diff --git a/make-certs.sh b/make-certs.sh
new file mode 100755
index 0000000..c7ae71b
--- /dev/null
+++ b/make-certs.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+CERT_DIR="./storage/caddy/config"
+
+mkdir -p "$CERT_DIR"
+
+# Generate CA certificate and key if they don't exist
+if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
+ echo "Generating CA certificate and key..."
+ if ! openssl req \
+ -x509 \
+ -newkey rsa:4096 \
+ -keyout "$CERT_DIR/ca_key.pem" \
+ -out "$CERT_DIR/ca_cert.pem" \
+ -days 365 \
+ -nodes \
+ -subj "/CN=Azurite CA" \
+ -text \
+ -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
+ echo "Error: Failed to generate CA certificate and key." >&2
+ exit 1
+ fi
+fi
+
+# Generate server certificate and key if they don't exist
+if [[ ! -f "$CERT_DIR/server_cert.pem" || ! -f "$CERT_DIR/server_key.pem" ]]; then
+ echo "Generating server certificate and key..."
+ if ! openssl req \
+ -newkey rsa:4096 \
+ -keyout "$CERT_DIR/server_key.pem" \
+ -nodes \
+ -subj "/CN=localhost" \
+ -addext "basicConstraints=critical,CA:FALSE" \
+ -addext "keyUsage=digitalSignature,keyEncipherment" \
+ -addext "extendedKeyUsage=serverAuth,clientAuth" \
+ -addext "subjectAltName=DNS:localhost,DNS:terraform.blob.core.windows.net,IP:127.0.0.1" \
+ | openssl x509 \
+ -req \
+ -CA "$CERT_DIR/ca_cert.pem" \
+ -CAkey "$CERT_DIR/ca_key.pem" \
+ -set_serial "0x$(openssl rand -hex 16)" \
+ -copy_extensions copyall \
+ -days 365 \
+ -text \
+ -out "$CERT_DIR/server_cert.pem"; then
+ echo "Error: Failed to generate server certificate and key." >&2
+ exit 1
+ fi
+fi
+
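Review bot: Regenerating the CA leaves an existing server_cert.pem silently unusable, because the second `if` only tests that the server files exist and never that they still chain to the current ca_cert.pem or are within their 365-day validity — a cert signed by a previous CA, or an expired one, is kept as-is. Inside the CA branch, once the `openssl req` succeeds, drop the dependent files so the next block re-issues them: `rm -f -- "$CERT_DIR/server_cert.pem" "$CERT_DIR/server_key.pem"`; an `openssl x509 -checkend 0 -noout -in "$CERT_DIR/server_cert.pem"` test on the existing cert would additionally catch expiry. The script sets no `set -euo pipefail`, so in the server branch a failure of the `openssl req` stage or of the `$(openssl rand -hex 16)` substitution is masked by the exit status of the final `openssl x509`. Since `$CERT_DIR` is presumably the directory handed to Caddy, consider keeping ca_key.pem somewhere else — only the CA certificate and the server key/cert need to live there.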