diff --git a/certidude/api.py b/certidude/api.py
index 702d698..0d5bc25 100644
--- a/certidude/api.py
+++ b/certidude/api.py
@@ -7,7 +7,7 @@ import types
 import urllib.request
 import click
 from time import sleep
-from certidude.wrappers import Request, Certificate
+from certidude.wrappers import Request, Certificate, CertificateAuthorityConfig
 from certidude.auth import login_required
 from certidude.mailer import Mailer
 from pyasn1.codec.der import decoder
@@ -356,3 +356,19 @@ class ApplicationConfigurationResource(CertificateAuthorityBase):
 resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn)
 resp.body = Template(open("/etc/openvpn/%s.template" % ca.slug).read()).render(ctx)
+
+def certidude_app():
+ config = CertificateAuthorityConfig()
+
+ app = falcon.API()
+ app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
+ app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
+ app.add_route("/api/{ca}/certificate/", CertificateAuthorityResource(config))
+ app.add_route("/api/{ca}/revoked/", RevocationListResource(config))
+ app.add_route("/api/{ca}/signed/{cn}/", SignedCertificateDetailResource(config))
+ app.add_route("/api/{ca}/signed/", SignedCertificateListResource(config))
+ app.add_route("/api/{ca}/request/{cn}/", RequestDetailResource(config))
+ app.add_route("/api/{ca}/request/", RequestListResource(config))
+ app.add_route("/api/{ca}/", IndexResource(config))
+
+ return app
diff --git a/certidude/cli.py b/certidude/cli.py
index 978eb98..7802bdb 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
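Review bot: In certidude/api.py, `certidude_app()` always constructs its own `CertificateAuthorityConfig()` and accepts no argument, so a caller can no longer decide which CA configuration the routes are bound to. The removed lines in certidude/cli.py show that `certidude_serve` used to hand the `config` it already had in scope to every resource; after this change that object is silently bypassed for routing, which matters if it can ever differ from the default (where it comes from is outside the hunk). A backward-compatible signature would be `def certidude_app(config=None):` with `if config is None: config = CertificateAuthorityConfig()`, and cli.py could then call `certidude_app(config)`. The factory also has no docstring; something like `"""Build the falcon API with all /api/{ca}/ routes; the static file sink is not registered here."""` would tell WSGI deployers what they get.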
@@ -798,30 +798,16 @@ def certidude_serve(user, port, listen, enable_signature):
 click.echo("Serving API at %s:%d" % (listen, port))
 import pwd
- import falcon
 from wsgiref.simple_server import make_server, WSGIServer
 from socketserver import ThreadingMixIn
- from certidude.api import CertificateAuthorityResource, \
- RequestDetailResource, RequestListResource, \
- SignedCertificateDetailResource, SignedCertificateListResource, \
- RevocationListResource, IndexResource, ApplicationConfigurationResource, \
- CertificateStatusResource
+ from certidude.api import certidude_app
 class ThreadingWSGIServer(ThreadingMixIn, WSGIServer): pass
 click.echo("Listening on %s:%d" % (listen, port))
- app = falcon.API()
- app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
- app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
- app.add_route("/api/{ca}/certificate/", CertificateAuthorityResource(config))
- app.add_route("/api/{ca}/revoked/", RevocationListResource(config))
- app.add_route("/api/{ca}/signed/{cn}/", SignedCertificateDetailResource(config))
- app.add_route("/api/{ca}/signed/", SignedCertificateListResource(config))
- app.add_route("/api/{ca}/request/{cn}/", RequestDetailResource(config))
- app.add_route("/api/{ca}/request/", RequestListResource(config))
- app.add_route("/api/{ca}/", IndexResource(config))
+ app = certidude_app()
 app.add_sink(StaticResource(os.path.join(os.path.dirname(__file__), "static")))
 httpd = make_server(listen, port, app, ThreadingWSGIServer)
diff --git a/certidude/wsgi.py b/certidude/wsgi.py
index 241f6cd..5b546c4 100644
--- a/certidude/wsgi.py
+++ b/certidude/wsgi.py
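Review bot: The `app.add_sink(StaticResource(...))` line in `certidude_serve` is now the only place the static files are attached, and nothing in the hunk says so. The new certidude/wsgi.py calls `certidude_app()` without a sink, so the two entry points expose different URL surfaces. A comment above the call would make that deliberate, for example `# Static files are served only by this built-in server; certidude.wsgi leaves them to the front-end web server` (the front-end part is presumed, please confirm). The function body continues past the hunk, so it is also worth checking that nothing further down still refers to `falcon` now that the local `import falcon` is gone.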
@@ -1,29 +1,14 @@
+"""
+ certidude.wsgi
+ ~~~~~~~~~~~~~~
+ Certidude web app factory for WSGI-compatible web servers
+"""
 import os
-import falcon
-from certidude.wrappers import CertificateAuthorityConfig
-from certidude.api import CertificateAuthorityResource, \
- RequestDetailResource, RequestListResource, \
- SignedCertificateDetailResource, SignedCertificateListResource, \
- RevocationListResource, IndexResource, ApplicationConfigurationResource, \
- CertificateStatusResource
+from certidude.api import certidude_app
-# TODO: deduplicate routing code
 # TODO: set up /run/certidude/api paths and permissions
-
-config = CertificateAuthorityConfig()
-
 assert os.getenv("PUSH_SUBSCRIBE"), "Please set PUSH_SUBSCRIBE to your web server's subscription URL"
 assert os.getenv("PUSH_PUBLISH"), "Please set PUSH_PUBLISH to your web server's publishing URL"
-app = falcon.API()
-app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
-app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
-app.add_route("/api/{ca}/certificate/", CertificateAuthorityResource(config))
-app.add_route("/api/{ca}/revoked/", RevocationListResource(config))
-app.add_route("/api/{ca}/signed/{cn}/", SignedCertificateDetailResource(config))
-app.add_route("/api/{ca}/signed/", SignedCertificateListResource(config))
-app.add_route("/api/{ca}/request/{cn}/", RequestDetailResource(config))
-app.add_route("/api/{ca}/request/", RequestListResource(config))
-app.add_route("/api/{ca}/", IndexResource(config))
-
+app = certidude_app()
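Review bot: The two PUSH_SUBSCRIBE / PUSH_PUBLISH checks that guard the new `app = certidude_app()` line in certidude/wsgi.py are still `assert` statements, which are compiled out when the interpreter runs with `-O` or `PYTHONOPTIMIZE`. Under such a WSGI server the application would start with the push URLs unset instead of failing at import. These are unchanged context lines, but since the module is being rewritten here anyway, an explicit check is safer: `if not os.getenv("PUSH_SUBSCRIBE"): raise RuntimeError("Please set PUSH_SUBSCRIBE to your web server's subscription URL")`, and the same for PUSH_PUBLISH.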