diff --git a/cicd/common.sh b/cicd/common.sh
index ec676593f..580deb87c 100644
--- a/cicd/common.sh
+++ b/cicd/common.sh
@@ -22,6 +22,15 @@ docker_extra_opts=""
 # lxdocker="ghcr.io/loxilb-io/loxilb:latestu22"
 #fi
+
+if [ ! -d loxilb.io ]; then
+ ../common/minica --domains loxilb.io
+ mkdir cert
+ cp minica.pem cert/rootCA.crt
+ cp loxilb.io/cert.pem cert/server.crt
+ cp loxilb.io/key.pem cert/server.key
+fi
+
 loxilbs=()
 ## Given a docker name(arg1), return its pid
@@ -118,7 +127,7 @@ spawn_docker_host() {
 get_llb_peerIP $dname
 docker exec -dt $dname /root/loxilb-io/loxilb/loxilb $bgp_opts $cluster_opts $ka_opts $extra_opts
 else
- docker run -u root --cap-add SYS_ADMIN --restart unless-stopped --privileged -dt $docker_extra_opts --entrypoint /bin/bash $bgp_conf -v /dev/log:/dev/log $loxilb_config --name $dname $lxdocker $bgp_opts
+ docker run -u root --cap-add SYS_ADMIN --restart unless-stopped --privileged -dt $docker_extra_opts --entrypoint /bin/bash $bgp_conf -v /dev/log:/dev/log -v `pwd`/cert:/opt/loxilb/cert/ $loxilb_config --name $dname $lxdocker $bgp_opts
 docker exec -dt $dname /root/loxilb-io/loxilb/loxilb $bgp_opts $cluster_opts $extra_opts
 fi
 elif [[ "$dtype" == "host" ]]; then
diff --git a/cicd/common/minica b/cicd/common/minica
new file mode 100755
index 000000000..a152b1664
Binary files /dev/null and b/cicd/common/minica differ
diff --git a/options/options.go b/options/options.go
index e139cec39..0dcfda75e 100644
--- a/options/options.go
+++ b/options/options.go
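Review bot: The certificate bootstrap added at the top of cicd/common.sh (hunk `@@ -22,6 +22,15 @@`) has no error handling: if `../common/minica` is absent or fails (the path is relative to whichever directory sources this file), `mkdir cert` and the three `cp` lines still run and the tests carry on without a usable certificate. I would write `../common/minica --domains loxilb.io || exit 1` and `mkdir -p cert`, since the guard tests for `loxilb.io` rather than `cert`, and a leftover `cert` directory makes a plain `mkdir` fail. The block also leaves a server private key (`loxilb.io/key.pem`, `cert/server.key`), and presumably the CA key next to `minica.pem`, in the working tree, so those paths should be covered by an ignore rule to keep them out of commits. Separately, `cicd/common/minica` arrives in this same commit as an executable binary that cannot be reviewed; recording its upstream version and checksum, or building it from source in CI, would make its provenance checkable.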
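Review bot: The bind mount added to the `docker run` line of spawn_docker_host (hunk `@@ -118,7 +127,7 @@`) is writable and is built from an unquoted backtick `pwd` substitution, while the container runs as root with `--privileged`. The mounted directory holds `server.key` and `rootCA.crt`; if the container only reads them, `-v "$(pwd)/cert:/opt/loxilb/cert/:ro"` keeps it from altering the host copies and also survives a working directory containing spaces. `pwd` is evaluated when the container is spawned, whereas `cert` is created when common.sh is sourced; if the two directories differ, Docker creates an empty `cert` directory on the host and the TLS listener finds no certificate, so a check such as `[ -f cert/server.crt ] || exit 1` before `docker run` would surface that early. Only this `else` branch is visible in the hunk; other `docker run` invocations in the function may need the same mount.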
@@ -13,7 +13,7 @@ var Opts struct {
 Host string `long:"host" description:"the IP to listen on" default:"0.0.0.0" env:"HOST"`
 Port int `long:"port" description:"the port to listen on for insecure connections" default:"11111" env:"PORT"`
 TLS bool `long:"tls" description:"enable TLS " env:"TLS"`
- TLSHost string `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"`
+ TLSHost string `long:"tls-host" description:"the IP to listen on for tls" default:"0.0.0.0" env:"TLS_HOST"`
 TLSPort int `long:"tls-port" description:"the port to listen on for secure connections" default:"8091" env:"TLS_PORT"`
 TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" default:"/opt/loxilb/cert/server.crt" env:"TLS_CERTIFICATE"`
 TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections" default:"/opt/loxilb/cert/server.key" env:"TLS_PRIVATE_KEY"`
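Review bot: Giving `TLSHost` a default of `0.0.0.0` means the TLS listener no longer follows `--host`, which the removed description text promised ("when not specified it's the same as --host"). If the server code outside this hunk falls back to `Host` only when `TLSHost` is empty, a deployment that restricts the API with a narrower `--host` value would still expose the TLS port on every interface once `--tls` is enabled. Either keep the fallback by dropping the new default, or state the change in the option text, e.g. `description:"the IP to listen on for tls (independent of --host, defaults to all interfaces)"`. The `Opts` struct continues past the end of the hunk.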