diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index 91469c745a..6d86e93a1d 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -27,23 +27,15 @@ var cmdKeys = &cobra.Command{
 Use: "keys",
 Short: "Operates on keys.",
 Long: "operations on signature keys and trusted certificate authorities.",
- Run: nil,
+ Run: keysList,
 }
 func init() {
 cmdKeys.AddCommand(cmdKeysTrust)
- cmdKeys.AddCommand(cmdKeysList)
 cmdKeys.AddCommand(cmdKeysRemove)
 cmdKeys.AddCommand(cmdKeysGenerate)
 }
-var cmdKeysList = &cobra.Command{
- Use: "list",
- Short: "List the currently trusted certificate authorities.",
- Long: "lists the currently trusted certificate authorities.",
- Run: keysList,
- }
-
 var cmdKeysRemove = &cobra.Command{
 Use: "remove [ Subject Key ID ]",
 Short: "removes trust from a specific certificate authority or certificate.",
@@ -71,17 +63,33 @@ func keysRemove(cmd *cobra.Command, args []string) {
 fatalf("must specify a SHA256 SubjectKeyID of the certificate")
 }
+ failed := true
 cert, err := caStore.GetCertificateBySKID(args[0])
- if err != nil {
- fatalf("certificate not found")
+ if err == nil {
+ fmt.Printf("Removing: ")
+ printCert(cert)
+
+ err = caStore.RemoveCert(cert)
+ if err != nil {
+ fatalf("failed to remove certificate for Root KeyStore")
+ }
+ failed = false
 }
- fmt.Printf("Removing: ")
- printCert(cert)
+ cert, err = privStore.GetCertificateBySKID(args[0])
+ if err == nil {
+ fmt.Printf("Removing: ")
+ printCert(cert)
- err = caStore.RemoveCert(cert)
- if err != nil {
- fatalf("failed to remove certificate for Key Store")
+ //TODO (diogo): remove associated private key
+ err = privStore.RemoveCert(cert)
+ if err != nil {
+ fatalf("failed to remove certificate for Private KeyStore")
+ }
+ failed = false
+ }
+ if failed {
+ fatalf("certificate not found in any store")
 }
 }
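Review bot: cmdKeys's `Short` and `Long` no longer say what the command does on its own: with `Run: keysList` and cmdKeysList removed, `notary keys` with no subcommand now lists certificates, and the only help text that said so (`"List the currently trusted certificate authorities."`) was deleted with the subcommand. Extend the description, e.g. `Long: "operations on signature keys and trusted certificate authorities; without a subcommand, lists the trusted root certificates and signing keys.",`. Removing the `list` subcommand is also a user-visible CLI change, so any script invoking `notary keys list` will stop working; if that is intended it deserves a line in the commit message.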
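Review bot: In keysRemove the two `if err == nil {` branches treat every error from GetCertificateBySKID as "not in this store", so a read or parse failure in the CA store is silently skipped and the run ends with `fatalf("certificate not found in any store")`, hiding the real cause; unless the store API guarantees that its only error is not-found (not visible here), the error should be inspected, e.g. by distinguishing a not-found sentinel from other errors before falling through. The `//TODO (diogo): remove associated private key` branch also means a successful `keys remove` deletes the certificate but leaves the private key material in the private store, which the command should at least tell the user until the TODO is done, e.g. `fmt.Println("note: the associated private key was not removed")`. Finally `failed` really means "nothing was removed"; `removed := false` with `if !removed {` at the end reads more directly. keysRemove begins before this hunk.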
@@ -121,13 +129,24 @@ func keysTrust(cmd *cobra.Command, args []string) {
 }
 func keysList(cmd *cobra.Command, args []string) {
- // Load all the certificates
- trustedCAs := caStore.GetCertificates()
+ if len(args) > 0 {
+ cmd.Usage()
+ os.Exit(1)
+ }
+ fmt.Println("# Trusted Root keys: ")
+ trustedCAs := caStore.GetCertificates()
 for _, c := range trustedCAs {
 printCert(c)
 }
+ fmt.Println("")
+ fmt.Println("# Signing keys: ")
+ privateCerts := privStore.GetCertificates()
+ for _, c := range privateCerts {
+ printCert(c)
+ }
+
 }
 func keysGenerate(cmd *cobra.Command, args []string) {
diff --git a/cmd/notary/main.go b/cmd/notary/main.go
index 586f50f26a..7f27d05bc3 100644
--- a/cmd/notary/main.go
+++ b/cmd/notary/main.go
@@ -20,6 +20,7 @@ const caDir string = ".docker/trust/certificate_authorities/"
 const privDir string = ".docker/trust/private/"
 var caStore trustmanager.X509Store
+var privStore trustmanager.X509Store
 func init() {
 // Retrieve current user to get home directory
@@ -69,6 +70,13 @@ func init() {
 cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
 cert.SignatureAlgorithm != x509.ECDSAWithSHA1
 })
+
+ privStore = trustmanager.NewX509FilteredFileStore(finalPrivDir, func(cert *x509.Certificate) bool {
+ return time.Now().Before(cert.NotAfter) &&
+ cert.SignatureAlgorithm != x509.SHA1WithRSA &&
+ cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
+ cert.SignatureAlgorithm != x509.ECDSAWithSHA1
+ })
 }
 func main() {
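Review bot: In keysList the error returned by `cmd.Usage()` is dropped on the line before `os.Exit(1)`; either check it or write `_ = cmd.Usage() // best effort before exiting` so vet and staticcheck do not flag it. The function also lost its only comment when `// Load all the certificates` was removed; a header such as `// keysList prints every certificate in the trusted-root store, then every certificate in the private (signing) store; any extra argument prints usage and exits 1.` would replace it and document the new argument check. Two smaller points: `fmt.Println("")` is just `fmt.Println()`, and the added blank line before the closing brace is noise.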
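Review bot: The filter closure passed to NewX509FilteredFileStore for privStore is a verbatim copy of the caStore filter whose tail is visible just above it, so any later tightening of the accepted signature algorithms or validity rules must be made in two places and the two stores can silently drift apart. Hoist the predicate into a named package-level function and pass it to both constructors; the caStore call and init() itself begin outside this hunk, so only the privStore side is shown below. Note also that the predicate checks only `cert.NotAfter`; if not-yet-valid certificates should be rejected as well, `time.Now().After(cert.NotBefore) &&` belongs in the same helper so both stores apply it.
```go
// isUsableCert is the acceptance filter shared by the CA and private
// stores: the certificate is unexpired and not signed with SHA-1.
func isUsableCert(cert *x509.Certificate) bool {
	return time.Now().Before(cert.NotAfter) &&
		cert.SignatureAlgorithm != x509.SHA1WithRSA &&
		cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
		cert.SignatureAlgorithm != x509.ECDSAWithSHA1
}

	// … unchanged: init() up to and including the caStore construction, which passes isUsableCert instead of its inline closure …
	privStore = trustmanager.NewX509FilteredFileStore(finalPrivDir, isUsableCert)
```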