diff --git a/bare_minimum_crypto/cpp/Makefile b/bare_minimum_crypto/cpp/Makefile index 82410ba..577e448 100644 --- a/bare_minimum_crypto/cpp/Makefile +++ b/bare_minimum_crypto/cpp/Makefile @@ -14,7 +14,7 @@ bmc_main.o: bmc_main.cpp expiring_signature.h receiver.h sender.h signing_key.h base64.o: cpp-base64/base64.cpp cpp-base64/base64.h $(CXX) -o $@ $(CXX_FLAGS) $< -expiring_signature.o: expiring_signature.cpp expiring_signature.h +expiring_signature.o: expiring_signature.cpp expiring_signature.h time_helpers.h $(CXX) -o $@ $(CXX_FLAGS) $< receiver.o: receiver.cpp receiver.h expiring_signature.h sodium_helpers.h string_helpers.h time_helpers.h diff --git a/bare_minimum_crypto/cpp/bmc_main.cpp b/bare_minimum_crypto/cpp/bmc_main.cpp index 8582d9a..8aec328 100644 --- a/bare_minimum_crypto/cpp/bmc_main.cpp +++ b/bare_minimum_crypto/cpp/bmc_main.cpp @@ -215,6 +215,13 @@ int main (int argc, char ** argv) { auto pubkey_opt = base64_decode (pubkey_b64); const auto pubkey = std::move (*pubkey_opt); + auto sig_opt = key.sign (pubkey, TimeRange::from_start_and_dur (Instant::now (), about_3_months)); + if (! sig_opt) { + cerr << "Error, could not sign pubkey." << endl; + return 1; + } + const auto sig = std::move (*sig_opt); + } else if (result.count ("test")) { diff --git a/bare_minimum_crypto/cpp/expiring_signature.cpp b/bare_minimum_crypto/cpp/expiring_signature.cpp index 85efdbc..8853a0b 100644 --- a/bare_minimum_crypto/cpp/expiring_signature.cpp +++ b/bare_minimum_crypto/cpp/expiring_signature.cpp 
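Review bot: The added `key.sign (pubkey, ...)` call in bmc_main.cpp certifies whatever `*pubkey_opt` produced, and the lines shown contain no check between the base64 decode and the signing call that the decode succeeded or that the result has the expected public-key length. Since the output is a signature valid for about three months, bad input should be rejected before the dereference, for example `if (! pubkey_opt || pubkey_opt->size () != crypto_sign_PUBLICKEYBYTES) { cerr << "Error, pubkey is not valid." << endl; return 1; }`. The constant assumes the keys are libsodium Ed25519 keys, which the hunk does not show. `sig` is not used in the lines shown; if the output step comes in a later commit, a `// TODO: write sig + cert to the output file` comment would make that explicit. main's body starts and ends outside the hunk.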
@@ -12,4 +12,26 @@ namespace BareMinimumCrypto { bool ExpiringSignature::operator != (const ExpiringSignature & o) const { return ! (*this == o); } + + Bytes KeyCertFile::to_msgpack () const { + const json cert_j { + {"pubkey", json::binary (pubkey)}, + {"not_before", valid_time.not_before}, + {"not_after", valid_time.not_after}, + }; + + const auto cert = json::to_msgpack (cert_j); + + const json j { + {"sig", json::binary (sig)}, + {"cert", json::binary (cert)}, + }; + + return json::to_msgpack (j); + } + + optional KeyCertFile::try_from_msgpack (const json & msg) + { + return nullopt; + } } diff --git a/bare_minimum_crypto/cpp/expiring_signature.h b/bare_minimum_crypto/cpp/expiring_signature.h index fc3a3d5..16a7ce1 100644 --- a/bare_minimum_crypto/cpp/expiring_signature.h +++ b/bare_minimum_crypto/cpp/expiring_signature.h @@ -6,8 +6,11 @@ #include "json.hpp" +#include "time_helpers.h" + namespace BareMinimumCrypto { using namespace std; + using nlohmann::json; typedef vector Bytes; @@ -19,4 +22,15 @@ namespace BareMinimumCrypto { bool operator == (const ExpiringSignature & o) const; bool operator != (const ExpiringSignature & o) const; }; + + struct KeyCertFile { + Bytes sig; + + // The rest of the fields are inside a nested msgpack that gets signed + Bytes pubkey; + TimeRange valid_time; + + Bytes to_msgpack () const; + static optional try_from_msgpack (const json & msg); + }; }
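Review bot: `KeyCertFile::to_msgpack` re-encodes `cert` from `pubkey` and `valid_time` on every call, so the stored `sig` verifies only if that re-encoding is byte-for-byte what was originally signed, and nothing in the hunk ties the two together. nlohmann's default object type keeps keys sorted, so this encoder is stable against itself, but that guarantee presumably does not extend to a file produced by another implementation. Consider keeping the signed `cert` bytes verbatim in the struct, and when `try_from_msgpack` is filled in, verifying `sig` over the received `cert` bytes before reading any field out of them. Until then, a comment above the stub such as `// TODO: stub, always returns nullopt; must verify sig over the raw cert bytes before parsing them` would record the intent.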
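Review bot: In expiring_signature.h, `try_from_msgpack` takes an already-parsed `const json &`, so the decoding of untrusted bytes happens in the caller, where `json::from_msgpack` throws `json::parse_error` on malformed input by default. The `optional` return therefore covers only part of the failure cases. Taking `const Bytes & msg` and decoding inside with `allow_exceptions` set to false (then checking `is_discarded ()`) would keep every failure path on `nullopt` and mirror `to_msgpack`, which returns `Bytes`. The struct would also benefit from a comment stating whether a `KeyCertFile` instance implies a verified signature or only a parsed one, e.g. `// Parsed only; sig has NOT been checked against pubkey / valid_time`.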