diff --git a/deploy/certificates/.gitignore b/deploy/certificates/.gitignore
new file mode 100644
index 000000000..bddb2cc22
--- /dev/null
+++ b/deploy/certificates/.gitignore
@@ -0,0 +1,4 @@
+*.key
+*.pem
+*.pfx
+*.txt
diff --git a/deploy/certificates/README.md b/deploy/certificates/README.md
new file mode 100644
index 000000000..44416bb0c
--- /dev/null
+++ b/deploy/certificates/README.md
@@ -0,0 +1,34 @@
+# Dev certificates for Docker
+1. Create a self-signed certificate
+2. Install certificates
+3. Configure the services
+## 1 - Create the self-signed certificate (`.pem + .key`) and its `.pfx` file
+**From WSL**, run the `create-docker-certificate.sh` script with a strong password for the certificate.
+```bash
+./create-docker-certificate.sh "secure-COMPLEX-and-SECRET-password"
+```
+The script creates a certificate for both `host.docker.internal` and `localhost`.
+### 2 - Install the certificates
+Run the `install-docker-certificate.ps1` with the same password you used above:
+```powershell
+.\install-docker-certificate.ps1 "secure-COMPLEX-and-SECRET-password"
+```
+The above script:
+1. Imports the certificate in the current user root CA store.
+2. Copies the certificate files to the `%USERPROFILE%\.aspnet\https` folder. Servers will serve the certificate from this folder.
+3. Copies the `.pem` file as `.crt` to the src\certificates folder to add it as a root CA when building the images for some services.
+### 3 - Configure some services to serve the certificates
+1. Copy the `src\docker-compose.certificates.sample.yaml` file as `src\docker-compose.certificates.yaml`
+2. Configure the password you assigned to the certificates in the settings `ASPNETCORE_Kestrel__Certificates__Default__Password`
diff --git a/deploy/certificates/create-docker-certificate.sh b/deploy/certificates/create-docker-certificate.sh
index f29edc1ce..93cf93239 100644
--- a/deploy/certificates/create-docker-certificate.sh
+++ b/deploy/certificates/create-docker-certificate.sh
@@ -5,10 +5,10 @@ openssl req \
 -out docker-self-signed.pem \
 -keyout docker-self-signed.key \
 -newkey rsa:2048 -nodes -sha256 \
- -subj '/CN=localhost' \
+ -subj '/CN=host.docker.internal' \
 -extensions EXT \
 -config <( \
- printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:localhost,DNS.2:host.docker.internal'\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
+ printf "[dn]\nCN=host.docker.internal\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName='DNS.1:host.docker.internal,DNS.2:localhost'\nkeyUsage=digitalSignature,keyCertSign\nextendedKeyUsage=serverAuth")
 echo "printing text version..."
 openssl x509 -in docker-self-signed.pem -text -noout > docker-self-signed.txt
diff --git a/deploy/certificates/import-certificate.ps1 b/deploy/certificates/import-certificate.ps1
deleted file mode 100644
index c9f1a5013..000000000
--- a/deploy/certificates/import-certificate.ps1
+++ /dev/null
@@ -1,8 +0,0 @@
-param (
- [Parameter(Mandatory = $true)]
- [string]$Password
-)
-
-$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
-
-Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
diff --git a/deploy/certificates/install-docker-certificate.ps1 b/deploy/certificates/install-docker-certificate.ps1
new file mode 100644
index 000000000..64960fff2
--- /dev/null
+++ b/deploy/certificates/install-docker-certificate.ps1
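Review bot: Adding `keyCertSign` to the `[EXT]` keyUsage turns the single self-signed key this script produces into a certificate-issuing key, and that same key is what the new install script copies into `~/.aspnet/https`, the sample compose file mounts into every service as `/https`, and the Windows Root store receives as a trust anchor, so anything able to read that folder or a container's `/https` mount can issue certificates for arbitrary names that the developer's host and the rebuilt images will trust. The flag is presumably there because OpenSSL-based clients reject a self-signed issuer whose keyUsage lacks it, so rather than reverting, split the roles: generate a separate CA key/cert on the host with `basicConstraints=critical,CA:TRUE` and `keyUsage=critical,keyCertSign,cRLSign`, install only that public certificate as the trust anchor, and have this `openssl req` produce the `host.docker.internal`/`localhost` server cert signed by the CA with `keyUsage=digitalSignature,keyEncipherment` and `basicConstraints=CA:FALSE`, so only the leaf key is ever distributed. As written the extension set carries no `basicConstraints` at all, which strict validators may refuse for a certificate asserting keyCertSign. The `openssl req \` command begins on the line before this hunk, and the `.pfx` export and password handling that the README describes are outside it.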
@@ -0,0 +1,17 @@
+param (
+ [Parameter(Mandatory = $true)]
+ [string]$Password
+)
+
+# Import into current user root CA store
+$CertPassword = ConvertTo-SecureString -String "$Password" -Force -AsPlainText
+Import-PfxCertificate -Exportable -FilePath .\docker-self-signed.pfx -CertStoreLocation Cert:\CurrentUser\Root\ -Password $CertPassword
+
+# Copy to user profile to use as HTTPS certificate in server containers
+mkdir $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pem $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.key $env:USERPROFILE\.aspnet\https -Force
+Copy-Item docker-self-signed.pfx $env:USERPROFILE\.aspnet\https -Force
+
+# Copy to src folder to register as a root CA in client containers
+Copy-Item docker-self-signed.pem ..\..\src\certificates -Force
diff --git a/deploy/certificates/media/root-ca-import-warning.png b/deploy/certificates/media/root-ca-import-warning.png
deleted file mode 100644
index 23fc2140b..000000000
Binary files a/deploy/certificates/media/root-ca-import-warning.png and /dev/null differ
diff --git a/src/.gitignore b/src/.gitignore
new file mode 100644
index 000000000..fa69a6ea0
--- /dev/null
+++ b/src/.gitignore
@@ -0,0 +1 @@
+certificates
diff --git a/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile b/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
index 037105cb4..cb366bc2b 100644
--- a/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
+++ b/src/ApiGateways/Web.Bff.Shopping/aggregator/Dockerfile
@@ -1,5 +1,7 @@
 FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
-WORKDIR /app
+WORKDIR /usr/local/share/ca-certificates
+COPY "certificates/docker-self-signed.crt" .
+RUN update-ca-certificates
 EXPOSE 80
 FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
diff --git a/src/Services/Identity/Identity.API/Configuration/Config.cs b/src/Services/Identity/Identity.API/Configuration/Config.cs
index 72599c322..04a9aa043 100644
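Review bot: `Copy-Item docker-self-signed.pem ..\..\src\certificates -Force` on the last line keeps the `.pem` name, but both Dockerfiles in this commit `COPY "certificates/docker-self-signed.crt"` and Debian's `update-ca-certificates` only processes `*.crt`, so the image builds fail; on a fresh clone `src\certificates` is also gitignored and absent, in which case `Copy-Item` writes a file literally named `certificates`. Replace it with `New-Item -ItemType Directory -Force ..\..\src\certificates | Out-Null` followed by `Copy-Item docker-self-signed.pem ..\..\src\certificates\docker-self-signed.crt -Force`, which is what the README already describes. Separately, `Import-PfxCertificate -Exportable ... -CertStoreLocation Cert:\CurrentUser\Root\` installs the private key, marked exportable, into the user's trusted-root store when a trust anchor only needs the public half; `Import-Certificate -FilePath .\docker-self-signed.pem -CertStoreLocation Cert:\CurrentUser\Root\` is sufficient, and the `Copy-Item docker-self-signed.key` line can go because Kestrel is pointed at the `.pfx`. `[string]$Password` also leaves the PFX password in the process command line and PowerShell history; accepting a `[SecureString]` (or prompting with `Read-Host -AsSecureString` when it is omitted) avoids the plaintext `ConvertTo-SecureString -AsPlainText` round-trip.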
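Review bot: Swapping `WORKDIR /app` for `WORKDIR /usr/local/share/ca-certificates` changes the working directory inherited by every later stage built `FROM base`; the final stage is outside this hunk, but if it relies on base for `/app` the aggregator now runs out of the CA directory. Keep `WORKDIR /app` and give the copy an explicit destination instead: `COPY "certificates/docker-self-signed.crt" /usr/local/share/ca-certificates/` then `RUN update-ca-certificates`. The `COPY` also makes every build of this image fail unless the gitignored `certificates/docker-self-signed.crt` exists in the build context, and it bakes a developer self-signed certificate, whose private key this commit spreads into `~/.aspnet/https` on each dev machine, into the trust store of any image produced from this Dockerfile, dev or not; a build arg or a dedicated dev stage guarding the trust-anchor step would keep it out of images shipped elsewhere.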
--- a/src/Services/Identity/Identity.API/Configuration/Config.cs
+++ b/src/Services/Identity/Identity.API/Configuration/Config.cs
@@ -41,7 +41,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
 // JavaScript Client
 new Client
 {
- ClientId = "spa",
+ ClientId = "js",
 ClientName = "eShop SPA OpenId Client",
 AllowedGrantTypes = GrantTypes.Implicit,
 AllowAccessTokensViaBrowser = true,
diff --git a/src/Web/WebMVC/Dockerfile b/src/Web/WebMVC/Dockerfile
index a21c9d9a7..74d4b72a8 100644
--- a/src/Web/WebMVC/Dockerfile
+++ b/src/Web/WebMVC/Dockerfile
@@ -1,5 +1,7 @@
 FROM mcr.microsoft.com/dotnet/core/aspnet:3.1 AS base
-WORKDIR /app
+WORKDIR /usr/local/share/ca-certificates
+COPY "certificates/docker-self-signed.crt" .
+RUN update-ca-certificates
 EXPOSE 80
 FROM mcr.microsoft.com/dotnet/core/sdk:3.1 AS build
diff --git a/src/docker-compose.certificates.sample.yaml b/src/docker-compose.certificates.sample.yaml
index b7d4af112..b667b2184 100644
--- a/src/docker-compose.certificates.sample.yaml
+++ b/src/docker-compose.certificates.sample.yaml
@@ -10,25 +10,25 @@ services: volumes: - ~/.aspnet/https:/https:ro ordering-api: + webstatus: environment: - - ASPNETCORE_URLS=https://+:443;http://+:80 + - ASPNETCORE_URLS=https://+:443 - ASPNETCORE_Kestrel__Certificates__Default__Password= - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx volumes: - ~/.aspnet/https:/https:ro - webstatus: + webmvc: environment: - - ASPNETCORE_URLS=https://+:443 + - ASPNETCORE_URLS=https://+:443;http://+:80 - ASPNETCORE_Kestrel__Certificates__Default__Password= - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx volumes: - ~/.aspnet/https:/https:ro - webmvc: + webspa: environment: - - ASPNETCORE_URLS=https://+:443 + - ASPNETCORE_URLS=https://+:443;http://+:80 - ASPNETCORE_Kestrel__Certificates__Default__Password= - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/docker-self-signed.pfx volumes: 
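Review bot: `WORKDIR /usr/local/share/ca-certificates` replaces `WORKDIR /app` in the `base` stage, so any later stage that inherits from `base` without resetting it (the final stage is not in this hunk, so I cannot confirm) would start the WebMVC app from the CA directory. The safer form keeps the original line and targets the copy explicitly: `COPY "certificates/docker-self-signed.crt" /usr/local/share/ca-certificates/` and `RUN update-ca-certificates` after `WORKDIR /app`. Because the copied file is gitignored, the build now hard-fails for anyone who has not run the certificate scripts, and the developer's self-signed cert becomes a trust anchor in every image built from this Dockerfile; guarding the step with a build arg or a dev-only stage would limit that to local development.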
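Review bot: `ASPNETCORE_Kestrel__Certificates__Default__Password=` is left for the developer to fill in after copying this sample to `docker-compose.certificates.yaml`, but nothing in this commit ignores that copy (`src/.gitignore` only lists `certificates`), so the PFX password lands in a trackable compose file unless it is excluded somewhere I cannot see. Use compose substitution, `- ASPNETCORE_Kestrel__Certificates__Default__Password=${ESHOP_CERT_PASSWORD}`, and keep the value in `.env` or the shell environment. `webmvc` and `webspa` also keep `http://+:80` alongside `https://+:443` while `webstatus` is HTTPS-only; if the plaintext listener is needed for existing port mappings, a comment saying so would help, otherwise it should be dropped so the browser-facing apps are not reachable over HTTP.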
diff --git a/src/docker-compose.override.yml b/src/docker-compose.override.yml
index f3475fc43..4ea826115 100644
--- a/src/docker-compose.override.yml
+++ b/src/docker-compose.override.yml
@@ -46,10 +46,10 @@ services:
 - XamarinCallback=https://${ESHOP_PROD_EXTERNAL_DNS_NAME_OR_IP}:5105/xamarincallback
 - ConnectionString=${ESHOP_AZURE_IDENTITY_DB:-Server=sqldata;Database=Microsoft.eShopOnContainers.Service.IdentityDb;User Id=sa;Password=Pass@word}
 - MvcClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5100
- - LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5109/locations-api
- - MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5110/marketing-api
- - BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5103/basket-api
- - OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5102/ordering-api
+ - LocationApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/locations-api
+ - MarketingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/marketing-api
+ - BasketApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/basket-api
+ - OrderingApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5202/ordering-api
 - MobileShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5120
 - WebShoppingAggClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5121
 - WebhooksApiClient=https://${ESHOP_EXTERNAL_DNS_NAME_OR_IP}:5113