diff --git a/.gitignore b/.gitignore
index c171831c..1dd450a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ node_modules
 yarn-error.log
 *.swp
 includes/config.php
+rootCA.pem
diff --git a/installers/common.sh b/installers/common.sh
index 3e7982f5..fcabbc4f 100755
--- a/installers/common.sh
+++ b/installers/common.sh
@@ -35,42 +35,7 @@ elif [ "$php_package" = "php5-cgi" ]; then
 phpcgiconf="/etc/php5/cgi/php.ini"
 fi
-# Outputs a RaspAP Install log line
-function install_log() {
- echo -e "\033[1;32mRaspAP Install: $*\033[m"
-}
-
-# Outputs a RaspAP Install Error log line and exits with status code 1
-function install_error() {
- echo -e "\033[1;37;41mRaspAP Install Error: $*\033[m"
- exit 1
-}
-
-# Outputs a RaspAP Warning line
-function install_warning() {
- echo -e "\033[1;33mWarning: $*\033[m"
-}
-
-# Outputs a welcome message
-function display_welcome() {
- raspberry='\033[0;35m'
- green='\033[1;32m'
-
- echo -e "${raspberry}\n"
- echo -e " 888888ba .d888888 888888ba"
- echo -e " 88 8b d8 88 88 8b"
- echo -e "a88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P"
- echo -e " 88 8b. 88 88 Y8ooooo. 88 88 88 88 88"
- echo -e " 88 88 88. .88 88 88. .88 88 88 88"
- echo -e " dP dP 88888P8 88888P 88Y888P 88 88 dP"
- echo -e " 88"
- echo -e " dP version ${VERSION}"
- echo -e "${green}"
- echo -e "The Quick Installer will guide you through a few easy steps\n\n"
-}
-
 ### NOTE: all the below functions are overloadable for system-specific installs
-### NOTE: some of the below functions MUST be overloaded due to system-specific installs
 function config_installation() {
 install_log "Configure installation"
@@ -80,7 +45,7 @@ function config_installation() {
 if [ $assume_yes == 0 ]; then
 read answer
 if [[ $answer != "y" ]]; then
- read -e -p "Enter alternate Lighttpd directory: " -i "/var/www/html/" webroot_dir
+ read -e -p "Enter alternate Lighttpd directory: " -i "/var/www/html" webroot_dir
 fi
 else
 echo -e
@@ -100,9 +65,9 @@ function config_installation() {
 }
 # Runs a system software update to make sure we're using all fresh packages
-function update_system_packages() {
- # OVERLOAD THIS
- install_error "No function definition for update_system_packages"
+function install_dependencies() {
+ install_log "Installing required packages"
+ sudo apt-get install $apt_option lighttpd $php_package git hostapd dnsmasq vnstat || install_error "Unable to install dependencies"
 }
 # Installs additional dependencies using system package manager
diff --git a/installers/mkcert.sh b/installers/mkcert.sh
new file mode 100755
index 00000000..0de09b0c
--- /dev/null
+++ b/installers/mkcert.sh
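Review bot: The comment left above the new `install_dependencies` still describes the old stub ("Runs a system software update ..."), so the header no longer matches the function; replace it with something like `# Installs the packages RaspAP needs using apt-get`. The trailing context line `# Installs additional dependencies using system package manager` suggests a second `install_dependencies` definition follows outside this hunk; if that is still the overload stub calling install_error, it would redefine this one when the file is sourced, so confirm it was removed. `$apt_option` and `$php_package` are expanded unquoted, presumably so an empty `$apt_option` vanishes from the command line; a one-line comment saying so would stop a later cleanup from quoting them.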
@@ -0,0 +1,148 @@
+#!/bin/bash
+#
+# RaspAP SSL certificate installation functions
+# author: @billz
+# license: GNU General Public License v3.0
+
+certname=$HOSTNAME."local"
+lighttpd_ssl="/etc/lighttpd/ssl"
+lighttpd_conf="/etc/lighttpd/lighttpd.conf"
+webroot_dir="/var/www/html"
+
+### NOTE: all the below functions are overloadable for system-specific installs
+
+function config_installation() {
+ install_log "Configure a new SSL certificate"
+ echo "Current system hostname is $HOSTNAME"
+ echo -n "Create an SSL certificate for ${certname}? (Recommended) [y/N]"
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ read -e -p "Enter an alternate certificate name: " -i "${certname}" certname
+ fi
+ else
+ echo -e
+ fi
+
+ echo -n "Install to lighttpd SSL directory: ${lighttpd_ssl}? [y/N]: "
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ read -e -p "Enter alternate lighttpd SSL directory: " -i "${lighttpd_ssl}" lighttpd_ssl
+ fi
+ else
+ echo -e
+ fi
+
+ install_divider
+ echo "A new SSL certificate for: ${certname}"
+ echo "will be installed to lighttpd SSL directory: ${lighttpd_ssl}"
+ install_divider
+ echo -n "Complete installation with these values? [y/N]: "
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ echo "Installation aborted."
+ exit 0
+ fi
+ else
+ echo -e
+ fi
+}
+
+# Installs pre-built mkcert binary for Arch Linux ARM
+function install_mkcert() {
+ install_log "Fetching mkcert binary"
+ sudo wget -q https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O /usr/local/bin/mkcert || install_error "Unable to download mkcert"
+ sudo chmod +x /usr/local/bin/mkcert
+
+ install_log "Installing mkcert"
+ mkcert -install || install_error "Failed to install mkcert"
+}
+
+# Generate a certificate for host
+function generate_certificate() {
+ install_log "Generating a new certificate for $certname"
+ cd /home/pi
+ mkcert $certname "*.${certname}.local" $certname || install_error "Failed to generate certificate for $certname"
+
+ install_log "Combining private key and certificate"
+ cat $certname+2-key.pem $certname+2.pem > $certname.pem || install_error "Failed to combine key and certificate"
+ echo "OK"
+}
+
+# Create a directory for the combined .pem file in lighttpd
+function create_lighttpd_dir() {
+ install_log "Creating SLL directory for lighttpd"
+ if [ ! -d "$lighttpd_ssl" ]; then
+ sudo mkdir -p "$lighttpd_ssl" || install_error "Failed to create lighttpd directory"
+ fi
+ echo "OK"
+
+ install_log "Setting permissions and moving .pem file"
+ chmod 400 /home/pi/"$certname".pem || install_error "Unable to set permissions for .pem file"
+ sudo mv /home/pi/"$certname".pem /etc/lighttpd/ssl || install_error "Unable to move .pem file"
+ echo "OK"
+}
+
+# Generate config to enable SSL in lighttpd
+function configure_lighttpd() {
+ install_log "Configuring lighttpd for SSL"
+ lines=(
+ 'server.modules += ("mod_openssl")'
+ '$SERVER["socket"] == ":443" {'
+ 'ssl.engine = "enable"'
+ 'ssl.pemfile = "'$lighttpd_ssl/$certname'.pem"'
+ 'ssl.ca-file = "/home/pi/.local/share/mkcert/rootCA.pem"'
+ 'server.name = "'$certname'"'
+ 'server.document-root = "'${webroot_dir}'"}'
+ )
+ for line in "${lines[@]}"; do
+ if grep -Fxq "${line}" "${lighttpd_conf}" > /dev/null; then
+ echo "$line: Line already added"
+ else
+ sudo sed -i "$ a $line" $lighttpd_conf
+ echo "Adding line $line"
+ fi
+ done
+ echo "OK"
+}
+
+# Copy rootCA.pem to RaspAP web root
+function copy_rootca() {
+ install_log "Copying rootCA.pem to RaspAP web root"
+ sudo cp /home/pi/.local/share/mkcert/rootCA.pem ${webroot_dir} || install_error "Unable to copy rootCA.pem to ${webroot_dir}"
+ echo "OK"
+}
+
+# Restart lighttpd service
+function restart_lighttpd() {
+ install_log "Restarting lighttpd service"
+ sudo systemctl restart lighttpd.service || install_error "Unable to restart lighttpd service"
+ sudo systemctl status lighttpd.service
+}
+
+function install_complete() {
+ install_log "SSL certificate install completed!"
+ install_divider
+ echo "Open a browser and enter the address: http://${certname}/rootCA.pem"
+ echo "Download the root certificate to your client and add it to your system keychain."
+ echo "Note: Be sure to set this certificate to "Always trust" to avoid browser warnings."
+ echo "Finally, enter the address https://${certname} in your browser."
+ echo "Enjoy an encrypted SSL connection to RaspAP 🔒"
+ echo "For advanced options, run mkcert -help"
+ install_divider
+}
+
+function install_certificate() {
+ display_welcome
+ config_installation
+ install_mkcert
+ generate_certificate
+ create_lighttpd_dir
+ configure_lighttpd
+ copy_rootca
+ restart_lighttpd
+ install_complete
+}
+
diff --git a/installers/raspbian.sh b/installers/raspbian.sh
index f2c310e2..de6036c4 100755
--- a/installers/raspbian.sh
+++ b/installers/raspbian.sh
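Review bot: install_mkcert writes the downloaded release asset straight into /usr/local/bin as root and then runs `mkcert -install` with no integrity check, so a truncated or altered download is executed as-is; fetch to a `mktemp` file, compare it with a pinned SHA-256, and only then install it (sketch below, the digest is a placeholder to fill in from the release page). create_lighttpd_dir moves the combined key and certificate to the literal `/etc/lighttpd/ssl` while configure_lighttpd builds `ssl.pemfile` from `$lighttpd_ssl`, so an alternate directory entered at the prompt leaves the config pointing at a file that is not there; `sudo mv /home/pi/"$certname".pem "$lighttpd_ssl"/` keeps the two in step. generate_certificate creates the combined .pem under the default umask before the later `chmod 400` and leaves `$certname+2-key.pem` behind in /home/pi, so set `umask 077` before the `cat` and remove the intermediate files afterwards. install_complete tells clients to fetch rootCA.pem over plain http and mark it trusted; printing the CA fingerprint on the console at the end, e.g. `openssl x509 -noout -fingerprint -sha256 -in /home/pi/.local/share/mkcert/rootCA.pem`, gives the user something to compare before importing it.

```shell
function install_mkcert() {
    install_log "Fetching mkcert binary"
    # Placeholder: replace with the published SHA-256 of the v1.3.0 linux-arm asset
    local mkcert_sha256="<PLACEHOLDER: SHA-256 of mkcert-v1.3.0-linux-arm>"
    local tmpbin
    tmpbin=$(mktemp) || install_error "Unable to create temporary file"
    wget -q https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O "$tmpbin" || install_error "Unable to download mkcert"
    # Refuse to install anything that does not match the pinned digest
    echo "${mkcert_sha256}  ${tmpbin}" | sha256sum -c --status - || install_error "mkcert checksum mismatch"
    sudo install -m 0755 "$tmpbin" /usr/local/bin/mkcert || install_error "Unable to install mkcert binary"
    rm -f "$tmpbin"
    # … unchanged: install_log "Installing mkcert" and the mkcert -install call …
}
```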
@@ -4,41 +4,94 @@
 # author: @billz
 # license: GNU General Public License v3.0
 #
-# Command-line options: -y, --yes, --assume-yes
+# Command-line options:
+# -y, --yes, --assume-yes
 # Assume "yes" as answer to all prompts and run non-interactively
+#
+# c, --cert, --certficate
+# Installs mkcert and generates an SSL certificate for lighttpd
 UPDATE_URL="https://raw.githubusercontent.com/billz/raspap-webgui/master/"
 VERSION=$(curl -s "https://api.github.com/repos/billz/raspap-webgui/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")' )
-wget -q ${UPDATE_URL}/installers/common.sh -O /tmp/raspapcommon.sh
-source /tmp/raspapcommon.sh && rm -f /tmp/raspapcommon.sh
+USAGE=$'Usage: raspbian.sh [OPTION] \n\n-y, --yes, --assume-yes\n\tAssumes "yes" as an answer to all prompts'
+USAGE+=$'\n-c, --cert, --certficate\n\tInstalls an SSL certificate for lighttpd\n'
 assume_yes=0
-positional=()
-while [[ $# -gt 0 ]]
-do
-key="$1"
-case $key in
- -y|--yes|--assume-yes)
- assume_yes=1
- apt_option="-y"
- shift # past argument
- shift # past value
- ;;
- *) # unknown option
- shift # past argument
- ;;
-esac
+while :; do
+ case $1 in
+ -y|--yes|--assume-yes)
+ assume_yes=1
+ apt_option="-y"
+ ;;
+ -c|--cert|--certificate)
+ install_cert=1
+ ;;
+ -*|--*)
+ echo "Unknown option: $1";
+ echo "$USAGE"
+ exit 1
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
 done
+# Outputs a welcome message
+function display_welcome() {
+ raspberry='\033[0;35m'
+ green='\033[1;32m'
+
+ echo -e "${raspberry}\n"
+ echo -e " 888888ba .d888888 888888ba"
+ echo -e " 88 8b d8 88 88 8b"
+ echo -e "a88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P"
+ echo -e " 88 8b. 88 88 Y8ooooo. 88 88 88 88 88"
+ echo -e " 88 88 88. .88 88 88. .88 88 88 88"
+ echo -e " dP dP 88888P8 88888P 88Y888P 88 88 dP"
+ echo -e " 88"
+ echo -e " dP version ${VERSION}"
+ echo -e "${green}"
+ echo -e "The Quick Installer will guide you through a few easy steps\n\n"
+}
+
+# Outputs a RaspAP Install log line
+function install_log() {
+ echo -e "\033[1;32mRaspAP Install: $*\033[m"
+}
+
+# Outputs a RaspAP Install Error log line and exits with status code 1
+function install_error() {
+ echo -e "\033[1;37;41mRaspAP Install Error: $*\033[m"
+ exit 1
+}
+
+# Outputs a RaspAP Warning line
+function install_warning() {
+ echo -e "\033[1;33mWarning: $*\033[m"
+}
+
+# Outputs a RaspAP divider
+function install_divider() {
+ echo -e "\033[1;32m***************************************************************$*\033[m"
+}
+
 function update_system_packages() {
 install_log "Updating sources"
 sudo apt-get update || install_error "Unable to update package list"
 }
-function install_dependencies() {
- install_log "Installing required packages"
- sudo apt-get install $apt_option lighttpd $php_package git hostapd dnsmasq vnstat || install_error "Unable to install dependencies"
-}
+if [ "${install_cert:-}" = 1 ]; then
+ source="mkcert"
+ wget -q ${UPDATE_URL}installers/${source}.sh -O /tmp/raspap_${source}.sh
+ source /tmp/raspap_${source}.sh && rm -f /tmp/raspap_${source}.sh
+ install_certificate
+else
+ source="common"
+ wget -q ${UPDATE_URL}installers/${source}.sh -O /tmp/raspap_${source}.sh
+ source /tmp/raspap_${source}.sh && rm -f /tmp/raspap_${source}.sh
+ install_raspap
+fi
-install_raspap
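Review bot: Both branches at the end of the script download an installer to a fixed name under /tmp and `source` it without checking wget's exit status, so if `/tmp/raspap_mkcert.sh` (or `raspap_common.sh`) already exists and this user cannot overwrite it, the failed download is ignored and whatever that file holds runs in a shell that goes on to call sudo. Use a private file and stop on failure: `tmpfile=$(mktemp) || install_error "mktemp failed"`, `wget -q "${UPDATE_URL}installers/${source}.sh" -O "$tmpfile" || install_error "Unable to download ${source}.sh"`, then `source "$tmpfile" && rm -f "$tmpfile"`. The header comment and USAGE advertise `--certficate` (and the comment lists `c` without its dash) while the case arm matches `--certificate`, so the documented spelling ends in "Unknown option"; correct both strings to `-c, --cert, --certificate`.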