you are not authorized to perform this operation: server returned 401.
Failed to add signer to: registry.example.com/user/repo
```
## Configuring the Notary client
Some of the more advanced features of DCT require the Notary CLI. To install and
configure the Notary CLI:
1. Download the [client](https://github.com/theupdateframework/notary/releases) and ensure that it is available on your path.
2. Create a configuration file at `~/.notary/config.json` with the following content:
```json
{
  "trust_dir": "~/.docker/trust",
  "remote_server": {
    "url": "https://registry.example.com",
    "root_ca": "../.docker/ca.pem"
  }
}
```
The newly created configuration file contains information about the location of your local Docker trust data and the notary server URL.
For more detailed information about how to use Notary outside of the
Docker Content Trust use cases, refer to the
[Notary CLI documentation](https://github.com/theupdateframework/notary/blob/master/docs/command_reference.md).
## Creating delegation keys
A prerequisite to adding your first contributor is a pair of delegation keys.
These keys can either be generated locally using `$ docker trust` or generated by
a certificate authority.
### Using Docker Trust to generate keys
Docker trust has a built-in generator for a delegation key pair,
`$ docker trust key generate <name>`. Running this command automatically loads
the delegation private key into the local Docker trust store.
```console
$ docker trust key generate jeff
Generating key for jeff...
Enter passphrase for new jeff key with ID 9deed25:
Repeat passphrase for new jeff key with ID 9deed25:
Successfully generated and loaded private key. Corresponding public key available: /home/ubuntu/Documents/mytrustdir/jeff.pub
```
### Manually generating keys
If you need to manually generate a private key (either RSA or ECDSA) and an X.509
certificate containing the public key, you can use local tools like openssl or
cfssl along with a local or company-wide Certificate Authority.
Here is an example of how to generate a 2048-bit RSA private key (all RSA keys
must be at least 2048 bits):
```console
$ openssl genrsa -out delegation.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
............+++
e is 65537 (0x10001)
```
The key holder should keep `delegation.key` private because it is used to sign tags.
Then they need to generate an X.509 certificate containing the public key, which is
what you need from them. Here is the command to generate a CSR (certificate
signing request):
```console
$ openssl req -new -sha256 -key delegation.key -out delegation.csr
```
Then they can send it to whichever CA you trust to sign certificates, or they
can self-sign the certificate (in this example, creating a certificate that is
valid for 1 year):
```console
$ openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt
```
Then they need to give you `delegation.crt`, whether it is self-signed or signed
by a CA.
Finally, you will need to add the private key into your local Docker trust store.
```console
$ docker trust key load delegation.key --name jeff
Loading key from "delegation.key"...
Enter passphrase for new jeff key with ID 8ae710e:
Repeat passphrase for new jeff key with ID 8ae710e:
Successfully imported key from delegation.key
```
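Before loading `delegation.key` or handing over `delegation.crt`, the key holder can confirm that the two files belong together, that the certificate has not expired, and that an RSA key meets the 2048-bit minimum stated above. The script below is an added example, not part of the Docker documentation; the helper name `check_delegation_pair` and the variable names are hypothetical, and it assumes an unencrypted PEM key as produced by `openssl genrsa` above.

```bash
#!/usr/bin/env bash
# Added example (not from the Docker docs): sanity-check a delegation
# certificate against its private key before `docker trust key load`.
# Assumes an unencrypted PEM key, as produced by `openssl genrsa` above.

check_delegation_pair() {   # hypothetical helper name
  dc_crt=$1
  dc_key=$2

  # 1. Certificate must parse and must not already be expired.
  if ! openssl x509 -in "$dc_crt" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $dc_crt is unreadable or expired" >&2
    return 1
  fi

  # 2. The public key embedded in the certificate must be the one derived
  #    from the private key; otherwise signatures will not verify.
  dc_crt_pub=$(openssl x509 -in "$dc_crt" -noout -pubkey 2>/dev/null)
  if ! dc_key_pub=$(openssl pkey -in "$dc_key" -pubout 2>/dev/null); then
    echo "FAIL: cannot read private key $dc_key" >&2
    return 1
  fi
  if [ "$dc_crt_pub" != "$dc_key_pub" ]; then
    echo "FAIL: certificate and private key do not match" >&2
    return 1
  fi

  # 3. RSA keys must be at least 2048 bits (ECDSA keys skip this check).
  dc_text=$(openssl x509 -in "$dc_crt" -noout -text)
  if printf '%s\n' "$dc_text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    dc_bits=$(printf '%s\n' "$dc_text" |
      sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${dc_bits:-0}" -lt 2048 ]; then
      echo "FAIL: RSA key is ${dc_bits:-unknown} bits, need >= 2048" >&2
      return 1
    fi
  fi

  echo "OK: $dc_crt matches $dc_key"
}

# Usage: ./check-delegation.sh delegation.crt delegation.key
if [ "$#" -eq 2 ]; then
  check_delegation_pair "$1" "$2"
fi
```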
### Viewing local delegation keys
To list the keys that have been imported into the local Docker trust store, we
can use the Notary CLI.
```console
$ notary key list
ROLE       GUN                          KEY ID                                                              LOCATION
----       ---                          ------                                                              --------
root                                    f6c6a4b00fefd8751f86194c7d87a3bede444540eb3378c4a11ce10852ab1f96    /home/ubuntu/.docker/trust/private
jeff                                    9deed251daa1aa6f9d5f9b752847647cf8d705da0763aa5467650d0987ed5306    /home/ubuntu/.docker/trust/private