diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index de8a5ce..10672a2 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/azuread" {
   version = "2.47.0"
   constraints = "2.47.0"
   hashes = [
+    "h1:KB9BNRNStbdsfdRmVXUwXtN77qgX5VjBy2UALcqp218=",
     "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=",
     "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e",
     "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
@@ -25,6 +26,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
   version = "3.87.0"
   constraints = "3.87.0"
   hashes = [
+    "h1:Mjidmu1JGPnPIrkRZqIpOGzg5bad0kMXO983pLoOET8=",
     "h1:PfnDrSQo5bwN6KV1nVj+5MHnNxeD3bglvFahgJctQHY=",
     "zh:1547ed020fa6ca25d940b28601442c7e4495fdea9fb1ead7affb867383f5f40b",
     "zh:325e6d636b5ab09a24837194647617c9fabd42f0fb2c7e18ae8d2a8b2d890a55",
@@ -46,6 +48,7 @@ provider "registry.terraform.io/hashicorp/dns" {
   constraints = "3.4.0"
   hashes = [
     "h1:70aN98H5dljSSKyOkOkZ0AXB24vpyLrOF9S7yBZ9Ro0=",
+    "h1:nnWpjQjxyHqj057xymOndkH8s5xwzV5AqqzmbRSg4ZA=",
     "zh:0a853845b3dc567b86bef2c03ff2c1157c23752c0ce4394a494cb5ffb7394e59",
     "zh:134988a8b7ca76ae89c36fd515a06ae01a163a5fbbe17417d43c024900ad7453",
     "zh:1fce68832350b7f5790ff89333e534a7f2dfb71c41048a15fdf7a154b82dd5c0",
@@ -65,6 +68,7 @@ provider "registry.terraform.io/hashicorp/random" {
   version = "3.6.0"
   hashes = [
     "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=",
+    "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=",
     "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
     "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
     "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
@@ -84,6 +88,7 @@ provider "registry.terraform.io/hashicorp/tls" {
   version = "4.0.5"
   constraints = "4.0.5"
   hashes = [
+    "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=",
     "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=",
     "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e",
     "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32",
@@ -104,6 +109,7 @@ provider "registry.terraform.io/vancluever/acme" {
   version = "2.19.0"
   constraints = "2.19.0"
   hashes = [
+    "h1:KYVcGnKzrS3NqhTeh+YqhETukbZMnjdBcFUz47aRUv0=",
     "h1:up+gI3vTyo/jrqODp7L3/r+1WT1RcHF2iTHKeL4c5x0=",
     "zh:0362a3cd06e5180387f68f6a2b354014057b3efe3c032614654f6303e9295ce9",
     "zh:1fca8dd9711f2ac7c62d84e96bd08a365bd33de1c3329c35fda8e57590e0305b",
diff --git a/main.tf b/main.tf
index 2e0bec7..9c986cf 100644
--- a/main.tf
+++ b/main.tf
@@ -158,6 +158,7 @@ module "ilmo" {
   dns_resource_group_name = module.dns_prod.resource_group_name
   root_zone_name = module.dns_prod.root_zone_name
   subdomain = "ilmo"
+  acme_account_key = module.common.acme_account_key
   dkim_selector = "mg"
   dkim_key = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQYrVWefo+vOByb07hseOTt1Ryu47Yt5odumYka5JiEt1p/FHl/ZeeY8gehxV0Dv4PIWM91htY2JY2UZguGYFODzqq9Y9AeKjWpq1dyFKiM8nlrI6GRin0kY7SRLeSgpcVFuwNLiT74Wqy477Geq+l5/Stwho23kHu/pXiQuVUMwIDAQAB"
diff --git a/modules/ilmo/dns.tf b/modules/ilmo/dns.tf
index ba0019b..f5ee913 100644
--- a/modules/ilmo/dns.tf
+++ b/modules/ilmo/dns.tf
@@ -50,3 +50,24 @@ resource "azurerm_dns_txt_record" "ilmo_dmarc" {
     value = "v=DMARC1;p=none;sp=none;rua=mailto:dmarc@tietokilta.fi!10m;ruf=mailto:dmarc@tietokilta.fi!10m"
   }
 }
+
+# A record for the web app
+resource "azurerm_dns_a_record" "ilmo_a" {
+  name = var.subdomain
+  resource_group_name = var.dns_resource_group_name
+  zone_name = var.root_zone_name
+  ttl = 300
+  records = data.dns_a_record_set.ilmo_dns_fetch.addrs
+}
+
+# Azure verification key
+resource "azurerm_dns_txt_record" "ilmo_asuid" {
+  name = "asuid.${var.subdomain}"
+  resource_group_name = var.dns_resource_group_name
+  zone_name = var.root_zone_name
+  ttl = 300
+
+  record {
+    value = azurerm_linux_web_app.ilmo_backend.custom_domain_verification_id
+  }
+}
diff --git a/modules/ilmo/main.tf b/modules/ilmo/main.tf
index d5276bc..40651d3 100644
--- a/modules/ilmo/main.tf
+++ b/modules/ilmo/main.tf
@@ -1,3 +1,12 @@
+terraform {
+  required_providers {
+    acme = {
+      source = "vancluever/acme"
+      version = "2.19.0"
+    }
+  }
+}
+
 locals {
   db_name = "${var.env_name}_ilmo_db"
   fqdn = "${var.subdomain}.${var.root_zone_name}"
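Review bot: The `records` of `azurerm_dns_a_record.ilmo_a` are whatever `data.dns_a_record_set.ilmo_dns_fetch` resolved `default_hostname` to at plan time, so if the App Service's inbound address changes the A record keeps pointing at the old IP until somebody happens to re-apply. For a subdomain, an `azurerm_dns_cname_record` whose `record` is `azurerm_linux_web_app.ilmo_backend.default_hostname` tracks the address by itself and, as far as I can tell, still passes the `asuid` TXT verification added below. If the A record is intentional, a comment saying why and noting that a re-apply is what refreshes it would save the next reader the same question.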
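Review bot: The module pins the `acme` provider to an exact `version = "2.19.0"` while the root's `.terraform.lock.hcl` already pins that same release, so every provider upgrade now needs two coordinated edits. A module normally declares a compatibility range such as `version = "~> 2.19"` and leaves the exact pin to the root configuration and the lock file. The `locals` block that follows continues outside the hunk.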
@@ -76,3 +85,57 @@ resource "azurerm_linux_web_app" "ilmo_backend" {
     ]
   }
 }
+
+
+resource "azurerm_app_service_custom_hostname_binding" "ilmo_hostname_binding" {
+  hostname = local.fqdn
+  app_service_name = azurerm_linux_web_app.ilmo_backend.name
+  resource_group_name = var.resource_group_name
+
+  # Deletion may need manual work.
+  # https://github.com/hashicorp/terraform-provider-azurerm/issues/11231
+  # TODO: Add dependencies for creation
+  depends_on = [
+    azurerm_dns_a_record.ilmo_a,
+    azurerm_dns_txt_record.ilmo_asuid
+  ]
+}
+resource "random_password" "ilmo_cert_password" {
+  length = 48
+  special = false
+}
+
+resource "acme_certificate" "ilmo_acme_cert" {
+  account_key_pem = var.acme_account_key
+  common_name = local.fqdn
+  key_type = "2048" # RSA
+  certificate_p12_password = random_password.ilmo_cert_password.result
+
+  dns_challenge {
+    provider = "azure"
+    config = {
+      AZURE_RESOURCE_GROUP = var.dns_resource_group_name
+      AZURE_ZONE_NAME = var.root_zone_name
+    }
+  }
+}
+
+resource "azurerm_app_service_certificate" "ilmo_cert" {
+  name = "tik-ilmo-cert-${terraform.workspace}"
+  resource_group_name = var.resource_group_name
+  location = var.resource_group_location
+  pfx_blob = acme_certificate.ilmo_acme_cert.certificate_p12
+  password = acme_certificate.ilmo_acme_cert.certificate_p12_password
+}
+
+resource "azurerm_app_service_certificate_binding" "ilmo_cert_binding" {
+  certificate_id = azurerm_app_service_certificate.ilmo_cert.id
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.ilmo_hostname_binding.id
+  ssl_state = "SniEnabled"
+}
+
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/14642#issuecomment-1084728235
+# Currently, the azurerm provider doesn't give us the IP address, so we need to fetch it ourselves.
+data "dns_a_record_set" "ilmo_dns_fetch" {
+  host = azurerm_linux_web_app.ilmo_backend.default_hostname
+}
diff --git a/modules/ilmo/variables.tf b/modules/ilmo/variables.tf
index 384a534..9d8b2ef 100644
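Review bot: `acme_certificate.ilmo_acme_cert` is only re-issued when a `terraform apply` runs while fewer than `min_days_remaining` days (provider default 30) are left on the certificate, so with nothing scheduling applies the binding will eventually serve an expired certificate; either document that an apply must run at least monthly or set `min_days_remaining` explicitly with a comment that names the schedule. The issued private key and the P12 blob are also persisted in Terraform state via `acme_certificate` and `azurerm_app_service_certificate.pfx_blob`, so whoever can read the state backend holds the certificate key — worth a one-line comment on the resource so the state-access policy is reviewed with it. Separately, `# TODO: Add dependencies for creation` contradicts the `depends_on` directly beneath it, which already lists the A and TXT records; either drop the TODO or say which dependency is still missing. `key_type = "2048"` is the smallest RSA size the provider accepts, acceptable today but worth a comment on why it was chosen over an EC key.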
--- a/modules/ilmo/variables.tf
+++ b/modules/ilmo/variables.tf
@@ -76,3 +76,7 @@ variable "tikweb_rg_name" {
 variable "tikweb_rg_location" {
   type = string
 }
+
+variable "acme_account_key" {
+  type = string
+}
\ No newline at end of file
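Review bot: `acme_account_key` carries the ACME account's private key in PEM form, but the new variable is declared with only `type = string`, so its value is echoed in plan and apply output wherever it is interpolated. It should be declared `sensitive = true` and given a description, e.g. `description = "ACME account private key (PEM) used to issue the ilmo certificate"`. The file also ends without a trailing newline, which the diff flags.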