diff --git a/install.sh b/install.sh
index 77108f7..243c77b 100755
--- a/install.sh
+++ b/install.sh
@@ -955,6 +955,7 @@ _path_configuration = $CONFIG_DIR
 ; (absolute or relative to _path_configuration)
 _path_PEM_key = key.pem
 _path_PEM_certificate = cert.pem
+; You can run 'make' in the 'utility/gencert' folder to create a pair
 
 ; Path to the TLS trust directory where certs are kept.
 ; If unset this will default to your system installation's defaults.
diff --git a/utility/gencert/Makefile b/utility/gencert/Makefile
new file mode 100644
index 0000000..57bd015
--- /dev/null
+++ b/utility/gencert/Makefile
@@ -0,0 +1,32 @@
+# taken from prosody.im, originally written by zash. MIT license
+#
+.DEFAULT: localhost.cert
+keysize=2048
+
+# How to:
+# First, `make yourhost.cnf` which creates a openssl config file.
+# Then edit this file and fill in the details you want it to have,
+# and add or change hosts and components it should cover.
+# Then `make yourhost.key` to create your private key, you can
+# include keysize=number to change the size of the key.
+# Then you can either `make yourhost.csr` to generate a certificate
+# signing request that you can submit to a CA, or `make yourhost.cert`
+# to generate a self signed certificate.
+
+.PRECIOUS: %.cnf %.key
+
+# To request a cert
+%.csr: %.cnf %.key
+	openssl req -new -key $(lastword $^) -out $@ -utf8 -config $(firstword $^)
+
+# Self signed
+%.cert: %.cnf %.key
+	openssl req -new -x509 -nodes -key $(lastword $^) -days 365 \
+		-sha1 -out $@ -utf8 -config $(firstword $^)
+
+%.cnf:
+	sed 's,example\.com,$*,g' openssl.cnf > $@
+
+%.key:
+	openssl genrsa $(keysize) > $@
+	@chmod 400 -c $@
diff --git a/utility/gencert/openssl.cnf b/utility/gencert/openssl.cnf
new file mode 100644
index 0000000..49e5305
--- /dev/null
+++ b/utility/gencert/openssl.cnf
@@ -0,0 +1,53 @@
+# based on the prosody certs/openssl.cnf by zash - MIT license
+#
+# note: if you have an internationalized domain name, be very careful
+# about encoding it properly. 
+oid_section = new_oids
+
+[ new_oids ]
+
+# RFC 3920 section 5.1.1 defines this OID
+xmppAddr = 1.3.6.1.5.5.7.8.5
+
+# RFC 4985 defines this OID
+SRVName  = 1.3.6.1.5.5.7.8.7
+
+[ req ]
+
+default_bits       = 4096
+default_keyfile    = example.com.key
+distinguished_name = distinguished_name
+req_extensions     = v3_extensions
+x509_extensions    = v3_extensions
+string_mask        = utf8only
+
+# ask about the DN?
+prompt = no
+
+[ distinguished_name ]
+
+commonName             = example.com
+countryName            = GB
+localityName           = The Internet
+organizationName       = Your Organisation
+organizationalUnitName = IT Department
+emailAddress           = psycmaster@example.com
+
+[ v3_extensions ]
+
+# for certificate requests (req_extensions)
+# and self-signed certificates (x509_extensions)
+# note: setting keyUsage does not work for self-signed certs
+basicConstraints = CA:FALSE
+keyUsage         = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName   = @subject_alternative_name
+
+[ subject_alternative_name ]
+
+# See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info
+
+DNS.0       =                                           example.com
+otherName.0 =            SRVName;IA5STRING:_xmpp-client.example.com
+otherName.1 =            SRVName;IA5STRING:_xmpp-server.example.com
+otherName.2 =            SRVName;IA5STRING:_psyc.example.com