diff --git a/crypto/proof_rsa.go b/crypto/proof_rsa.go
new file mode 100644
index 00000000..b33e3eac
--- /dev/null
+++ b/crypto/proof_rsa.go
@@ -0,0 +1,48 @@
+package crypto
+
+import (
+ "crypto"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/sha256"
+ "crypto/x509"
+ "io/ioutil"
+)
+
+// KeyData stores a key and a certificate for the server proof
+type KeyData struct {
+ key *rsa.PrivateKey
+ cert *x509.Certificate
+}
+
+// LoadKeyData loads the key and cert from files
+func LoadKeyData(certFileName string, keyFileName string) (*KeyData, error) {
+ keyDER, err := ioutil.ReadFile(keyFileName)
+ if err != nil {
+ return nil, err
+ }
+ key, err := x509.ParsePKCS1PrivateKey(keyDER)
+ if err != nil {
+ return nil, err
+ }
+ certDER, err := ioutil.ReadFile(certFileName)
+ if err != nil {
+ return nil, err
+ }
+ cert, err := x509.ParseCertificate(certDER)
+ if err != nil {
+ return nil, err
+ }
+
+ return &KeyData{key: key, cert: cert}, nil
+}
+
+// SignServerProof signs CHLO and server config for use in the server proof
+func (kd *KeyData) SignServerProof(chlo []byte, serverConfigData []byte) ([]byte, error) {
+ hash := sha256.New()
+ hash.Write([]byte("QUIC server config signature\x00"))
+ chloHash := sha256.Sum256(chlo)
+ hash.Write(chloHash[:])
+ hash.Write(serverConfigData)
+ return rsa.SignPSS(rand.Reader, kd.key, crypto.SHA256, hash.Sum(nil), nil)
+}
diff --git a/example/cert.der b/example/cert.der
new file mode 100644
index 00000000..03f8e143
Binary files /dev/null and b/example/cert.der differ
diff --git a/example/key.der b/example/key.der
new file mode 100644
index 00000000..2db9aadb
Binary files /dev/null and b/example/key.der differ
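Review bot: SignServerProof passes nil PSS options on its last line, so Go signs with the maximum salt length (PSSSaltLengthAuto); a peer that verifies PSS-SHA256 with the salt length fixed to the digest size (which QUIC proof verifiers appear to do) will reject such signatures, so the call should be `return rsa.SignPSS(rand.Reader, kd.key, crypto.SHA256, hash.Sum(nil), &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})`. LoadKeyData also never checks that the parsed certificate belongs to the parsed private key, so a mismatched pair is only discovered when a client rejects the proof; after both parses succeed, add `if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.Cmp(key.N) != 0 || pub.E != key.E { return nil, errors.New("certificate does not match private key") }` (with "errors" added to the import block). The four errors in LoadKeyData are returned bare, so a caller cannot tell whether the key or the certificate file failed; wrapping each with the file name, e.g. `return nil, fmt.Errorf("reading key %s: %v", keyFileName, err)`, would make misconfiguration diagnosable. The doc comment on SignServerProof should also spell out the exact byte layout that is hashed — the NUL-terminated label, then SHA-256 of the CHLO, then the server config — since the verifier must reproduce it byte for byte and the label string is the only place that contract currently lives.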