-in users, you must enter the keystore password.
+After you set a password for the `elastic`
 user, the bootstrap password is no longer active and you cannot use this command.
 Instead, you can change passwords by using the *Management > Users* UI in {kib}
 or the <<security-api-change-password,Change Password API>>.