diff --git a/README.md b/README.md index f69a560..f39c2d4 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ Screenshots can be seen at [key-networks.com](https://key-networks.com). ## Getting Started +### Note +Relative directory references below are relative to the ztncui directory. + ### Prerequisites * ztncui is a [node.js](https://nodejs.org) [Express](https://expressjs.com) application that requires [node.js](https://nodejs.org) v8 or higher. 
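Review bot: "the ztncui directory" in the new `### Note` is never defined in the visible README, so say which directory is meant (the one the repository was cloned or unpacked into, i.e. the one containing `etc/` and `public/`), because the TLS steps later in this patch (`cd etc/tls`, `certbot --webroot -w public`) only work when the reader starts from there. A dedicated `### Note` heading placed between `## Getting Started` and `### Prerequisites` also reads as a section in its own right; one sentence at the top of Getting Started without its own heading would be lighter and keep the heading sequence intact.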
@@ -128,6 +131,52 @@ HTTPS_HOST=12.34.56.78 ``` If HTTPS_HOST is not specified, but HTTPS_PORT is specified, then the app will listen for HTTPS requests on all interfaces. +###### TLS Certificate +For HTTPS you obviously need a TLS (SSL) certificate and private key pair. There are a few options: + +1. Generate a self-signed certificate as follows: + ```shell + cd etc/tls + openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privkey.pem -out fullchain.pem + ``` + Fill in the required details as prompted. + + The advantage of this option is that it is quick and easy to generate the certificate / private key pair. The disadvantage is that your web browser will give you a warning that it cannot verify the certificate. You can override this warning and make a temporary exception. + +2. Buy a certificate: + + You will need to store the private key as `etc/tls/privkey.pem` and the full certificate chain as `etc/tls/fullchain.pem`. They need to be in PEM format. + +3. Get a free certificate from Letsencrypt.org: + + a. Install certbot by following the instructions at certbot.eff.org: + + i. For "Software" select "None of the above". + ii. For "System" select your OS. + iii. Follow the instructions to install certbot on your system. + + b. Use certbot to generate a certificate in webroot mode from the root of the ztncui directory: + ```shell + certbot --webroot -w public -d [network_controller_fqdn] + ``` + Where **[network_controller_fqdn]** is the FQDN that resolves back to the address of the machine running the ZeroTier network controller and ztncui. + + If certbot runs successfully, it should give you the location of your certificate, which should be something like: + ``` + /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem + ``` + + c. 
Make soft links from etc/tls to the certificate and private key under /etc/letsencrypt/live: + ```shell + cd etc/tls + ln -s /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem + ln -s /etc/letsencrypt/live/[network_controller_fqdn]/privkey.pem + ``` + +###### Test HTTPS access +Once you have a certificate at `etc/tls/fullchain.pem` and private key at `etc/tls/privkey.pem`, you should be able to access ztncui over HTTPS on the port specified by HTTPS_PORT. + + ##### 9. Remote access via SSH ###### SSH tunnel from Linux / Unix / macOS client An SSH tunnel can be established with: diff --git a/public/.well-known/acme-challenge/.gitignore b/public/.well-known/acme-challenge/.gitignore new file mode 100644 index 0000000..d6b7ef3 --- /dev/null +++ b/public/.well-known/acme-challenge/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore
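Review bot: step 3b will not complete as written because nothing in this hunk states what must be listening on port 80 of `[network_controller_fqdn]` to serve `public/.well-known/acme-challenge/` to Let's Encrypt's validation servers; the FQDN has to resolve publicly and port 80 has to be reachable from the Internet, and the README should say which process serves `public` on that port before certbot is run. The command `certbot --webroot -w public -d [network_controller_fqdn]` is also missing the `certonly` subcommand that certbot's documented webroot usage takes; without it certbot runs in its default obtain-and-install mode and, with no installer for ztncui, either aborts telling the user to run `certbot certonly` or tries to install into a local Apache/nginx, so suggest `certbot certonly --webroot -w public -d [network_controller_fqdn]`. On key handling: option 1's `openssl req ... -nodes ... -keyout privkey.pem` writes an unencrypted private key, so the step should tell the reader to restrict it (for example `chmod 600 etc/tls/privkey.pem`) and to own it as the user ztncui runs as; and in 3c the symlinks into `/etc/letsencrypt/live/` point at files certbot creates readable by root only, so a ztncui process running as a non-root user will fail to open `privkey.pem`, which the text should address rather than leave the reader to discover at startup. Two smaller documentation points: Let's Encrypt certificates are valid for 90 days, so option 3 should say whether ztncui re-reads `etc/tls/fullchain.pem` and `etc/tls/privkey.pem` after certbot renews them or must be restarted; and option 1's advice to "make a temporary exception" should tell the reader to compare the fingerprint the browser shows with `openssl x509 -in fullchain.pem -noout -fingerprint -sha256` before accepting, since clicking through a warning on a network controller's admin UI also accepts an interposed certificate.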
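Review bot: this `.gitignore` only keeps `public/.well-known/acme-challenge/` present in the repository (git does not track empty directories); it does not make the challenge files reachable over HTTP, and Express's `express.static` (serve-static) middleware ignores any request path containing a dot-prefixed segment by default (`dotfiles: 'ignore'`), so `GET /.well-known/acme-challenge/<token>` will return 404 unless the app serves `public` with `dotfiles: 'allow'` or adds a dedicated route for that prefix. Nothing in this patch changes how `public` is served, so either include that change here or state in the README's step 3b that it is already in place. The pattern itself (`*` followed by `!.gitignore`) is correct and keeps issued challenge tokens out of version control.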