diff --git a/README.md b/README.md
index c1e3daf..0a82f2d 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,10 @@ chmod 0700 psk
 openssl genrsa -out ca.key 4096
 CN=CA openssl req -config openssl.cnf -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
+# create key for the server and sign it with the CA
+CN=localhost openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout server.key --out server.csr
+openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
+
 # create example client CSR for testing (check openssl.cnf against "psk" file)
 CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
@@ -45,7 +49,7 @@ CN=rotuer openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client
 nix-build && result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613
 # send it
-curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr http://localhost:8201/sign
+curl -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign
 ```
 ## Background
diff --git a/main.fnl b/main.fnl
index 1bdc279..9302bd5 100644
--- a/main.fnl
+++ b/main.fnl
@@ -2,7 +2,8 @@
 (local server (require :http.server))
 (local headers (require :http.headers))
-(local ssl (require :openssl))
+(local htls (require :http.tls))
+(local ctx (require :openssl.ssl.context))
 (local csr (require :openssl.x509.csr))
 (local x509 (require :openssl.x509))
 (local pkey (require :openssl.pkey))
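Review bot: The new `(local ctx (require :openssl.ssl.context))` binding is not referenced by any line this commit adds — the `ssl-context` function further down builds its context with `htls.new_server_context` — so unless `ctx` is used somewhere else in main.fnl it is a dead require and only `(local htls (require :http.tls))` should stay. Conversely, the removed `(local ssl (require :openssl))` may still be referenced later in the file, which is outside this hunk and worth a grep before merging. If `ctx` is kept deliberately for a later change, a one-line comment saying so would stop the next reader from deleting it.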
@@ -53,10 +54,14 @@
 (fn parse-args [args]
 (match args
- ["--certificate" f & rest]
- (assoc (parse-args rest) :certificate (slurp f))
- ["--private-key" f & rest]
- (assoc (parse-args rest) :private-key (slurp f))
+ ["--ca-certificate" f & rest]
+ (assoc (parse-args rest) :ca-certificate (slurp f))
+ ["--ca-private-key" f & rest]
+ (assoc (parse-args rest) :ca-private-key (slurp f))
+ ["--server-certificate" f & rest]
+ (assoc (parse-args rest) :server-certificate (slurp f))
+ ["--server-private-key" f & rest]
+ (assoc (parse-args rest) :server-private-key (slurp f))
 ["--challenge-password" f & rest]
 (assoc (parse-args rest) :challenge-password (read-line f))
 [bind-address] { : bind-address }
@@ -66,13 +71,15 @@
 (doto (parse-args arg)
 (case
- {: certificate : private-key : challenge-password : bind-address}
+ {: ca-certificate : ca-private-key
+ : server-certificate : server-private-key
+ : challenge-password : bind-address}
 true
 _ (assert nil "missing required command line params"))))
-(local ca-key (pkey.new options.private-key))
-(local ca-crt (x509.new options.certificate))
+(local ca-key (pkey.new options.ca-private-key))
+(local ca-crt (x509.new options.ca-certificate))
 (fn new-crt [csr]
 (let [crt
@@ -110,6 +117,11 @@
 _ (send-error out 404 "not found"))))
+(fn ssl-context []
+ (doto (htls.new_server_context)
+ (: :setCertificate (x509.new options.server-certificate))
+ (: :setPrivateKey (pkey.new options.server-private-key))))
+
 (fn new-server []
 (let [(addr port) (string.match options.bind-address "(.+):(%d+)$")]
 (ncall (server.listen
@@ -117,6 +129,8 @@
 :host addr
 :port (tonumber port)
 :onstream on-stream
+ :tls true
+ :ctx (ssl-context)
 })))))
 (let [s (new-server)]
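Review bot: The renamed flags break the invocation the commit leaves in the README: the README hunk on this page still runs `result/bin/certifix --challenge-password psk --certificate ca.crt --private-key ca.key localhost:19613`, and with the new `match` arms `--certificate` matches nothing, so `parse-args` no longer yields the required keys and start-up fails (at the `missing required command line params` assert, or earlier inside `assoc`, which is outside the hunk). The README line should become `result/bin/certifix --challenge-password psk --ca-certificate ca.crt --ca-private-key ca.key --server-certificate server.crt --server-private-key server.key localhost:19613`. While touching the README, the new server CSR command passes `--out server.csr` where openssl expects `-out`, and the new `https://localhost:19613/sign` curl will need `--cacert ca.crt` to verify a certificate issued by the locally created CA. Since unknown flags now silently fall through the `match`, a trailing arm that reports the offending argument, e.g. `[unknown & _] (assert nil (.. "unknown argument: " unknown))`, would make this class of mistake visible at once.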
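Review bot: The new `ssl-context` parses the server certificate and key lazily inside `new-server`, whereas the CA pair is parsed at top level right after option validation, so an unreadable or malformed `--server-certificate`/`--server-private-key` is only reported when `server.listen` is reached rather than alongside the other start-up checks. Hoisting `(local server-crt (x509.new options.server-certificate))` and `(local server-key (pkey.new options.server-private-key))` next to `ca-key`/`ca-crt`, and having `ssl-context` call `(: :setCertificate server-crt)` / `(: :setPrivateKey server-key)`, keeps the fail-fast behaviour consistent and makes it explicit which key pair is the listener identity and which one signs. A header comment such as `;; TLS identity of the listening socket; the CA pair above is only used to sign CSRs` would document that split. If the server certificate file is ever a chain, only the first PEM block is loaded here, presumably, so intermediates would not be sent — worth confirming against the luaossl API and noting in the comment.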