Retrieve x509 certificate for the root key

[ghost]

in the section Key Rotations of Best Practices for Using Docker Notary, it mentions that:

Currently the Root key is published as a self signed x509 certificate with an expiry set 10 years in the future.

Where is this certificate and how can I retrieve it? This actually is linked to the question about with what is a root key generated?

It is useful to get this x509 certificate which contains the Root's public key so that people can boostrap trust.