diff --git a/gateways/docker/docker-compose.yml b/gateways/docker/docker-compose.yml
index 40e4628c..c87f74d7 100644
--- a/gateways/docker/docker-compose.yml
+++ b/gateways/docker/docker-compose.yml
@@ -25,6 +25,8 @@ services:
 - ./${PATH_GATEWAYS}/traefik/traefik.toml:/etc/traefik/traefik.toml
 - ./${PATH_GATEWAYS}/traefik/logs:/var/log/traefik/
 # - shared_logs:/var/log/traefik/
+ - ./secrets/_wildcard.${BASE_URL}-key.pem:/etc/ssl/mkcert/key.pem #if they don't exist it's ok
+ - ./secrets/_wildcard.${BASE_URL}.pem:/etc/ssl/mkcert/cert.pem
 # networks:
 # - management
 labels:
diff --git a/gateways/docker/traefik/traefik.toml.dev-ssl b/gateways/docker/traefik/traefik.toml.dev-ssl
new file mode 100644
index 00000000..13c2ca45
--- /dev/null
+++ b/gateways/docker/traefik/traefik.toml.dev-ssl
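Review bot: The new bind mounts hand the gateway container the dev private key read-write; both files should be mounted read-only — `- ./secrets/_wildcard.${BASE_URL}-key.pem:/etc/ssl/mkcert/key.pem:ro` and `- ./secrets/_wildcard.${BASE_URL}.pem:/etc/ssl/mkcert/cert.pem:ro` — so a compromised Traefik process cannot overwrite them. The "if they don't exist it's ok" comment also looks optimistic: when a bind-mount source path is missing, Docker creates it on the host as an empty directory, so `secrets/_wildcard.${BASE_URL}.pem` would then exist as a directory, which presumably defeats the `-f` test in helper.sh and turns start.sh's `mv ./*.pem secrets/` into a move into that directory. Consider keeping these two mounts in a compose override that is only enabled once the files exist, or at least replace the comment with one stating that the files must be generated (mkcert, see start.sh) before `docker-compose up`. Please also confirm `secrets/` is git-ignored, since a private key now lives there.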
@@ -0,0 +1,132 @@ +################################################################ +# Global configuration +################################################################ +logLevel = "INFO" + +defaultEntryPoints = ["http", "https"] + +[entryPoints] + [entryPoints.http] + address = ":80" + [entryPoints.http.redirect] + entryPoint = "https" + [entryPoints.https] + address = ":443" + [entryPoints.https.tls] + minVersion = "VersionTLS12" + cipherSuites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"] + [[entryPoints.https.tls.certificates]] + certFile = "/etc/ssl/mkcert/cert.pem" + keyFile = "/etc/ssl/mkcert/key.pem" + + +################################################################ +# Web configuration backend +################################################################ +[web] +address = ":8080" + +[accessLog] +filePath = "/var/log/traefik/traefik-access.log" + +################################################################ +# Docker configuration backend +################################################################ + +# Enable Docker configuration backend +# +# Optional +# +[docker] + +# Docker server endpoint. Can be a tcp or a unix socket endpoint. +# +# Required +# +endpoint = "unix:///var/run/docker.sock" + +# Default domain used. +# Can be overridden by setting the "traefik.domain" label on a container. +# +# Required +# +domain = "${BASE_URL}" + + +# Enable watch docker changes +# +# Optional +# +watch = true + +# Override default configuration template. For advanced users :) +# +# Optional +# +# filename = "docker.tmpl" + +# Expose containers by default in traefik +# If set to false, containers that don't have `traefik.enable=true` will be ignored +# +# Optional +# Default: true +# +exposedbydefault = false + +# Use the IP address from the binded port instead of the inner network one. 
For specific use-case :) + +# +# Optional +# Default: false +# +usebindportip = true +# Use Swarm Mode services as data provider +# +# Optional +# Default: false +# +swarmmode = false + + +# Enable docker TLS connection +# +# [docker.tls] +# ca = "/etc/ssl/ca.crt" +# cert = "/etc/ssl/docker.crt" +# key = "/etc/ssl/docker.key" +# insecureskipverify = true + + +# CORS proxy pass for MyAEGEE confluence, Google calendar and Dockerhub +[file] +[frontends] + [frontends.jira-cors-frontend] + backend = "jira-cors-backend" + priority = 20 + [frontends.jira-cors-frontend.routes.main] + rule = "PathPrefixStrip:/services/jira-cors/;" + + [frontends.calendar-cors-frontend] + backend = "calendar-cors-backend" + priority = 20 + [frontends.calendar-cors-frontend.routes.main] + rule = "PathPrefixStrip:/services/calendar-cors/;" + + [frontends.dockerhub-frontend] + backend = "dockerhub-backend" + priority = 20 + [frontends.dockerhub-frontend.routes.main] + rule = "PathPrefixStrip:/services/dockerhub/;" + +[backends] + [backends.jira-cors-backend] + [backends.jira-cors-backend.servers.server1] + url = "https://myaegee.atlassian.net/" + + [backends.calendar-cors-backend] + [backends.calendar-cors-backend.servers.server1] + url = "https://calendar.google.com/" + + [backends.dockerhub-backend] + [backends.dockerhub-backend.servers.server1] + url = "https://hub.docker.com" diff --git a/helper.sh b/helper.sh index 41581803..7782842c 100755 --- a/helper.sh +++ b/helper.sh 
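Review bot: `domain = "${BASE_URL}"` is a literal string in TOML — there is no interpolation — and helper.sh copies this file with `cat`, not `envsubst` as the non-development branch does with traefik.toml.template, so Traefik will presumably see the default docker domain as the literal text `${BASE_URL}` unless a step not shown substitutes it; either run the dev-ssl file through `envsubst` as well, or hard-code the dev domain here with a comment saying the file is static. Separately, `[web]` on `:8080` exposes the Traefik v1 dashboard and API (which serves the loaded routing configuration, backend URLs included) with no authentication; now that this config terminates real TLS, add `[web.auth.basic]` or make sure port 8080 is not published beyond the host, and record that decision in a comment above `[web]`. The TLS block itself reads well (TLS 1.2 floor, ECDHE/AES-GCM suites only); a one-line note that these are mkcert dev certificates, trusted only on machines where `mkcert -install` ran, would help the next reader, e.g. `# dev-only: mkcert wildcard cert generated by start.sh check_mkcert` above `[[entryPoints.https.tls.certificates]]`.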
@@ -58,10 +58,15 @@ init_boot () chmod 600 "${DIR}"/secrets/acme.json # Traefik doesn't let ACME challenge go through otherwise touch "${DIR}"/gateways/docker/traefik/traefik.toml # to avoid making it think it's a folder + if [[ "${MYAEGEE_ENV}" != "development" ]]; then envsubst < "${DIR}"/gateways/docker/traefik/traefik.toml.template > "${DIR}"/gateways/docker/traefik/traefik.toml else - cat "${DIR}"/gateways/docker/traefik/traefik.toml.dev > "${DIR}"/gateways/docker/traefik/traefik.toml + if [[ ! -f "${DIR}/secrets/_wildcard.${BASE_URL}.pem" ]]; then + cat "${DIR}"/gateways/docker/traefik/traefik.toml.dev > "${DIR}"/gateways/docker/traefik/traefik.toml + else + cat "${DIR}"/gateways/docker/traefik/traefik.toml.dev-ssl > "${DIR}"/gateways/docker/traefik/traefik.toml + fi fi echo -e "\n[Deployment] Setting secrets\n" diff --git a/start.sh b/start.sh index 3a4265ae..a2038e78 100755 --- a/start.sh +++ b/start.sh @@ -4,11 +4,13 @@ #check how to bootstrap novagrant=false +nossl=true fast=false reset=false while [ "$#" -gt 0 ]; do case "$1" in --no-vagrant) novagrant=true; shift ;; + --with-ssl) nossl=false; shift ;; --fast) fast=true; shift ;; --reset) reset=true; shift ;; 
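Review bot: The new guard in init_boot tests only `secrets/_wildcard.${BASE_URL}.pem`, but traefik.toml.dev-ssl references both cert.pem and key.pem, so a present certificate with a missing key selects the SSL config and Traefik then fails to load the certificate at startup; test both files and flip the branches: `if [[ -f "${DIR}/secrets/_wildcard.${BASE_URL}.pem" && -f "${DIR}/secrets/_wildcard.${BASE_URL}-key.pem" ]]; then` (dev-ssl in the then-branch, plain dev in the else). Note also that both dev files are copied with `cat` while the non-development branch goes through `envsubst`, so any `${VAR}` in traefik.toml.dev-ssl reaches Traefik unexpanded; if that is intended, a comment on the `cat` lines saying the dev configs are static would stop the next person from adding variables there. init_boot begins before this hunk.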
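Review bot: `nossl=true` toggled off by `--with-ssl` reads as a double negative where it is consumed (`if ( ! $nossl )`); naming the flag for what the option asks for — `withssl=false` and `--with-ssl) withssl=true; shift ;;` — keeps the variable and its test in the same polarity as `novagrant`/`--no-vagrant`. A short usage comment listing `--with-ssl` alongside the other options would also help, since this case block is the only place the flag is documented.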
@@ -35,11 +37,31 @@ fi if [ ! -f "${DIR}"/.env ]; then #check if it exists, if not take the example cp "${DIR}"/.env.example "${DIR}"/.env + # TODO replace the base url with vagrant top line, + # OR generate vagrant based on that? fi #shellcheck disable=SC2046 export $(grep -v '^#' ${DIR}/.env | xargs -d '\n') +check_mkcert() { + + if type mkcert >/dev/null 2>&1; then + if [[ ! -f "${DIR}/secrets/_wildcard.${BASE_URL}.pem" ]]; then + mkcert -install + mkcert "*.${BASE_URL}" + mv ./*.pem secrets/ + echo '[Start script] ##### created cert files' + else + echo '[Start script] ##### cert files already good!' + fi + else + echo "You don't have mkcert, check how to install it on github.com/filosottile/mkcert" + fi + + #TODO: pilot traefik to use this etc (either here or helper.sh) +} + #run accordingly if ( $novagrant ); then check_etc_hosts "127.0.0.1" "localhost" @@ -47,6 +69,9 @@ if ( $novagrant ); then make bootstrap else check_etc_hosts "192.168.168.168" "${BASE_URL}" + if ( ! $nossl ); then + check_mkcert + fi if ( $fast ); then sed -i 's/development/production/' .env fi
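Review bot: `mkcert -install` in check_mkcert adds a new root CA to this machine's system and browser trust stores — every certificate signed with the key under `mkcert -CAROOT` is then trusted locally — so that step deserves a comment, and the generated private key deserves `chmod 600` the way helper.sh already protects acme.json. The guard checks only the certificate, not `-key.pem`, so a missing key is never regenerated; and `mkcert` writes into the current directory while `mv ./*.pem secrets/` sweeps up any .pem file there and uses a cwd-relative path, unlike the rest of the script which anchors on `${DIR}`. Using mkcert's `-cert-file`/`-key-file` flags writes straight to `${DIR}/secrets/` and removes the `mv` entirely; sketch below.
```shell
check_mkcert() {
  local cert="${DIR}/secrets/_wildcard.${BASE_URL}.pem"
  local key="${DIR}/secrets/_wildcard.${BASE_URL}-key.pem"

  if ! type mkcert >/dev/null 2>&1; then
    echo "You don't have mkcert, check how to install it on github.com/filosottile/mkcert"
    return
  fi

  if [[ -f "${cert}" && -f "${key}" ]]; then
    echo '[Start script] ##### cert files already good!'
    return
  fi

  # -install adds the mkcert root CA to the system/browser trust stores:
  # anything signed by the key under `mkcert -CAROOT` is trusted by this machine.
  mkcert -install
  mkcert -cert-file "${cert}" -key-file "${key}" "*.${BASE_URL}"
  chmod 600 "${key}"
  echo '[Start script] ##### created cert files'
}
```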
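Review bot: `check_mkcert` is only invoked in the vagrant branch, right after `check_etc_hosts "192.168.168.168" "${BASE_URL}"`, so `--with-ssl` combined with `--no-vagrant` is silently ignored; if that is intended, say so in the option's comment, otherwise call it in both branches or at least warn: `( $nossl ) || echo "[Start script] --with-ssl is ignored with --no-vagrant"`. Note also that `--fast` rewrites `.env` to production after the cert check, and helper.sh presumably then takes the `envsubst` template branch and never uses traefik.toml.dev-ssl, so the freshly generated mkcert files go unused in that combination — worth a one-line comment if the interaction is deliberate.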