diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c6a7b77..57fa91a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -183,6 +183,7 @@ deploy-staging:
     - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR} && npm ci --prefer-offline"
     - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/frontend && npm ci --prefer-offline"
     - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/backend && node migrations/run-all.js"
+    - ssh ${STAGING_USER}@${STAGING_HOST} "cd ${STAGING_DIR}/backend && test -f certs/cert.pem || (mkdir -p certs && openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj '/CN=cve-dashboard.local' 2>/dev/null)"
     - ssh ${STAGING_USER}@${STAGING_HOST} "systemctl restart cve-backend-staging || systemctl start cve-backend-staging || true"
     - echo "Staging deploy complete."
   after_script:
@@ -228,6 +229,7 @@ deploy-production:
     - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && npm ci --prefer-offline"
     - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/frontend && npm ci --prefer-offline"
     - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/backend && node migrations/run-all.js"
+    - ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/backend && test -f certs/cert.pem || (mkdir -p certs && openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj '/CN=cve-dashboard.local' 2>/dev/null)"
     - ssh ${PROD_USER}@${PROD_HOST} "test -f /etc/systemd/system/cve-backend.service || true"
     - ssh ${PROD_USER}@${PROD_HOST} "systemctl daemon-reload && systemctl enable cve-backend && systemctl restart cve-backend"
     - echo "Production deploy complete."