diff --git a/ct/alpine-step-ca.sh b/ct/alpine-step-ca.sh index e5f3aad7..c17affb5 100644 --- a/ct/alpine-step-ca.sh +++ b/ct/alpine-step-ca.sh @@ -16,7 +16,8 @@ var_version="3.20" var_unprivileged="0" # CA default values -DEFAULT_CA_NAME="HomeLab" +DEFAULT_CA_NAME="HomeLab CA" + # App Output & Base Settings @@ -54,7 +55,10 @@ function update_script() { function ca_settings() { + # Step 0: Announce whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "Configure Certificate Authority" "Now that we defined the container we need to configure the certificate authority." 8 58 + + # Basic - Step 1: Name of CA if CA_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of certificate authority" 8 58 "$DEFAULT_CA_NAME" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then if [ -z "$CA_NAME" ]; then CA_NAME="$DEFAULT_CA_NAME" 
@@ -63,36 +67,97 @@ function ca_settings() { exit fi + # Basic - Step 2: DNS entries of CA CA_DNS_ENTRIES=() DEFAULT_CA_DNS_ENTRY="${HN}.local" - if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then - if [ -z "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=("--dns=$DEFAULT_CA_DNS_ENTRY") - else - CA_DNS_ENTRIES+=("--dns=$CA_DNS_ENTRY") + + if CA_PRIMARY_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "$DEFAULT_CA_DNS_ENTRY" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_PRIMARY_DNS" ]; then + CA_PRIMARY_DNS=$DEFAULT_CA_DNS_ENTRY fi + CA_DNS_ENTRIES+=("--dns=$CA_PRIMARY_DNS") else exit fi while whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Do you want to add another DNS entry?" 10 72 ; do - if CA_DNS_ENTRY=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then - if [ -n "$CA_DNS_ENTRY" ]; then - CA_DNS_ENTRIES+=(" --dns=$CA_DNS_ENTRY") + if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "DNS entry of Certificate Authority" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$dns_entry" ]; then + CA_DNS_ENTRIES+=(" --dns=$dns_entry") fi fi done + # Basic - Step 3: X509 policy allow by DNS name + x509_policy_dns=() + while true; do + if dns_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by DNS. 
Use full ('domain.local') or wildcard ('*.local') DNS:" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$dns_entry" ]; then + x509_policy_dns+=("$(dns_entry)") + else + break + fi + else + exit + fi + done + + # Basic - Step 4: X509 policy allow by IP address/range + x509_policy_ips=() + while true; do + if ip_entry=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "[X509 Policy] Allowed by IP addresses. Use single address ('192.168.1.169' or '::1') or CIDR address ranges ('192.168.1.0/24' or '2001:0db8::/120'):" 8 58 "" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -n "$ip_entry" ]; then + x509_policy_ips+=("$(ip_entry)") + else + break + fi + else + exit + fi + done + + # ACME - Step 1: Should ACME be enabled? + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Configure Certificate Authority" --yesno "Enable ACME?" 10 58); then + CA_ACME="yes" + + # ACME - Step 2: Name of ACME provider + default_ca_acme_name="acme" + if CA_ACME_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Name of ACME provider" 8 58 "$default_ca_acme_name" --title "Configure Certificate Authority" 3>&1 1>&2 2>&3); then + if [ -z "$CA_ACME_NAME" ]; then + CA_ACME_NAME="$default_ca_acme_name" + fi + else + exit + fi + + else + CA_ACME="no" + fi + if [ "$VERBOSE" = "yes" ]; then echo -e "${DEFAULT}${BOLD}${DGN}Name of CA: ${BGN}$CA_NAME${CL}" echo -e "${DEFAULT}${BOLD}${DGN}DNS entries of CA:${CL}" for DNS_ENTRY in ${CA_DNS_ENTRIES[*]}; do - echo -e "- $DNS_ENTRY" + echo -e " - $DNS_ENTRY" done + echo -e "${DEFAULT}${BOLD}${DGN}X509 Policy - allow:{CL}" + echo -e " - DNS entries: ${x509_policy_dns[*]}" + echo -e " - IP addresses: ${x509_policy_ips[*]}" + + echo -e "${DEFAULT}${BOLD}${DGN}Enable ACME: ${BGN}$CA_ACME${CL}" + if [ "${CA_ACME}" = "yes" ]; then + echo -e " - Name of provider: ${CA_ACME_NAME}" + echo -e " - Allowed domains: " + fi fi export CA_NAME - export 
CA_DNS=${CA_DNS_ENTRIES[*]}; + export CA_PRIMARY_DNS + export CA_DNS=${CA_DNS_ENTRIES[*]} + export CA_X509_POLICY_DNS=${x509_policy_dns[*]} + export CA_X509_POLICY_IPS=${x509_policy_ips[*]} + export CA_ACME + export CA_ACME_NAME } start @@ -102,3 +167,6 @@ description msg_ok "Completed Successfully!\n" echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" +if [ "${CA_ACME}" = "yes" ]; then + echo -e " ACME should be reachable at URL: https://${CA_PRIMARY_DNS}/acme/{$CA_ACME_NAME}/directory" +fi diff --git a/install/alpine-step-ca-install.sh b/install/alpine-step-ca-install.sh index d3bc5307..a37aa056 100644 --- a/install/alpine-step-ca-install.sh +++ b/install/alpine-step-ca-install.sh @@ -27,6 +27,10 @@ $STD export STEPPATH=/etc/step-ca if [ "$VERBOSE" = "yes" ]; then env #Display environment details fi + +x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n')) +x509_policy_ips=($(echo "${CA_X509_POLICY_IPS}" | tr ' ' '\n')) + msg_ok "Environment prepared" msg_info "Installing Alpine Step-CA" 
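Review bot: `x509_policy_dns+=("$(dns_entry)")` and `x509_policy_ips+=("$(ip_entry)")` in the Step 3 and Step 4 loops are command substitutions, so they try to run a command named `dns_entry`/`ip_entry` and append its (empty) output instead of the value the user typed; they should read `x509_policy_dns+=("$dns_entry")` and `x509_policy_ips+=("$ip_entry")`. As written every value exported through `CA_X509_POLICY_DNS`/`CA_X509_POLICY_IPS` is empty, so the allow-list the installer applies ends up empty, a silently failed control rather than a safe default. In the verbose block `"...X509 Policy - allow:{CL}"` is missing the `$` before `{CL}`, so the literal text is printed and the colour is never reset. The arrays are also exported as space-joined scalars, so an entry containing whitespace cannot round-trip; since whiptail input is free text, trimming or rejecting whitespace before appending would be worth it. ca_settings opens outside this hunk.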
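Review bot: The ACME directory URL on the new echo line puts the brace before the `$`, `/acme/{$CA_ACME_NAME}/directory`, so the printed URL contains a literal `{` and `}` around the provisioner name; it should be `echo -e " ACME should be reachable at URL: https://${CA_PRIMARY_DNS}/acme/${CA_ACME_NAME}/directory"`. The URL also assumes the `:443` listen address chosen in the install script, so a short comment naming that dependency would keep the two files from drifting apart.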
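Review bot: `x509_policy_dns=($(echo "${CA_X509_POLICY_DNS}" | tr ' ' '\n'))` relies on an unquoted command substitution, so each entry is pathname-expanded before it reaches the array; a wildcard policy entry such as `*.local`, which the ct script explicitly invites, would be replaced by matching filenames in the current directory if any exist, changing the policy that gets applied. Splitting with the builtin avoids both the glob and the `echo | tr` pipeline: `read -r -a x509_policy_dns <<<"${CA_X509_POLICY_DNS}"` and `read -r -a x509_policy_ips <<<"${CA_X509_POLICY_IPS}"`.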
@@ -45,9 +49,24 @@ EOF msg_ok "Generated CA secret stored in ${passwd_file}" -msg_info "Initialize CA" -$STD step ca init --name="$CA_NAME" $CA_DNS --password-file=/etc/step-ca/password.txt --acme --deployment-type=standalone --address=0.0.0.0:443 --provisioner=acme -$STD step ca provisioner update acme --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h +msg_info "Initialize base CA" +$STD step ca init --name "${CA_NAME}" $CA_DNS --password-file /etc/step-ca/password.txt --deployment-type=standalone --address ":443" --provisioner=admin + +for dns_entry in "${x509_policy_dns[@]}"; do + $STD step ca policy authority x509 allow dns "${dns_entry}" +done +for ip_entry in "${x509_policy_ips[@]}"; do + $STD step ca policy authority x509 allow ip ${ip_entry} +done + +if [ "${CA_ACME}" = "yes" ]; then + msg_info "Initialize ACME for CA" + $STD step ca provisioner add ${CA_ACME_NAME} --type ACME + $STD step ca provisioner update ${CA_ACME_NAME} --x509-min-dur=20m --x509-max-dur=32h --x509-default-dur=24h +fi +if [ "${CA_SSH}" = "yes" ]; then + msg_info "Inititialize CA for SSH" +fi msg_ok "Finished initialization of CA" # Start application
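Review bot: The new `step ca policy authority x509 allow …` and `step ca provisioner add`/`update` calls run before the CA process is started (`# Start application` follows this block) and `step ca init` is not given `--remote-management`; as far as I know these subcommands go through the CA's admin API, so they are likely to fail here and, with output hidden behind `$STD`, to fail silently unless the script runs under `set -e` — please verify against the installed step version, or bring the CA up with remote management before applying the policy. `${ip_entry}` and `${CA_ACME_NAME}` come from interactive input and are expanded unquoted; quote them, `$STD step ca policy authority x509 allow ip "${ip_entry}"` and `$STD step ca provisioner add "${CA_ACME_NAME}" --type ACME`, so a stray space cannot become an extra argument. `CA_SSH` is never set or exported by the ct script in this change, and its branch only prints `"Inititialize CA for SSH"` (typo), so either drop the branch or mark it with a comment as a placeholder.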