diff --git a/Dockerfile b/Dockerfile
index 600fdf78..7f04e0fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM fedora:24
 
 # so we don't have to compile those when fetched from PyPI
-RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client && \
+RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client swig && \
     dnf autoremove -y && dnf clean all && \
     mkdir /opt/fm-orchestrator/
 WORKDIR /opt/fm-orchestrator/
@@ -12,5 +12,5 @@ COPY koji.conf /etc/rida/
 
 COPY . /opt/fm-orchestrator/
 
-RUN python2 ./manage.py upgradedb && ./generate_localhost_cert.sh
+RUN python2 ./manage.py upgradedb && python2 manage.py generatelocalhostcert
 CMD ["python2", "manage.py", "runssl"]
diff --git a/README.rst b/README.rst
index a1879cf7..38cde04a 100644
--- a/README.rst
+++ b/README.rst
@@ -395,3 +395,27 @@ It may happen that you will run into issues and the container won't start proper
     $ sudo docker-compose build --no-cache --pull
 
 First command will stop and remove all containers and volumes and second command will pull latest base image and perform a clean build without cache.
+
+
+``fedmsg Signing for Development``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable fedmsg signing in development, you will need to follow a series of steps.
+Note that this will conflict with signed messages from a different CA that are on the message bus, so this may cause unexpected results.
+
+Generate the CA, the certificate to be used by fedmsg, and the CRL with::
+
+    $ python manage.py gendevfedmsgcert
+
+Setup Apache to host the CRL::
+
+    $ dnf install httpd && systemctl enable httpd && systemctl start httpd
+    $ mkdir -p /var/www/html/crl
+    $ ln -s /opt/fm-orchestrator/pki/ca.crl /var/www/html/crl/ca.crl
+    $ ln -s /opt/fm-orchestrator/pki/ca.crt /var/www/html/crl/ca.crt
+
+Create a directory to house the fedmsg cache::
+
+    $ mkdir -p /etc/pki/fedmsg
+
+Then uncomment the fedmsg signing configuration in fedmsg.d/rida.py.
diff --git a/Vagrantfile b/Vagrantfile
index bb10a555..332b668c 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -2,14 +2,14 @@
 # vi: set ft=ruby :
 
 $script = <<SCRIPT
-    dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git
+    dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git swig
     pip install -r /opt/fm-orchestrator/src/requirements.txt
     pip install -r /opt/fm-orchestrator/src/test-requirements.txt
     cd /opt/fm-orchestrator/src
     mkdir -p /etc/rida
     cp -av koji.conf /etc/rida/
     python manage.py upgradedb
-    ./generate_localhost_cert.sh
+    python manage.py generatelocalhostcert
 SCRIPT
 
 Vagrant.configure("2") do |config|
diff --git a/fedmsg.d/rida.py b/fedmsg.d/rida.py
index da06b44b..d588f24f 100644
--- a/fedmsg.d/rida.py
+++ b/fedmsg.d/rida.py
@@ -8,4 +8,21 @@ config = {
             "tcp://127.0.0.1:300%i" % i for i in range(10)
         ],
     },
+
+    # Start of code signing configuration
+    # 'sign_messages': True,
+    # 'validate_signatures': True,
+    # 'crypto_backend': 'x509',
+    # 'crypto_validate_backends': ['x509'],
+    # 'ssldir': '/opt/fm-orchestrator/pki',
+    # 'crl_location': 'http://localhost/crl/ca.crl',
+    # 'crl_cache': '/etc/pki/fedmsg/crl.pem',
+    # 'crl_cache_expiry': 10,
+    # 'ca_cert_location': 'http://localhost/crl/ca.crt',
+    # 'ca_cert_cache': '/etc/pki/fedmsg/ca.crt',
+    # 'ca_cert_cache_expiry': 0,  # Never expires
+    # 'certnames': {
+    #     'rida.localhost': 'localhost'
+    # }
+    # End of code signing configuration
 }
diff --git a/generate_localhost_cert.sh b/generate_localhost_cert.sh
deleted file mode 100755
index 0ffe5dc8..00000000
--- a/generate_localhost_cert.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-openssl req -subj '/CN=localhost/O=My Company Name LTD./C=US' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
diff --git a/manage.py b/manage.py
index 92210ae5..0632802d 100644
--- a/manage.py
+++ b/manage.py
@@ -26,11 +26,13 @@ import flask_migrate
 import logging
 import os
 import ssl
+from shutil import rmtree
 
 from rida import app, conf, db
 from rida.config import Config
-from rida.pdc import get_pdc_client_session, get_module, get_module_runtime_dependencies, get_module_tag, \
-    get_module_build_dependencies
+from rida.pdc import (
+    get_pdc_client_session, get_module, get_module_runtime_dependencies,
+    get_module_tag, get_module_build_dependencies)
 import rida.auth
 
 
@@ -75,12 +77,14 @@ def testpdc():
     cfg.pdc_develop = True
 
     pdc_session = get_pdc_client_session(cfg)
-    module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43', 'release': '1'})
+    module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43',
+                                      'release': '1'})
 
     if module:
         print ("pdc_data=%s" % str(module))
         print ("deps=%s" % get_module_runtime_dependencies(pdc_session, module))
-        print ("build_deps=%s" % get_module_build_dependencies(pdc_session, module))
+        print ("build_deps=%s" % get_module_build_dependencies(
+            pdc_session, module))
         print ("tag=%s" % get_module_tag(pdc_session, module))
     else:
         print ('module was not found')
@@ -93,6 +97,142 @@ def upgradedb():
     flask_migrate.upgrade()
 
 
+@manager.command
+def gendevfedmsgcert(pki_dir='/opt/fm-orchestrator/pki', force=False):
+    """
+    Creates a CA, a certificate signed by that CA, and generates a CRL.
+    """
+    from OpenSSL import crypto
+
+    if os.path.exists(pki_dir):
+        if force:
+            rmtree(pki_dir)
+        else:
+            print('The directory "{}" already exists'.format(pki_dir))
+            return
+
+    os.mkdir(pki_dir)
+
+    ca_crt_path = os.path.join(pki_dir, 'ca.crt')
+    ca_key_path = os.path.join(pki_dir, 'ca.key')
+    msg_key_path = os.path.join(pki_dir, 'localhost.key')
+    msg_crt_path = os.path.join(pki_dir, 'localhost.crt')
+    ca_crl = os.path.join(pki_dir, 'ca.crl')
+
+    # Create a key pair for the CA
+    ca_key = crypto.PKey()
+    ca_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open(ca_key_path, 'w') as ca_key_file:
+        ca_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
+
+    # Create a self-signed CA cert
+    ca_cert = crypto.X509()
+    ca_subject = ca_cert.get_subject()
+    ca_subject.C = 'US'
+    ca_subject.ST = 'MA'
+    ca_subject.L = 'Boston'
+    ca_subject.O = 'Development'
+    ca_subject.CN = 'Dev-CA'
+    ca_cert.set_serial_number(1)
+    ca_cert.gmtime_adj_notBefore(0)
+    ca_cert.gmtime_adj_notAfter(315360000)  # 10 years
+    ca_cert.set_issuer(ca_cert.get_subject())
+    ca_cert.set_pubkey(ca_key)
+    ca_cert.add_extensions([
+        crypto.X509Extension('basicConstraints', True, 'CA:true')])
+    ca_cert.sign(ca_key, 'sha256')
+
+    with open(ca_crt_path, 'w') as ca_crt_file:
+        ca_crt_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
+
+    # Create a key pair for the message signing cert
+    msg_key = crypto.PKey()
+    msg_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open(msg_key_path, 'w') as msg_key_file:
+        msg_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, msg_key))
+
+    # Create a cert signed by the CA
+    msg_cert = crypto.X509()
+    msg_cert_subject = msg_cert.get_subject()
+    msg_cert_subject.C = 'US'
+    msg_cert_subject.ST = 'MA'
+    msg_cert_subject.L = 'Boston'
+    msg_cert_subject.O = 'Development'
+    msg_cert_subject.CN = 'localhost'
+    msg_cert.set_serial_number(2)
+    msg_cert.gmtime_adj_notBefore(0)
+    msg_cert.gmtime_adj_notAfter(315360000)  # 10 years
+    msg_cert.set_issuer(ca_cert.get_subject())
+    msg_cert.set_pubkey(msg_key)
+    cert_extensions = [
+        crypto.X509Extension(
+            'keyUsage', True,
+            'digitalSignature, keyEncipherment, nonRepudiation'),
+        crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
+        crypto.X509Extension('basicConstraints', True, 'CA:false'),
+        crypto.X509Extension('crlDistributionPoints', False,
+                             'URI:http://localhost/crl/ca.crl'),
+        crypto.X509Extension('authorityInfoAccess', False,
+                             'caIssuers;URI:http://localhost/crl/ca.crt'),
+        crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
+                             subject=ca_cert)
+    ]
+    msg_cert.add_extensions(cert_extensions)
+    msg_cert.sign(ca_key, 'sha256')
+
+    with open(msg_crt_path, 'w') as msg_crt_file:
+        msg_crt_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, msg_cert))
+
+    # Generate the CRL
+    with open(ca_crl, 'w') as ca_crl_file:
+        ca_crl_file.write(
+            crypto.CRL().export(ca_cert, ca_key, type=crypto.FILETYPE_PEM,
+                                days=3650, digest='sha256'))
+
+
+@manager.command
+def generatelocalhostcert():
+    # Create a key pair for the message signing cert
+    from OpenSSL import crypto
+    cert_key = crypto.PKey()
+    cert_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open('server.key', 'w') as cert_key_file:
+        cert_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, cert_key))
+
+    cert = crypto.X509()
+    msg_cert_subject = cert.get_subject()
+    msg_cert_subject.C = 'US'
+    msg_cert_subject.ST = 'MA'
+    msg_cert_subject.L = 'Boston'
+    msg_cert_subject.O = 'Development'
+    msg_cert_subject.CN = 'localhost'
+    cert.set_serial_number(2)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(315360000)  # 10 years
+    cert.set_issuer(cert.get_subject())
+    cert.set_pubkey(cert_key)
+    cert_extensions = [
+        crypto.X509Extension(
+            'keyUsage', True,
+            'digitalSignature, keyEncipherment, nonRepudiation'),
+        crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
+    ]
+    cert.add_extensions(cert_extensions)
+    cert.sign(cert_key, 'sha256')
+
+    with open('server.crt', 'w') as cert_file:
+        cert_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+
+
 @manager.command
 def runssl(host=conf.host, port=conf.port, debug=False):
     """ Runs the Flask app with the HTTPS settings configured in config.py
diff --git a/requirements.txt b/requirements.txt
index d0fc5f7a..a1ec17f8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,3 +12,5 @@ Flask-SQLAlchemy
 Flask-Migrate
 python-fedora
 funcsigs # Python2 only
+m2crypto
+m2ext
diff --git a/submit-build.sh b/submit-build.sh
index 05521273..bb237463 100755
--- a/submit-build.sh
+++ b/submit-build.sh
@@ -3,5 +3,5 @@ echo "Submmiting a build of modules/testmodule, #020ea37251df5019fde9e7899d2f7d7
 echo "Using https://localhost:5000/rida/module-builds/"
 echo "NOTE: You need to be a Fedora packager for this to work"
 echo
-curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/module-builds/
+curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/1/module-builds/
 echo