diff --git a/docs/transport.md b/docs/transport.md index 9b0bd7f7..a66bc7d6 100644 --- a/docs/transport.md +++ b/docs/transport.md @@ -6,11 +6,11 @@ By default, `rathole` forwards traffic as it is. Different options can be enable Checkout the [example](../examples/tls) ### Client Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file. -`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. +`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. Note that it does not have to be the same with the `remote_addr` in `[client]`. ``` [client.transport.tls] -trusted_root = "example/tls/ca-cert.pem" -hostname = "0.0.0.0" +trusted_root = "example/tls/rootCA.crt" +hostname = "localhost" ``` ### Server @@ -18,9 +18,17 @@ PKCS#12 archives are needed to run the server. It can be created using openssl like: ``` -openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem +openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile ca_chain_certs.crt ``` +Aruguments are: + +- `-inkey`: Server Private Key +- `-in`: Server Certificate +- `-certfile`: CA Certificate + +Creating self-signed certificate with one's own CA is a non-trival task. However, a script is provided under tls example folder for reference. + ## Noise Protocol ### Quickstart for the Noise Protocl In one word, the [Noise Protocol](http://noiseprotocol.org/noise.html) is a lightweigt, easy to configure and drop-in replacement of TLS. No need to create a self-sign certificate to secure the connection. diff --git a/examples/tls/ca-cert.pem b/examples/tls/ca-cert.pem deleted file mode 100644 index 8bbf6489..00000000 --- a/examples/tls/ca-cert.pem +++ /dev/null 
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIUXTmJtkI6aK16A8HPkP2IvowmSKwwDQYJKoZIhvcNAQEL
-BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjAxMDIwODEzMzhaFw0yMzAy
-MDMwODEzMzhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
-HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQDAAq3LEmJigEuRT9sswUx6Kfc4T04oZvZTSYNIRrBF
-Zcc/EGZF/t/k2ciGDSAB1mL2rUdIfWveQ/5kRCSFffX5qvKFkzogRQQjFPLFjfoC
-lKXxvy/BOIwF786gvHbz5EI1dcAL+nRco3U6dHPdewvbQwX9cZrUD3pq+r1qlipY
-w5rZL7Z5cNoczhRAgFhIBHvsgBazkkOB7PDUkmkYAYnw3uK+r4coAqnnfjpxoaCQ
-dQi4JX2VvqOdgxzw9vIRqbL+p2NBPnVjcSj067Y9sxtfR3Xmt2dlMJuReFN8phnK
-8GiYiuiYA01O84htjHt+A8oVYKalXdPeikoSgPmhoJCQQs0NkBzGCc33U7XEa6kM
-j6Y81Id4uXAK5LxyVGo5zOEvOyF3EhceIJDeGS9NsGJyT757OuKrsCK0v8KNPsEh
-VvrcngnRQOWFTg/rp/vSrj7S5i0NPjkEpRitxaYBOg40DXyG1GfYf1SvneXpT0gh
-ZbgjipPrwvuZnJVqqIv1hVVNOKo7nJS24rZ/andZS8g6OE0bL9AlE1Sp2lMXuagJ
-2haPa2rSFZPqNPrP9wh5KVreD9UNeTb37NbXWeZXwKR8v20GAWjb2QQKY92zlMpI
-gmViEvJHrHbKVoU/8gyS9R7iL9JOehk3sqVhbjaDyouC9mosPrQFzp1frKvSlKNg
-1wIDAQABo1MwUTAdBgNVHQ4EFgQU98MJp09MMFw5s4sacYozQFzTNFwwHwYDVR0j
-BBgwFoAU98MJp09MMFw5s4sacYozQFzTNFwwDwYDVR0TAQH/BAUwAwEB/zANBgkq
-hkiG9w0BAQsFAAOCAgEABOtNqqKFEA3vynOFteZV+VquaRKqDuYn0doMMPH9cY20
-4ASioa3aqbmvBiSTDsOdvgP6j5nSVEtQCt5P3fBRMa8a3YnTGPNx8uGPuOA+ZD+b
-USR5FcXJHtkjSfpVF9DOZr34+khRpfHPEZQiaAAiKwaRnI4Gqhv6e6JoaimkQDYj
-xcKw+f1NcCdhSTkpcx9K/Qfa0cXKSL+0Hwl5AbDMsnRAkKu62YKdOv36nnBOMc2S
-6laNIx20nt8Evm3KBNDRiHAw8pwMGfnxCCG6hGo2IvYh6hOjZupVpP55iMgQUkfF
-Gmvxe/4wjuPCvI/Liy0PFfiCHVKASWIiMWG8u8WfJUw1/4RFZu4l2LVVuJOujr6n
-1k5vzIozuo6Ym8mKnnHQmYf5K9T/YuRW3EFa9Ar6/krjw6K/I97P+Wh/DVZiaGC5
-n90ZcRj+abb+zOfz0AHTOp7zlr3w4si7AF3tZ9WhW2R0BC3wwmXygli0I6iMXE7E
-tvXM5UwxLJoJen2fWqn75/91BifEqPWckPb1h14i73hAPVSte1wvstf8mER/DFSX
-Is/GxAhRsZChHn2lEJsvPlrfyMxYwcXTTvd//sp+iOZjfky5vhRuMDUYsHx6/znT
-q/rpT3CMnAVlMTf8n/0dY4mdcaQj0cRJfVnUlvZnhw0tJzCP3rH3smlpWloexds=
------END CERTIFICATE-----
diff --git a/examples/tls/client.toml b/examples/tls/client.toml index ff239707..4a142826 100644 --- a/examples/tls/client.toml +++ b/examples/tls/client.toml @@ -1,12 +1,12 @@ [client] -remote_addr = "localhost:2333" +remote_addr = "127.0.0.1:2333" default_token = "123" [client.transport] type = "tls" [client.transport.tls] -trusted_root = "examples/tls/ca-cert.pem" -hostname = "0.0.0.0" +trusted_root = "examples/tls/rootCA.crt" +hostname = "localhost" [client.services.foo1] local_addr = "127.0.0.1:80" diff --git a/examples/tls/create_self_signed_cert.sh b/examples/tls/create_self_signed_cert.sh new file mode 100644 index 00000000..e110a1f4 --- /dev/null +++ b/examples/tls/create_self_signed_cert.sh @@ -0,0 +1,62 @@ +#!/bin/sh + +# create CA +openssl req -x509 \ + -sha256 -days 356 \ + -nodes \ + -newkey rsa:2048 \ + -subj "/CN=MyOwnCA/C=US/L=San Fransisco" \ + -keyout rootCA.key -out rootCA.crt + +# create server private key +openssl genrsa -out server.key 2048 + +# create certificate signing request (CSR) +cat > csr.conf < cert.conf <
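Review bot: The new `trusted_root = "examples/tls/rootCA.crt"` is a path relative to the process working directory, so this example only resolves when rathole is launched from the repository root; the old value had the same shape, but the rename is the right moment to state it. The new `hostname = "localhost"` is the name the client validates against the certificate the server presents, so the server certificate produced by the example script must carry `localhost` as a subject alternative name; the CSR configuration that would confirm this is outside the visible hunks. I would add above the keys of `[client.transport.tls]`: `# trusted_root is resolved relative to the working directory; hostname must match a SAN in the server certificate`.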