diff --git a/scripts/generate-wireguard-client-certificate b/scripts/generate-wireguard-client-certificate
new file mode 100755
index 0000000..6c5734d
--- /dev/null
+++ b/scripts/generate-wireguard-client-certificate
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+
+from os import environ
+from sys import argv, exit
+from uuid import uuid4
+
+from bundlewrap.repo import Repository
+
+try:
+ username = argv[1]
+except IndexError:
+ print('Usage: {} '.format(argv[0]))
+ exit(1)
+
+repo = Repository(environ.get('BW_REPO_PATH', '.'))
+
+privkey = repo.libs.keys.gen_privkey(repo, f'wireguard {username} key {uuid4()}')
+psk = repo.libs.keys.gen_privkey(repo, f'wireguard {username} psk {uuid4()}')
+pubkey = repo.libs.keys.get_pubkey_from_privkey(repo, f'wireguard {username}', privkey)
+
+enc_psk = repo.vault.encrypt(str(psk))
+enc_pubkey = repo.vault.encrypt(str(pubkey))
+
+# editorconfig-checker-disable
+print(f"""Keys have been generated. Please take note of them:
+
+ Private Key: {privkey}
+ PSK: {psk}
+ Public Key: {pubkey}
+
+Put the following config into your desired wireguard server config:
+
+ '{username}': {{
+ 'psk': vault.decrypt('{enc_psk}'),
+ 'pubkey': vault.decrypt('{enc_pubkey}'),
+ }},""")
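Review bot: `username` from `argv[1]` is interpolated unescaped into the Python snippet printed at the end (`'{username}': {{`), so a name containing a quote or backslash produces a dict entry that is broken, or differs from what was requested, once pasted into the server config. Emitting it as `{username!r}: {{` would always give a correctly quoted literal, and a character allow-list check right after the `argv[1]` read would reject odd names before they also reach the key identifiers passed to `gen_privkey`. Separately, the private key and PSK are written in clear to stdout, where they remain in terminal scrollback or any redirected log, and the private key appears to be stored nowhere else. A comment above the `print` such as `# secrets are printed on purpose; run interactively and do not capture this output` would make that expectation explicit.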