diff --git a/package.json b/package.json
index 1e45de6881495042a873d00681c892f3c587fa08..e5ba824e036e07a32b5f8c642f2807de90af37c3 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,7 @@
         "jshint": "0.7.1"
     },
     "scripts": {
-        "postinstall": "./scripts/generate_ephemeral_keys.sh",
+        "postinstall": "node ./scripts/generate_ephemeral_keys.js",
         "test": "./scripts/test",
         "start": "./scripts/run_locally.js"
     },
diff --git a/scripts/generate_ephemeral_keys.js b/scripts/generate_ephemeral_keys.js
new file mode 100644
index 0000000000000000000000000000000000000000..d721ebc42a2fa8f14725a01cc52dfea3e262e28c
--- /dev/null
+++ b/scripts/generate_ephemeral_keys.js
@@ -0,0 +1,46 @@
+var fs = require('fs');
+var path = require('path');
+var child_process = require('child_process');
+var existsSync = fs.existsSync || path.existsSync;
+
+var VAR = path.join(__dirname, '../var');
+var CERT = path.join(VAR, 'root.cert');
+
+function exec(file, args, next) {
+  child_process.exec([file, args].join(' '), function(err, stdout, stderr) {
+    if (err) throw err;
+    if (stderr) console.error(stderr);
+    next && next(stdout);
+  });
+}
+
+
+// if keys already exist, do nothing
+if (existsSync(CERT)) {
+  process.exit(0);
+}
+
+var GENERATE_KEYPAIR = path.join(__dirname, '../node_modules/.bin/generate-keypair');
+var CERTIFY = path.join(__dirname, '../node_modules/.bin/certify');
+
+if (!existsSync(GENERATE_KEYPAIR)) {
+  console.error('cannot find generate-keypair from jwcrypto. try: npm install');
+  process.exit(1);
+}
+
+if (!existsSync(CERTIFY)) {
+  console.error('cannot find certify from jwcrypto. try: rm -rf node_modules && npm install');
+  process.exit(1);
+}
+
+console.log('*** Generating ephemeral keys used for testing ***');
+
+exec(GENERATE_KEYPAIR, '-k 256 -a rsa', function(stdout) {
+  if (stdout) console.log(stdout);
+  fs.mkdirSync(VAR);
+  exec(CERTIFY, '-s key.secretkey -p key.publickey', function(cert) {
+    fs.writeFileSync(CERT, cert);
+    fs.unlinkSync('key.publickey');
+    fs.renameSync('key.secretkey', path.join(VAR, 'root.secretkey'));
+  });
+});