diff --git a/install.sh b/install.sh
index 0a67f00..ba6cde8 100644
--- a/install.sh
+++ b/install.sh
@@ -69,6 +69,12 @@ sed -i $'s/)\s*uninstallFunc/) unsupportedFunc/g' /usr/local/bin/pihole
 # pihole -r / pihole reconfigure
 sed -i $'s/)\s*reconfigurePiholeFunc/) unsupportedFunc/g' /usr/local/bin/pihole
 
+#enable ssl mod ssl if needed (debian:billseye)
+if [ -z "$(compgen -G /etc/lighttpd/conf-enabled/*-ssl.conf)" ]; then
+  apt-get update && apt-get install -y --no-install-recommends lighttpd-mod-openssl
+  lighty-enable-mod ssl
+fi
+
 if [[ "${PIHOLE_DOCKER_TAG}" != "dev" && "${PIHOLE_DOCKER_TAG}" != "nightly" ]]; then
   # If we are on a version other than dev or nightly, disable `pihole checkout`, otherwise it is useful to have for quick troubleshooting sometimes
   sed -i $'s/)\s*piholeCheckoutFunc/) unsupportedFunc/g' /usr/local/bin/pihole
diff --git a/s6/debian-root/etc/cont-init.d/20-start.sh b/s6/debian-root/etc/cont-init.d/20-start.sh
index 97cd6ab..8353234 100644
--- a/s6/debian-root/etc/cont-init.d/20-start.sh
+++ b/s6/debian-root/etc/cont-init.d/20-start.sh
@@ -36,4 +36,13 @@ fi
 
 pihole -v
 
+# generate default certificate if needed
+if [ ! -e /etc/lighttpd/server.pem ]; then
+  echo "Generating a ssl certificate for lighttpd."
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/lighttpd/key.pem -out /etc/lighttpd/certificate.pem -sha256 -days 3650 -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com"
+  cat /etc/lighttpd/certificate.pem /etc/lighttpd/key.pem > /etc/lighttpd/server.pem
+  chown -R www-data:www-data /etc/lighttpd
+  chmod 0600 /etc/lighttpd/*.pem
+fi
+
 echo "  Container tag is: ${PIHOLE_DOCKER_TAG}"
\ No newline at end of file