diff --git a/certs/openssl.conf b/certs/openssl.conf
new file mode 100644
index 0000000..3ce1de5
--- /dev/null
+++ b/certs/openssl.conf
@@ -0,0 +1,34 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+countryName_default = US
+stateOrProvinceName = CA
+localityName = San Francisco
+organizationalUnitName = Platform Engineering
+commonName = Pivotal
+commonName_max = 64
+
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.system.{{ cf_ip }}.xip.io
+IP.1 = 40.118.242.176
+DNS.2 = *.login.system.{{ cf_ip }}.xip.io
+IP.2 = 40.118.242.176
+DNS.3 = *.uaa.system.{{ cf_ip }}.xip.io
+IP.3 = 40.118.242.176
+DNS.4 = *.app.{{ cf_ip }}.xip.io
+IP.4 = 40.118.242.176
+
+# openssl genrsa -out server.key 2048
+# openssl req -new -out sub1.csr -key server.key -config openssl.conf -subj "/C=US/ST=CA/L=San Francisco/O=Pivotal Labs/OU=Platform Engineering/CN={{ cf_ip }}.xip.io"
+# openssl req -text -noout -in sub1.csr
+# openssl x509 -req -days 3650 -in sub1.csr -signkey server.key -out sub1.crt -extensions v3_req -extfile openssl.conf
+# openssl x509 -in sub1.crt -text -noout