diff --git a/tools/ecdsa-verify.c b/tools/ecdsa-verify.c
deleted file mode 100644
index 2fe0e20..0000000
--- a/tools/ecdsa-verify.c
+++ /dev/null
@@ -1,126 +0,0 @@
-
-#include <openssl/obj_mac.h>
-#include <openssl/ecdsa.h>
-#include <openssl/sha.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <assert.h>
-#include <unistd.h>
-
-
-int verify(char * digest, char * pubxy, char * rs )
-{
-    EC_KEY * key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-
-    ECDSA_SIG sig;
-    BIGNUM * bnx = NULL, * bny = NULL;
-
-    char r[65], s[65], x[65], y[65];
-
-    memmove(x, pubxy, 64);
-    memmove(y, pubxy+64, 64);
-    memmove(r, rs, 64);
-    memmove(s, rs+64, 64);
-    memset(&sig, 0, sizeof(ECDSA_SIG));
-
-    r[64] = s[64] = x[64] = y[64] = 0;
-    
-    if (!BN_hex2bn(&bnx, x))
-    {   return -1;  }
-    if (!BN_hex2bn(&bny, y))
-    {   return -1;  }
-
-    if (!BN_hex2bn(&sig.r, r))
-    {   return -1;  }
-    if (!BN_hex2bn(&sig.s, s))
-    {   return -1;  }
-
-    if (!EC_KEY_set_public_key_affine_coordinates(key,bnx,bny))
-    {   return -1;  }
-
-    int ret = ECDSA_do_verify(digest, SHA256_DIGEST_LENGTH, &sig, key);
-
-    EC_KEY_free(key);
-    BN_free(bnx);
-    BN_free(bny);
-    BN_free(sig.r);
-    BN_free(sig.s);
-
-    return ret;
-}
-
-
-int main(int argc, char * argv[])
-{
-    
-    char buf[256], c;
-    char digest[SHA256_DIGEST_LENGTH];
-    int take_digest = 1;
-
-    SHA256_CTX sha256;
-    int n, ret;
-
-    char * pubkey, * sig;
-
-    if (argc != 3 && argc != 4)
-    {
-        fprintf(stderr, "usage: %s <public-key-hex> <signature-hex> [-d]\n"
-                        "   -d: don't take sha256sum of stdin input\n",argv[0]);
-        return 1;
-    }
-
-    ERR_load_crypto_strings();
-
-    pubkey = argv[1];
-    sig = argv[2];
-
-    while ( (c = getopt(argc, argv, "d") ) != -1) 
-    {
-        switch (c) 
-        {
-            case 'd':
-                take_digest = 0;
-                break;
-        }
-    }
-
-    if (take_digest)
-    {
-        SHA256_Init(&sha256);
-
-        while ((n = read(STDIN_FILENO, buf, sizeof(buf)))>0)
-        {
-            SHA256_Update(&sha256, buf, n);
-        }
-
-        SHA256_Final(digest, &sha256);
-    }
-    else
-    {
-        read(STDIN_FILENO, digest, sizeof(digest));
-    }
-
-    ret = verify(digest, 
-            pubkey,
-            sig);
-
-    switch(ret)
-    {
-        case -1:
-            fprintf(stderr,"signature error: %s\n", ERR_error_string(ERR_get_error(),NULL) );
-            break;
-        case 0:
-            printf("signature incorrect\n");
-            break;
-        case 1:
-            printf("signature correct\n");
-            break;
-    }
-
-    ERR_free_strings();
-    return 0;
-}
diff --git a/tools/Makefile b/tools/gencert/Makefile
similarity index 68%
rename from tools/Makefile
rename to tools/gencert/Makefile
index 072f16a..6299622 100644
--- a/tools/Makefile
+++ b/tools/gencert/Makefile
@@ -3,8 +3,10 @@ obj = $(src:.c=.o)
 
 LDFLAGS = -lcrypto
 
-verify: $(obj)
+name=gencert
+
+$(name): $(obj)
 	$(CC) -O3 -Wall -Werror -o $@ $^ $(LDFLAGS)
 
 clean:
-	rm -f $(obj) verify
+	rm -f $(obj) $(name)
diff --git a/tools/gencert/gencert.c b/tools/gencert/gencert.c
new file mode 100644
index 0000000..7f19188
--- /dev/null
+++ b/tools/gencert/gencert.c
@@ -0,0 +1,150 @@
+
+#include <openssl/obj_mac.h>
+#include <openssl/ecdsa.h>
+#include <openssl/x509.h>
+#include <openssl/sha.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <assert.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+int generate_cert(EVP_PKEY * signer, EVP_PKEY ** outpriv, X509 ** outcert)
+{
+    int ret;
+    EC_KEY * key;
+    EVP_PKEY * pkey;
+    X509 * x509;
+    X509_NAME * name;
+
+    key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+    pkey = EVP_PKEY_new();
+    x509 = X509_new();
+
+    if (key == NULL || pkey == NULL || x509 == NULL)
+    {   return 0;  }
+
+    if (!EC_KEY_generate_key(key))
+    {   return 0;   }
+
+    if (!EVP_PKEY_assign_EC_KEY(pkey, key))
+    {   return 0;  }
+    
+    if (!ASN1_INTEGER_set(X509_get_serialNumber(x509), 1))
+    {   return 0;  }
+
+    if (!X509_gmtime_adj(X509_get_notBefore(x509), 0))
+    {   return 0;  }
+    if (!X509_gmtime_adj(X509_get_notAfter(x509), 189216000L)) // 6 yrs
+    {   return 0;  }
+    if (!X509_set_pubkey(x509, pkey))
+    {   return 0;  }
+    
+    name = X509_get_subject_name(x509);
+    X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC,
+            (unsigned char *)"VA", -1, -1, 0);
+    X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC,
+            (unsigned char *)"ConorCo LLC", -1, -1, 0);
+    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+            (unsigned char *)"u2fzero.com", -1, -1, 0);
+
+    if (!X509_set_issuer_name(x509, name))
+    {   return 0;  }
+
+    if (!X509_sign(x509, pkey, EVP_sha256()))
+    {   return 0;  }
+
+    *outpriv = pkey;
+    *outcert = x509;
+    return 1;
+}
+
+static void openssl_die()
+{
+
+    fprintf(stderr,"signature error: %s\n",
+            ERR_error_string(ERR_get_error(),NULL) );
+    exit(2);
+}
+
+
+int main(int argc, char * argv[])
+{
+
+    if (argc != 4)
+    {
+        fprintf(stderr, "usage: %s <in-privkey> <outcert> <outprivkey>\n", argv[0]);
+
+        return 1;
+    }
+
+    X509 * gencert = NULL;
+    EVP_PKEY * privkey = NULL, * genprivkey = NULL;
+    FILE* f = fopen(argv[1], "r");
+
+    if (f == NULL)
+    {
+        perror("fopen");
+        return 2;
+    }
+
+    ERR_load_crypto_strings();
+
+    PEM_read_PrivateKey(f, &privkey, NULL, NULL);
+
+    if (!generate_cert(privkey, &genprivkey, &gencert))
+    {   openssl_die();  }
+
+    FILE * fcert;
+    fcert = fopen(argv[2], "wb");
+    if (fcert == NULL)
+    {
+        perror("fopen");
+        return 2;
+    }
+
+    if (!PEM_write_X509(
+            fcert,
+            gencert
+    ))
+    { openssl_die(); }
+
+
+    FILE * fpriv;
+    fpriv = fopen(argv[3], "wb");
+    if (fpriv == NULL)
+    {
+        perror("fopen");
+        return 2;
+    }
+
+    if (!PEM_write_PrivateKey(
+            fpriv,
+            genprivkey,
+            NULL,
+            NULL,
+            0,
+            NULL,
+            NULL
+    ))
+    { openssl_die(); }
+
+    fclose(fcert);
+    fclose(fpriv);
+    X509_free(gencert);
+    EVP_PKEY_free(genprivkey);
+    EVP_PKEY_free(privkey);
+    ERR_free_strings();
+    fclose(f);
+
+    return 0;
+}
+
+