diff --git a/README.md b/README.md new file mode 100644 index 0000000..c86ba1a --- /dev/null +++ b/README.md @@ -0,0 +1,22 @@ +# Certificate signing service + +An ACME-like shell server certificate signing service. + +A service that listens on a unix domain socket and signs certificate signing requests. +It verifies the CSR's subject corresponds to the username of the peer. +If a user tries to get a certificate for another user the request will be rejected. +It will also add an email address as the SubjectAltName. +This is for client certificates. + +## Motivation + +This was written with hashbang.sh in mind - a open registration shell server. +SSH keys are used for authenticating with hashbang.sh machines, but users might want to connect to services using TLS or send signed and/or encrypted email. + +## Design + +The server `cert-service-server` loads up a certificate authority and listens on a socket. +A client `cert-service-client` can connect to this socket and make a signing request. +Using `SO_PEERCRED` the server decides if the client is allowed to have its certificate signed. + +The peers communicate using a custom protocol based on [ASN.1](https://en.wikipedia.org/wiki/ASN.1).
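Review bot: the Design section of this README leaves the authorization check underspecified: it says the server "verifies the CSR's subject corresponds to the username of the peer" using `SO_PEERCRED`, but `SO_PEERCRED` yields a numeric UID, not a username, so the README should state how that UID is resolved to a username (and which subject field, e.g. the CN, is compared against it), and it should say where the email address added as the SubjectAltName comes from, since a user-controlled SAN would undermine the "cannot get a certificate for another user" guarantee. It would also help to note that `SO_PEERCRED` is Linux-specific and to document the socket path and its permissions, since anyone who can connect to the socket can request signing. Minor: "a open registration shell server" in the Motivation section should read "an open registration shell server".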