# CA certificate

    mkdir -p files/swanctl/CA
    pki --gen > files/swanctl/CA/ca-key.der
    pki --self \
        --in files/swanctl/CA/ca-key.der \
        --dn "C=NO, O=Trygvis IO AS, CN=Trygvis IO CA" \
        --ca > files/swanctl/CA/ca-cert.der

# Peer certificate

    mkdir -p files/swanctl/$host/{rsa,x509}
    pki --gen > files/swanctl/$host/rsa/$host-key.der
    pki --pub --in files/swanctl/$host/rsa/$host-key.der | \
      pki --issue \
        --cakey files/swanctl/CA/ca-key.der \
        --cacert files/swanctl/CA/ca-cert.der \
        --dn "C=NO, O=Trygvis IO AS, CN=$host.trygvis.io" > files/swanctl/$host/x509/$host-cert.der