diff --git a/README.md b/README.md
index 443b85f..3bd31d8 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,58 @@
-签发证书用于各组件间加密通信
+# 自签发证书用于TSG各组件间加密通信
+
+**注意**
+
+* 证书有效 20 年
+* 为了前向保密使用椭圆曲线prime256v1,而未使用RSA
+
+**证书信息**
+
+```
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 15951331750435990784 (0xdd5e83b69725ad00)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: C=US, ST=California, L=San Francisco, O=Gdnt-cloud, CN=*.gdnt-cloud.com
+ Validity
+ Not Before: Aug 31 05:59:42 2021 GMT
+ Not After : Aug 29 05:59:42 2031 GMT
+ Subject: C=US, ST=California, L=San Francisco, O=Gdnt-cloud, CN=*.gdnt-cloud.com
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:49:70:50:9d:7b:57:ad:f3:61:99:8d:99:ab:ec:
+ cf:27:b3:1e:dd:42:48:b7:48:9e:af:11:f5:71:ad:
+ 13:ba:01:a0:24:81:ee:9e:ab:59:a0:d0:cc:98:44:
+ 27:36:8f:c4:3e:5b:87:e8:cb:6b:65:57:0c:b0:44:
+ 90:a2:2a:7b:f3
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Alternative Name:
+ DNS:*.gdnt-cloud.com, DNS:gdnt-cloud.com
+ Signature Algorithm: ecdsa-with-SHA256
+ 30:45:02:20:18:b9:48:84:e3:34:6e:cf:ff:9a:95:b3:a1:32:
+ 27:61:3d:eb:4d:8a:88:d5:12:d4:46:d8:dc:22:77:df:3d:18:
+ 02:21:00:c9:24:3e:30:eb:53:11:2c:51:cd:18:24:c6:e4:07:
+ 16:4b:72:08:6c:91:5a:6a:ab:90:e1:03:11:2d:63:f9:04
+-----BEGIN CERTIFICATE-----
+MIICBTCCAaugAwIBAgIJAN1eg7aXJa0AMAoGCCqGSM49BAMCMGoxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
+MRMwEQYDVQQKDApHZG50LWNsb3VkMRkwFwYDVQQDDBAqLmdkbnQtY2xvdWQuY29t
+MB4XDTIxMDgzMTA1NTk0MloXDTMxMDgyOTA1NTk0MlowajELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR
+BgNVBAoMCkdkbnQtY2xvdWQxGTAXBgNVBAMMECouZ2RudC1jbG91ZC5jb20wWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAARJcFCde1et82GZjZmr7M8nsx7dQki3SJ6v
+EfVxrRO6AaAkge6eq1mg0MyYRCc2j8Q+W4foy2tlVwywRJCiKnvzozowODAJBgNV
+HRMEAjAAMCsGA1UdEQQkMCKCECouZ2RudC1jbG91ZC5jb22CDmdkbnQtY2xvdWQu
+Y29tMAoGCCqGSM49BAMCA0gAMEUCIBi5SITjNG7P/5qVs6EyJ2E9602KiNUS1EbY
+3CJ33z0YAiEAySQ+MOtTESxRzRgkxuQHFktyCGyRWmqrkOEDES1j+QQ=
+-----END CERTIFICATE-----
+
+Not Before: Aug 31 05:59:42 2021 GMT
+Not After : Aug 29 05:59:42 2031 GMT
+```
diff --git a/conf/wildcard.conf b/conf/wildcard.conf
new file mode 100644
index 0000000..df63ef0
--- /dev/null
+++ b/conf/wildcard.conf
@@ -0,0 +1,21 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = Gdnt-cloud
+commonName = *.__DOMAIN__
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = *.__DOMAIN__
+DNS.2 = __DOMAIN__
diff --git a/crt/self-sign.crt b/crt/self-sign.crt
new file mode 100644
index 0000000..8cb6bd7
--- /dev/null
+++ b/crt/self-sign.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBTCCAaugAwIBAgIJAN1eg7aXJa0AMAoGCCqGSM49BAMCMGoxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
+MRMwEQYDVQQKDApHZG50LWNsb3VkMRkwFwYDVQQDDBAqLmdkbnQtY2xvdWQuY29t
+MB4XDTIxMDgzMTA1NTk0MloXDTMxMDgyOTA1NTk0MlowajELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR
+BgNVBAoMCkdkbnQtY2xvdWQxGTAXBgNVBAMMECouZ2RudC1jbG91ZC5jb20wWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAARJcFCde1et82GZjZmr7M8nsx7dQki3SJ6v
+EfVxrRO6AaAkge6eq1mg0MyYRCc2j8Q+W4foy2tlVwywRJCiKnvzozowODAJBgNV
+HRMEAjAAMCsGA1UdEQQkMCKCECouZ2RudC1jbG91ZC5jb22CDmdkbnQtY2xvdWQu
+Y29tMAoGCCqGSM49BAMCA0gAMEUCIBi5SITjNG7P/5qVs6EyJ2E9602KiNUS1EbY
+3CJ33z0YAiEAySQ+MOtTESxRzRgkxuQHFktyCGyRWmqrkOEDES1j+QQ=
+-----END CERTIFICATE-----
diff --git a/key/self-sign.key b/key/self-sign.key
new file mode 100644
index 0000000..3fec678
--- /dev/null
+++ b/key/self-sign.key
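Review bot: The `[ req_v3_usr ]` section in conf/wildcard.conf declares only `basicConstraints` and `subjectAltName`, so the certificate produced from it states no `keyUsage` and no `extendedKeyUsage`, and nothing scopes the key to the TLS use the README describes. Most TLS stacks accept a certificate without an EKU, but verifiers configured to require an explicit purpose would reject it, and the same key material could be presented for unrelated purposes. Adding `keyUsage = critical, digitalSignature` and `extendedKeyUsage = serverAuth, clientAuth` to that section limits the certificate to inter-component TLS; `tool self-sign` already passes `-extensions req_v3_usr`, so the new lines take effect without other changes.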
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIC6qFeIiJvkGqYIxpfl14NZ8bOu6Fk0jfLumg39lTTLMoAoGCCqGSM49
+AwEHoUQDQgAESXBQnXtXrfNhmY2Zq+zPJ7Me3UJIt0ierxH1ca0TugGgJIHunqtZ
+oNDMmEQnNo/EPluH6MtrZVcMsESQoip78w==
+-----END EC PRIVATE KEY-----
diff --git a/sign.sh b/sign.sh
new file mode 100644
index 0000000..04f80b6
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+openssl ecparam -name secp256r1 -genkey -out key/self-sign.key # 使用椭圆曲线生成私钥
+#./tool gen-key key/self-sign.key gdnt-cloud.com 2048 # 使用 RSA 生成私钥
+./tool gen-csr csr/self-sign.csr gdnt-cloud.com conf/wildcard.conf key/self-sign.key
+./tool self-sign crt/self-sign.crt gdnt-cloud.com 3650 sha256 req_v3_usr conf/wildcard.conf csr/self-sign.csr key/self-sign.key
+./tool chain chain.pem gdnt-cloud.com crt/self-sign.crt
diff --git a/tool b/tool
new file mode 100755
index 0000000..e10ba4d
--- /dev/null
+++ b/tool
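Review bot: key/self-sign.key is the private key that matches crt/self-sign.crt, and committing it means every reader of the repository holds the key for `*.gdnt-cloud.com` for as long as that certificate is trusted (its dump in the README shows expiry in 2031). The checked-in key should be treated as disclosed: regenerate the key and certificate, keep `key/` and `csr/` (both written by sign.sh) out of version control via `.gitignore`, and purge the file from history if the repository is shared. sign.sh overwrites key/self-sign.key on every run, so the tracked copy also stops matching the tracked certificate the first time the script is rerun, which is a second reason not to track either artifact.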
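Review bot: sign.sh chains four dependent steps without `set -e`, so if `openssl ecparam` on line 3 fails the three `./tool` calls still run against a missing or stale key/self-sign.key; put `set -euo pipefail` directly after the shebang. The relative paths `key/`, `csr/`, `crt/` and `./tool` also assume the script is invoked from the repository root; `cd "$(dirname "$0")"` before the first command makes that assumption explicit. The `3650` passed to `self-sign` on line 6 (ten years, matching the 2021–2031 validity in the README's certificate dump) contradicts the README's statement that the certificate is valid for 20 years, so one of the two should be corrected.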
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -eu
+
+COMMAND=$1
+shift
+OUT=$1
+shift
+DOMAIN=$1
+shift
+
+mkdir -p $(dirname $OUT)
+PREGEN_OUT=$(echo "$OUT" | sed "s#/gen/#/pregen/#")
+if [ -e $PREGEN_OUT ]
+then
+ cp $PREGEN_OUT $OUT
+ exit 0
+fi
+
+case "$COMMAND" in
+chain)
+ cat $@ > $OUT
+ ;;
+dhparam)
+ openssl dhparam \
+ -out $OUT \
+ $1
+ ;;
+gen-csr)
+ openssl req -new \
+ -out $OUT \
+ -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
+ -key $2
+ ;;
+gen-csr-no-subject)
+ openssl req -new \
+ -subj / \
+ -out $OUT \
+ -config <(cat $1 | sed "s/__DOMAIN__/$DOMAIN/g") \
+ -key $2
+ ;;
+gen-ca)
+ openssl req -new -x509 -days 7300 \
+ -out $OUT \
+ -config $1 \
+ -key $2
+ ;;
+gen-key)
+ openssl genrsa \
+ -out $OUT \
+ $1
+ ;;
+gen-ecckey)
+ openssl ecparam \
+ -out $OUT \
+ -name $1 \
+ -genkey
+ ;;
+gen-pkcs12-p12)
+ openssl pkcs12 \
+ -out $OUT \
+ -export \
+ -clcerts \
+ -passout "pass:$DOMAIN" \
+ -in $1 \
+ -inkey $2
+ ;;
+pkcs12-convert-p12-pem)
+ openssl pkcs12 \
+ -out $OUT \
+ -clcerts \
+ -passin "pass:$DOMAIN" \
+ -passout "pass:$DOMAIN" \
+ -in $1
+ ;;
+self-sign)
+ openssl x509 -req -CAcreateserial \
+ -out $OUT \
+ -days $1 \
+ -$2 \
+ -extensions $3 \
+ -extfile <(cat $4 | sed "s/__DOMAIN__/$DOMAIN/g") \
+ -in $5 \
+ -signkey $6
+ ;;
+sign)
+ openssl x509 \
+ -req \
+ -CAcreateserial \
+ -days $1 \
+ -$2 \
+ -out $OUT \
+ -extensions $3 \
+ -extfile <(cat $4 | sed "s/__DOMAIN__/$DOMAIN/g") \
+ -in $5 \
+ -CAkey $6 \
+ -CA $7
+ ;;
+*)
+ echo "Unknown command."
+ exit 1
+esac
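Review bot: In the `self-sign` and `sign` branches the digest argument is spliced into the command line as `-$2`, so whatever the caller passes becomes an arbitrary `openssl x509` option rather than a digest name; validate it first with `case "$2" in sha256|sha384|sha512) ;; *) echo "unsupported digest: $2" >&2; exit 1 ;; esac` and keep the positional order documented in a usage comment, since the script currently has no usage text at all. The `gen-pkcs12-p12` and `pkcs12-convert-p12-pem` branches use the domain name as the PKCS#12 password (`-passout "pass:$DOMAIN"`), which is a public value, so the exported container is effectively unprotected; take the password from the environment or a file instead, e.g. `-passout env:P12_PASS`. Every expansion in the script is unquoted (`cat $@ > $OUT`, `mkdir -p $(dirname $OUT)`, `-config <(cat $1 | …)`), so any path containing whitespace breaks, and `set -eu` without `pipefail` means a missing template in the `<(cat $4 | sed …)` process substitutions goes unreported while openssl is handed an empty extension file; quote as `cat -- "$@" > "$OUT"` and `mkdir -p "$(dirname "$OUT")"`, and check `[ -r "$4" ]` before the substitution. The unknown-command message on the last branch goes to stdout rather than stderr (`echo "Unknown command." >&2`).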