diff --git a/non_graf_installer/certificates/generate_mtls_certs.sh b/non_graf_installer/certificates/generate_mtls_certs.sh
new file mode 100644
index 0000000..223b6c7
--- /dev/null
+++ b/non_graf_installer/certificates/generate_mtls_certs.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -e
+
+# === 0. Preguntar por el hostname real ===
+read -rp "🖥️ Introduce el nombre DNS real del servidor (ej: opengnsys-server.local.es): " REAL_HOSTNAME
+
+if [[ -z "$REAL_HOSTNAME" ]]; then
+ echo "❌ El nombre del host no puede estar vacío"
+ exit 1
+fi
+
+BASE_DIR="mtls-certs"
+mkdir -p "$BASE_DIR/ca"
+
+# === 1. Crear CA si no existe ===
+if [ ! -f "$BASE_DIR/ca/ca.crt" ]; then
+ openssl genrsa -out "$BASE_DIR/ca/ca.key" 4096
+ openssl req -x509 -new -nodes -key "$BASE_DIR/ca/ca.key" -sha256 -days 3650 \
+ -out "$BASE_DIR/ca/ca.crt" \
+ -subj "/C=ES/ST=Madrid/L=Madrid/O=Opengnsys/OU=CA/CN=opengnsys-ca"
+fi
+
+# === 2. Servicios y puertos ===
+declare -A services=(
+ ["ogcore"]=8443
+ ["ogrepo"]=8006
+ ["ogboot"]=8081
+ ["ogdhcp"]=8082
+ ["ogagent"]=8000
+)
+
+# === 3. Crear certificados por servicio ===
+for service in "${!services[@]}"; do
+ port="${services[$service]}"
+ echo "🔧 Generando certificado para $service (puerto $port)..."
+
+ read -rp "🌐 Introduce la IP del servicio $service: " SERVICE_IP
+ if [[ -z "$SERVICE_IP" ]]; then
+ echo "❌ La IP no puede estar vacía"
+ exit 1
+ fi
+
+ DIR="$BASE_DIR/$service"
+ mkdir -p "$DIR"
+
+ openssl genrsa -out "$DIR/$service.key" 2048
+
+ openssl req -new -key "$DIR/$service.key" -out "$DIR/$service.csr" \
+ -subj "/C=ES/ST=Madrid/L=Madrid/O=Opengnsys/OU=$service/CN=$service.local"
+
+ # Archivo de extensión para SAN
+ cat > "$DIR/$service.ext" < "$CLIENT_DIR/cliente.ext" <