diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go
index 89f3810a409..70661a3f22b 100644
--- a/cmd/cosign/cli/options/trustedroot.go
+++ b/cmd/cosign/cli/options/trustedroot.go
@@ -23,6 +23,7 @@ type TrustedRootCreateOptions struct {
 CAIntermediates string
 CARoots string
 CertChain string
+ IgnoreSCT bool
 Out string
 RekorURL string
 TSACertChainPath string
@@ -53,6 +54,10 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
+ cmd.Flags().BoolVar(&o.IgnoreSCT, "ignore-sct", false,
+ "when set, do not include key for verifying certificate transparency "+
+ "log. Set this if you signed with a key instead of using Fulcio.")
+
 cmd.Flags().StringVar(&o.Out, "out", "", "path to output trusted root")
diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go
index fb10c7ad555..c0e9e905258 100644
--- a/cmd/cosign/cli/trustedroot.go
+++ b/cmd/cosign/cli/trustedroot.go
@@ -48,6 +48,7 @@ func trustedRootCreate() *cobra.Command {
 CAIntermediates: o.CAIntermediates,
 CARoots: o.CARoots,
 CertChain: o.CertChain,
+ IgnoreSCT: o.IgnoreSCT,
 Out: o.Out,
 RekorURL: o.RekorURL,
 TSACertChainPath: o.TSACertChainPath,
diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
index e254f506ea6..f9df2d2f349 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -21,6 +21,7 @@ import (
 "crypto/sha256"
 "crypto/x509"
 "encoding/base64"
+ "encoding/hex"
 "encoding/pem"
 "errors"
 "fmt"
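Review bot: The help text of the new `--ignore-sct` flag in AddFlags says what is omitted but not where the key comes from when the flag is left unset; the producing code in trustedroot.go calls `cosign.GetCTLogPubs(ctx)` with nothing from these options, so the keys come from the ambient Sigstore trust configuration (presumably the TUF root or its environment override) rather than from `--certificate-chain`. An operator building a root for a private Fulcio with its own CT log has no way to supply that log's key here and, with the flag unset, will likely get a root whose CT keys do not match their certificates' SCTs. I would extend the help to `"when set, do not include key for verifying certificate transparency log. Set this if you signed with a key instead of using Fulcio. When unset, the key comes from the configured Sigstore trust root, not from --certificate-chain."` and consider a follow-up that accepts a CT log key file alongside the CA flags.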
@@ -29,19 +30,22 @@ import (
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
+ "github.com/sigstore/cosign/v2/pkg/cosign"
 )
 type CreateCmd struct {
 CAIntermediates string
 CARoots string
 CertChain string
+ IgnoreSCT bool
 Out string
 RekorURL string
 TSACertChainPath string
 }
-func (c *CreateCmd) Exec(_ context.Context) error {
+func (c *CreateCmd) Exec(ctx context.Context) error {
 var fulcioCertAuthorities []root.CertificateAuthority
+ ctLogs := make(map[string]*root.TransparencyLog)
 var timestampAuthorities []root.CertificateAuthority
 rekorTransparencyLogs := make(map[string]*root.TransparencyLog)
@@ -80,6 +84,26 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 }
 }
+ if !c.IgnoreSCT {
+ ctLogPubKeys, err := cosign.GetCTLogPubs(ctx)
+ if err != nil {
+ return err
+ }
+
+ for id, key := range ctLogPubKeys.Keys {
+ idBytes, err := hex.DecodeString(id)
+ if err != nil {
+ return err
+ }
+ ctLogs[id] = &root.TransparencyLog{
+ ID: idBytes,
+ HashFunc: crypto.SHA256,
+ PublicKey: key.PubKey,
+ SignatureHashFunc: crypto.SHA256,
+ }
+ }
+ }
+
 if c.RekorURL != "" {
 rekorClient, err := rekor.NewClient(c.RekorURL)
 if err != nil {
@@ -124,7 +148,8 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 }
 newTrustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01,
- fulcioCertAuthorities, nil, timestampAuthorities, rekorTransparencyLogs,
+ fulcioCertAuthorities, ctLogs, timestampAuthorities,
+ rekorTransparencyLogs,
 )
 if err != nil {
 return err
diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
index b5e56f9225e..236d81a6afd 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot_test.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot_test.go
@@ -45,6 +45,7 @@ func TestCreateCmd(t *testing.T) {
 trustedrootCreate := CreateCmd{
 CertChain: fulcioChainPath,
+ IgnoreSCT: true,
 Out: outPath,
 TSACertChainPath: tsaChainPath,
 }
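Review bot: Both error returns in the new `if !c.IgnoreSCT` block hand back the underlying error with no indication of which step failed, although `fmt` is already imported in this file; `return fmt.Errorf("getting CT log public keys: %w", err)` and `return fmt.Errorf("decoding CT log id %q: %w", id, err)` would tell the operator whether the trust-root fetch or a malformed key ID was the cause. I would also add a why-comment above `if !c.IgnoreSCT {`, e.g. `// CT log keys come from the ambient Sigstore trust configuration, not from the CA flags; deployments with a private CT log need --ignore-sct until its key can be supplied explicitly.`, because nothing in CreateCmd is passed to `GetCTLogPubs`. Both hash functions are pinned to SHA-256 for every returned log; that matches the public logs today, but the comment should say it is an assumption rather than something read from the key material. Exec begins and ends outside this hunk.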
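Review bot: Setting `IgnoreSCT: true` in TestCreateCmd keeps the existing test offline but leaves the new CT-log branch in Exec with no coverage, so a regression in the hex decode or in the TransparencyLog construction would pass CI. A second case with the field left false needs a local key source rather than the network; if I recall correctly, cosign honours a `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE` override in `GetCTLogPubs`, which would let the test point at a generated key and then assert that the written trusted root carries exactly one CT log with the expected ID. TestCreateCmd begins and ends outside this hunk.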
diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md
index 8c7e94bba37..c6aca66c159 100644
--- a/doc/cosign_trusted-root_create.md
+++ b/doc/cosign_trusted-root_create.md
@@ -17,6 +17,7 @@ cosign trusted-root create [flags]
 --ca-roots string path to a bundle file of CA certificates in PEM format which will be needed when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.
 --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.
 -h, --help help for create
+ --ignore-sct when set, do not include key for verifying certificate transparency log. Set this if you signed with a key instead of using Fulcio.
 --out string path to output trusted root
 --rekor-url string address of rekor STL server
 --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates