diff --git a/ocserv/Dockerfile b/ocserv/Dockerfile
index d17d6e4..3d351e3 100644
--- a/ocserv/Dockerfile
+++ b/ocserv/Dockerfile
@@ -52,9 +52,12 @@ RUN set -xe \
 && make install \
 && mkdir -p /etc/ocserv/certs \
 && cp ./doc/sample.config /etc/ocserv/ocserv.conf \
- && sed -i -e 's@../tests/@/etc/ocserv/certs/@' \
+ && cp ./doc/profile.xml /etc/ocserv/profile.xml \
+ && sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
+ -e 's@../tests/@/etc/ocserv/certs/@' \
 -e 's@certs/ca.pem@certs/ca-cert.pem@' \
 -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
+ -e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
 -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
 -e 's@^dns =.*$@dns = 8.8.8.8@' \
 -e 's@^route@#&@' \
diff --git a/ocserv/README.md b/ocserv/README.md
index b0d9e71..46a67f6 100644
--- a/ocserv/README.md
+++ b/ocserv/README.md
@@ -23,4 +23,13 @@ ocserv:
 restart: always
 ```
+> :warning: Please choose a strong password to protect VPN service.
+
+## up and running
+
+```bash
+$ docker-compose up -d
+$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
+```
+
 [1]: http://www.infradead.org/ocserv/
diff --git a/ocserv/docker-entrypoint.sh b/ocserv/docker-entrypoint.sh
index 6620e43..b689149 100755
--- a/ocserv/docker-entrypoint.sh
+++ b/ocserv/docker-entrypoint.sh
@@ -10,4 +10,4 @@ fi
 iptables -t nat -A POSTROUTING -s ${VPN_NETWORK}/${VPN_NETMASK} -j MASQUERADE
-exec ocserv -c /etc/ocserv/ocserv.conf -f $@
+exec ocserv -c /etc/ocserv/ocserv.conf -f -d 1 "$@"
diff --git a/ocserv/init.sh b/ocserv/init.sh
index 47fc524..e1b6ad3 100755
--- a/ocserv/init.sh
+++ b/ocserv/init.sh
@@ -34,6 +34,16 @@ signing_key
 tls_www_server
 _EOF_
+cat > client.tmpl <<_EOF_
+cn = "client@${VPN_DOMAIN}"
+uid = "client@${VPN_DOMAIN}"
+unit = "ocserv"
+expiration_days = 3650
+signing_key
+tls_www_client
+_EOF_
+
+# gen ca keys
 certtool --generate-privkey \
 --outfile ca-key.pem
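Review bot: The new `user-profile` and `enable-auth` substitutions depend on the exact comment text in upstream `doc/sample.config`; if that text changes, `sed -i` still exits 0 with nothing replaced and the image builds with certificate authentication silently not enabled. Appending `&& grep -q '^enable-auth = "certificate"$' /etc/ocserv/ocserv.conf \` and `&& grep -q '^user-profile = /etc/ocserv/profile.xml$' /etc/ocserv/ocserv.conf` to the `RUN` chain turns that into a build failure. Worth a comment on the `enable-auth` line too: in ocserv `enable-auth` adds an alternative login method rather than a second factor, so once it takes effect the client certificate (the `client.p12` that init.sh now generates) is sufficient to connect independently of the primary `auth` method. The `RUN` instruction starts and ends outside the hunk.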
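Review bot: The added `-d 1` hardcodes ocserv's debug level without saying why; a one-line comment above the `exec`, e.g. `# -d 1: emit connection/auth events to stderr so they reach docker logs`, adjusted to the actual motivation, would record the intent. Making it overridable, e.g. `-d "${OCSERV_DEBUG:-1}"` with a variable name of your choosing, lets operators raise verbosity for troubleshooting without rebuilding the image; higher levels are increasingly verbose about sessions, so keep the default low. Quoting `"$@"` is the right fix for the previously unquoted `$@`. The `fi` in the hunk header closes a block that starts outside the hunk.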
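Review bot: `expiration_days = 3650` gives the client certificate a ten-year lifetime, and with `enable-auth = "certificate"` switched on in the Dockerfile that certificate is by itself a valid login credential, while nothing in this change sets up revocation; a shorter default, or one taken from the environment such as `expiration_days = ${CLIENT_CERT_DAYS:-3650}` with a variable name of your choosing, bounds how long a lost `client.p12` stays usable. If `VPN_DOMAIN` is unset the heredoc yields `cn = "client@"`; unless a `: "${VPN_DOMAIN:?}"` guard exists above the hunk, one should be added before the template is written. Presumably `uid` is set because ocserv's `cert-user-oid` maps that field to the VPN username; a comment `# uid is what ocserv's cert-user-oid maps to a username` next to it would make the pairing with `cn` intentional rather than accidental. The script continues on both sides of this hunk.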
@@ -42,6 +52,7 @@ certtool --generate-self-signed \
 --template ca.tmpl \
 --outfile ca-cert.pem
+# gen server keys
 certtool --generate-privkey \
 --outfile server-key.pem
@@ -52,6 +63,26 @@ certtool --generate-certificate \
 --template server.tmpl \
 --outfile server-cert.pem
+# gen client keys
+certtool --generate-privkey \
+ --outfile client-key.pem
+
+certtool --generate-certificate \
+ --load-privkey client-key.pem \
+ --load-ca-certificate ca-cert.pem \
+ --load-ca-privkey ca-key.pem \
+ --template client.tmpl \
+ --outfile client-cert.pem
+
+certtool --to-p12 \
+ --load-privkey client-key.pem \
+ --pkcs-cipher 3des-pkcs12 \
+ --load-certificate client-cert.pem \
+ --outfile client.p12 \
+ --outder \
+ --p12-name "${VPN_USERNAME}" \
+ --password "${VPN_PASSWORD}"
+
 sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
 -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf
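Review bot: `--pkcs-cipher 3des-pkcs12` selects a legacy cipher for the exported bundle and the hunk gives no reason; if this is for client compatibility, say so with `# 3des-pkcs12: widest client compatibility for the PKCS#12 bundle; prefer aes-256 where clients allow it`, otherwise drop the option and take certtool's default. After `client.p12` is written the plaintext `client-key.pem` remains in the certs directory beside `ca-key.pem`, although ocserv verifies clients against `ca-cert.pem` rather than that file; `rm -f -- client-key.pem` after the `--to-p12` step reduces what a leaked container filesystem exposes. `--password "${VPN_PASSWORD}"` puts the secret on argv, visible in process listings and in any `set -x` trace for the duration of the call, which is inherent to certtool's non-interactive interface but worth a comment and a check that tracing is off around this block. None of the three certtool calls checks its exit status, so unless `set -e` is active from above the hunk a failed step leaves a partial bundle; the script continues outside the hunk.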