diff --git a/warden3/contrib/warden_ra/warden_apply.sh b/warden3/contrib/warden_ra/warden_apply.sh
new file mode 100755
index 0000000000000000000000000000000000000000..68ec6066513fddead24d99f04808f72b7200b7fb
--- /dev/null
+++ b/warden3/contrib/warden_ra/warden_apply.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+url='https://warden-ra.cesnet.cz/warden-ra/getCert'
+key=key.pem
+csr=csr.pem
+cert=cert.pem
+result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
+config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
+client="$1"
+password="$2"
+
+trap 'rm -f "$config $result"' INT TERM HUP EXIT
+
+function flee { echo -e "$1"; exit $2; }
+
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} client.name password" 255
+
+openssl version >/dev/null 2>&1 || flee "Haven't found 'openssl' binary."
+curl --version >/dev/null 2>&1 || flee "Haven't found 'curl' binary."
+for n in "$csr" "$key" "$cert"; do
+    [ -e "$n" ] && flee "$n already exists, I won't overwrite, move them away first, please." 254
+done
+for n in "$result" "$config"; do
+    touch "$n" || flee "Error creating temporary file ($n)." 253
+done
+
+echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName=dummy" \
+> "$config"
+
+openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" \
+|| flee "Error generating key/certificate request." 252
+
+curl --progress-bar --request POST --data-binary '@-' "$url?name=$client&password=$password" \
+< "$csr" \
+> "$result"
+
+case $(<$result) in '-----BEGIN CERTIFICATE-----'*)
+    mv "$result" "$cert"
+    flee "Succesfully generated key ($key) and obtained certificate ($cert)." 0
+esac
+
+flee "$(<$result)\n\nCertificate request failed. Please save all error messages for communication with registration authority representative." 252