The advantage of this option is that it is quick and easy to generate the certificate / private key pair. The disadvantage is that your web browser will give you a warning that it cannot verify the certificate. You can override this warning and make a temporary exception.
2. Buy a certificate:
You will need to store the private key as `etc/tls/privkey.pem` and the full certificate chain as `etc/tls/fullchain.pem`. They need to be in PEM format.
3. Get a free certificate from Letsencrypt.org:
a. Install certbot by following the instructions at certbot.eff.org:
i. For "Software" select "None of the above".
ii. For "System" select your OS.
iii. Follow the instructions to install certbot on your system.
b. Use certbot to generate a certificate in webroot mode from the root of the ztncui directory:
```shell
certbot --webroot -w public -d [network_controller_fqdn]
```
Where **[network_controller_fqdn]** is the FQDN that resolves back to the address of the machine running the ZeroTier network controller and ztncui.
If certbot runs successfully, it should give you the location of your certificate, which should be something like:
Once you have a certificate at `etc/tls/fullchain.pem` and private key at `etc/tls/privkey.pem`, you should be able to access ztncui over HTTPS on the port specified by HTTPS_PORT.
##### 9. Remote access via SSH
###### SSH tunnel from Linux / Unix / macOS client