diff --git a/httpd-init.service b/httpd-init.service
index 05af86e..e2e8dd6 100644
--- a/httpd-init.service
+++ b/httpd-init.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=One-time configuration for httpd.service
+Documentation=man:httpd-init.service(8)
 
 ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
 ConditionPathExists=|!/etc/pki/tls/certs/localhost-ca.crt
diff --git a/httpd-ssl-gencerts b/httpd-ssl-gencerts
index 0771b73..67b6d9a 100755
--- a/httpd-ssl-gencerts
+++ b/httpd-ssl-gencerts
@@ -3,22 +3,20 @@
 set -e
 
 FQDN=`hostname`
-# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
-if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
-   FQDN=localhost.localdomain
+
+if test -f /etc/pki/tls/certs/localhost.crt -o \
+        -f /etc/pki/tls/private/localhost.key -o \
+        -f /etc/pki/tls/certs/localhost-ca.crt; then
+    exit 1
 fi
 
 sscg -q                                                             \
      --cert-file           /etc/pki/tls/certs/localhost.crt         \
      --cert-key-file       /etc/pki/tls/private/localhost.key       \
      --ca-file             /etc/pki/tls/certs/localhost-ca.crt      \
-     --hash-alg            sha256                                   \
-     --key-strength        2048                                     \
      --lifetime            365                                      \
-     --country             "--"                                     \
-     --state               SomeState                                \
-     --locality            SomeCity                                 \
-     --organization        SomeOrganization                         \
-     --organizational-unit SomeOrganizationalUnit                   \
      --hostname            $FQDN                                    \
      --email               root@$FQDN
+
+# mod_ssl will send the CA cert if it's appended to the server cert.
+cat /etc/pki/tls/certs/localhost-ca.crt >> /etc/pki/tls/certs/localhost.crt
diff --git a/httpd.service.xml b/httpd.service.xml
index 8f82e59..d851862 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -37,12 +37,14 @@
   <refnamediv>
     <refname>httpd.service</refname>
     <refname>httpd.socket</refname>
+    <refname>httpd-init.service</refname>
     <refpurpose>httpd unit files for systemd</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
     <para>
       <filename>/usr/lib/systemd/system/httpd.service</filename>, 
+      <filename>/usr/lib/systemd/system/httpd-init.service</filename>,
       <filename>/usr/lib/systemd/system/httpd.socket</filename>
     </para>
   </refsynopsisdiv>
@@ -125,6 +127,20 @@ Wants=network-online.target</programlisting>
     </refsect2>
 
     <refsect2>
+      <title>SSL/TLS certificate generation</title>
+
+      <para>The <command>httpd-init.service</command> unit is provided
+      with the mod_ssl package. This oneshot unit automatically
+      creates a TLS server certificate and key (using a generated
+      self-signed CA certificate and key) for testing purposes before
+      httpd is started. To inhibit certificate generation, use
+      <command>systemctl mask httpd-init.service</command> after
+      installing mod_ssl, and adjust the mod_ssl configuration to use
+      an appropriate certicate and key.</para>
+
+    </refsect2>
+
+    <refsect2>
       <title>Reloading and stopping the service</title>
 
       <para>When running <command>systemctl reload
diff --git a/httpd.spec b/httpd.spec
index 4073f37..efff2c5 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.27
-Release: 8.4%{?dist}
+Release: 9%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -452,7 +452,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \
 	$RPM_BUILD_ROOT/etc/logrotate.d/httpd
 
 # Install systemd service man pages
-install -m 644 -p httpd.service.8 httpd.socket.8 \
+install -m 644 -p httpd.service.8 httpd-init.service.8 httpd.socket.8 \
         $RPM_BUILD_ROOT%{_mandir}/man8
 
 # fix man page paths
@@ -616,6 +616,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
 
 %{_mandir}/man8/*
+%exclude %{_mandir}/man8/httpd-init.*
 
 %{_unitdir}/httpd.service
 %{_unitdir}/htcacheclean.service
@@ -656,6 +657,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/httpd-ssl-pass-dialog
 %{_libexecdir}/httpd-ssl-gencerts
 %{_unitdir}/httpd.socket.d/10-listen443.conf
+%{_mandir}/man8/httpd-init.*
 
 %files -n mod_proxy_html
 %defattr(-,root,root)
@@ -685,6 +687,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9
+- use sscg defaults; append CA cert to generated cert
+- document httpd-init.service in httpd-init.service(8)
+
 * Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
 - Generate SSL certificates on service start, not %posttrans
 
diff --git a/ssl.conf b/ssl.conf
index a2709ce..a07bd8f 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -122,7 +122,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
-SSLCACertificateFile /etc/pki/tls/certs/localhost-ca.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 
 #   Client Authentication (Type):
 #   Client certificate verification type and depth.  Types are