diff --git a/cover.html b/cover.html
new file mode 100644
index 0000000..f63f349
--- /dev/null
+++ b/cover.html
@@ -0,0 +1,196 @@
+
+<!DOCTYPE html>
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+		<title>selfcert: Go Coverage Report</title>
+		<style>
+			body {
+				background: black;
+				color: rgb(80, 80, 80);
+			}
+			body, pre, #legend span {
+				font-family: Menlo, monospace;
+				font-weight: bold;
+			}
+			#topbar {
+				background: black;
+				position: fixed;
+				top: 0; left: 0; right: 0;
+				height: 42px;
+				border-bottom: 1px solid rgb(80, 80, 80);
+			}
+			#content {
+				margin-top: 50px;
+			}
+			#nav, #legend {
+				float: left;
+				margin-left: 10px;
+			}
+			#legend {
+				margin-top: 12px;
+			}
+			#nav {
+				margin-top: 10px;
+			}
+			#legend span {
+				margin: 0 5px;
+			}
+			.cov0 { color: rgb(192, 0, 0) }
+.cov1 { color: rgb(128, 128, 128) }
+.cov2 { color: rgb(116, 140, 131) }
+.cov3 { color: rgb(104, 152, 134) }
+.cov4 { color: rgb(92, 164, 137) }
+.cov5 { color: rgb(80, 176, 140) }
+.cov6 { color: rgb(68, 188, 143) }
+.cov7 { color: rgb(56, 200, 146) }
+.cov8 { color: rgb(44, 212, 149) }
+.cov9 { color: rgb(32, 224, 152) }
+.cov10 { color: rgb(20, 236, 155) }
+
+		</style>
+	</head>
+	<body>
+		<div id="topbar">
+			<div id="nav">
+				<select id="files">
+				
+				<option value="file0">github.com/gopatchy/selfcert/selfcert.go (75.9%)</option>
+				
+				</select>
+			</div>
+			<div id="legend">
+				<span>not tracked</span>
+			
+				<span class="cov0">no coverage</span>
+				<span class="cov1">low coverage</span>
+				<span class="cov2">*</span>
+				<span class="cov3">*</span>
+				<span class="cov4">*</span>
+				<span class="cov5">*</span>
+				<span class="cov6">*</span>
+				<span class="cov7">*</span>
+				<span class="cov8">*</span>
+				<span class="cov9">*</span>
+				<span class="cov10">high coverage</span>
+			
+			</div>
+		</div>
+		<div id="content">
+		
+		<pre class="file" id="file0" style="display: none">package selfcert
+
+import (
+        "crypto/ecdsa"
+        "crypto/elliptic"
+        "crypto/rand"
+        "crypto/tls"
+        "crypto/x509"
+        "crypto/x509/pkix"
+        "encoding/pem"
+        "math/big"
+        "net"
+        "time"
+)
+
+func NewTLSConfig(hosts []string) (*tls.Config, error) <span class="cov8" title="1">{
+        priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+
+        serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">template := x509.Certificate{
+                SerialNumber: serialNumber,
+                Subject: pkix.Name{
+                        Organization: []string{"Acme Co"},
+                },
+                NotBefore:             time.Now(),
+                NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
+                KeyUsage:              x509.KeyUsageDigitalSignature,
+                ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+                BasicConstraintsValid: true,
+        }
+
+        for _, h := range hosts </span><span class="cov8" title="1">{
+                if ip := net.ParseIP(h); ip != nil </span><span class="cov0" title="0">{
+                        template.IPAddresses = append(template.IPAddresses, ip)
+                }</span> else<span class="cov8" title="1"> {
+                        template.DNSNames = append(template.DNSNames, h)
+                }</span>
+        }
+
+        <span class="cov8" title="1">certBytes, err := x509.CreateCertificate(rand.Reader, &amp;template, &amp;template, &amp;priv.PublicKey, priv)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">certPem := pem.EncodeToMemory(&amp;pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
+
+        keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">keyPem := pem.EncodeToMemory(&amp;pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes})
+
+        cert, err := tls.X509KeyPair(certPem, keyPem)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">conf := &amp;tls.Config{
+                Certificates: []tls.Certificate{cert},
+                MinVersion:   tls.VersionTLS13,
+                NextProtos:   []string{"h2"},
+        }
+
+        return conf, nil</span>
+}
+
+func NewTLSConfigFromHostPort(hostport string) (*tls.Config, error) <span class="cov8" title="1">{
+        host, _, err := net.SplitHostPort(hostport)
+        if err != nil </span><span class="cov0" title="0">{
+                return nil, err
+        }</span>
+
+        <span class="cov8" title="1">return NewTLSConfig([]string{host})</span>
+}
+</pre>
+		
+		</div>
+	</body>
+	<script>
+	(function() {
+		var files = document.getElementById('files');
+		var visible;
+		files.addEventListener('change', onChange, false);
+		function select(part) {
+			if (visible)
+				visible.style.display = 'none';
+			visible = document.getElementById(part);
+			if (!visible)
+				return;
+			files.value = part;
+			visible.style.display = 'block';
+			location.hash = part;
+		}
+		function onChange() {
+			select(files.value);
+			window.scrollTo(0, 0);
+		}
+		if (location.hash != "") {
+			select(location.hash.substr(1));
+		}
+		if (!visible) {
+			select("file0");
+		}
+	})();
+	</script>
+</html>
diff --git a/cover.out b/cover.out
new file mode 100644
index 0000000..c98659a
--- /dev/null
+++ b/cover.out
@@ -0,0 +1,19 @@
+mode: atomic
+github.com/gopatchy/selfcert/selfcert.go:16.56,18.16 2 1
+github.com/gopatchy/selfcert/selfcert.go:18.16,20.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:22.2,25.16 3 1
+github.com/gopatchy/selfcert/selfcert.go:25.16,27.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:29.2,41.26 2 1
+github.com/gopatchy/selfcert/selfcert.go:41.26,42.38 1 1
+github.com/gopatchy/selfcert/selfcert.go:42.38,44.4 1 0
+github.com/gopatchy/selfcert/selfcert.go:44.9,46.4 1 1
+github.com/gopatchy/selfcert/selfcert.go:49.2,50.16 2 1
+github.com/gopatchy/selfcert/selfcert.go:50.16,52.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:54.2,57.16 3 1
+github.com/gopatchy/selfcert/selfcert.go:57.16,59.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:61.2,64.16 3 1
+github.com/gopatchy/selfcert/selfcert.go:64.16,66.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:68.2,74.18 2 1
+github.com/gopatchy/selfcert/selfcert.go:77.69,79.16 2 1
+github.com/gopatchy/selfcert/selfcert.go:79.16,81.3 1 0
+github.com/gopatchy/selfcert/selfcert.go:83.2,83.37 1 1