diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go
index 24d271e3e33..fb10c7ad555 100644
--- a/cmd/cosign/cli/trustedroot.go
+++ b/cmd/cosign/cli/trustedroot.go
@@ -43,8 +43,8 @@ func trustedRootCreate() *cobra.Command {
 Use: "create",
 Short: "Create a Sigstore protobuf trusted root",
 Long: "Create a Sigstore protobuf trusted root by supplying verification material",
- RunE: func(cmd *cobra.Command, args []string) error {
- trCreateCmd := &trustedroot.TrustedRootCreateCmd{
+ RunE: func(cmd *cobra.Command, _ []string) error {
+ trCreateCmd := &trustedroot.CreateCmd{
 CAIntermediates: o.CAIntermediates,
 CARoots: o.CARoots,
 CertChain: o.CertChain,
diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
index 125ed4f06c8..5cc6ad99818 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -32,7 +32,7 @@ import (
 "github.com/sigstore/cosign/v2/internal/ui"
 )
-type TrustedRootCreateCmd struct {
+type CreateCmd struct {
 CAIntermediates string
 CARoots string
 CertChain string
@@ -41,7 +41,7 @@ type TrustedRootCreateCmd struct {
 TSACertChainPath string
 }
-func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error {
+func (c *CreateCmd) Exec(ctx context.Context) error {
 var fulcioCertAuthorities []root.CertificateAuthority
 var timestampAuthorities []root.CertificateAuthority
 rekorTransparencyLogs := make(map[string]*root.TransparencyLog)
@@ -52,7 +52,6 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error {
 return err
 }
 fulcioCertAuthorities = append(fulcioCertAuthorities, *fulcioAuthority)
-
 } else if c.CARoots != "" {
 roots, err := parseCerts(c.CARoots)
 if err != nil {
@@ -108,10 +107,10 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error {
 rekorTransparencyLog := root.TransparencyLog{
 BaseURL: c.RekorURL,
- HashFunc: crypto.Hash(crypto.SHA256),
+ HashFunc: crypto.SHA256,
 ID: keyHash[:],
 PublicKey: pub,
- SignatureHashFunc: crypto.Hash(crypto.SHA256),
+ SignatureHashFunc: crypto.SHA256,
 }
 rekorTransparencyLogs[keyID] = &rekorTransparencyLog
@@ -140,7 +139,7 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error {
 }
 if c.Out != "" {
- err = os.WriteFile(c.Out, trBytes, 0640)
+ err = os.WriteFile(c.Out, trBytes, 0600)
 if err != nil {
 return err
 }
@@ -187,7 +186,7 @@ func parseCerts(path string) ([]*x509.Certificate, error) {
 }
 if len(certs) == 0 {
- return nil, fmt.Errorf("No certificates in file %s", path)
+ return nil, fmt.Errorf("no certificates in file %s", path)
 }
 return certs, nil
diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
index 582b6cf7f29..3b2f4878af6 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot_test.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot_test.go
@@ -29,7 +29,7 @@ import (
 "github.com/sigstore/sigstore-go/pkg/root"
 )
-func TestTrustedRootCreate(t *testing.T) {
+func TestCreateCmd(t *testing.T) {
 ctx := context.Background()
 // Make some certificate chains
@@ -43,7 +43,7 @@ func TestTrustedRootCreate(t *testing.T) {
 outPath := filepath.Join(td, "trustedroot.json")
- trustedrootCreate := TrustedRootCreateCmd{
+ trustedrootCreate := CreateCmd{
 CertChain: fulcioChainPath,
 Out: outPath,
 TSACertChainPath: tsaChainPath,
diff --git a/doc/cosign.md b/doc/cosign.md
index d7f90aae469..bb2e39b15d7 100644
--- a/doc/cosign.md
+++ b/doc/cosign.md
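Review bot: `HashFunc` and `SignatureHashFunc` are both pinned to `crypto.SHA256` independently of whatever key type the surrounding code parsed into `pub`, so a Rekor instance signing with a scheme that implies a different digest would yield a trusted root whose entries fail verification later rather than an error here. Dropping the redundant `crypto.Hash(...)` conversion is fine; what remains unrecorded is the assumption behind the constant. If SHA-256 is intentional, a comment such as `// assumes a SHA-256-based Rekor signing key; derive from pub if other key types are ever accepted` above the struct literal would make that visible to a later maintainer, otherwise derive the digest from the parsed key. Exec starts and ends outside this hunk.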
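Review bot: The tightening to `0600` in the `os.WriteFile` call is stricter than the content requires — the trusted root holds only public keys and certificates — and nothing in the hunk records why, so a later reader may either loosen it again or start treating the file as secret. If the change is lint-driven (it matches what gosec G306 asks for), a one-line comment like `// 0600 satisfies gosec G306; the trusted root is public material and may be re-permissioned for distribution` would settle that. Separately, `os.WriteFile` truncates `c.Out` before writing, so a write that fails part-way leaves a partial file at the output path; that is worth a sentence in the command's doc if callers are expected to retry. Exec continues outside this hunk.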
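Review bot: In the new error string `path` appears to be a flag-supplied file path (the call site `parseCerts(c.CARoots)` is visible in the earlier hunk), so `%q` would render it more robustly than `%s` — an empty or whitespace-containing path shows up quoted instead of disappearing from the message: `return nil, fmt.Errorf("no certificates in file %q", path)`. The lowercase fix itself is correct. parseCerts begins outside this hunk.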
@@ -37,6 +37,7 @@ A tool for Container Signing, Verification and Storage in an OCI registry.
 * [cosign sign-blob](cosign_sign-blob.md) - Sign the supplied blob, outputting the base64-encoded signature to stdout.
 * [cosign tree](cosign_tree.md) - Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
 * [cosign triangulate](cosign_triangulate.md) - Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.
+* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root
 * [cosign upload](cosign_upload.md) - Provides utilities for uploading artifacts to a registry
 * [cosign verify](cosign_verify.md) - Verify a signature on the supplied container image
 * [cosign verify-attestation](cosign_verify-attestation.md) - Verify an attestation on the supplied container image
diff --git a/doc/cosign_trusted-root.md b/doc/cosign_trusted-root.md
new file mode 100644
index 00000000000..eb2dc15dfb9
--- /dev/null
+++ b/doc/cosign_trusted-root.md
@@ -0,0 +1,27 @@
+## cosign trusted-root
+
+Interact with a Sigstore protobuf trusted root
+
+### Synopsis
+
+Tools for interacting with a Sigstore protobuf trusted root
+
+### Options
+
+```
+ -h, --help help for trusted-root
+```
+
+### Options inherited from parent commands
+
+```
+ --output-file string log output to a file
+ -t, --timeout duration timeout for commands (default 3m0s)
+ -d, --verbose log debug output
+```
+
+### SEE ALSO
+
+* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry.
+* [cosign trusted-root create](cosign_trusted-root_create.md) - Create a Sigstore protobuf trusted root
+
diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md
new file mode 100644
index 00000000000..8c7e94bba37
--- /dev/null
+++ b/doc/cosign_trusted-root_create.md
@@ -0,0 +1,36 @@
+## cosign trusted-root create
+
+Create a Sigstore protobuf trusted root
+
+### Synopsis
+
+Create a Sigstore protobuf trusted root by supplying verification material
+
+```
+cosign trusted-root create [flags]
+```
+
+### Options
+
+```
+ --ca-intermediates string path to a file of intermediate CA certificates in PEM format which will be needed when building the certificate chains for the signing certificate. The flag is optional and must be used together with --ca-roots, conflicts with --certificate-chain.
+ --ca-roots string path to a bundle file of CA certificates in PEM format which will be needed when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.
+ -h, --help help for create
+ --out string path to output trusted root
+ --rekor-url string address of rekor STL server
+ --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates
+```
+
+### Options inherited from parent commands
+
+```
+ --output-file string log output to a file
+ -t, --timeout duration timeout for commands (default 3m0s)
+ -d, --verbose log debug output
+```
+
+### SEE ALSO
+
+* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root
+