diff --git a/README.md b/README.md
index bf0334c..bc03ed1 100644
--- a/README.md
+++ b/README.md
@@ -8,45 +8,30 @@ UI components that are required by Hydra to allow login and consent. The code in this repository is licensed under the terms of the Apache License Version 2.0. -Copyright © 2020-2022 Jan Dittberner +Copyright © 2020-2023 Jan Dittberner ## Setup ### Certificates -You need a set of certificates for the IDP. You can use the Test CA created by -the ``setup_test_ca.sh`` script from the [CAcert developer -setup](https://git.dittberner.info/jan/cacert-devsetup) repository like this: +You need a set of certificate and private key and a PEM file with CA +certificates used to verify client certificates to run `cacert-idp`. -1. create signing requests +An easy way to generate server certificate and key for local testing is +[`mkcert`](https://github.com/FiloSottile/mkcert/releases). - ``` - mkdir certs - cd certs - openssl req -new -newkey rsa:3072 -nodes \ - -keyout idp.cacert.localhost.key \ - -out idp.cacert.localhost.csr.pem \ - -subj /CN=idp.cacert.localhost \ - -addext subjectAltName=DNS:idp.cacert.localhost,DNS:login.cacert.localhost - cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/ - ``` - -2. Use the CA to sign the certificates +1. Run `mkcert` to generate `idp.cacert.localhost.pem` and + `idp.cacert.localhost+1-key.pem`: - ``` - pushd $PATH_TO_DEVSETUP_TESTCA/ - openssl ca -config ca.cnf -name class3_ca -extensions server_ext \ - -in idp.cacert.localhost.csr.pem \ - -out idp.cacert.localhost.crt.pem -days 365 - popd - cp $PATH_TO_DEVSETUP_TESTCA/idp.cacert.localhost.crt.pem . + ```shell + mkcert -cert-file idp.cacert.localhost login.cacert.localhost ``` -3. Copy CA certificate for client certificates +2. Copy CA certificate for client certificates - ``` - openssl x509 -in $PATH_TO_DEVSETUP_TESTCA/class3/ca.crt.pem \ - -out client_ca.pem + ```shell + (curl -s http://www.cacert.org/certs/CAcert_Class3Root_x14E228.crt ; \ + curl -s http://www.cacert.org/certs/root_X0F.crt ) > client_ca.pem ``` ### Configure IDP 
diff --git a/changelog.md b/changelog.md
index 2a22e2b..5a186ff 100644
--- a/changelog.md
+++ b/changelog.md
@@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Added
 - implement logout-successful handler
+### Changed
+- recommend `mkcert` to generate certificates for local development
+- change default configuration to use files recommended in README.md
+- separate server name and bind address to allow binding to a local address
+  but publish a different public name
 ## [0.1.3] - 2023-07-24
 ### Fixed
diff --git a/cmd/idp/main.go b/cmd/idp/main.go
index 6e19d87..c2a60b2 100644
--- a/cmd/idp/main.go
+++ b/cmd/idp/main.go
@@ -62,11 +62,12 @@ func main() {
 logger,
 "IDP",
 map[string]interface{}{
+ "server.bind_address": "",
+ "server.name": "idp.cacert.localhost",
 "server.port": DefaultServerPort,
- "server.name": "login.cacert.localhost",
- "server.key": "certs/idp.cacert.localhost.key",
- "server.certificate": "certs/idp.cacert.localhost.crt.pem",
- "security.client.ca-file": "certs/client_ca.pem",
+ "server.key": "idp.cacert.localhost+1-key.pem",
+ "server.certificate": "idp.cacert.localhost+1.pem",
+ "security.client.ca-file": "client_ca.pem",
 "admin.url": "https://hydra.cacert.localhost:4445/",
 "i18n.languages": []string{"en", "de"},
 })
@@ -172,6 +173,7 @@ func main() {
 func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Logger, config *koanf.Koanf) {
 clientCertificateCAFile := config.MustString("security.client.ca-file")
+ serverBindAddress := config.String("server.bind_address")
 serverName := config.String("server.name")
 serverPort := config.Int("server.port")
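Review bot: The new default `"server.bind_address": ""` makes the listen address built in the @@ -191 hunk `:<port>`, so an IDP started without explicit configuration now accepts connections on every interface, whereas the previous default bound to `login.cacert.localhost`; docs/idp.toml in this same commit shows `127.0.0.1`, so the code default and the documented example disagree. `config.String` also returns `""` silently when the key is missing from an older configuration file that only sets `server.name`. Falling back to the public name keeps the old behaviour for such configurations, e.g. `if serverBindAddress == "" { serverBindAddress = serverName }` right after the new assignment, or alternatively default the key to `"127.0.0.1"` in the map. Separately, the default `"server.certificate": "idp.cacert.localhost+1.pem"` appears not to match the file the README's `mkcert -cert-file idp.cacert.localhost ...` command writes, since `-cert-file` names the certificate output, so the shipped defaults and the documented setup may not line up. startServer's body continues past the hunk.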
@@ -191,7 +193,7 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 ClientCAs: clientCertPool,
 }
 server := &http.Server{
- Addr: fmt.Sprintf("%s:%d", serverName, serverPort),
+ Addr: fmt.Sprintf("%s:%d", serverBindAddress, serverPort),
 Handler: handlerChain,
 ReadTimeout: TimeoutTwenty,
 WriteTimeout: TimeoutTwenty,
@@ -220,7 +222,10 @@ func startServer(ctx context.Context, handlerChain http.Handler, logger *log.Log
 close(done)
 }()
- logger.Infof("Server is ready to handle requests at https://%s/", server.Addr)
+ logger.WithFields(log.Fields{
+ "address": server.Addr,
+ "url": fmt.Sprintf("https://%s:%d/", serverName, serverPort),
+ }).Info("Server is ready to handle requests")
 atomic.StoreInt32(&handlers.Healthy, 1)
 if err := server.ListenAndServeTLS(
diff --git a/docs/idp.toml b/docs/idp.toml
index 0a485b4..f0ed40d 100644
--- a/docs/idp.toml
+++ b/docs/idp.toml
@@ -5,8 +5,10 @@ csrf.key = "32-byte-long-random-base64-encoded-key"
 client.ca-file = "client.cas.pem"
 [server]
+# server name
+name = "idp.cacert.org"
 # server IP address
-name = "127.0.0.1"
+bind_address = "127.0.0.1"
 # server port
 port = 3443
 # server TLS X.509 certificate in PEM format
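Review bot: `fmt.Sprintf("%s:%d", serverBindAddress, serverPort)` yields an unparseable listen address when `server.bind_address` is an IPv6 literal such as `::1`, which the "server IP address" comment in docs/idp.toml now invites; `net.JoinHostPort(serverBindAddress, strconv.Itoa(serverPort))` brackets IPv6 hosts correctly and still produces `:<port>` for an empty bind address. The published URL in the @@ -220 hunk has the same shape but uses `server.name`, which is fine as long as that is a hostname. Whether `net` and `strconv` are already imported in main.go is not visible in this diff. startServer starts and ends outside the hunk.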