diff --git a/installers/mkcert.sh b/installers/mkcert.sh
new file mode 100644
index 00000000..5d95c75a
--- /dev/null
+++ b/installers/mkcert.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# RaspAP SSL certificate installation functions
+# author: @billz
+# license: GNU General Public License v3.0
+
+certname=$HOSTNAME."local"
+lighttpd_ssl="/etc/lighttpd/ssl"
+
+### NOTE: all the below functions are overloadable for system-specific installs
+
+function config_installation() {
+ install_log "Configure a new SSL certificate"
+ echo "Current system hostname is ${certname}"
+ echo -n "Create an SSL certificate for ${certname}? (Recommended) [y/N]"
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ read -e -p "Enter an alternate certificate name: " -i "${certname}" certname
+ fi
+ else
+ echo -e
+ fi
+
+ echo -n "Install to Lighttpd SSL directory: ${lighttpd_ssl}? [y/N]: "
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ read -e -p "Enter alternate Lighttpd SSL directory: " -i "${lighttpd_ssl}/" lighttpd_ssl
+ fi
+ else
+ echo -e
+ fi
+ echo -e "\033[1;32m***************************************************************$*\033[m"
+ echo "A new SSL certificate for: ${certname}"
+ echo "will be installed to Lighttpd SSL directory: ${lighttpd_ssl}"
+ echo -e "\033[1;32m***************************************************************$*\033[m"
+ echo -n "Complete installation with these values? [y/N]: "
+ if [ $assume_yes == 0 ]; then
+ read answer
+ if [[ $answer != "y" ]]; then
+ echo "Installation aborted."
+ exit 0
+ fi
+ else
+ echo -e
+ fi
+}
+
+# Installs pre-built mkcert binary for Arch Linux ARM
+function install_mkcert() {
+ install_log "Fetching mkcert binary"
+ sudo wget https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O /usr/local/bin/mkcert || install_error "Unable to download mkcert"
+ sudo chmod +x /usr/local/bin/mkcert
+
+ install_log "Installing mkcert"
+ mkcert -install || install_error "Failed to install mkcert"
+}
+
+# Generate a certificate for host
+function generate_certificate() {
+ install_log "Generating a new certificate for $certname"
+ cd /home/pi
+ mkcert $certname "*.${certname}.local" $certname || install_error "Failed to generate certificate for $certname"
+
+ install_log "Combining private key and certificate"
+ cat $certname+2-key.pem $certname+2.pem > $certname.pem || install_error "Failed to combine key and certificate"
+}
+
+# Create a directory for the combined .pem file in lighttpd
+function create_lighttpd_dir() {
+ #todo: check for existence
+ install_log "Create SLL directory for lighttpd"
+ sudo mkdir -p "$lighttpd_ssl" || install_error "Failed to create lighttpd directory"
+
+ install_log "Setting permissions and moving the .pem file"
+ chmod 400 /home/pi/"$certname".pem || install_error "Unable to set permissions for .pem file"
+ sudo mv /home/pi/"$certname".pem /etc/lighttpd/ssl
+}
+
+# Edit the lighttpd configuration
+function configure_lighttpd() {
+ install_log "Configuring lighttpd for SSL"
+
+
+}
+
+# Copy rootCA.pem to RaspAP web root
+function copy_rootca() {
+ install_log "Copying rootCA.pem to RaspAP web root"
+ sudo cp /home/pi/.local/share/mkcert/rootCA.pem ${webroot_dir}
+}
+
+function install_complete() {
+ install_log "Installation completed!"
+
+ if [ "${assume_yes:-}" = 0 ]; then
+ # Prompt to reboot if wired ethernet (eth0) is connected.
+ # With default_configuration this will create an active AP on restart.
+ echo "ok"
+ fi
+}
+
+function install_certificate() {
+ display_welcome
+ config_installation
+ install_mkcert
+ generate_certificate
+ create_lighttpd_dir
+ configure_lighttpd
+ copy_rootca
+ restart_lighttpd
+ install_complete
+}
+
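Review bot: install_mkcert writes the release asset straight into /usr/local/bin with `sudo wget`, marks it executable and then runs `mkcert -install` (which adds a root CA to the system trust store) without comparing the file against a known digest, so a tampered or truncated download would be executed as-is. Fetch to a temporary file as the unprivileged user, verify a pinned SHA-256, and only then install it with root; the digest in the sketch below is a placeholder to be filled in from the vetted release, and the sketch assumes install_error (defined outside this file) aborts the script. Separately, generate_certificate creates the private key and the combined `.pem` under whatever umask is inherited, only the combined file is tightened later in create_lighttpd_dir, and `$certname+2-key.pem` is left behind in /home/pi; a `umask 077` before the `mkcert` call plus removal of the intermediate key files would close that. create_lighttpd_dir also moves the file to the literal `/etc/lighttpd/ssl` rather than `"$lighttpd_ssl"`, so an alternate directory entered at the prompt is ignored.

```shell
function install_mkcert() {
    install_log "Fetching mkcert binary"
    # PLACEHOLDER: replace with the SHA-256 recorded for the vetted v1.3.0 linux-arm asset
    local mkcert_sha256="<SHA256_OF_MKCERT_V1.3.0_LINUX_ARM>"
    local tmp_bin
    tmp_bin=$(mktemp) || install_error "Unable to create temporary file"
    wget https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O "$tmp_bin" || install_error "Unable to download mkcert"
    echo "${mkcert_sha256}  ${tmp_bin}" | sha256sum -c - || install_error "mkcert checksum mismatch"
    sudo install -m 0755 "$tmp_bin" /usr/local/bin/mkcert || install_error "Unable to install mkcert binary"
    rm -f -- "$tmp_bin"
    # … unchanged: install_log "Installing mkcert" and the mkcert -install call …
}
```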