diff --git a/create.sh b/create.sh
index de7cc6d..6c1dbd6 100755
--- a/create.sh
+++ b/create.sh
@@ -12,6 +12,7 @@ echo_cyan "Installing binaries and libs..."
 install_binary $(which switch_root)
 install_binary $(which bash)
 install_binary $(which mount)
+install_binary $(which openssl) && cp -r /etc/ssl "${ROOT}/etc/"
 install_kmod
 install_busybox
diff --git a/init.sh b/init.sh
index 8578f1e..2649351 100755
--- a/init.sh
+++ b/init.sh
@@ -2,6 +2,7 @@ source /init_functions.sh
 create_mounts
 load_modules
+create_certs
 setup_network
 mount_root
 exec switch_root /mnt /sbin/init "$@"
diff --git a/init_functions.sh b/init_functions.sh
index 35eb1d3..fafbf6b 100644
--- a/init_functions.sh
+++ b/init_functions.sh
@@ -33,6 +33,19 @@ create_mounts() {
 ln -sfT /proc/self/fd/2 /dev/stderr
 }
+create_certs() {
+ cert_dir="/tmp/certs"
+ key="$cert_dir/guest_api.key"
+ cert="$cert_dir/guest_api.crt"
+ subject="/C=W3/O=DeTEE/OU=COCO/CN=guest-api"
+ mkdir -p "$cert_dir"
+ openssl genpkey -algorithm RSA -out "$key" \
+ -pkeyopt rsa_keygen_bits:4096 2>/dev/null
+ openssl req -x509 -new \
+ -key "$key" -out "$cert" \
+ -days 365 -subj "$subject" 2>/dev/null
+}
+
 # expects kernel param in this format: detee_net=192.168.122.140_24_192.168.122.1_1.1.1.1
 setup_network() {
 local settings='' ip_addr='' mask='' cidr='' gateway='' nameserver=''
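Review bot: In create.sh, `cp -r /etc/ssl "${ROOT}/etc/"` copies the build host's whole `/etc/ssl` tree into the image, which on many distributions includes `/etc/ssl/private` and therefore any host private keys stored there. The `openssl req` call in `create_certs` presumably needs only the config file, so `mkdir -p "${ROOT}/etc/ssl" && cp /etc/ssl/openssl.cnf "${ROOT}/etc/ssl/"` is the narrower choice. The `$(which openssl)` substitution is unquoted like its neighbours, so a missing openssl on the build host calls `install_binary` with no argument. Because the copy hangs off `&&`, a failed `install_binary` skips it without necessarily stopping the build.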
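Review bot: In init.sh the new `create_certs` call ignores the function's exit status. Inside the function (init_functions.sh hunk) both openssl invocations send stderr to `/dev/null` and the `genpkey` result is never checked. A missing binary or config therefore lets boot continue to `switch_root` with no key, no certificate and no message. Dropping the two `2>/dev/null` redirections and ending each openssl command with `|| return 1` makes the failure visible, and the call site can then read `create_certs || echo "create_certs: key/cert generation failed" >&2`. Whether boot should halt in that case is a policy choice the diff does not show.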
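Review bot: In init_functions.sh, `create_certs` writes the guest API private key under `/tmp/certs` without setting permissions, so its protection depends on the inherited umask and on the mode openssl picks for `-out`. Using `mkdir -p -m 700 "$cert_dir"` makes that explicit. The four variables are assigned without `local`, unlike `setup_network` just below, so `key`, `cert` and `subject` become globals of the sourcing init script; `local cert_dir="/tmp/certs" key cert subject` keeps them scoped. The certificate carries only a CN, so a peer that checks names against subjectAltName would presumably reject it; it is worth confirming how clients of the guest API validate it.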