# Enabling HTTPS Connections
Source: https://docs.chain.link/chainlink-nodes/resources/enabling-https-connections

> For the complete documentation index, see [llms.txt](/llms.txt).

This guide will walk you through how to generate your own self-signed certificates for use by the Chainlink node. You can also substitute self-signed certificates with certificates of your own, like those created by <a href="https://letsencrypt.org/" target="_blank">Let's Encrypt</a>.

> **TIP: TLS**
>
> You will need [OpenSSL](https://www.openssl.org) in order to generate your own self-signed certificates.

Create a directory `tls/` within your local Chainlink directory:

<Tabs client:visible>
  <Fragment slot="tab.1">Sepolia</Fragment>
  <Fragment slot="tab.2">Mainnet</Fragment>

  <Fragment slot="panel.1">
    ```text Sepolia
    mkdir ~/.chainlink-sepolia/tls
    ```
  </Fragment>

  <Fragment slot="panel.2">
    ```text Mainnet
    mkdir ~/.chainlink/tls
    ```
  </Fragment>
</Tabs>

Run this command to create a `server.crt` and `server.key` file in the previously created directory:

<Tabs client:visible>
  <Fragment slot="tab.1">Sepolia</Fragment>
  <Fragment slot="tab.2">Mainnet</Fragment>

  <Fragment slot="panel.1">
    ```shell Sepolia
    openssl req -x509 -out  ~/.chainlink-sepolia/tls/server.crt  -keyout ~/.chainlink-sepolia/tls/server.key \
      -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj '/CN=localhost' -extensions EXT -config <( \
       printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
    ```
  </Fragment>

  <Fragment slot="panel.2">
    ```shell Mainnet
    openssl req -x509 -out  ~/.chainlink/tls/server.crt  -keyout ~/.chainlink/tls/server.key \
      -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj '/CN=localhost' -extensions EXT -config <( \
       printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
    ```
  </Fragment>
</Tabs>

Next, add the `TLS_CERT_PATH` and `TLS_KEY_PATH` environment variables to your `.env` file.

```shell Shell
echo "TLS_CERT_PATH=/chainlink/tls/server.crt
TLS_KEY_PATH=/chainlink/tls/server.key" >> .env
```

If `CHAINLINK_TLS_PORT=0` is present in your `.env` file, remove it by running:

```shell Shell
sed -i '/CHAINLINK_TLS_PORT=0/d' .env
```

Also remove the line that disables `SECURE_COOKIES` by running:

```shell Shell
code": "sed -i '/SECURE_COOKIES=false/d' .env
```

Finally, update your run command to forward port 6689 to the container instead of 6688:

<Tabs client:visible>
  <Fragment slot="tab.1">Sepolia</Fragment>
  <Fragment slot="tab.2">Mainnet</Fragment>

  <Fragment slot="panel.1">
    ```shell Sepolia
    cd ~/.chainlink-sepolia && docker run -p 6689:6689 -v ~/.chainlink-sepolia:/chainlink -it
    --env-file=.env smartcontract/chainlink local n
    ```
  </Fragment>

  <Fragment slot="panel.2">
    ```shell Mainnet
    cd ~/.chainlink && docker run -p 6689:6689 -v ~/.chainlink:/chainlink -it --env-file=.env
    smartcontract/chainlink local n
    ```
  </Fragment>
</Tabs>

Now when running the node, you can access it by navigating to [https://localhost:6689](https://localhost:6689) if running on the same machine or with a ssh tunnel.