diff --git a/selfsigned_certs.sh b/selfsigned_certs.sh
new file mode 100644
index 0000000..46d5e1f
--- /dev/null
+++ b/selfsigned_certs.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# selfsigned.sh — create a long-lived self-signed cert with SANs
+# Usage: sudo ./selfsigned.sh [days] [outdir]
+
+set -euo pipefail
+
+# Prompt for domain if not provided
+read -rp "Enter the domain (e.g., panel.example.com): " DOMAIN
+if [[ -z "$DOMAIN" ]]; then
+ echo "Domain cannot be empty." >&2
+ exit 1
+fi
+
+DAYS="${1:-36500}" # Default: 100 years
+OUTDIR="${2:-/etc/ssl/selfsigned/$DOMAIN}"
+
+command -v openssl >/dev/null 2>&1 || { echo "openssl is required"; exit 1; }
+
+mkdir -p "$OUTDIR"
+chmod 700 "$OUTDIR"
+
+CONF="$OUTDIR/openssl.cnf"
+KEY="$OUTDIR/$DOMAIN.key"
+CRT="$OUTDIR/$DOMAIN.crt"
+PEM="$OUTDIR/$DOMAIN.pem"
+
+cat > "$CONF" < "$PEM"
+chmod 600 "$KEY" "$CRT" "$PEM"
+
+echo "✅ Self-signed certificate created:"
+echo " Cert : $CRT"
+echo " Key : $KEY"
+echo " PEM : $PEM"
+echo " Conf : $CONF"
+echo
+echo "📌 Add this to your nginx config:"
+echo " ssl_certificate $CRT;"
+echo " ssl_certificate_key $KEY;"
\ No newline at end of file
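Review bot: The value read into `DOMAIN` is only checked for emptiness before it is used to build `OUTDIR`, `KEY`, `CRT` and `PEM`, so under the documented `sudo` invocation a value containing `/` or `..` makes the script create, chmod and write files as root outside `/etc/ssl/selfsigned`. I would reject anything that is not a hostname right after the empty check, e.g. `[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || { echo "Invalid domain." >&2; exit 1; }`. The same value presumably also lands in the generated `openssl.cnf` (the heredoc body and the openssl call are not visible on this page), where non-hostname characters could alter the config, so the check covers that as well. Separately, `chmod 600` runs only after the key and PEM already exist, and `chmod 700 "$OUTDIR"` will retighten a caller-supplied existing directory; setting `umask 077` before `mkdir -p` and applying `chmod 700` only when the script created the directory would avoid both.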