diff --git a/.gitignore b/.gitignore
index 9c81e929444abd89b425b9be30071da03181bedb..c2dde0e60f82dc64e8609cae89311c7ec9014b4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,5 +4,5 @@
 *.swo
 certs/*
 keys/*
-openssl.cnf
+openssl.cnf*
 CA.*
diff --git a/README.rst b/README.rst
index 7d63b9cb97d8d0e1fc0f8d033211e2d44169fd9d..6b4cd0cb75fe3840c8ce4dfa58a76d96f4de7218 100644
--- a/README.rst
+++ b/README.rst
@@ -21,6 +21,10 @@ configuration for starting work and a new CA key and certificate. ::
     $ mkdir domain.tld
     $ cd domain.tld
     $ ssl-ca init
+    Generating RSA private key, 512 bit long modulus
+    .++++++++++++
+    ......++++++++++++
+    e is 65537 (0x10001)
 
 To generate a new key and certificate for the www host, the key will at
 ``keys/www`` and the certificate at ``certs/www`` ::
@@ -49,6 +53,8 @@ Nimrod Adar.
 TODO
 ----
 
+- Verify that the fqdn is correct.
 - Fill out example output in the usage section.
 - Add checks and failure messages to each action.
-- Finish openssl configuration.
+- Delete serial file.
+- Testing (creating a ca, creating a key and cert and verifying).
diff --git a/ssl-ca b/ssl-ca
index 6b507c5cc01c185ae749594333ade1d6b9e70f0a..4389d82def50fba10bc9c99b0f1e48e3210d6d9d 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -1,5 +1,6 @@
 #!/bin/sh -e
 
+domain="$(basename $(pwd))"
 default_config=\
 "[ ca ]
 default_ca = CA_default
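Review bot: The new `domain="$(basename $(pwd))"` leaves the inner `$(pwd)` unquoted, so a working directory whose path contains whitespace is split into several arguments to `basename` and the script either aborts or derives the wrong name; `domain="$(basename "$(pwd)")"` avoids that. The value is later interpolated into the `-subj` arguments of `init` and `sign_key`, so it would be worth rejecting a directory name that is not a plausible hostname before any key or certificate is written. The README TODO added in this commit ("Verify that the fqdn is correct") points at the same gap.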
@@ -12,45 +13,65 @@ private_key = CA.key
 default_md = sha256
 default_days = 365
 email_in_dn = no
-policy = policy_any
 
-[ policy_any ]
-countryName = US
-stateOrProvinceName =
+[ req_distinguished_name]
+#C = 2 letter country code
+#ST = State
+#L = Locality
+#O = Organization name
+#OU = Organizational unit
+#emailAddress = email address
+#CN = *.*.$domain
 
 [ req ]
+distinguished_name = req_distinguished_name
 prompt = no
-encrypt_key =
+encrypt_key = no
 default_md = sha256
 default_bits = 2048"
 
-#keytype=\"$keytype\"
-#cipher=\"$cipher\"
-#state='Somewhere'
-#locality='Some other place.'
-#orgname='Acme'
-#orgunit='Widgets'
-
 usage () {
     echo "Usage: $0 init|gen|sign|resign"
 }
 
 init () {
-    mkdir "certs"
-    mkdir "keys"
-    openssl genra -out CA.key
-    openssl req -x509 -new -config openssl.cnf -key CA.key -out CA.crt
+    mkdir -p "certs"
+    mkdir -p "keys"
     echo "$default_config" > "openssl.cnf"
+    openssl genrsa \
+        -out CA.key
+    openssl req \
+        -x509 \
+        -config openssl.cnf \
+        -new \
+        -subj "CN=*.*.$domain" \
+        -key CA.key \
+        -out CA.crt
 }
 
 sign_key () {
-    csr="$(mktemp)"
-    openssl req -new -config openssl.cnf -out "$csr"
-    openssl x509 -req -in "$csr" -out "certs/$1.crt"
+    echo "Generating CSR for $1.$domain."
+    csr="$(mktemp -t ssl-ca)"
+    openssl req \
+        -key keys/$1 \
+        -new \
+        -config openssl.cnf \
+        -subj "/CN=*.*.$1.$domain" \
+        -out "$csr"
+    echo "Generating cert for $1.$domain."
+    openssl x509 \
+        -req \
+        -in "$csr" \
+        -out "certs/$1" \
+        -CA CA.crt \
+        -CAcreateserial \
+        -extensions v3_ca \
+        -CAkey CA.key
     rm "$csr"
 }
 
 gen_key () {
+    echo "Generating key for $1.$domain."
     openssl genrsa -out "keys/$1"
 }
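Review bot: Both `openssl genrsa` calls (for CA.key in `init` and for `keys/$1` in `gen_key`) pass no modulus size, and the sample output this commit adds to README.rst shows the result is a 512-bit RSA key, which is far too weak for a CA or host key. `default_bits = 2048` under `[ req ]` is read by `openssl req` when it generates a key itself, not by `genrsa`, so the size has to be given on the command line: `openssl genrsa -out CA.key 2048` and `openssl genrsa -out "keys/$1" 2048`. Setting `umask 077` before either call would also keep the private keys from depending on the caller's umask for their file permissions. Separately, `-subj "CN=*.*.$domain"` in `init` lacks the leading `/` that `sign_key` uses (`/CN=...`), and `-key keys/$1` should be quoted as `-key "keys/$1"`. The hunk header counts one more line than is visible here, so the hunk may continue past `gen_key`.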