diff --git a/README.md b/README.md
new file mode 100644
index 0000000..dd6f47c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,40 @@
+# CAcert local development setup
+
+This repository contains a local development environment setup for the CAcert software.
+
+## Prerequisites
+
+* Linux system (tested on Debian Bullseye)
+* [Docker](https://tracker.debian.org/pkg/docker.io)
+* [docker-compose](https://pypi.org/project/docker-compose/)
+* [openssl](https://tracker.debian.org/pkg/openssl)
+* [myrepos](https://tracker.debian.org/pkg/myrepos)
+
+```shell
+sudo apt-get update
+sudo apt-get install docker.io openssl myrepos
+sudo adduser $USER docker
+newgrp docker
+python3 -m pip install --user -U docker-compose
+# make sure that ~/.local/bin is in $PATH
+```
+
+## Usage
+
+Create a .env file that defines the following variables
+
+Variable | Usage
+--- | ---
+`MYSQL_ROOT_PASSWORD` | Database root password
+`MYSQL_APP_USER` | Database application user
+`MYSQL_APP_PASSWORD` | Database application password
+
+```shell
+git clone https://git.dittberner.info/jan/cacert-devsetup.git
+cd cacert-devsetup
+mr checkout
+./setup_test_ca.sh
+docker-compose up
+```
+
+After these steps you should be able to reach the CAcert application at https://test.cacert.localhost:8443/.
diff --git a/docker/apache-foreground b/docker/apache-foreground
index 12ba0e0..a729be6 100755
--- a/docker/apache-foreground
+++ b/docker/apache-foreground
@@ -4,15 +4,15 @@ set -eux # Apache gets grumpy about PID files pre-existing rm -f /run/apache2/apache2.pid -cp /usr/local/etc/testca/certs/test.cacert.org.crt.pem /etc/ssl/certs/test.cacert.org.crt -cp /usr/local/etc/testca/certs/test.cacert.org.key.pem /etc/ssl/private/test.cacert.org.pem +cp /usr/local/etc/testca/certs/test.cacert.localhost.crt.pem /etc/ssl/certs/ +cp /usr/local/etc/testca/certs/test.cacert.localhost.key.pem /etc/ssl/private/ ( openssl x509 -in /usr/local/etc/testca/class3/ca.crt.pem openssl x509 -in /usr/local/etc/testca/root/ca.crt.pem ) >/etc/ssl/certs/combined.crt -cp /usr/local/etc/testca/certs/secure.test.cacert.org.crt.pem /etc/ssl/certs/secure.crt -cp /usr/local/etc/testca/certs/secure.test.cacert.org.key.pem /etc/ssl/private/secure_test_cacert_org.pem +cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/ +cp /usr/local/etc/testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/ sed -i "s/@MYSQL_USERNAME@/$MYSQL_APP_USER/g; s/@MYSQL_PASSWORD@/$MYSQL_APP_PASSWORD/g" \ /usr/local/etc/application/mysql.php diff --git a/docker/apache-virtualhost.conf b/docker/apache-virtualhost.conf index e8b25b7..8d61b51 100644 --- a/docker/apache-virtualhost.conf +++ b/docker/apache-virtualhost.conf @@ -1,11 +1,11 @@ - ServerName test.cacert.org - ServerAlias www.test.cacert.org + ServerName test.cacert.localhost + ServerAlias www.test.cacert.localhost DocumentRoot /www/www ScriptAlias /cgi-bin/ /www/cgi-bin/ - Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl - Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl + Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl + Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] 
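Review bot: The new `cp … /etc/ssl/private/` lines copy the server private keys with whatever mode the source files carry, so if /usr/local/etc/testca is mounted from the host (setup_test_ca.sh writes the keys with no chmod visible in its hunks) the copies may be readable by every user in the container. `install -m 0600 /usr/local/etc/testca/certs/test.cacert.localhost.key.pem /etc/ssl/private/` (and the same for the secure key in the second pair of `+cp` lines) fixes the mode of the copy regardless of the source. Since the destination file names are now implied by the source names, a comment above the copies such as `# file names must match SSLCertificateFile/SSLCertificateKeyFile in apache-virtualhost.conf` would make the coupling explicit. The script header with `set -eux` lies before this hunk.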
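Review bot: The hostname is now spelled out separately in ServerName, ServerAlias, the Redirect targets and the certificate paths of each vhost (this hunk and the `-15,8`, `-24,15`, `-42,8` and `-51,20` hunks of the same file), so the next domain change is again a hand edit across three vhosts. A single `Define DEV_DOMAIN cacert.localhost` at the top of the file, with `ServerName test.${DEV_DOMAIN}` and `SSLCertificateFile /etc/ssl/certs/test.${DEV_DOMAIN}.crt.pem`, would keep the vhosts in step with each other and with the file names apache-foreground copies; this assumes Apache 2.4 or later, which the image version should confirm. The enclosing VirtualHost blocks open and close outside the hunks shown here.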
@@ -15,8 +15,8 @@ - ServerName test.cacert.org - ServerAlias www.test.cacert.org + ServerName test.cacert.localhost + ServerAlias www.test.cacert.localhost DocumentRoot /www/www SSLEngine on @@ -24,15 +24,15 @@ SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL - SSLCertificateFile /etc/ssl/certs/test.cacert.org.crt - SSLCertificateKeyFile /etc/ssl/private/test.cacert.org.pem + SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem + SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem SSLCACertificateFile /etc/ssl/certs/combined.crt Header always set Strict-Transport-Security "max-age=31536000" ScriptAlias /cgi-bin/ /www/cgi-bin/ - Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl - Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl + Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl + Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] @@ -42,8 +42,7 @@ - ServerName secure.test.cacert.org - ServerAlias secure.test.cacert.org + ServerName secure.test.cacert.localhost DocumentRoot /www/www SSLEngine on 
@@ -51,20 +50,20 @@ SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL - SSLCertificateFile /etc/ssl/certs/secure.crt - SSLCertificateKeyFile /etc/ssl/private/secure_test_cacert_org.pem + SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem + SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile /etc/ssl/certs/combined.crt #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl #SSLOCSPEnable on - #SSLOCSPDefaultResponder http://ocsp.cacert.org/ + #SSLOCSPDefaultResponder http://ocsp.cacert.localhost/ SSLOptions +StdEnvVars Header always set Strict-Transport-Security "max-age=31536000" - Redirect permanent /revoke.crl http://crl.cacert.org/revoke.crl - Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl + Redirect permanent /revoke.crl http://crl.cacert.localhost/revoke.crl + Redirect permanent /class3-revoke.crl http://crl.cacert.localhost/class3-revoke.crl RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] diff --git a/docker/cacert.conf b/docker/cacert.conf index 068d40f..1edd99a 100644 --- a/docker/cacert.conf +++ b/docker/cacert.conf @@ -2,8 +2,8 @@ MaxRequestsPerChild 100 -ServerAdmin support@cacert.org -ServerName cacert.org +ServerAdmin support@cacert.localhost +ServerName cacert.localhost Header always set X-Frame-Options "DENY" Header always set X-XSS-Protection "1; mode=block" diff --git a/docker/mysql.php b/docker/mysql.php index 4d740f3..2b4dbf4 100644 --- a/docker/mysql.php +++ b/docker/mysql.php 
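Review bot: The new `#SSLOCSPDefaultResponder http://ocsp.cacert.localhost/` names a different OCSP host than the certificates issued by setup_test_ca.sh, whose authorityInfoAccess now carries `http://ocsp.test.cacert.localhost/` (the `-96,8` and `-106,13` hunks of that file); if the line is ever uncommented, mod_ssl would query a responder no certificate references. The same applies to the Redirect lines, which send /revoke.crl to `http://crl.cacert.localhost/` while the certificates' crlDistributionPoints name `http://crl.test.cacert.localhost/class3.crl`, and nothing in this diff serves either host. Pick one naming scheme and use it in both files, and add `# keep in sync with authorityInfoAccess/crlDistributionPoints in setup_test_ca.sh` above the OCSP line so the coupling is visible. The secure vhost's enclosing block starts before this hunk.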
@@ -22,11 +22,11 @@ if ($_SESSION['mconn'] != FALSE) mysql_select_db("cacert"); $_SESSION['mconn'] = TRUE; } -$_SESSION['_config']['normalhostname'] = "test.cacert.org:8443"; -$_SESSION['_config']['securehostname'] = "secure.test.cacert.org:8443"; -$_SESSION['_config']['tverify'] = "tverify.cacert.org"; +$_SESSION['_config']['normalhostname'] = "test.cacert.localhost:8443"; +$_SESSION['_config']['securehostname'] = "secure.test.cacert.localhost:8443"; +$_SESSION['_config']['tverify'] = "tverify.cacert.localhost"; -function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.org", $use_utf8 = true) +function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.localhost", $use_utf8 = true) { $lines = explode("\n", $message); $message = ""; @@ -53,9 +53,9 @@ function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $ return; } $InputBuffer = fgets($smtp, 1024); - fputs($smtp, "EHLO test.cacert.org\r\n"); + fputs($smtp, "EHLO test.cacert.localhost\r\n"); $InputBuffer = fgets($smtp, 1024); - fputs($smtp, "MAIL FROM:\r\n"); + fputs($smtp, "MAIL FROM:\r\n"); $InputBuffer = fgets($smtp, 1024); $bits = explode(",", $to); foreach($bits as $user) @@ -63,7 +63,7 @@ function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $ $InputBuffer = fgets($smtp, 1024); fputs($smtp, "DATA\r\n"); $InputBuffer = fgets($smtp, 1024); - fputs($smtp, "X-Mailer: CAcert.org Website\r\n"); + fputs($smtp, "X-Mailer: CAcert.org Website (local development)\r\n"); if (array_key_exists("REMOTE_ADDR", $_SERVER)) fputs($smtp, "X-OriginatingIP: ".$_SERVER["REMOTE_ADDR"]."\r\n"); fputs($smtp, "Sender: $errorsto\r\n"); diff --git a/docker/php5-cacert.ini b/docker/php5-cacert.ini index 7fba72e..e0be8bc 100644 --- a/docker/php5-cacert.ini +++ b/docker/php5-cacert.ini 
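Review bot: In the `-53,9` hunk the removed and added `MAIL FROM:` lines read identically in this view, so the envelope address between the angle brackets was most likely lost in extraction; the committed line should be checked rather than assumed. Because the Sender header a few lines later already uses `$errorsto` (`fputs($smtp, "Sender: $errorsto\r\n");`), hard-coding the envelope sender a second time invites drift — `fputs($smtp, "MAIL FROM:<$errorsto>\r\n");` keeps the envelope sender and the Sender header in step, given that callers pass `$errorsto` as a plain address as the Sender header already assumes, and the new default `returns@cacert.localhost` then also matches sendmail_path in php5-cacert.ini. The `EHLO test.cacert.localhost` argument is a further copy of the hostname stored in `normalhostname`; a comment noting that these must change together would help. sendmail() is declared in the `-22,11` hunk and its body continues past the `-63,7` hunk.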
@@ -8,7 +8,7 @@ memory_limit = 18M display_errors = Off log_errors = On error_log = /var/log/apache2/phperrors.log -sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.org" +sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.localhost" session.use_only_cookies = On session.cookie_secure = On error_reporting = E_ALL diff --git a/setup_test_ca.sh b/setup_test_ca.sh index 4fe0949..b6c3578 100755 --- a/setup_test_ca.sh +++ b/setup_test_ca.sh @@ -96,8 +96,8 @@ keyUsage = critical,keyCertSign,cRLSign extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always -authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/ -crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl +authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/ +crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl certificatePolicies = @policy_class3_ca [server_ext] @@ -106,13 +106,13 @@ keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always -authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/ -crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl +authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/ +crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl certificatePolicies = @policy_class3_ca [policy_class3_ca] policyIdentifier = 1.3.6.1.5.5.7.2.1 -CPS = http://test.cacert.org/ca/class3/cps.html +CPS = http://test.cacert.localhost/ca/class3/cps.html EOF openssl req -new -x509 -config ca.cnf \ 
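Review bot: The AIA, OCSP and CRL URIs written into the CA and server extensions now point at plain-http hosts (`http://test.cacert.localhost/ca/...`, `http://ocsp.test.cacert.localhost/`, `http://crl.test.cacert.localhost/class3.crl`) that nothing in this diff serves — the README only exposes https://test.cacert.localhost:8443/ — so they are unreachable metadata in this environment. That is fine for a development CA, but the heredoc should say so, e.g. `# AIA/CRL/OCSP URIs are placeholders; no responder or CRL host is deployed in this setup`, so nobody enables `SSLCARevocationFile` or `SSLOCSPEnable` in apache-virtualhost.conf expecting them to resolve. The heredoc these lines belong to opens before the `-96,8` hunk and closes at the `EOF` in the `-106,13` hunk.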
@@ -133,23 +133,23 @@ openssl ca -config ca.cnf \ -rand_serial \ -extensions class3_extensions \ -batch -openssl req -new -keyout certs/test.cacert.org.key.pem -nodes \ - -out certs/test.cacert.org.csr.pem -subj "/CN=test.cacert.org" \ - -addext "subjectAltName=DNS:test.cacert.org,DNS:www.test.cacert.org" -openssl req -new -keyout certs/secure.test.cacert.org.key.pem -nodes \ - -out certs/secure.test.cacert.org.csr.pem -subj "/CN=secure.test.cacert.org" \ - -addext "subjectAltName=DNS:secure.test.cacert.org" +openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \ + -out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \ + -addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost" +openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \ + -out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \ + -addext "subjectAltName=DNS:secure.test.cacert.localhost" openssl ca -config ca.cnf \ -name class3_ca \ - -in certs/test.cacert.org.csr.pem \ - -out certs/test.cacert.org.crt.pem \ + -in certs/test.cacert.localhost.csr.pem \ + -out certs/test.cacert.localhost.crt.pem \ -rand_serial \ -extensions server_ext \ -batch openssl ca -config ca.cnf \ -name class3_ca \ - -in certs/secure.test.cacert.org.csr.pem \ - -out certs/secure.test.cacert.org.crt.pem \ + -in certs/secure.test.cacert.localhost.csr.pem \ + -out certs/secure.test.cacert.localhost.crt.pem \ -rand_serial \ -extensions server_ext \ -batch
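Review bot: The two new `openssl req -new -keyout …` invocations name no key algorithm or size, so the key type follows the OpenSSL default (or a `default_bits` in ca.cnf, which is not visible here); adding `-newkey rsa:2048` (or an EC curve) to each line makes the test certificates reproducible across OpenSSL versions. The keys are written unencrypted (`-nodes`) with no file mode set anywhere in this hunk, and apache-foreground later copies them into /etc/ssl/private/, so a `chmod 600 certs/*.key.pem` after the two requests (or `umask 077` before them) keeps the key files from being world-readable on the host. A comment such as `# throwaway development keys; never reuse outside this environment` above the requests would also document the intent. The script continues past the end of this hunk.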