In an ad hoc network, nodes may face the need to generate new public keys. To be verifiably authentic, these newly generated public keys need to be certified. However, because of the absence of a permanent communication infrastructure, a certification authority (CA) that can issue certificates may not always be reachable. The downside is that secure communication channels cannot be established. Previously proposed solutions do not guarantee that identities contained in certificates are valid or, when they do, they rely on neighbors to validate user-key bindings. However, there is no guarantee that nodes that are known in advance will always be present in the network. Therefore, neighbors are not always able to verify a node's identity before certificate issuance. In this paper we define a scheme that permits nodes to generate, on-demand, and independently of any third entity, public keys that can be authenticated with the aid of a unique certificate, issued by a CA at initialization. This certificate binds a valid identity to a hash code. We then extend this scheme to a solution permitting certificates to be generated, on-demand, and independently of any third entity, that can be authenticated with a unique signature generated by a CA. Finally we solve the problem of updated revocation information. Copyright © 2010 John Wiley & Sons, Ltd.