diff --git a/certs/certificates.sh b/certs/certificates.sh
new file mode 100755
index 0000000..6ed2dd7
--- /dev/null
+++ b/certs/certificates.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# create CA keys and certificates
+openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
+ -addext "keyUsage = keyCertSign" \
+ -keyout server-ca.key -out server-ca.crt
+
+openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
+ -addext "keyUsage = keyCertSign" \
+ -keyout client-ca.key -out client-ca.crt
+
+
+# create keys and CSRs
+openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
+ -addext "subjectAltName = DNS:localhost" \
+ -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
+ -keyout server-cert.key -out server-cert.csr
+
+openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
+ -addext "subjectAltName = DNS:localhost" \
+ -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
+ -keyout client-cert.key -out client-cert.csr
+
+
+# sign certificate
+openssl x509 -req -extensions v3_req --extfile openssl-server.cnf -CAcreateserial \
+ -days 1825 \
+ -CA server-ca.crt -CAkey server-ca.key \
+ -in server-cert.csr -out server-cert.crt
+
+openssl x509 -req -extensions v3_req --extfile openssl-client.cnf -CAcreateserial \
+ -days 1825 \
+ -CA client-ca.crt -CAkey client-ca.key \
+ -in client-cert.csr -out client-cert.crt
+
+cat server-cert.crt > server-certchain.pem
+cat server-ca.crt >> server-certchain.pem
+
+cat client-cert.crt > client-certchain.pem
+cat client-ca.crt >> client-certchain.pem
+
+## converte to pkcs8
+#openssl pkcs8 -topk8 -nocrypt -in client-cert.key -out client-cert.key.pkcs8
+#openssl pkcs8 -topk8 -nocrypt -in server-cert.key -out server-cert.key.pkcs8
+
+
+## read certificate contents
+#openssl x509 -text -noout -in client-cert.crt
+#openssl x509 -text -noout -in server-cert.crt
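Review bot: The leaf certificates are signed with `-days 1825` while both CAs are created with `-days 365`, so server-cert.crt and client-cert.crt outlive their issuers by four years and chain validation fails after the first year; use one lifetime for both, e.g. `-days 365` on the two `openssl x509 -req` calls, or give the CAs the longer span. The script runs under `#!/bin/sh` with no `set -eu`, so a failed step (a missing openssl-*.cnf, for instance) still lets the `cat` lines build an incomplete chain file; add `set -eu` after the shebang, and `umask 077` so the unencrypted `-nodes` keys are not created with the default permissions. The `-addext` lines on the two CSR steps have no effect on the issued certificates: `openssl x509 -req` takes its extensions from `--extfile`/`-extensions v3_req` and does not copy CSR extensions unless told to, so either drop them or document that the .cnf files are authoritative. Whether the CA certificates carry `basicConstraints = CA:TRUE` depends on the OpenSSL version's defaults for `req -x509`; adding it explicitly with `-addext "basicConstraints = critical, CA:TRUE"` removes that dependency.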
diff --git a/certs/openssl-client.cnf b/certs/openssl-client.cnf
new file mode 100644
index 0000000..1552e68
--- /dev/null
+++ b/certs/openssl-client.cnf
@@ -0,0 +1,13 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+C = DE
+CN = localhost
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
diff --git a/certs/openssl-server.cnf b/certs/openssl-server.cnf
new file mode 100644
index 0000000..1552e68
--- /dev/null
+++ b/certs/openssl-server.cnf
@@ -0,0 +1,13 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+C = DE
+CN = localhost
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
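Review bot: openssl-client.cnf and openssl-server.cnf are byte-identical (both hunks show blob 1552e68), so the client certificate is issued with `extendedKeyUsage = clientAuth, serverAuth` and the server certificate likewise, which defeats the point of having separate client and server CAs: a client credential is also accepted as a server identity and vice versa. Restrict each file to its role, `extendedKeyUsage = clientAuth` in openssl-client.cnf and `extendedKeyUsage = serverAuth` in openssl-server.cnf. `dataEncipherment` in keyUsage is not used by TLS and `keyEncipherment` applies to RSA key transport, so for the prime256v1 keys certificates.sh generates `keyUsage = digitalSignature` is likely sufficient — confirm against the consuming TLS stack. The `[req]` and `[req_distinguished_name]` sections appear unused, since certificates.sh only references these files via `--extfile` on `openssl x509 -req`, which reads just the `v3_req` section; a comment at the top of each file saying so would keep the next reader from expecting them to take effect.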