diff --git a/.gitignore b/.gitignore
index 8c07c64..dff793c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ config.yaml
 ephemeral_ca.egg-info
 .venv
 *.sw[op]
+certs/*.crt
+CA/serial
diff --git a/certs/.empty b/certs/.empty
new file mode 100644
index 0000000..e69de29
diff --git a/config.yaml.sample b/config.yaml.sample
index e642e36..78709c6 100644
--- a/config.yaml.sample
+++ b/config.yaml.sample
@@ -1,5 +1,7 @@
 ca_cert: "CA/root-ca.crt"
 ca_key: "CA/root-ca-unwrapped.key"
+serial_file: "CA/serial"
+certs_directory: "certs"
 valid_hours: 24
 signing_hash: "sha1"
diff --git a/ephemeral_ca/__init__.py b/ephemeral_ca/__init__.py
index 11cc2c5..be055f7 100644
--- a/ephemeral_ca/__init__.py
+++ b/ephemeral_ca/__init__.py
@@ -4,6 +4,8 @@ FlaskCA
 """
 import M2Crypto
+import fcntl
+import os
 import sys
 import time
 import uuid
@@ -28,6 +30,14 @@ def sign(csr,encoding):
     if encoding != 'pem':
         return False
+    with open(CONFIG['serial_file'], 'a+') as f:
+        f.seek(0)
+        fcntl.lockf(f, fcntl.LOCK_EX)
+        serial = int(f.read() or "1")
+        f.seek(0)
+        f.truncate(0)
+        f.write(str(serial+1))
     ca = M2Crypto.X509.load_cert(CONFIG["ca_cert"])
     key = M2Crypto.EVP.load_key(CONFIG["ca_key"])
     req = M2Crypto.X509.load_request_string(csr.encode('ascii'))
@@ -47,11 +57,13 @@ def sign(csr,encoding):
     new_cert.set_pubkey(pkey=req.get_pubkey())
     new_cert.set_subject(req.get_subject())
     new_cert.set_issuer(ca.get_subject())
-    new_cert.set_serial_number(31337)
+    new_cert.set_serial_number(serial)
     new_cert.sign(key, CONFIG['signing_hash'])
-    new_cert.save("temp-" + str(uuid.uuid1()) + '.crt')
+    new_cert.save(os.path.join(
+        CONFIG['certs_directory'],
+        '%06i-%s.crt' % (serial, new_cert.get_fingerprint(CONFIG['signing_hash']))))
     return new_cert.as_pem()
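Review bot: The `import uuid` line kept as context in this hunk looks orphaned once the later hunk replaces the `uuid.uuid1()` file name with a serial/fingerprint name; if that was its only use in the module (not verifiable from this diff), drop the import so the dependency list reflects what the code needs. The two new imports are placed correctly alongside the other stdlib imports. The module docstring and the rest of the import block continue outside this hunk.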
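Review bot: The value written back by `f.write(str(serial+1))` is a small sequential counter that later becomes the certificate serial via `set_serial_number(serial)`, so anyone able to request a certificate can predict the serial of the next one; the CA/Browser Forum Baseline Requirements require at least 64 bits of CSPRNG output in serials so that signed content is not predictable to the requester, which matters more here because the sample config signs with `sha1`. Keep the locked counter for uniqueness and the file name, but derive the certificate serial from it plus random bits after the `with` block, e.g. `cert_serial = (serial << 64) | int.from_bytes(os.urandom(8), 'big')` (the `binascii.hexlify` form on Python 2), and pass `cert_serial` to `set_serial_number` in the later hunk; `os` is already added by this commit. `int(f.read() or "1")` raises ValueError on a corrupt or partially written serial file, and since `fcntl.lockf` is advisory any other writer of `CONFIG['serial_file']` must take the same lock, so a comment such as `# advisory lock: every writer of the serial file must use lockf` belongs above it. The counter is consumed before `new_cert.sign` runs, so a failed signing leaves a gap, which is acceptable for a CA but deserves a one-line comment. sign()'s body continues outside this hunk.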