diff --git a/utils/gen-ec-cert.sh b/utils/gen-ec-cert.sh
new file mode 100644
index 0000000..0b86062
--- /dev/null
+++ b/utils/gen-ec-cert.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+usage()
+{
+	printf "Usage: %s [-c curve] [-d days] domain\n" "${0##*/}" >&2
+	exit 1
+}
+
+tonumber()
+{
+	printf "%u\n" "$*"
+}
+
+curve=secp384r1
+days=3650
+while getopts c:d: flag; do
+	case $flag in
+	c)	[ -n "$OPTARG" ] || usage
+		curve=$OPTARG
+		;;
+	d)	days=$(tonumber "$OPTARG") || usage
+		;;
+	*)	usage
+		;;
+	esac
+done
+shift $((OPTIND - 1))
+[ $# -eq 1 ] && [ -n "$1" ] || usage
+domain=$1
+
+(umask 077 && openssl genpkey -aes256 \
+    -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key") &&
+    openssl req -new -nodes -x509 -days "$days" -subj "/CN=$domain" \
+    -key "$domain.key" -out "$domain.pem"