diff --git a/README.md b/README.md index f7d3b3f..931a7ed 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,26 @@ After installation, `/etc/rockslide.toml` can be edited, at the very least a `ma It is highly recommended (though not necessary) to forward a wildcard DNS domain to the machine running `rockslide`, this documentation will use `*.rockslide.example.com` as a fictional instance of this. +### TLS support + +Right now, preliminary TLS support is available, albeit without automatic certificate renewal. + +### Creating a wildcard certificate manually with `uacme` + +The recommended way to create a wildcard certificate on a debian server is as follows (requires `uacme` to be installed): + +``` +mkdir /etc/uacme.d +uacme -v -d /etc/uacme.d +uacme -v -c /etc/uacme.d issue '*.rockslide.example.com' +``` + +`uacme` will output a string of the form `challenge=dns-01 ident=rockslide.example.com token=... key_auth=XXX` + +A `TXT` entry resolving `_acme_challenge.rockslide.example.com` to `XXX` must be created in your DNS configuration. You can verify it has propagated by running `dig +short -t txt _acme-challenge.rockslide.example.com`. + +Once the record shows up, enter `y` into `uacme`. A complete certificate bundle will be stored in `/etc/uacme.d/rockslide.example.com/cert.pem`, with the private key found in `/etc/uacme.d/private/rockslide.example.com/key.pem`. + ## Running containers With `podman` or `docker` installed on any local dev machine, we can pull an already existing "Hello, world" image, tag it and deploy it:
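Review bot: The DNS record name in the added `### Creating a wildcard certificate manually with `uacme`` section is wrong and contradicts the verification command two words later: the text says to create a `TXT` entry for `_acme_challenge.rockslide.example.com` (underscore) while the `dig` check queries `_acme-challenge.rockslide.example.com` (hyphen). The ACME dns-01 label is `_acme-challenge`; a record created under the underscore name will never be found by the CA and the `uacme` challenge will fail even though the `dig` line looks correct. Please change the prose to `_acme-challenge.rockslide.example.com`. In the same hunk, the second command `uacme -v -d /etc/uacme.d` does not match the third, which passes the config directory with `-c /etc/uacme.d` and names an action (`issue`); the account-creation step appears to be intended here, i.e. `uacme -v -c /etc/uacme.d new`, and as written the line will not do that. Finally, the `### TLS support` section stops at "preliminary TLS support is available": it should say which keys in `/etc/rockslide.toml` take the resulting `cert.pem` and `key.pem` paths (and that the key under `/etc/uacme.d/private/` must be readable by the user `rockslide` runs as), otherwise the reader has a certificate but no documented way to use it.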