How to create a common pub key for all repositories in the same domain

Hi
According to the following tutorial:
https://cvmfs-contrib.github.io/cvmfs-tutorial-2021/02_stratum0_client/#215-repository-keys

Although you can use a different master key per repository, it is recommended to use the same master key for all repositories under a single domain, so that clients only need a single public master key to access all repositories under this domain. For more information, see the CernVM-FS documentation: Creating a Repository (Stratum 0) — CernVM-FS 2.10.1 documentation.

However I have also read the official documentation about creating a master key. I don’t find more information about how a common pub key can be created for several repositories.
Once I create a new repository with the following command:
sudo cvmfs_server mkfs -o $USER repo.organization.tld
It is creating 4 several key files in /etc/cvmfs/keys, and once I create another new repository, it is generating 4 new several keys files again in /etc/cvmfs/keys.
Is there a more “clean” way how a common pub key can be used for several repositories.

I have something like this in mind:
moving the 4 several key files to
/etc/cvmfs/keys/organization.tld and then the same pub key can be used ?
I have tried to modify the following environment variables (added in /etc/cvmfs/config.d/repo.organization.tld)

CVMFS_PUBLIC_KEY
CVMFS_KEYS_DIR

but without succes.

Once I try to resign the the new key, it is giving me the following error message:
Neither masterkey nor masterkeycard is available to sign whitelist!

Rather than changing those environment variables, the easiest thing to do is to copy the .pub and .masterkey files from one repository name to another in /etc/cvmfs/keys and then do cvmfs_server resign.

Or, I think that if you create the key files before running mkfs, it will just use them. I don’t have much experience with it because I prefer using the masterkeycard feature, which automatically shares the signing key between all the repositories.

Dave

hmm that still means that several .pub and .masterkeys need to stay in /etc/cvmfs/keys .
Currently I will work this way.

If someone have more experience with creating a common pub key for all repositories, let me know.