diff --git a/README.md b/README.md
index 79d0363eeb04ffc6e6d4d59b226cc6d780d26b9f..26a9b2d4c8376939d47989f39209261502a1b16b 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ You may want to run the script once a day to update the IdPs, e.g. via cron or s
  - `SAML2_METADATA_URL` (URL to SAML 2.0 Metadata document)
  - `SAML2_METADATA_CRT_FILE` (path to the X.509 certificate to use for XML Signature verification of the Metadata)
  - `SAML2_METADATA_INSECURE` (if no XML Signature verification and no `validUntil` expiration check should be performed; NOT RECOMMENDED)
+ - `SAML2_METADATA_EXCLUDE_JSON_PATH` (path ending with /, default is ./)
  - `KEYCLOAK_URL` (URL to Keycloak instance)
  - `KEYCLOAK_REALM` (Keycloak realm)
  - `KEYCLOAK_USER` (Keycloak user)
diff --git a/main.py b/main.py
index ba9e46b0a791aff0f84ebf5e663826db6c262d06..26f395a0a70409a694ea416c5134ad0ce7f244c3 100644
--- a/main.py
+++ b/main.py
@@ -57,6 +57,7 @@ class Metadata_importer():
         self.__get_excluded()
 
     def __get_settings(self):
+        self.metadata_exclude_json_path = os.getenv('SAML2_METADATA_EXCLUDE_JSON_PATH','./')
         self.metadata_feed_url = os.getenv('SAML2_METADATA_URL')
         self.metadata_feed_crt = os.getenv('SAML2_METADATA_CRT_FILE')
         self.metadata_feed_insecure = os.getenv('SAML2_METADATA_INSECURE', False)
@@ -88,7 +89,7 @@ class Metadata_importer():
             self.NS = json.load(f)
 
     def __get_excluded(self):
-        with open("./exclude.json") as f:
+        with open(self.metadata_exclude_json_path+"exclude.json") as f:
             self.excluded = json.load(f)
 
     def __get_sync_db(self):
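Review bot: The path in `__get_excluded` is built by string concatenation, so a `SAML2_METADATA_EXCLUDE_JSON_PATH` value without a trailing `/` (constructed example: `/opt/conf`) becomes `/opt/confexclude.json`, which either fails to open or opens a different file than intended. Since `exclude.json` decides which entries are left out of the import, I would build it with `os.path.join(self.metadata_exclude_json_path, "exclude.json")`, which works with or without the trailing slash and lets the README drop that requirement. The value is read in `__get_settings` in the previous hunk, and its default `./` is still relative to the working directory, which may not be the script directory when run from cron.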
@@ -471,7 +472,7 @@ class Metadata_importer():
         keys=jdata["keys"]
         key_to_use=None
         for k in keys:
-            if k['use']=='enc':
+            if k['use']=='sig':
                 key_to_use=k["x5c"][0]
                 break
         if not key_to_use:
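Review bot: `k['use']` and `k["x5c"][0]` are indexed directly, so a key-set entry without `use` or `x5c` (both are optional JWK members) raises `KeyError` before the `if not key_to_use` check is reached. `if k.get('use') == 'sig' and k.get('x5c'):` would skip such an entry and continue to the next key. The loop also stops at the first `sig` key, so if the key set can hold more than one signing key (for example during rotation) the certificate picked here may not be the active one. A comment stating that assumption would help. The enclosing function starts and ends outside the hunk.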