diff --git a/ocserv/README.md b/ocserv/README.md
index 933ccb7..b658afa 100644
--- a/ocserv/README.md
+++ b/ocserv/README.md
@@ -41,6 +41,7 @@ $ docker-compose exec ocserv bash
 Re-enter password: ******
 >>> exit
 $ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
+$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
 $ docker-compose logs -f
 ```
@@ -61,11 +62,13 @@ AnyConnect -> File System: client.p12
 ```
+> :question: Android client show warning dialog: `Certificate is not yet valid.`
+
 ## desktop client
 [download](https://www.cellsystech.com/software/anyconnect/)
-`client.p12` can be imported into keychain.
+`client.p12` and `server-cert.pem` can be imported into keychain.
 [1]: http://www.infradead.org/ocserv/
diff --git a/ocserv/init.sh b/ocserv/init.sh
index e1b6ad3..028018f 100755
--- a/ocserv/init.sh
+++ b/ocserv/init.sh
@@ -26,6 +26,7 @@ _EOF_
 cat > server.tmpl <<_EOF_
 cn = "${VPN_DOMAIN}"
+dns_name = "${VPN_DOMAIN}"
 organization = "ocserv"
 serial = 2
 expiration_days = 3650
@@ -75,12 +76,13 @@ certtool --generate-certificate \
 --outfile client-cert.pem
 certtool --to-p12 \
- --load-privkey client-key.pem \
 --pkcs-cipher 3des-pkcs12 \
+ --load-ca-certificate ca-cert.pem \
 --load-certificate client-cert.pem \
+ --load-privkey client-key.pem \
 --outfile client.p12 \
 --outder \
- --p12-name "${VPN_USERNAME}" \
+ --p12-name "${VPN_DOMAIN}" \
 --password "${VPN_PASSWORD}"
 sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
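Review bot: The new `dns_name = "${VPN_DOMAIN}"` line is expanded into the certtool template straight from an environment variable with no validation, so a value containing a double quote or a newline would alter the template rather than just the SAN; the existing `cn` line has the same property, and the new line doubles the exposure. A guard before the heredoc such as `[[ "$VPN_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { printf 'VPN_DOMAIN must be a hostname\n' >&2; exit 1; }` keeps the template well-formed. If VPN_DOMAIN may be an IP literal rather than a hostname, a `dns_name` SAN will not match it and certtool's `ip_address =` template key is the right entry for that case. The heredoc's `_EOF_` terminator lies outside the hunk.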
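Review bot: `--pkcs-cipher 3des-pkcs12` is carried over unchanged in the reordered `certtool --to-p12` call without a comment, and with `--load-ca-certificate ca-cert.pem` now bundled the client key and CA certificate travel together in a container protected only by the legacy 3DES PKCS#12 encryption and `VPN_PASSWORD`. If it is kept because the Android and Apple importers named in the README presumably reject AES-encrypted PKCS#12 files, that choice deserves a comment such as `# 3des-pkcs12: legacy PBE kept for keychain/Android importer compatibility; revisit once AES p12 imports cleanly`. Note too that `--password "${VPN_PASSWORD}"` passes the secret on argv, where `ps` and any `set -x` trace of init.sh can see it; that line is context rather than new, but the reorder touches this command. The `sed -i` command on the last line continues outside the hunk.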