diff --git a/Makefile b/Makefile
index 4f06831..f07cd51 100644
--- a/Makefile
+++ b/Makefile
@@ -12,13 +12,17 @@ SRCS=\
 	server-peer.go \
 	server-ws.go
 
+CMD_DATA=\
+	cmd/tls.crt \
+	cmd/tls.key
+
 CMD_SRCS=\
 	cmd/config.go \
-	cmd/main.go
+	cmd/main.go \
 
 all: hodu
 
-hodu: $(SRCS) $(CMD_SRCS)
+hodu: $(SRCS) $(CMD_DATA) $(CMD_SRCS)
 	CGO_ENABLED=0 go build -x -o $@ $(CMD_SRCS)
 
 clean:
@@ -35,4 +39,10 @@ hodu_grpc.pb.go: hodu.proto
 		--go-grpc_out=. --go-grpc_opt=paths=source_relative \
 		hodu.proto
 
+cmd/tls.crt:
+	openssl req -x509 -newkey rsa:4096 -keyout cmd/tls.key -out cmd/tls.crt -sha256 -days 36500 -nodes -subj "/CN=hodu"
+
+cmd/tls.key:
+	openssl req -x509 -newkey rsa:4096 -keyout cmd/tls.key -out cmd/tls.crt -sha256 -days 36500 -nodes -subj "/CN=hodu"
+
 .PHONY: clean
diff --git a/cmd/config.go b/cmd/config.go
index 1994a83..057b761 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -25,13 +25,14 @@ type ServerTLSConfig struct {
 }
 
 type ClientTLSConfig struct {
-	Enabled          bool   `yaml:"enabled"`
-	CertFile         string `yaml:"cert-file"`
-	KeyFile          string `yaml:"key-file"`
-	CertText         string `yaml:"cert-text"`
-	KeyText          string `yaml:"key-text"`
-	ServerCACertFile string `yaml:"server-ca-cert-file"`
-	ServerCACertText string `yaml:"server-ca-cert-text"`
+	Enabled            bool   `yaml:"enabled"`
+	CertFile           string `yaml:"cert-file"`
+	KeyFile            string `yaml:"key-file"`
+	CertText           string `yaml:"cert-text"`
+	KeyText            string `yaml:"key-text"`
+	ServerCACertFile   string `yaml:"server-ca-cert-file"`
+	ServerCACertText   string `yaml:"server-ca-cert-text"`
+	InsecureSkipVerify bool   `yaml:"skip-verify"`
 }
 
 type ServerConfig struct {
diff --git a/cmd/main.go b/cmd/main.go
index 114a098..087a725 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -3,6 +3,7 @@ package main
 import "context"
 import "crypto/tls"
 import "crypto/x509"
+import _ "embed"
 import "flag"
 import "fmt"
 import "hodu"
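Review bot: `cmd/tls.crt` and `cmd/tls.key` are two independent targets whose recipes each write both files, so a parallel `make -j` can run both recipes at once and leave a `tls.crt` that does not match `tls.key`; one rule should own the pair, e.g. keep the `openssl req` recipe only under `cmd/tls.crt` and make the key depend on it with no recipe, `cmd/tls.key: cmd/tls.crt`. The generated certificate also carries no subjectAltName (only `-subj "/CN=hodu"`), and Go has ignored the CN for hostname matching since 1.15, so any client that actually verifies the server fails against it and is pushed toward disabling verification; add `-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"` (or the names the server is reached by). With `-nodes -days 36500` the recipe leaves an unencrypted key valid for a century in the tree, so `clean:` (its body is outside this hunk) should remove both files and they belong in `.gitignore` rather than in the repository.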
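Review bot: The new `InsecureSkipVerify` field is exposed under the YAML key `skip-verify`, which hides from an operator that it turns off server certificate validation altogether; carry the warning in the key, `InsecureSkipVerify bool` tagged `yaml:"insecure-skip-verify"`, and document it, e.g. `// Disables verification of the server certificate (chain and hostname). Development only: with this set the connection can be intercepted by anyone.` The code that copies the field into a `tls.Config` is not part of this diff, so whether enabling it is logged or otherwise gated cannot be judged here. Note that `client_main` in this same commit still obtains its TLS config via `make_tls_server_config(&cfg.TLS)`, so it is unclear from the patch whether `ClientTLSConfig` is consumed at all.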
@@ -17,35 +18,13 @@ import "sync"
 import "syscall"
 import "time"
 
+//go:embed tls.crt
+var hodu_tls_cert_text []byte
+//go:embed tls.key
+var hodul_tls_key_text []byte
 // --------------------------------------------------------------------
 
-const rootKey = `-----BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIHg+g2unjA5BkDtXSN9ShN7kbPlbCcqcYdDu+QeV8XWuoAoGCCqGSM49
-AwEHoUQDQgAEcZpodWh3SEs5Hh3rrEiu1LZOYSaNIWO34MgRxvqwz1FMpLxNlx0G
-cSqrxhPubawptX5MSr02ft32kfOlYbaF5Q==
------END EC PRIVATE KEY-----
-`
-
-const rootCert = `-----BEGIN CERTIFICATE-----
-MIIB+TCCAZ+gAwIBAgIJAL05LKXo6PrrMAoGCCqGSM49BAMCMFkxCzAJBgNVBAYT
-AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
-aXRzIFB0eSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNTEyMDgxNDAxMTNa
-Fw0yNTEyMDUxNDAxMTNaMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0
-YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHGaaHVod0hLOR4d
-66xIrtS2TmEmjSFjt+DIEcb6sM9RTKS8TZcdBnEqq8YT7m2sKbV+TEq9Nn7d9pHz
-pWG2heWjUDBOMB0GA1UdDgQWBBR0fqrecDJ44D/fiYJiOeBzfoqEijAfBgNVHSME
-GDAWgBR0fqrecDJ44D/fiYJiOeBzfoqEijAMBgNVHRMEBTADAQH/MAoGCCqGSM49
-BAMCA0gAMEUCIEKzVMF3JqjQjuM2rX7Rx8hancI5KJhwfeKu1xbyR7XaAiEA2UT7
-1xOP035EcraRmWPe7tO0LpXgMxlh2VItpc2uc2w=
------END CERTIFICATE-----
-`
-// --------------------------------------------------------------------
-
 type AppLogger struct {
 	id string
 	out io.Writer
@@ -176,7 +155,7 @@ func tls_string_to_client_auth_type(str string) tls.ClientAuthType {
 
 // --------------------------------------------------------------------
 
-func make_server_tls_config(cfg *ServerTLSConfig) (*tls.Config, error) {
+func make_tls_server_config(cfg *ServerTLSConfig) (*tls.Config, error) {
 	var tlscfg *tls.Config
 
 	if cfg.Enabled {
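Review bot: The embedded key variable is misspelled `hodul_tls_key_text` while its sibling uses the `hodu_` prefix, and neither declaration says what the pair is or what its trust status is. Since `tls.key` is committed next to `main.go` in this commit, the private key is known to anyone with the repository or a binary, so the declaration should state that plainly, e.g. `// Built-in fallback identity used when no cert-file/key-file is configured. The key is published with the source, so this pair provides no server authentication and must not be relied on outside local testing.` Renaming to `hodu_tls_key_text` keeps the two `//go:embed` declarations parallel.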
@@ -190,7 +169,7 @@ func make_server_tls_config(cfg *ServerTLSConfig) (*tls.Config, error) {
 			cert, err = tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
 		} else {
 			// use the embedded certificate
-			cert, err = tls.X509KeyPair([]byte(rootCert), []byte(rootKey))
+			cert, err = tls.X509KeyPair(hodu_tls_cert_text, hodul_tls_key_text)
 		}
 		if err != nil {
 			return nil, fmt.Errorf("failed to load key pair - %s", err)
@@ -230,7 +209,6 @@ func make_server_tls_config(cfg *ServerTLSConfig) (*tls.Config, error) {
 			Certificates: []tls.Certificate{cert},
 			ClientAuth: tls_string_to_client_auth_type(cfg.ClientAuthType),
 			ClientCAs: cert_pool, // trusted CA certs for client certificate verification
-			//ServerName: "hodu",
 		}
 	}
 
@@ -243,7 +221,7 @@ func server_main(ctl_addrs []string, svcaddrs []string, cfg *ServerConfig) error
 	var err error
 
 	if cfg != nil {
-		tlscfg, err = make_server_tls_config(&cfg.TLS)
+		tlscfg, err = make_tls_server_config(&cfg.TLS)
 		if err != nil {
 			return err
 		}
@@ -276,7 +254,7 @@ func client_main(ctl_addrs []string, server_addr string, peer_addrs []string, cf
 	var err error
 
 	if cfg != nil {
-		tlscfg, err = make_server_tls_config(&cfg.TLS)
+		tlscfg, err = make_tls_server_config(&cfg.TLS)
 		if err != nil {
 			return err
 		}
@@ -405,8 +383,8 @@ func main() {
 	os.Exit(0)
 
 wrong_usage:
-	fmt.Fprintf(os.Stderr, "USAGE: %s server --rpc-on=addr:port --ctl-on=addr:port \n", os.Args[0])
-	fmt.Fprintf(os.Stderr, " %s client --rpc-server=addr:port --ctl-on=addr:port [peer-addr:peer-port ...]\n", os.Args[0])
+	fmt.Fprintf(os.Stderr, "USAGE: %s server --rpc-on=addr:port --ctl-on=addr:port\n", os.Args[0])
+	fmt.Fprintf(os.Stderr, " %s client --rpc-server=addr:port --ctl-on=addr:port [peer-addr:peer-port ...]\n", os.Args[0])
 	os.Exit(1)
 
 oops:
diff --git a/cmd/tls.crt b/cmd/tls.crt
new file mode 100644
index 0000000..d6c6ccc
--- /dev/null
+++ b/cmd/tls.crt
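Review bot: The fallback branch now loads `hodu_tls_cert_text`/`hodul_tls_key_text`, a key pair that this same commit checks into the repository, so a server taking this path presents an identity anyone can reproduce and a client that pins or verifies this certificate gains nothing; at minimum the `// use the embedded certificate` branch should emit a prominent warning, or refuse to start unless an explicit opt-in is configured, so production deployments cannot silently run on it. Whether a logger is reachable here depends on `make_tls_server_config`, which starts above this hunk and ends below it. Separately, the error should wrap rather than format so callers can unwrap it: `return nil, fmt.Errorf("failed to load key pair - %w", err)`.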
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIUYf8nD4uZJgKt00E1vhq2Kmbc3S8wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEaG9kdTAgFw0yNDEyMDcwMzQwMzFaGA8yMTI0MTExMzAz
+NDAzMVowDzENMAsGA1UEAwwEaG9kdTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAI8fLL9mkZH38Hu0zftteEKbDU7fsWLhUBg+vvPthIkEFowpWWrp6Pf7
+l2fu6jfAh8NzxFCafhrCMNqtN6dvCJQ8chB4E9fT2hWtbkZE+YnbQo7zundXelza
+CxnTE9f1r+LJ9CfymuA+2hz5RG+gU+k+JT2d0GpwSiCuUt2NnfGUOWfFdNTAxsbX
+pffCdjeyjlbrjkZKpNpWudmE0XcAJH/CGq0Y3SCjuU4tDKJ6aJ0ozLbUxP8UTOgr
+jl8W6vtIbpc/Epk8K2ylugZdjLHcTH0DjcWPO8IsGSxVjgppsMYoBO0iM4KkNpD7
+PaJkofyeUkqkJ7vHQ/1MBx2yMGkfVdnwCCT6HZOohIdNk7Y2Azl8o9+Q2tBT/sGh
+UhCCtm3uFNiGjj6CoGsbmsu2SVS3AIJtkgDFcuFNIOiqxk322GY8kwZVLYMm0t77
+z3utOKm3zIedqh4yDtfYlIUmTASzXTXEmzQYOCvZyCYFtcqR3Q5uCu5e9grimkkl
+4WkaWOxdsHrACpmEJbpd+4l/mwg+WYPpWA81OnWfmO0qTRew6OGF5iaYtdF+5sPW
+lUvL5Y1k/TRMUd1cbsOhe0Hnb2QJYlNxxn3aI2jflhc8kVnSd3BfFn8qSzEooj7C
+zLiZS+Wmzxo5f1Wlb9KIyljODpeIp7o7f4IsySW7uq0hncxcDe8lAgMBAAGjUzBR
+MB0GA1UdDgQWBBTsf09ZVNMHbhXGpxWD/lcAIUmlRDAfBgNVHSMEGDAWgBTsf09Z
+VNMHbhXGpxWD/lcAIUmlRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4ICAQAok06886mPX617Eg5SQw8JlZujt3FXxWWTeBuZJkOraZ2sirsocYh0ep28
+3FDYWFHJjHmHaGnfjmbDuQaZ8+dbGxr9vwCott7yw71q0FqZTjmAqdvmyLPeaYfA
+r2vdyNTWe9zI/7c0k8KnyNhsqXoDbmuQ65vUnXHe0r1u1WSlFj40rcpzSYwQ5F4S
+iZ3JymJkTTyxyeNjngTmBaxEhe7cP5S7bsmL5lsDLQgXVaJAJaQqIbrt8H9Snp1a
+9GG0+NgAevFonazwTJXj+QyYyWYD0uGHSR9gQtUL8okZhf+WtW1yIN9pWs8clVJc
+fmDklOfvpDmOQuYG10fUHH1NoyciPnQMWQWXI9Zvy3pd4qg/9DYKY54I8Y2J80Vn
+G/JqXjLCGp7IdB3lrLRe3XAca1SBbgCh3FhqD/W8Qb8aJLx2E6eDwZmW0ophpxXQ
+6zIsK+60Aruk8pHnsqc+n4rXGXprboMk5aF5tjhnLncF/D6/qvxEJN85RHCZfvOs
+hoWNe9jjPEvCUPB23kDBPLxxPEzJm3y4pvwmvImvV2+N6akRqGa3LbupJEqtVBKd
+/6IpFjzTQTPiq024jtZTVbx3vqdupWNcZcTkcdb4GfhgtNu3RYssqheknRIsjisF
+1TlVrONqaIsFe9V5UW3fqa/4h6S6pO99pcNSzJn3VSRkJhZoaw==
+-----END CERTIFICATE-----
diff --git a/cmd/tls.key b/cmd/tls.key
new file mode 100644
index 0000000..ad02408
--- /dev/null
+++ b/cmd/tls.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCPHyy/ZpGR9/B7
+tM37bXhCmw1O37Fi4VAYPr7z7YSJBBaMKVlq6ej3+5dn7uo3wIfDc8RQmn4awjDa
+rTenbwiUPHIQeBPX09oVrW5GRPmJ20KO87p3V3pc2gsZ0xPX9a/iyfQn8prgPtoc
++URvoFPpPiU9ndBqcEogrlLdjZ3xlDlnxXTUwMbG16X3wnY3so5W645GSqTaVrnZ
+hNF3ACR/whqtGN0go7lOLQyiemidKMy21MT/FEzoK45fFur7SG6XPxKZPCtspboG
+XYyx3Ex9A43FjzvCLBksVY4KabDGKATtIjOCpDaQ+z2iZKH8nlJKpCe7x0P9TAcd
+sjBpH1XZ8Agk+h2TqISHTZO2NgM5fKPfkNrQU/7BoVIQgrZt7hTYho4+gqBrG5rL
+tklUtwCCbZIAxXLhTSDoqsZN9thmPJMGVS2DJtLe+897rTipt8yHnaoeMg7X2JSF
+JkwEs101xJs0GDgr2cgmBbXKkd0ObgruXvYK4ppJJeFpGljsXbB6wAqZhCW6XfuJ
+f5sIPlmD6VgPNTp1n5jtKk0XsOjhheYmmLXRfubD1pVLy+WNZP00TFHdXG7DoXtB
+529kCWJTccZ92iNo35YXPJFZ0ndwXxZ/KksxKKI+wsy4mUvlps8aOX9VpW/SiMpY
+zg6XiKe6O3+CLMklu7qtIZ3MXA3vJQIDAQABAoICABHsNn9Vid88rFnhf3X/9HJq
+1lTNQHqAerY+jU0grls2LtioiPERj8IWOJSkX6JRsu6v/aKWZjpVnSaVUIXgKrPd
+ie80ClAZ0JKsYEXed11jHsemD/DH/KPKDl/ShgaiVr9QyQmDoQ9573h3YrGT404v
+IRzBOYtKuo2zJt9lz6SkCjhLiuDlrz7RXJBVQtagvqB16SA2UsSg3a82qcB8PRXe
+qdaJaY+f0SHQFGf4akdcB57RsEW9NhBQ/Ag+Z3jGTksUc/DKjymQ62XGq0rOqqlx
+G3zk/ffH6/MYV6xIJgH6mvtTMB4pEEhBnitK7NokvWtpeSxTvNjof2+hk9xmNyre
+qSgipEgjTtyScKGjLyDP0UwuFAO1CDrHKvSqXEA3lWLUCjE/+K3DxwnUhl1nDNSn
+Hn2PBwkBimyAVQc5YoGecNTam0VjDVlmp621zxmFyT56c5VxVHC4UF2V2XxzivlV
+PewfTTDZJm5/B3v/mH6WPc9qPYDHiEo2T9Nb2a/toEJIAlEiz+9g/wyw9EiP4Pjp
+az91bwMvvlmMu8zpFbe3GU1fkjJ6HXbwwTAj4SAWlNQHQKL5WYeD9pGw+hPTaaO/
+JFEt2idDUw3wi1pClUZ8zZeNjsk1RiGErFNMPEeekeGNp9A5YfuBHKbDljDBGKBP
+y+IxT7Tn15LqKg9HNIlhAoIBAQDCDiBTvNf+chYXrbQxAkgCgKRVrHPxYKg0SxdD
+KJy2LRVilTo31c9FTk2RFLSoA+YKqIk34Z4DCH8Ilc/BUjvgMba2alugPYHhUTzf
+SvBHkWVoG6/PJkiqty/AGQE6ODAYEgM2rSj/XtYx6mAInbtU/fInys52WYfVHT1O
+mx4H7vTWQ3dkMGtcKxyU5JZAZY91O3dW2rR7lDmsbCr/ar4EHHh0Im+cdlgc/DBQ
+9l4wG8RMMcRz7DTq+yRa/IrLUjW/kSapdRYFQ1ZON0W+ogdgOnnCNC0xCyYlB1L3
+E5BPS0VYkBbYbGJIolV1NUB5gz/UNpixlbWL4TolcHhJ1LZNAoIBAQC8ztqDvaHh
+cH4Vc5cIoR5tgEeiXHCA0HNXsxnluJiLy50KbNOwQ505/1VzxjxiY6Z2lxi93d8c
+cl8hEMifVriSJIHDwNCstZpdvhX1LNkyQgzaANmZV/qNf9IKDaKWU/CspxfzcB5C
+1h+msLbU1/IYogEceGgXf+2/ICNSTlxYrqd/4/txDrmQaidbSeDAvGAue/QlqpEc
+e/FAQwGQoIT9j4WglLDi6KrqOUk88h4XP/7MivUBctcomfQzdmkmr1nHyraamgNz
+uE823b/ry+TkJ+b9Jm6dHsqr4Alg+kuVSt6YFnVh3AOiUME97lJ+/QGkgqaBCYIb
+D1upNG00Urg5AoIBADt2fK1sJnuPlfl3fsmtu0cZCEJAb969EY3EnMI1hZ/FPNJS
+i95kI/lGvzn/sEPzvd/yOOnotrSTO+nzjg/dFP/j++r1uFHnxw62CAMcQXiMsxgt
+s7e0MXwuWfFxOBEQ+pvFmTp94RwvgU8WVIsPWkH29ub+nDljwd2p8glOOuuPa3Lk
+hYcr1xoNE9sEGI5vEICJ0k3JApkDmJCfLKXLnaJA3yAnFTBKi0GGfX+xnrb7KzF1
+5o7nCGggwMkorZcT/+hNoB05BaBjO+UHxtVdbQktofXCaz6l/fBGyENxuTyzAfLb
+ZES5IXzEUY9y2+jgMQTkHfH8v/6260xhpFprVdkCggEALzlt3lWoD8MbRjJLLJVg
+DvNu92U3noCE2QKrD5JEVXLwLJNbv1KqGL+MmBCVOebC1Bam0ZaVH4Bb2uFfzLrc
+H3GSI2wuxYQGwDuzMketa6ypmj1sL7aZrJqz5l/Sstb787M3gmQgrYbxE7hPgp0g
+qJicvoo/PuF4jb10GDoRTv0gWBSl53lPYJeskGDCHnL/e6D1SBaJhR5bET+xPINp
+wCINwkRumdKoLT123A+TBy2yhWacMWiP+E/JjLWpR0vEoPxLABBVnLQU3BxKzKeK
+8KYqWFcsg5AYETVQIzl3fjfjxRaY9YkaP5cDPoJFkA2oQ4WKL+w45pvIyWGbjuLB
+wQKCAQAXxB4nKdcN8eQZx5tSus97yf7yPm0HSEEzNy6rnbqtS3uX3/KEYFACBoTP
+C5kpuNYEXHp8LgWhnnT/gtSLLQHSiTULKKKc7tm15zYMSRcWH7qHDTgzUE3FxfQu
+JUXssKeN0JDbm6HoEma53uFYw5XSRB3Odg1mszoyO0fD4xBqo6jay8d/8oi4SfLf
+mxV1kMKzW2tr0iyQIt3O/gehsMwtiK3u923CMrtmvDSJpUxHZh5QWte8FcHPeo6g
+cuK6DBook4bA4tMyXnH5LszXL5pwbeTGddiCoc8EbI1WJKBByHizTWYAVl0znXg7
+cE9VuuHZqcE0fWokNG7bO3t6lqPg
+-----END PRIVATE KEY-----
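Review bot: This adds an unencrypted PKCS#8 RSA private key (`-----BEGIN PRIVATE KEY-----`) to version control, and the Makefile and `//go:embed` directives in this commit bake it into every `hodu` binary, so the key must be treated as compromised from the moment it is pushed: anyone can present the matching `cmd/tls.crt` and impersonate or man-in-the-middle any deployment that relies on the default. Remove `cmd/tls.key` (and `cmd/tls.crt`) from the tree, add them to `.gitignore`, and let the new `cmd/tls.crt` make rule generate a fresh pair per build, or generate one at first start. If the pair is meant only as a development convenience, as the `/CN=hodu` self-signed setup suggests, the configuration documentation should say so and direct operators to `cert-file`/`key-file` for anything else.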