diff --git a/requirements-nover.txt b/requirements-nover.txt
index a73a6768d..d19715a0a 100644
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@@ -63,3 +63,4 @@ bencode
 cryptography
 httmock
 moto
+timeparse
diff --git a/requirements.txt b/requirements.txt
index ecd12d9fd..ce982e43e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -108,6 +108,7 @@ SQLAlchemy==1.0.12
 stevedore==1.12.0
 stringscore==0.1.0
 stripe==1.32.0
+timeparse==0.5.5
 toposort==1.4
 trollius==2.1
 tzlocal==1.2.2
diff --git a/util/generatepresharedkey.py b/util/generatepresharedkey.py
new file mode 100644
index 000000000..d1284d20c
--- /dev/null
+++ b/util/generatepresharedkey.py
@@ -0,0 +1,49 @@
+from app import app
+from data import model
+from data.database import ServiceKeyApprovalType
+from data.model.log import log_action
+from timeparse import ParseDatetime
+
+import argparse
+
+def generate_key(approver, service, name, expiration_date=None, notes=None):
+ metadata = {
+ 'created_by': 'CLI tool',
+ }
+
+ # Generate a key with a private key that we *never save*.
+ (private_key, key) = model.service_keys.generate_service_key(service, expiration_date,
+ metadata=metadata,
+ name=name)
+ # Auto-approve the service key.
+ model.service_keys.approve_service_key(key.kid, approver, ServiceKeyApprovalType.SUPERUSER,
+ notes=notes or '')
+
+ # Log the creation and auto-approval of the service key.
+ key_log_metadata = {
+ 'kid': key.kid,
+ 'preshared': True,
+ 'service': service,
+ 'name': name,
+ 'expiration_date': expiration_date,
+ 'auto_approved': True,
+ }
+
+ log_action('service_key_create', None, metadata=key_log_metadata)
+ log_action('service_key_approve', None, metadata=key_log_metadata)
+ return private_key
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Generates a preshared key')
+ parser.add_argument('approver', help='Quay username of the user approving this key')
+ parser.add_argument('service', help='The service name for which the key is being generated')
+ parser.add_argument('name', help='The friendly name for the key')
+ parser.add_argument('--expiration', help='The optional expiration date/time for the key',
+ default=None, action=ParseDatetime)
+ parser.add_argument('--notes', help='Optional notes about the key', default=None)
+
+ args = parser.parse_args()
+ approver_user = model.user.get_user(args.approver)
+ generated = generate_key(approver_user, args.service, args.name, args.expiration, args.notes)
+ print generated.exportKey('PEM')
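Review bot: The `__main__` block passes the result of `model.user.get_user(args.approver)` straight into `generate_key` without checking it, so a mistyped username would (if `get_user` returns None for an unknown user, which this diff does not show) only reach `approve_service_key` after the key has already been generated. Nothing here confirms the account is a superuser either, even though the approval is recorded as `ServiceKeyApprovalType.SUPERUSER`. Validate the approver before generating anything, e.g. `if approver_user is None: parser.error('Unknown approver: %s' % args.approver)`. Both `log_action` calls also pass `None` as their second argument and `key_log_metadata` has no approver field, so the audit entries for an auto-approved key do not say who approved it; adding the approver's identity to that metadata would close the gap. Since the PEM private key is printed to stdout and never saved, the `--help` description should tell operators to capture the output somewhere access-controlled rather than in a CI log or shared terminal.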