--- /dev/null
+#!/bin/bash
+
+set -eux
+
+openssl genrsa -out root-ca.key 4096
+openssl req -x509 -new -nodes \
+ -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=test" \
+ -key root-ca.key -sha256 -days 10000 -out root-ca.pem
+
+openssl genrsa -out cert0.key 4096
+openssl req -new -sha256 -key cert0.key \
+ -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=localhost" \
+ -out cert0.csr
+# Convert to PKCS#1 for Java
+openssl pkcs8 -in cert0.key -topk8 -nocrypt > cert0.pkcs1
+openssl x509 -req -in cert0.csr -CA root-ca.pem -CAkey root-ca.key -CAcreateserial \
+ -out cert0.pem -days 10000 -sha256
+
+openssl genrsa -out cert1.key 4096
+openssl req -new -sha256 -key cert1.key \
+ -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=localhost" \
+ -out cert1.csr
+openssl pkcs8 -in cert1.key -topk8 -nocrypt > cert1.pkcs1
+openssl x509 -req -in cert1.csr -CA root-ca.pem -CAkey root-ca.key -CAcreateserial \
+ -out cert1.pem -days 10000 -sha256