diff --git a/.gitignore b/.gitignore
index 1882264037105810498bd0da3b9eee9b832211c6..9c81e929444abd89b425b9be30071da03181bedb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@
 *.swo
 certs/*
 keys/*
-config
+openssl.cnf
+CA.*
diff --git a/README.rst b/README.rst
index 17b7fc3ef2f8b1f0af327b1dc8e8758e2d8c0257..17b091223c84be154c6c7b96abec379ebfa075d0 100644
--- a/README.rst
+++ b/README.rst
@@ -24,7 +24,7 @@ To start a new CA ::
     $ ssl-ca init
 
 This will create a new directory with the directory structure and a
-configuration file **Remember to change the configuration in the config file.**
+configuration file **Remember to change the configuration in `openssl.cnf`.**
 
 To generate a new CA key and certificate (inside the new directory)::
 
diff --git a/ssl-ca b/ssl-ca
index 0b68b1eb5de68ddede36a4e7129b7f75d1520ce1..688014146330be7e3e0faf3f955942b5fd0fc96f 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -1,45 +1,96 @@
 #!/bin/sh -e
 
 default_config=\
-"# This file is sourced by the shell script program, so comments start with #
-# and usual shell evaluation and variables can be used.
-# No setting is mandatory and missing setting will be left blank or the
-# default value will be used.
-keysize=2048
-keytype='rsa'
-cipher='aes256'
-days=365
-countrycode='US'
-state='Somewhere'
-locality='Some other place.'
-orgname='Acme'
-orgunit='Widgets'
-email='hostmaster@example.com'"
+"[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+certs = certs
+certificate = CA.crt
+private_key = CA.key
+default_md = sha256
+default_days = 365
+email_in_dn = no
+policy = policy_any
+
+[ policy_any ]
+countryName = US
+stateOrProvinceName =
+
+[ req ]
+prompt = no
+encrypt_key =
+default_md = sha256
+default_bits = 2048"
+
+#keytype=\"$keytype\"
+#cipher=\"$cipher\"
+#state='Somewhere'
+#locality='Some other place.'
+#orgname='Acme'
+#orgunit='Widgets'
 
 usage () {
-    cat /dev/null
+    echo "Usage: $0 "
 }
 
 init () {
-    if [ -a "$1" ]
-    then
-        echo "$1 already exists."
-        exit 1
-    fi
-    mkdir "$1"
     mkdir "$1/certs"
     mkdir "$1/keys"
-    echo "$default_config" > config
+    echo "$default_config" > "$1/openssl.cnf"
 }
 
 sign_key () {
-    cat /dev/null
+    csr="$(mktemp)"
+    openssl req -new -config openssl.cnf -out $csr
+    openssl x509 -req -in $csr -out certs/$1.crt
+    rm $csr
 }
 
 gen_key () {
-    cat /dev/null
+    openssl genrsa -out keys/$1.key
 }
 
 ca_gen () {
-    cat /dev/null
+    openssl genra -out CA.key
+    openssl req -x509 -new -config openssl.cnf -key CA.key -out CA.crt
 }
+
+if [ $# -lt 1 ]
+then
+    usage
+    exit 1
+fi
+
+case "$1" in
+    init)
+        init
+        ;;
+    ca-gen)
+        ca-gen
+        ;;
+    gen)
+        gen_key
+        sign_key $key
+        ;;
+    sign)
+        for key in keys/*.key
+        do
+            if [ ! -f certs/$key.pem ]
+            then
+                sign_key $key
+            fi
+        done
+        ;;
+    resign)
+        for key in keys/*
+        do
+            sign_key $key
+        done
+        ;;
+    *)
+        usage
+        exit 1
+        ;;
+esac
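Review bot: `sign_key` does not tie the certificate to the stored key or to the CA: `openssl req -new` runs without `-key "keys/$1.key"` and `openssl x509 -req` has no `-CA CA.crt -CAkey CA.key`, so the request is not built from the key `gen_key` wrote and nothing is signed by the CA this tool creates. The callers in the `case` block also pass the wrong value: the `sign`/`resign` loops hand over the glob result (`keys/name.key`), so the output path becomes `certs/keys/name.key.crt`, the `sign` arm tests for `.pem` while `sign_key` writes `.crt`, and the `gen` arm uses `$key`, which is never set in this hunk. Separately, `ca_gen` spells the subcommand `genra`, the dispatcher calls `ca-gen` rather than `ca_gen`, and `init` is invoked without its directory argument now that the existence check and `mkdir "$1"` are gone, so it would target `/certs`, `/keys` and `/openssl.cnf`. `CA.key` is generated without a passphrase cipher; consider `-aes256`, or at least `umask 077` near the top, so the CA key's protection does not depend on OpenSSL's defaults. A sketch of the signing path follows.

```shell
sign_key () {
    # $1 is the bare name: keys/$1.key in, certs/$1.crt out
    csr="$(mktemp)"
    openssl req -new -config openssl.cnf -key "keys/$1.key" -out "$csr"
    openssl x509 -req -in "$csr" -CA CA.crt -CAkey CA.key -CAcreateserial \
        -sha256 -out "certs/$1.crt"
    rm -f -- "$csr"
}

# … unchanged: gen_key, ca_gen, argument-count check, init/ca-gen/gen arms …

    sign)
        for key in keys/*.key
        do
            name="$(basename "$key" .key)"
            if [ ! -f "certs/$name.crt" ]
            then
                sign_key "$name"
            fi
        done
        ;;
# … unchanged: resign arm, default arm …
```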