diff --git a/warden3/contrib/warden_ra/warden_ra.py b/warden3/contrib/warden_ra/warden_ra.py
index 68a98d0b511b9486167790318c139dd8da52e170..1df773bcf1ba6782d12e869ffc621a73a8487c72 100755
--- a/warden3/contrib/warden_ra/warden_ra.py
+++ b/warden3/contrib/warden_ra/warden_ra.py
@@ -12,12 +12,17 @@ import struct
 import argparse
 import subprocess
 import json
+import logging
 # *ph* server vulnerable to logjam, local openssl too new, use hammer to disable Diffie-Helmann
 import ssl
 ssl._DEFAULT_CIPHERS += ":!DH"
 
 import ejbcaws
 
+# for local version of up to date jsonschema
+sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "warden_server"))
+from warden_server import Request, ObjectReq, StreamLogger, FileLogger, Server, expose
+
 
 class EjbcaClient(object):
 
@@ -128,7 +133,10 @@ class EjbcaRegistry(object):
             subjectAltName="",
             subjectDN="",
             tokenType=ejbcaws.TOKEN_TYPE_USERGENERATED,
-            username="")
+            username="",
+            password = "".join((random.choice(string.ascii_letters + string.digits) for dummy in range(16))),
+            clearPwd = True
+        )
         client = EjbcaClient(registry=self, ejbca_data=new_ejbca_data)
         client.name = name
         client.admins = admins
@@ -155,6 +163,61 @@ def format_cert(cert):
         cert.get_issuer().as_text()
     )
 
+# Server side
+
+class NullAuthenticator(ObjectReq):
+
+    def __init__(self, req):
+        ObjectReq.__init__(self, req)
+
+
+    def __str__(self):
+        return "%s(req=%s)" % (type(self).__name__, type(self.req).__name__)
+
+
+    def authenticate(self, env, args):
+        return True
+
+
+    def authorize(self, env, client, path, method):
+        return True
+
+
+class CertHandler(ObjectReq):
+
+    def __init__(self, req, registry):
+        ObjectReq.__init__(self, req)
+        self.registry = registry
+
+    @expose(read=1, debug=1)
+    def getCert(self, name=None, password=None, events=None):
+        csr_data = (events or {}).get("csr")
+        if not (name and password and events):
+            raise self.req.error(message="Wrong or missing arguments", error=400)
+        client = self.registry.get_client(name[0])
+        if not client:
+            raise self.req.error(message="Unknown client", error=403)
+        #return {"client": client, "password": password[0], "csr_data": csr_data}
+        try:
+            newcert = client.new_cert(csr_data, password)
+        except Exception as e:
+            raise self.req.error(message="Processing error", error=403, cause=e)
+        return {"pem": newcert.as_pem()}
+
+
+def build_server(conf):
+    StreamLogger()
+    req = Request()
+    log = FileLogger(
+        req,
+        filename=os.path.join(os.path.dirname(__file__), os.path.splitext(os.path.split(__file__)[1])[0] + ".log"),
+        level=logging.DEBUG)
+    auth = NullAuthenticator(req)
+    registry = EjbcaRegistry(**conf)
+    handler = CertHandler(req, registry)
+    server = Server(req, auth, handler)
+    return server
+
 
 # Command line arguments
 
@@ -172,7 +235,7 @@ def list_clients(registry, name=None, verbose=False):
         print(client)
         if verbose:
             print(client.verbose_str())
-        for cert in sorted(client.get_certs(), key=lambda c: c.get_not_after()):
+        for cert in sorted(client.get_certs(), key=lambda c: c.get_not_after().get_datetime()):
             print(format_cert(cert))
             if verbose:
                 print(cert.as_text())