diff --git a/pki/ca-config.json b/pki/ca-config.json new file mode 100644 index 0000000..75710f5 --- /dev/null +++ b/pki/ca-config.json @@ -0,0 +1,34 @@ +{ + "signing": { + "default": { + "expiry": "43800h" + }, + "profiles": { + "server": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + }, + "client": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + }, + "peer": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ] + } + } + } +} diff --git a/pki/ca.json b/pki/ca.json index e7ebfa1..93f9ed5 100644 --- a/pki/ca.json +++ b/pki/ca.json @@ -1,9 +1,5 @@ { - "hosts": [ - "itpartner.no", - "itpartner.intern", - "cluster.local" - ], + "CN": "k8s0", "key": { "algo": "rsa", "size": 2048 diff --git a/pki/client.json b/pki/client.json index c4fb879..9d316ee 100644 --- a/pki/client.json +++ b/pki/client.json @@ -1,9 +1,6 @@ { - "CN": "@host@", - "hosts": [ - "@host@", - "@ip@" - ], + "CN": "client", + "hosts": [ "" ], "key": { "algo": "rsa", "size": 2048 diff --git a/pki/etcd.json b/pki/etcd.json index 2d3cf02..9167185 100644 --- a/pki/etcd.json +++ b/pki/etcd.json @@ -1,7 +1,8 @@ { + "CN": "@host@", "hosts": [ - "etcd0", - "etcd1" + "@host@", + "@ip" ], "key": { "algo": "rsa", diff --git a/pki/mkcerts.sh b/pki/mkcerts.sh index 23a8fb5..27fd401 100755 --- a/pki/mkcerts.sh +++ b/pki/mkcerts.sh 
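Review bot: Every profile in the new ca-config.json, including `default`, issues leaf certificates with `"expiry": "43800h"` (five years), so a leaked server, client or peer key stays valid for five years unless a revocation path exists, and none is visible in this change. Shorten the leaf lifetime, e.g. `"expiry": "8760h"` in `default` and in each profile, and re-run mkcerts.sh for rotation. The profile split itself (server auth only, client auth only, peer with both) is the right shape and should stay. Since strict JSON cannot carry a comment, record the lifetime and rotation policy in mkcerts.sh or a README beside it.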
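Review bot: The CA CSR now carries only `CN` and `key`, so the root's lifetime and path-length constraint fall back to cfssl's built-in defaults instead of being stated in the file (the object continues past the hunk, so check whether a `ca` block exists further down). Make the root's constraints explicit with `"ca": { "expiry": "87600h", "pathlenzero": true }` so a reader can see how long the root lives and that it cannot sign subordinate CAs. Dropping `hosts` from a CA request is correct, but `"CN": "k8s0"` is also the prefix used for node names such as `k8s0-0` in server.json; a distinct issuer name like `"k8s0 cluster CA"` avoids confusing the issuer with a node when certificates are inspected.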
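Review bot: `"hosts": [ "" ]` asks cfssl for a SAN whose value is the empty string; cfssl treats any host entry that is not an IP or e-mail address as a DNS name, so this most likely yields an empty dNSName that some validators reject, and a client certificate needs no SAN at all — use `"hosts": []`. Collapsing the old per-host `@host@`/`@ip@` template into a single certificate with `"CN": "client"` also means every consumer presents the same identity, so nothing can be authorised or revoked per node; if this certificate is presented to kube-apiserver or etcd, the CN (and any `O` under `names`) is what authorisation keys on, so a shared `client` identity should be a deliberate, documented decision. The object continues past the hunk.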
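Review bot: `"@ip"` is missing its closing `@`, so the `s/@ip@/$ip/g` substitution in mkcerts.sh never matches and each peer certificate is issued with the literal DNS SAN `@ip` instead of the node's address. Any etcd peer or client that connects by IP (the script passes `10.253.18.$2`) will then fail TLS verification, and the usual workaround of disabling verification is worse than the bug. Change the entry to `"@ip@"`. The object continues past the hunk.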
@@ -1,57 +1,55 @@ #!/usr/bin/env bash -hosts="k8s0-0,100 k8s0-1,101 k8s0-2,102" +etcd="etcd0,100 etcd1,101" -mkcacert () { +cacert () { cfssl genkey -initca ca.json | cfssljson -bare ca } -mkapicert () { - cfssl gencert -ca ca.pem -ca-key ca-key.pem apiserver.json \ - | cfssljson -bare apiserver +servercert () { + cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \ + -config=ca-config.json -profile=server server.json \ + | cfssljson -bare server } -mketcdcert () { - cfssl gencert -ca ca.pem -ca-key ca-key.pem etcd.json \ - | cfssljson -bare etcd -} - -# mkclientcert () { -# cfssl gencert -ca ca.pem -ca-key ca-key.pem client.json \ -# | cfssljson -bare client -# } - -mkclientcert () { +etcdcert () { host=$1 ip=$2 - sed "s/@host@/$host/g; s/@ip@/$ip/g; " client.json \ - | cfssl gencert -ca ca.pem -ca-key ca-key.pem - \ + sed "s/@host@/$host/g; s/@ip@/$ip/g;" etcd.json \ + | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \ + -config=ca-config.json -profile=peer - \ | cfssljson -bare $host } -mkclientcerts () { - for i in $hosts; do +clientcert () { + cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \ + -config=ca-config.json -profile=client client.json \ + | cfssljson -bare client +} + +mketcdcerts () { + for i in $etcd; do IFS="," set -- $i - mkclientcert $1 10.253.18.$2 + etcdcert $1 10.253.18.$2 done } case $1 in all) - mkcacert - mkapicert - mketcdcert - mkclientcert + cacert + servercert + mketcdcerts + clientcert ;; client) - mkclientcerts + clientcert ;; api) - mkapicert + servercert ;; etcd) - mketcdcert + mketcdcerts ;; *) echo "usege: mkcerts.sh (all|client|api|etcd)" diff --git a/pki/apiserver.json b/pki/server.json similarity index 94% rename from pki/apiserver.json rename to pki/server.json index 22e50df..035c3b7 100644 --- a/pki/apiserver.json +++ b/pki/server.json @@ -1,4 +1,5 @@ { + "CN": "server", "hosts": [ "k8s0-0", "kubernetes", diff --git a/test/gitlab.yaml b/test/gitlab.yaml new file mode 100644 index 0000000..ce6832f --- /dev/null +++ b/test/gitlab.yaml 
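Review bot: `cacert` (and therefore `all`) runs `cfssl genkey -initca` unconditionally, so re-running the script silently replaces `ca.pem`/`ca-key.pem` and invalidates every certificate already issued, while the fresh CA key lands unencrypted in the working tree. Guard it with `[ -e ca-key.pem ] && { echo "ca-key.pem exists, refusing to overwrite" >&2; exit 1; }` as the first line of `cacert`, and make sure `*-key.pem` is git-ignored (not visible in this change). The `client` label now emits one shared `client` certificate where it used to loop over `$hosts`, which matches client.json but reads as a side effect of the rename rather than a stated decision; a one-line comment above `clientcert` saying why a single shared client identity is acceptable would help. Note also that `mketcdcerts` sets `IFS=","` and never restores it (pre-existing context lines), which would break any word splitting added after the loop; running the loop body in a subshell or saving and restoring `IFS` contains it.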
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitlab + labels: + run: gitlab +spec: + type: NodePort + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + - port: 443 + protocol: TCP + name: https + - port: 22 + protocol: TCP + name: ssh + selector: + run: gitlab +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: gitlab + namespace: default +spec: + replicas: 1 + template: + metadata: + labels: + app: busybox + containers: + - image: gitlab/gitlab-ce:latest + name: gitlab-container + ports: + - containerPort: 80 + - containerPort: 22 + - containerPort: 443 + volumeMounts: + - mountPath: /etc/gitlab + name: gitlab-data + subPath: config + - mountPath: /var/log/gitlab + name: gitlab-data + subPath: logs + - mountPath: /var/opt/gitlab + name: gitlab-data + subPath: data + volumes: + - name: gitlab-data + nfs: + server: 10.253.10.103 + path: /data/gitlab + ReadOnly: false
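Review bot: The Service selects `run: gitlab` but the Deployment's pod template is labelled `app: busybox`, so the Service will never have endpoints; the Deployment also has no `spec.selector`, there is no `spec:` line between the template labels and `containers:` as shown in the hunk, and `ReadOnly: false` is not a valid NFS volume key (`readOnly`), so it is ignored or rejected depending on validation. `gitlab/gitlab-ce:latest` is an unpinned tag — pin a release tag (ideally an `@sha256` digest) so a registry-side change cannot silently roll out a different image. `type: NodePort` publishes HTTP, HTTPS and SSH on every node's IP, which is a wider exposure than a ClusterIP behind an ingress or a single LoadBalancer, and the NFS export at `10.253.10.103:/data/gitlab` will hold `/etc/gitlab` (where GitLab keeps its secrets file), so that export must not be mountable by arbitrary hosts. `extensions/v1beta1` Deployments are deprecated in favour of `apps/v1`, which also makes `spec.selector` mandatory. The rewritten lines:
```yaml
apiVersion: apps/v1
kind: Deployment
# … unchanged: metadata …
spec:
  replicas: 1
  selector:
    matchLabels:
      run: gitlab
  template:
    metadata:
      labels:
        run: gitlab
    spec:
      containers:
        - image: gitlab/gitlab-ce:X.Y.Z-ce.0  # replace with the release you tested; prefer an @sha256 digest
# … unchanged: name, ports and volumeMounts …
      volumes:
        - name: gitlab-data
          nfs:
            server: 10.253.10.103
            path: /data/gitlab
            readOnly: false
```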