diff --git a/container_files/shibboleth_keygen.bat b/container_files/shibboleth_keygen.bat
new file mode 100644
index 0000000..53a7fe1
--- /dev/null
+++ b/container_files/shibboleth_keygen.bat
@@ -0,0 +1,115 @@
+@echo off
+setlocal
+
+set DAYS=
+set YEARS=
+set FQDN=
+set ENTITYID=
+set TEMP_DOMAIN_NAME=
+set PARAM=
+set PREFIX=
+set OUT=%~dp0
+
+:opt_start
+set PARAM=%1
+
+if not defined PARAM goto opt_end
+if %1==-o goto opt_out
+if %1==-n goto opt_prefix
+if %1==-h goto opt_fqdn
+if %1==-e goto opt_entityid
+if %1==-y goto opt_years
+if %1==-f goto opt_force
+goto usage
+:opt_end
+
+if not defined PREFIX set PREFIX=sp
+
+if exist "%OUT%\%PREFIX%-key.pem" goto protect
+if exist "%OUT%\%PREFIX%-cert.pem" goto protect
+
+if not defined YEARS set YEARS=10
+set /a DAYS=%YEARS%*365
+
+if not defined FQDN goto guess_fqdn
+
+:generate
+set PATH=%PATH%;%ProgramFiles%\Shibboleth\SP\lib\
+set CNF="%OUT%\%PREFIX%-cert.cnf"
+echo # OpenSSL configuration file for creating keypair       >%CNF%
+echo [req]                                                   >>%CNF%
+echo prompt=no                                               >>%CNF%
+echo default_bits=3072                                       >>%CNF%
+echo encrypt_key=no                                          >>%CNF%
+echo default_md=sha256                                       >>%CNF%
+echo distinguished_name=dn                                   >>%CNF%
+echo # PrintableStrings only                                 >>%CNF%
+echo string_mask=MASK:0002                                   >>%CNF%
+echo x509_extensions=ext                                     >>%CNF%
+echo [dn]                                                    >>%CNF%
+echo CN=%FQDN%                                               >>%CNF%
+echo [ext]                                                   >>%CNF%
+if defined ENTITYID (echo subjectAltName=DNS:%FQDN%,URI:%ENTITYID% >>%CNF%) else (echo subjectAltName=DNS:%FQDN% >>%CNF%)
+echo subjectKeyIdentifier=hash                               >>%CNF%
+openssl.exe req -config %CNF% -new -x509 -days %DAYS% -keyout "%OUT%\%PREFIX%-key.pem" -out "%OUT%\%PREFIX%-cert.pem"
+del %CNF%
+exit /b
+
+:protect
+echo The files %OUT%\%PREFIX%-key.pem and/or %OUT%\%PREFIX%-cert.pem already exist!
+echo Use -f option to force recreation of keypair.
+exit /b
+
+:opt_out
+set OUT=%2
+shift
+shift
+goto opt_start
+
+:opt_prefix
+set PREFIX=%2
+shift
+shift
+goto opt_start
+
+:opt_force
+if exist "%OUT%\%PREFIX%-key.pem" del "%OUT%\%PREFIX%-key.pem"
+if exist "%OUT%\%PREFIX%-cert.pem" del "%OUT%\%PREFIX%-cert.pem"
+shift
+goto opt_start
+
+:opt_fqdn
+set FQDN=%2
+shift
+shift
+goto opt_start
+
+:opt_entityid
+set ENTITYID=%2
+shift
+shift
+goto opt_start
+
+:opt_years
+set YEARS=%2
+shift
+shift
+goto opt_start
+
+:usage
+echo usage: keygen [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix] [-o output dir]
+exit /b
+
+:guess_fqdn
+for /F "tokens=2 delims=:" %%i in ('"ipconfig /all | findstr /c:"Primary DNS Suffix" /c:"Primary Dns Suffix""') do set TEMP_DOMAIN_NAME=%%i
+if defined TEMP_DOMAIN_NAME set FQDN=%TEMP_DOMAIN_NAME: =%
+set TEMP_DOMAIN_NAME=
+if defined USERDNSDOMAIN set FQDN=%USERDNSDOMAIN%
+
+for /F %%i in ('hostname') do set HOST=%%i
+if defined FQDN (set FQDN=%HOST%.%FQDN%) else (set FQDN=%HOST%)
+
+echo >"%FQDN%"
+for /F %%i in ('dir /b/l %FQDN%') do set FQDN=%%i
+del %FQDN%
+goto generate