Skip to content

Generate Signing Keys

Before you can certify any agent, you’ll need to create a signing key. This key will be used to sign the certificate for each agent and verify its authenticity.

How to Generate Keys

Use the following command to create a new keypair:

dokugent keygen

You’ll be prompted to:

  • Enter the owner's name (used as the identity label)
  • Enter a contact email (for audit or registry systems)
  • Optionally add an organization
  • Optionally define a trust level (e.g., founder, admin, reviewer)
  • Confirm and save the key metadata

Each identity will be stored and selectable during certification steps.

Where Keys Are Stored

Signing keys are stored in:

.dokugent/keys/owners/{name}/latest/
├── {name}.public.pem
├── {name}.private.pem
└── {name}.meta.json

The private key and public key are both stored under the latest/ directory for each owner. These are automatically used by dokugent certify.

Best Practices

  • Use one key per organization or creator. This improves traceability and helps manage revocation and trust.
  • Avoid reusing keys across multiple unrelated agent families. Treat the signing key like a notary stamp.
  • Keep owner keys safe. The private key should never be shared. Only distribute the public .pub.json version.

Once your keys are created, they’ll be selectable during the certify flow. No manual editing needed.