diff --git a/README.md b/README.md
index e0e3b7b..27c36c7 100644
--- a/README.md
+++ b/README.md
@@ -23,8 +23,16 @@ } ``` +Generate self signed certificate: + +```shell +$ cargo r --example generate_self_signed_ca +``` + Important -* intermediate certificate only tested ECDSA(P384) with SHA384 +* Intermediate certificate tested: + * ECDSA(P384) with SHA384 + * P256 with SHA256 * P384 with SHA256 is NOT supported -* P256 with SHA256 should be supported, but not tested +
diff --git a/examples/generate_self_signed_ca.rs b/examples/generate_self_signed_ca.rs
new file mode 100644
index 0000000..b1b673b
--- /dev/null
+++ b/examples/generate_self_signed_ca.rs
@@ -0,0 +1,18 @@
+use rcgen::{BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, PKCS_ECDSA_P256_SHA256};
+
+fn main() {
+ let key_pair = KeyPair::generate(&PKCS_ECDSA_P256_SHA256).expect("Generate key pair failed");
+ let key_pem = key_pair.serialize_pem();
+ let mut certificate_params = CertificateParams::default();
+ certificate_params.key_pair = Some(key_pair);
+ certificate_params.is_ca = IsCa::Ca(BasicConstraints::Constrained(0));
+ let mut distinguished_name = DistinguishedName::new();
+ distinguished_name.push(DnType::CommonName, "Proxy Inspector Test CA");
+ certificate_params.distinguished_name = distinguished_name;
+
+ let certificate = Certificate::from_params(certificate_params)
+ .unwrap_or_else(|e| panic!("Generate cert failed: {}", e));
+ let certificate_pem = certificate.serialize_pem_with_signer(&certificate).expect("Sign cert failed");
+ println!("CERTIFICATE:\n{}", certificate_pem);
+ println!("KEY:\n{}", key_pem);
+}
\ No newline at end of file
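Review bot: The final `println!("KEY:\n{}", key_pem);` in `main` writes the CA private key to stdout unencrypted, so it ends up in terminal scrollback, shell redirections and CI logs; if the generated certificate is then trusted for TLS inspection (presumably the intent, given the "Proxy Inspector Test CA" name), anyone who can read that output can issue certificates the machine will accept. Consider writing the key to a file created with owner-only permissions and printing only the certificate, or at minimum add a comment above the print such as `// Test-only CA key: never reuse outside a throwaway environment and never commit it.` Separately, `CertificateParams::default()` leaves `not_before`/`not_after` untouched, and in the rcgen releases that expose this API the default window runs from 1975 to 4096, so a leaked key never ages out; setting `certificate_params.not_after` to a short window (for example via `rcgen::date_time_ymd`) would bound the exposure.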