diff --git a/tools/gen_cap_cert.sh b/tools/gen_cap_cert.sh
new file mode 100755
index 0000000..73a9191
--- /dev/null
+++ b/tools/gen_cap_cert.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+CAP=$1
+
+if [ "$CAP" = "" ]; then
+  echo "usage: $0 <cap-name>"
+  exit 1
+fi
+
+CAP_KEY="${CAP}.key"
+CAP_CERT="${CAP}.crt"
+
+if [ -e "$CAP_KEY" ]; then
+  echo "$CAP_KEY already exists"
+  exit 1
+fi
+
+openssl genrsa -out "${CAP_KEY}" 2048
+openssl req -new -sha256 -key "${CAP_KEY}" -subj "/CN=$CAP" -out "${CAP_CERT}.csr" \
+   -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment"
+openssl x509 -req -in "${CAP_CERT}.csr" -CA capsman-ca.crt -CAkey capsman-ca.key -out "${CAP_CERT}" -days 10000 -copy_extensions "copyall"
+rm -f "${CAP_CERT}.csr"
diff --git a/tools/gen_capsman_ca.sh b/tools/gen_capsman_ca.sh
new file mode 100755
index 0000000..ccda7c2
--- /dev/null
+++ b/tools/gen_capsman_ca.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ -e capsman-ca.key ]; then
+  echo "capsman-ca.key already exists"
+  exit 1
+fi
+
+openssl genrsa -out capsman-ca.key 2048
+openssl req -x509 -new -nodes -key capsman-ca.key -sha256 -days 10000 -out capsman-ca.crt -subj "/CN=capsman-ca" \
+   -addext "basicConstraints = critical,CA:true" \
+   -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign"
diff --git a/tools/gen_capsman_cert.sh b/tools/gen_capsman_cert.sh
new file mode 100755
index 0000000..a10b1c9
--- /dev/null
+++ b/tools/gen_capsman_cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ -e capsman.key ]; then
+  echo "capsman.key already exists"
+  exit 1
+fi
+
+openssl genrsa -out capsman.key 2048
+openssl req -new -sha256 -key capsman.key -subj "/CN=capsman" -out capsman.csr \
+   -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment"
+openssl x509 -req -in capsman.csr -CA capsman-ca.crt -CAkey capsman-ca.key -out capsman.crt -days 10000 -sha256 -copy_extensions "copyall"
+rm -f capsman.csr