diff --git a/pkg/app/app.go b/pkg/app/app.go
index 2261258..8e571a3 100644
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
@@ -2,7 +2,6 @@ package app
 
 import (
 	"apc-p15-tool/pkg/pkcs15"
-	"encoding/base64"
 	"os"
 
 	"go.uber.org/zap"
@@ -59,7 +58,21 @@ func Start() {
 	}
 
 	// app.logger.Debug(hex.EncodeToString(p15File))
-	app.logger.Debug(base64.RawStdEncoding.EncodeToString(p15File))
+	// app.logger.Debug(base64.RawStdEncoding.EncodeToString(p15File))
+
+	apcHeader, err := makeFileHeader(p15File)
+	if err != nil {
+		app.logger.Fatalf("failed to make p15 file header (%s)", err)
+		// FATAL
+	}
+
+	apcFile := append(apcHeader, p15File...)
+
+	err = os.WriteFile("./apctool.p15", apcFile, 0777)
+	if err != nil {
+		app.logger.Fatalf("failed to write apc p15 file (%s)", err)
+		// FATAL
+	}
 
 	// TEMP TEMP TEMP
 }
diff --git a/pkg/pkcs15/encrypted_envelope.go b/pkg/pkcs15/encrypted_envelope.go
index 7e0acc8..b0eef9d 100644
--- a/pkg/pkcs15/encrypted_envelope.go
+++ b/pkg/pkcs15/encrypted_envelope.go
@@ -73,6 +73,7 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	wrappedCEK = append(wrappedCEK, cekPadding...)
 
 	// double encrypt CEK
@@ -102,7 +103,9 @@ func (p15 *pkcs15KeyCert) encryptedKeyEnvelope() ([]byte, error) {
 		return nil, err
 	}
 
+	// envelope content (that will be encrypted)
 	content := p15.privateKeyObject()
+
 	// pad content, see: https://datatracker.ietf.org/doc/html/rfc3852 6.3
 	contentPadLen := uint8(contentDesCipher.BlockSize() - (len(content) % contentDesCipher.BlockSize()))
 	// ALWAYS pad, if content is exact, add full block of padding