diff --git a/bin/lamassu-migrate b/bin/lamassu-migrate
new file mode 100755
index 00000000..d083ef53
--- /dev/null
+++ b/bin/lamassu-migrate
@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+
+const path = require('path')
+const migrate = require('migrate')
+
+const migrateDir = path.resolve(__dirname, '..', 'migrations')
+const migrateConfig = path.resolve(migrateDir, '.migrate')
+const set = migrate.load(migrateConfig, migrateDir)
+
+set.up(err => {
+  if (err) {
+    console.log('DB Migration failed: %s', err)
+    process.exit(1)
+  }
+
+  console.log('DB Migration succeeded.')
+  process.exit(0)
+})
diff --git a/certs.sh b/certs.sh
index 2d7f0960..ae020c7c 100644
--- a/certs.sh
+++ b/certs.sh
@@ -1,13 +1,11 @@
-# make directories to work from
+DOMAIN=localhost
+
 mkdir -p certs
 
-# Create your very own Root Certificate Authority
 openssl genrsa \
   -out certs/root-ca.key.pem \
   4096
 
-# Self-sign your Root Certificate Authority
-# Since this is private, the details can be as bogus as you like
 openssl req \
   -x509 \
   -new \
@@ -17,9 +15,6 @@ openssl req \
   -out certs/root-ca.crt.pem \
   -subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator CA/CN=lamassu-operator.is"
 
-# Create a Device Certificate for each domain,
-# such as example.com, *.example.com, awesome.example.com
-# NOTE: You MUST match CN to the domain name or ip address you want to use
 openssl genrsa \
   -out certs/server.key.pem \
   4096
@@ -28,7 +23,7 @@ openssl genrsa \
 openssl req -new \
   -key certs/server.key.pem \
   -out certs/server.csr.pem \
-  -subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator/CN=localhost"
+  -subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator/CN=$DOMAIN"
 
 # Sign the request from Device with your Root CA
 openssl x509 \
diff --git a/lib/app.js b/lib/app.js
index dc090a26..9917d4a6 100644
--- a/lib/app.js
+++ b/lib/app.js
@@ -53,6 +53,7 @@ module.exports = function (options) {
 
       authMiddleware = function (req, res, next) {
         const deviceId = req.connection.getPeerCertificate().fingerprint
+        console.log(deviceId)
 
         return pair.isPaired(deviceId)
         .then(r => {
diff --git a/migrations/017-user_tokens.js b/migrations/017-user_tokens.js
new file mode 100644
index 00000000..e7c001ba
--- /dev/null
+++ b/migrations/017-user_tokens.js
@@ -0,0 +1,22 @@
+var db = require('./db')
+
+exports.up = function (next) {
+  var sql = [
+    'drop table if exists users',
+    `create table user_tokens (
+      token text PRIMARY KEY,
+      name text NOT NULL,
+      created timestamptz NOT NULL default now()
+    )`,
+    `create table one_time_passes (
+      token text PRIMARY KEY,
+      name text NOT NULL,
+      created timestamptz NOT NULL default now()
+    )`
+  ]
+  db.multi(sql, next)
+}
+
+exports.down = function (next) {
+  next()
+}
diff --git a/package.json b/package.json
index 1ef22990..e9b1b19a 100644
--- a/package.json
+++ b/package.json
@@ -52,6 +52,7 @@
   },
   "bin": {
     "lamassu-server": "./bin/lamassu-server",
+    "lamassu-migrate": "./bin/lamassu-migrate",
     "ssu-raqia": "./bin/ssu-raqia",
     "ssu": "./bin/ssu",
     "hkdf": "./bin/hkdf"