diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go index 70661a3f22b..a05805ae884 100644 --- a/cmd/cosign/cli/options/trustedroot.go +++ b/cmd/cosign/cli/options/trustedroot.go @@ -24,8 +24,8 @@ type TrustedRootCreateOptions struct { CARoots string CertChain string IgnoreSCT bool + IgnoreTlog bool Out string - RekorURL string TSACertChainPath string } @@ -58,12 +58,13 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) { "when set, do not include key for verifying certificate transparency "+ "log. Set this if you signed with a key instead of using Fulcio.") + cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false, + "when set, do not include key for verifying transparency. Set this if "+ + "you did not sign with Rekor.") + cmd.Flags().StringVar(&o.Out, "out", "", "path to output trusted root") - cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "", - "address of rekor STL server") - cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-certificate-chain", "", "path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+ "Optionally may contain intermediate CA certificates") diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go index c0e9e905258..374451f8a22 100644 --- a/cmd/cosign/cli/trustedroot.go +++ b/cmd/cosign/cli/trustedroot.go @@ -49,8 +49,8 @@ func trustedRootCreate() *cobra.Command { CARoots: o.CARoots, CertChain: o.CertChain, IgnoreSCT: o.IgnoreSCT, + IgnoreTlog: o.IgnoreTlog, Out: o.Out, - RekorURL: o.RekorURL, TSACertChainPath: o.TSACertChainPath, } diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go index f9df2d2f349..a0b56557a7d 100644 --- a/cmd/cosign/cli/trustedroot/trustedroot.go +++ b/cmd/cosign/cli/trustedroot/trustedroot.go 
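Review bot: The help text for the new `--ignore-tlog` flag in `AddFlags`, `do not include key for verifying transparency`, drops the word "log" and, unlike the `--ignore-sct` text just above it, does not tell the user where the key now comes from once `--rekor-url` is removed. Suggest `"when set, do not include key for verifying the Rekor transparency log. Set this if "+` / `"you did not sign with Rekor."`, and one more sentence stating that the log key is presumably resolved from cosign's configured trust root (see `cosign.GetRekorPubs` in the third file) rather than from a caller-supplied URL, so operators of a private Rekor know there is no replacement for `--rekor-url` on this command. The same wording is echoed verbatim in the generated `doc/cosign_trusted-root_create.md` hunk and should be regenerated with it. `AddFlags` starts and ends outside this hunk.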
@@ -18,18 +18,14 @@ package trustedroot import ( "context" "crypto" - "crypto/sha256" "crypto/x509" - "encoding/base64" "encoding/hex" "encoding/pem" - "errors" "fmt" "os" "github.com/sigstore/sigstore-go/pkg/root" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/v2/pkg/cosign" ) @@ -38,8 +34,8 @@ type CreateCmd struct { CARoots string CertChain string IgnoreSCT bool + IgnoreTlog bool Out string - RekorURL string TSACertChainPath string } @@ -96,47 +92,32 @@ func (c *CreateCmd) Exec(ctx context.Context) error { return err } ctLogs[id] = &root.TransparencyLog{ - ID: idBytes, HashFunc: crypto.SHA256, + ID: idBytes, PublicKey: key.PubKey, SignatureHashFunc: crypto.SHA256, } } } - if c.RekorURL != "" { - rekorClient, err := rekor.NewClient(c.RekorURL) - if err != nil { - return fmt.Errorf("creating Rekor client: %w", err) - } - - rekorPubKey, err := rekorClient.Pubkey.GetPublicKey(nil) - if err != nil { - return err - } - - block, _ := pem.Decode([]byte(rekorPubKey.Payload)) - if block == nil { - return errors.New("failed to decode public key of server") - } - - pub, err := x509.ParsePKIXPublicKey(block.Bytes) + if !c.IgnoreTlog { + tlogPubKeys, err := cosign.GetRekorPubs(ctx) if err != nil { return err } - keyHash := sha256.Sum256(block.Bytes) - keyID := base64.StdEncoding.EncodeToString(keyHash[:]) - - rekorTransparencyLog := root.TransparencyLog{ - BaseURL: c.RekorURL, - HashFunc: crypto.SHA256, - ID: keyHash[:], - PublicKey: pub, - SignatureHashFunc: crypto.SHA256, + for id, key := range tlogPubKeys.Keys { + idBytes, err := hex.DecodeString(id) + if err != nil { + return err + } + rekorTransparencyLogs[id] = &root.TransparencyLog{ + HashFunc: crypto.SHA256, + ID: idBytes, + PublicKey: key.PubKey, + SignatureHashFunc: crypto.SHA256, + } } - - rekorTransparencyLogs[keyID] = &rekorTransparencyLog } if c.TSACertChainPath != "" { 
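Review bot: In the new `!c.IgnoreTlog` branch of `Exec`, the errors from `cosign.GetRekorPubs(ctx)` and `hex.DecodeString(id)` are returned bare, whereas the removed path wrapped its failure as `creating Rekor client: %w`; a raw TUF or hex-decode error gives the operator no hint that it was the Rekor log key that could not be loaded into the trusted root. Suggest `return fmt.Errorf("getting Rekor public keys: %w", err)` and `return fmt.Errorf("decoding Rekor log ID %q: %w", id, err)`. The removed code also recorded the log's `BaseURL`; the new `root.TransparencyLog` entries (like the existing CT-log entries above them) carry none, so anything that serializes or matches a log by URL will presumably see an empty value — worth confirming that is intended. Note that the tlog key baked into the trusted root now depends on whatever `cosign.GetRekorPubs` resolves (a trust root or an override not visible here) rather than a URL chosen per invocation, which is a meaningful change in what the output attests to. `Exec` starts and ends outside this hunk.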
diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md index c6aca66c159..bc052813961 100644 --- a/doc/cosign_trusted-root_create.md +++ b/doc/cosign_trusted-root_create.md @@ -18,8 +18,8 @@ cosign trusted-root create [flags] --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates. -h, --help help for create --ignore-sct when set, do not include key for verifying certificate transparency log. Set this if you signed with a key instead of using Fulcio. + --ignore-tlog when set, do not include key for verifying transparency. Set this if you did not sign with Rekor. --out string path to output trusted root - --rekor-url string address of rekor STL server --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates ```