diff --git a/.env.example b/.env.example
index e60f9ae20..1b7383a91 100644
--- a/.env.example
+++ b/.env.example
@@ -17,18 +17,16 @@ SECRET_KEY=change_me
 
 # Certificates
 # TLS certificate filename from within the `nginx` container.
-# When empty, the default self-signed certificate is used.
 # For usage with Let's Encrypt certificate, use as:
 # QFIELDCLOUD_TLS_CERT="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/fullchain.pem"
-# DEFAULT: ""
-QFIELDCLOUD_TLS_CERT=""
+# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"
+QFIELDCLOUD_TLS_CERT="/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"
 
 # TLS private key filename from within the `nginx` container.
-# When empty, the default self-signed certificate is used.
 # For usage with Let's Encrypt certificate, use as:
 # QFIELDCLOUD_TLS_KEY="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/privkey.pem"
-# DEFAULT: ""
-QFIELDCLOUD_TLS_KEY=""
+# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"
+QFIELDCLOUD_TLS_KEY="/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"
 
 # TLS DF parameters filename from within the `nginx` container.
 # When empty, no DF parameters are used.
diff --git a/.gitignore b/.gitignore
index 334593b45..dca016e32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,9 +8,11 @@ __pycache__/
 .env
 docker-compose.override.yml
 client/projects
-docker-nginx/certs/*
-docker-nginx/dhparams/*.pem
+conf/mkcert/*
 conf/certbot/*
+conf/nginx/certs/*.pem
+conf/nginx/config.d/*.conf
+conf/nginx/dhparams/*.pem
 Pipfile*
 **/site-packages
 docker-qgis/libqfieldsync
diff --git a/README.md b/README.md
index eed9b774a..e8ff660e1 100644
--- a/README.md
+++ b/README.md
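Review bot: The new default `/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem` only resolves to a real file when QFIELDCLOUD_HOST is a single host, while the mkcert service in docker-compose.yml splits that same variable on commas and writes one `<host>.pem`/`<host>-key.pem` pair per entry, so a comma-separated value produces a path no service ever creates; the `QFIELDCLOUD_TLS_KEY` default further down the hunk has the same problem. The removed sentence "When empty, the default self-signed certificate is used" is not replaced by any statement of what an empty value now means, and since these paths feed nginx's certificate directives an empty value is presumably a startup failure rather than a fallback. I would add above the variable: `# Must name an existing file under ./conf/nginx/certs (mkcert writes <host>.pem and <host>-key.pem per comma-separated host); leaving it empty no longer selects a default certificate.` Whether `${QFIELDCLOUD_HOST}` is expanded inside `.env` depends on the compose version in use, which is worth confirming too.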
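Review bot: `conf/nginx/certs/*.pem` only ignores files with that extension, yet the new `conf/nginx/certs/README.md` invites users to drop their own certificates there, so a private key saved as `.key`, `.crt` or `.pfx` would be committed; the replaced rule `docker-nginx/certs/*` ignored everything in the directory. I would ignore the whole directory and re-include only the README: `conf/nginx/certs/*` followed by `!conf/nginx/certs/README.md`. The added `conf/mkcert/*` entry does not match any path written by the services in this diff, so it is either a leftover or a separate mkcert CA directory was intended; if the latter, the mkcert volume in docker-compose.yml still points at `conf/nginx/certs/`.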
@@ -220,11 +220,13 @@ Note if you run tests using the `docker-compose.test.yml` configuration, the `ap
 
 ## Add root certificate
 
-QFieldCloud will automatically generate a certificate and it's root certificate in `./docker-nginx/certs`. However, you need to trust the root certificate first, so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
+QFieldCloud will automatically generate a certificate and its root certificate in `./conf/nginx/certs`.
+However, you need to trust the root certificate first,
+so other programs (e.g. curl) can create secure connection to the local QFieldCloud instance.
 
 On Debian/Ubuntu, copy the root certificate to the directory with trusted certificates. Note the extension has been changed to `.crt`:
 
- sudo cp ./docker-nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
+ sudo cp ./conf/nginx/certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
 
 Trust the newly added certificate:
 
@@ -305,14 +307,13 @@ To use this Let's Encrypt certificate within QFieldCloud you just need to uncomm
 
 QFIELDCLOUD_TLS_CERT=/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/fullchain.pem
 QFIELDCLOUD_TLS_KEY=/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/privkey.pem
- QFIELDCLOUD_TLS_DHPARAMS=/etc/nginx/dhparams/dhparams4096.pem
 
-You can also use your own certificates by placing them in `conf/nginx/certs/` ànd changing `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` accordingly.
+You can also use your own certificates by placing them in `conf/nginx/certs/` and changing `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` accordingly.
 Don't forget to create your Diffie-Hellman parameters.
 
 ### Additional NGINX config
 
-You can add additional config to nginx placing files in `conf/nginx/config` ending with `.conf`. They will be included in the main `nginx.conf`.
+You can add additional config to nginx placing files in `conf/nginx/config.d/` ending with `.conf`. They will be included in the main `nginx.conf`.
 
 ## Infrastructure
 
diff --git a/conf/nginx/certs/README.md b/conf/nginx/certs/README.md
new file mode 100644
index 000000000..4ebae0522
--- /dev/null
+++ b/conf/nginx/certs/README.md
@@ -0,0 +1,6 @@
+This directory will contain the self-signed certificates automatically created by `mkcert`.
+
+You can also place your custom certificates.
+
+To make use of the any of the certificates in this directory, make sure you adjust the values of `QFIELDCLOUD_TLS_CERT` and `QFIELDCLOUD_TLS_KEY` environment variables.
+This directory is accessible in the `nginx` container at `/etc/nginx/certs/`.
diff --git a/docker-nginx/dhparams/ssl-dhparams.pem b/conf/nginx/dhparams/ssl-dhparams.pem
similarity index 100%
rename from docker-nginx/dhparams/ssl-dhparams.pem
rename to conf/nginx/dhparams/ssl-dhparams.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index eaa536a26..8b12d1996 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -92,10 +92,10 @@ services:
 context: ./docker-nginx
 restart: unless-stopped
 volumes:
- - ./docker-nginx/certs/:/etc/nginx/certs/:ro
- - ./docker-nginx/dhparams:/etc/nginx/dhparams/:ro
 - ./conf/certbot/conf:/etc/letsencrypt:ro
- - ./conf/nginx/config:/etc/nginx/config/:ro
+ - ./conf/nginx/certs/:/etc/nginx/certs/:ro
+ - ./conf/nginx/config.d:/etc/nginx/config.d/:ro
+ - ./conf/nginx/dhparams:/etc/nginx/dhparams/:ro
 - certbot_www:/var/www/certbot
 ports:
 - ${WEB_HTTP_PORT}:80
@@ -117,12 +117,13 @@ services:
 max-file: "10"
 tag: "{{.ImageName}}|{{.Name}}|{{.ImageFullID}}|{{.FullID}}"
 
+ # Automatically create self-signed certificates for local development and test deployments
 mkcert:
 image: vishnunair/docker-mkcert
 environment:
 domain: ${QFIELDCLOUD_HOST}
 volumes:
- - ./docker-nginx/certs/:/root/.local/share/mkcert/
+ - ./conf/nginx/certs/:/root/.local/share/mkcert/
 command: /bin/sh -c 'mkcert -install && for i in $$(echo $$domain | sed "s/,/ /g"); do [ ! -f /root/.local/share/mkcert/$$i.pem ] && mkcert $$i; done && tail -f -n0 /etc/hosts'
 
 certbot:
diff --git a/docker-nginx/Dockerfile b/docker-nginx/Dockerfile
index 470ab8e0c..71f399688 100644
--- a/docker-nginx/Dockerfile
+++ b/docker-nginx/Dockerfile
@@ -4,4 +4,5 @@ COPY pages /var/www/html/pages/
 COPY templates/ /etc/nginx/templates/
 COPY options-ssl-nginx.conf /etc/nginx/options-ssl-nginx.conf
 COPY 99-autoreload.sh /docker-entrypoint.d/99-autoreload.sh
-CMD chmod +x /docker-entrypoint.d/99-autoreload.sh
+
+RUN chmod 755 /docker-entrypoint.d/99-autoreload.sh
diff --git a/docker-nginx/templates/default.conf.template b/docker-nginx/templates/default.conf.template
index 7b61d697f..f06004b74 100644
--- a/docker-nginx/templates/default.conf.template
+++ b/docker-nginx/templates/default.conf.template
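Review bot: With these volumes `./conf/nginx/certs/` is simultaneously mkcert's CA directory (the mkcert service mounts it at `/root/.local/share/mkcert/`, where `mkcert -install` writes `rootCA.pem` and `rootCA-key.pem`) and the directory mounted read-only into the nginx container, so the private key of a CA that the README tells developers to trust system-wide becomes readable from inside nginx, and anyone who can read that host directory can issue certificates that machine trusts. Keep the CA material out of the nginx mount: give mkcert its own directory for the CA (the new `conf/mkcert/*` ignore rule in .gitignore looks like that was the intent) and expose only the leaf certificate and key here, for example by mounting `./conf/mkcert/:/root/.local/share/mkcert/` in the mkcert service and having it place the leaf files in `conf/nginx/certs/` via mkcert's `-cert-file`/`-key-file` options. The `:ro` flags on the new nginx entries are right and should stay.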
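Review bot: The `command` line kept as context ends each loop iteration with `[ ! -f … ] && mkcert $$i`, so when the last host's certificate already exists the `for` loop's exit status is 1 and the trailing `&& tail -f -n0 /etc/hosts` is skipped; on every run after the first the container exits immediately unless restart handling outside the hunk masks it. This hunk only re-points the volume, so the behaviour is pre-existing, but it is worth fixing while the service is being touched: `for i in $$(echo $$domain | sed "s/,/ /g"); do if [ ! -f "/root/.local/share/mkcert/$$i.pem" ]; then mkcert "$$i"; fi; done && tail -f -n0 /etc/hosts`. The new comment above `mkcert:` is welcome; I would extend it with where the output lands, `# writes <host>.pem and <host>-key.pem into ./conf/nginx/certs`.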
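Review bot: `RUN chmod 755` after a plain `COPY` adds an image layer only to fix the file mode; when the image is built with BuildKit, `COPY --chmod=755 99-autoreload.sh /docker-entrypoint.d/99-autoreload.sh` replaces both lines, and otherwise the current form is the correct one. Replacing the old `CMD chmod +x …`, which would have overridden the base image's start command so nginx never ran, is the right fix and deserves a one-line comment so it is not reintroduced: `# entrypoint.d scripts must be executable; set the mode at build time, never via CMD`.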
@@ -80,8 +80,8 @@ server {
 return 444;
 }
 
- # included additional config
- include config/*.conf;
+ # include additional config from the current QFieldCloud instance. This is different from the default `conf.d` directory.
+ include config.d/*.conf;
 
 # deny annoying bot
 deny 34.215.13.216;
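Review bot: The new `include config.d/*.conf;` appears to sit inside the `server {}` block named in the hunk header, so drop-in files may only contain server-context directives and are parsed with the same authority as the template itself; the README in this change describes them as "included in the main `nginx.conf`", which will mislead anyone adding `http`-level directives. I would replace the long new comment with one that states the scope: `# Instance-specific drop-ins mounted from ./conf/nginx/config.d; included inside this server block, so only server-context directives are valid.` The neighbouring hard-coded `deny 34.215.13.216;` is a natural candidate for such a drop-in rather than the shared template, though that is outside this change.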