diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 0.5.0.0 - 2020-01-02
+### Added
+- Added back in support for self-signed certificate generation.
+
 ## 0.4.6.0 - 2019-10-20
 ### Changed
 - Upper bound bumps.
diff --git a/Main.hs b/Main.hs
--- a/Main.hs
+++ b/Main.hs
@@ -41,22 +41,19 @@
 import Crypto.Random ( getSystemDRG, randomBytesGenerate, SystemDRG ) -- cryptonite
 
 -- For certificate generation.
--- import Crypto.PubKey.RSA ( generate  ) -- crypto-pubkey
--- import Crypto.PubKey.RSA.PKCS15 ( sign ) -- crypto-pubkey
--- import Crypto.PubKey.HashDescr ( hashDescrSHA256 ) -- crypto-pubkey
--- import Data.ASN1.OID ( getObjectID ) -- asn1-types
--- import Data.ASN1.Types ( toASN1, {- for work-around -} ASN1Object ) -- asn1-types
--- import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding
--- import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding
--- import qualified Data.PEM as PEM -- pem
--- import qualified Data.X509 as X509 -- x509
+import Crypto.Hash.Algorithms ( SHA256(SHA256) ) -- cryptonite
+import Crypto.PubKey.RSA ( generate  ) -- cryptonite
+import Crypto.PubKey.RSA.PKCS15 ( sign ) -- cryptonite
+import Crypto.Random.Types ( withDRG ) -- cryptonite
+import Data.ASN1.OID ( getObjectID ) -- asn1-types
+import Data.ASN1.Types ( toASN1 ) -- asn1-types
+import Data.ASN1.BinaryEncoding ( DER(DER) ) -- asn1-encoding
+import Data.ASN1.Encoding ( encodeASN1' ) -- asn1-encoding
+import qualified Data.PEM as PEM -- pem
+import qualified Data.X509 as X509 -- x509
 import qualified Data.Hourglass as HG -- hourglass
 import qualified System.Hourglass as HG -- hourglass
 
--- for work-around
--- import Data.ASN1.Types ( ASN1(..), ASN1ConstructionType(..), ASN1TimeType(..) )
--- import Data.ASN1.Types.Lowlevel ( ASN1Class(..) )
-
 -- For STUN
 import Control.Concurrent ( forkIO, threadDelay ) -- base
 import Control.Concurrent.MVar ( newEmptyMVar, putMVar, tryTakeMVar ) -- base
@@ -69,7 +66,7 @@
 -- Not future things: CGI etc of any sort, "extensibility"
 --
 vERSION :: String
-vERSION = "0.4.4.0"
+vERSION = "0.5.0.0"
 
 -- STUN code
 
@@ -111,38 +108,12 @@
 certExpiryInDays :: Int64
 certExpiryInDays = 30
 
-{-
--- Temporary work-around for bug in x509.
-newtype CertificateWorkaround = CW X509.Certificate
-    deriving ( Eq, Show )
-
-encodeCertificateHeader :: X509.Certificate -> [ASN1]
-encodeCertificateHeader cert =
-    eVer ++ eSerial ++ eAlgId ++ eIssuer ++ eValidity ++ eSubject ++ epkinfo ++ eexts
-  where eVer      = asn1Container (Container Context 0) [IntVal (fromIntegral $ X509.certVersion cert)]
-        eSerial   = [IntVal $ X509.certSerial cert]
-        eAlgId    = toASN1 (X509.certSignatureAlg cert) []
-        eIssuer   = toASN1 (X509.certIssuerDN cert) []
-        (t1, t2)  = X509.certValidity cert
-        eValidity = asn1Container Sequence [ASN1Time TimeGeneralized t1 (Just (HG.TimezoneOffset 0))
-                                           ,ASN1Time TimeGeneralized t2 (Just (HG.TimezoneOffset 0))]
-        eSubject  = toASN1 (X509.certSubjectDN cert) []
-        epkinfo   = toASN1 (X509.certPubKey cert) []
-        eexts     = toASN1 (X509.certExtensions cert) []
-        asn1Container ty l = [Start ty] ++ l ++ [End ty]
-
-instance ASN1Object CertificateWorkaround where
-    toASN1 (CW cert) = (encodeCertificateHeader cert ++)
--- End work-around code
--}
-
-{-
 generateCert :: Options -> HG.DateTime -> SystemDRG -> (Warp.TLSSettings, SystemDRG)
 generateCert opts now g = ((Warp.tlsSettingsMemory (PEM.pemWriteBS pemCert) (PEM.pemWriteBS pemKey)) {
                                 Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }, g'')
     where later = HG.timeAdd now (HG.Hours (24*certExpiryInDays))
           (bs, g') = randomBytesGenerate 8 g -- generate 8 random bytes for the serial number
-          ((pk, sk), g'') = generate g' rsaSizeInBytes rsaPublicExponent
+          ((pk, sk), g'') = withDRG g' (generate rsaSizeInBytes rsaPublicExponent)
           serialNum = BS.foldl' (\a w -> a*256 + fromIntegral w) 0 bs
           cn = getObjectID X509.DnCommonName
           o = getObjectID X509.DnOrganization
@@ -158,12 +129,11 @@
                   X509.certPubKey = X509.PubKeyRSA pk,
                   X509.certExtensions = X509.Extensions Nothing
               }
-          signFunc xs = (either (error . show) id (sign Nothing hashDescrSHA256 sk xs), sigAlg, ())
-          certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc (CW cert)
-          keyBytes = encodeASN1' DER (toASN1 sk [])
+          signFunc xs = (either (error . show) id (sign Nothing (Just SHA256) sk xs), sigAlg, ())
+          certBytes = X509.encodeSignedObject $ fst $ X509.objectToSignedExact signFunc cert
+          keyBytes = encodeASN1' DER (toASN1 (X509.PrivKeyRSA sk) [])
           pemCert = PEM.PEM (fromString "CERTIFICATE") [] certBytes  -- This is a mite silly.  Wrap in PEM just to immediately unwrap...
           pemKey = PEM.PEM (fromString "RSA PRIVATE KEY") [] keyBytes
--}
 
 -- File upload
 
@@ -310,7 +280,7 @@
     optRealm = "",
     optUserName = fromString "guest",
     optPassword = BS.empty,
-    optHTTPS = False, --True,
+    optHTTPS = True,
     optHost = "localhost",
     optCertificate = "",
     optKeyFile = "",
@@ -360,12 +330,10 @@
         "Require the given password. (Default: generated)",
     Option "u" ["username"] (ReqArg (\u opt -> opt { optUserName = fromString u }) "USERNAME")
         ("Require the given username. (Default: " ++ show (optUserName defOptions)  ++ ")"),
-    {-
     Option "s" ["secure"] (NoArg (\opt -> opt { optHTTPS = True }))
         "Enable HTTPS. (Default)",
     Option "" ["no-https"] (NoArg (\opt -> opt { optHTTPS = False }))
         "Disable HTTPS.",
-    -}
     Option "H" ["host"] (ReqArg (\host opt -> opt { optHost = host }) "HOST")
         ("Host name to use for generated certificate. (Default: " ++ show (optHost defOptions) ++ ")"),
     Option "" ["certificate"] (ReqArg (\f opt -> opt { optCertificate = f, optHTTPS = True }) "FILE")
@@ -466,15 +434,15 @@
                 $ app404
   where runner now g | optHTTPS opts && certProvided
                         = Warp.runTLS tlsFileSettings (Warp.setPort (optPort opts) Warp.defaultSettings)
-                     -- | optHTTPS opts = \app -> do
-                     --    when (not $ optQuiet opts) $ do
-                     --        putStrLn "Generating a self-signed certificate.  Use --no-https to disable HTTPS."
-                     --        putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."
-                     --    Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app
+                     | optHTTPS opts = \app -> do
+                        when (not $ optQuiet opts) $ do
+                            putStrLn "Generating a self-signed certificate.  Use --no-https to disable HTTPS."
+                            putStrLn "Users will get warnings and will be vulnerable to man-in-the-middle attacks."
+                        Warp.runTLS tlsMemSettings (Warp.setPort (optPort opts) Warp.defaultSettings) app
                      | otherwise = Warp.run (optPort opts)
             where tlsFileSettings = (Warp.tlsSettings (optCertificate opts) (optKeyFile opts)) {
                         Warp.onInsecure = Warp.DenyInsecure (fromString "Use HTTPS") }
-                  -- (tlsMemSettings, _) = generateCert opts now g
+                  (tlsMemSettings, _) = generateCert opts now g
                   certProvided = not (null (optCertificate opts)) && not (null (optKeyFile opts))
 
         policy = basePolicy <> addBase dir
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -9,8 +9,7 @@
 main goals.  It has no config files, and only a few, if any, easily provided command line parameters should be necessary.
 If convenience and security conflict, I'm willing to sacrifice a little convenience for security, but only a little.
 Often such conflicts are largely resolvable.  For example, requiring a password and using TLS improve security, but
-making a password or a certificate are inconvenient, so `sws` can generate these. *Currently, support for generating
-a certificate is removed.*
+making a password or a certificate are inconvenient, so `sws` can generate these.
 
 ### Use-case 1: Large file transfer
     
diff --git a/sws.cabal b/sws.cabal
--- a/sws.cabal
+++ b/sws.cabal
@@ -10,7 +10,7 @@
 -- PVP summary:      +-+------- breaking API changes
 --                   | | +----- non-breaking API additions
 --                   | | | +--- code changes with no API change
-version:             0.4.6.0
+version:             0.5.0.0
 
 -- A short (one-line) description of the package.
 synopsis:            A simple web server for serving directories.
@@ -64,6 +64,8 @@
   
   -- Other library packages from which modules are imported.
   build-depends:       
+    asn1-encoding         >= 0.9.6 && < 0.10,
+    asn1-types            >= 0.3.3 && < 0.4,
     base                  >= 4.11.1 && < 4.13,
     bytestring            >= 0.10.8 && < 0.11,
     containers            >= 0.6.0 && < 0.7,
@@ -75,13 +77,16 @@
     network               >= 2.7.0 && < 3.2,
     network-bsd           >= 2.7.0 && < 2.9,
     network-uri           >= 2.6.0 && < 2.7,
+    pem                   >= 0.2.4 && < 0.3,
     resourcet             >= 1.2.1 && < 1.3,
     transformers          >= 0.5.5 && < 0.6,
     wai                   >= 3.2.1 && < 3.3,
     wai-extra             >= 3.0.22 && < 3.1,
     wai-middleware-static >= 0.8.3 && < 0.9,
     warp                  >= 3.2.22 && < 3.4,
-    warp-tls              >= 3.2.4 && < 3.3
+    warp-tls              >= 3.2.4 && < 3.3,
+    x509                  >= 1.7.5 && < 1.8
+
   
   -- Directories containing source files.
   -- hs-source-dirs:      
