diff --git a/config.yaml b/config.yaml
index edfc69e..c8635a5 100644
--- a/config.yaml
+++ b/config.yaml
@@ -57,9 +57,10 @@ options:
   ssl_key:
     type: string
     description: SSL key to use with certificate specified as ssl_cert.      
-  # CA Cert info
+  # Locally generated CA Cert info (only use without keystone)
+  # These options are deprecated and will be removed sometime
   use-https:
-    default: "no"
+    default: "yes"
     type: string
     description: Whether to listen on HTTPS
   country:
@@ -78,6 +79,7 @@ options:
     default: CN
     type: string
     description: Common Name
+  # General Swift Proxy configuration
   bind-port:
     default: 8080
     type: int
diff --git a/hooks/swift_utils.py b/hooks/swift_utils.py
index 70af275..c9d1e68 100644
--- a/hooks/swift_utils.py
+++ b/hooks/swift_utils.py
@@ -193,19 +193,6 @@ def write_proxy_config():
     proxy_control('restart')
     subprocess.check_call(['open-port', str(bind_port)])
 
-def configure_ssl():
-    # this should be expanded to cover setting up user-specified certificates
-    if (utils.config_get('use-https') == 'yes' and
-        not os.path.isfile(SSL_CERT) and
-        not os.path.isfile(SSL_KEY)):
-        subj = '/C=%s/ST=%s/L=%s/CN=%s' %\
-               (utils.config_get('country'), utils.config_get('state'),
-                utils.config_get('locale'), utils.config_get('common-name'))
-        cmd = ['openssl', 'req', '-new', '-x509', '-nodes',
-               '-out', SSL_CERT, '-keyout', SSL_KEY,
-               '-subj', subj]
-        subprocess.check_call(cmd)
-
 
 def _load_builder(path):
     # lifted straight from /usr/bin/swift-ring-builder
diff --git a/hooks/utils.py b/hooks/utils.py
index b324b31..106572a 100644
--- a/hooks/utils.py
+++ b/hooks/utils.py
@@ -13,6 +13,7 @@ import subprocess
 import socket
 import sys
 import base64
+import tempfile
 
 
 def do_hooks(hooks):
@@ -320,6 +321,8 @@ def https():
     .
     returns: boolean
     '''
+    if config_get('use-https'):
+        return True
     if config_get('ssl_cert') and config_get('ssl_key'):
         return True
     for r_id in relation_ids('identity-service'):
@@ -366,6 +369,11 @@ def enable_https(port_maps, namespace):
                     key = relation_get('ssl_key', rid=r_id, unit=unit)
                 if not ca_cert:
                     ca_cert = relation_get('ca_cert', rid=r_id, unit=unit)
+        if (not (cert and key and ca_cert) and
+            config_get('use-https')):
+            juju_log('INFO',
+                     "Using self-signed SSL certificate.")
+            (cert, key) = generate_cert()
     else:
         juju_log('INFO',
                  "Using SSL certificate provided in service config.")
@@ -474,6 +482,32 @@ def setup_https(port_maps, namespace):
         enable_https(port_maps, namespace)
 
 
+def generate_cert():
+    '''
+    Generates a self signed certificate and key using the
+    provided charm configuration data.
+
+    returns: tuple of (cert, key)
+    '''
+    CERT = '/etc/swift/ssl.cert'
+    KEY = '/etc/swift/ssl.key'
+    if (not os.path.exists(CERT) and
+        not os.path.exists(KEY)):
+        subj = '/C=%s/ST=%s/L=%s/CN=%s' %\
+            (config_get('country'), config_get('state'),
+             config_get('locale'), config_get('common-name'))
+        cmd = ['openssl', 'req', '-new', '-x509', '-nodes',
+               '-out', CERT, '-keyout', KEY,
+               '-subj', subj]
+        subprocess.check_call(cmd)
+    # Slurp as base64 encoded - makes handling easier up the stack
+    with open(CERT, 'r') as cfile:
+        ssl_cert = base64.b64encode(cfile.read())
+    with open(KEY, 'r') as kfile:
+        ssl_key = base64.b64encode(kfile.read())
+    return (ssl_cert, ssl_key)
+
+
 def determine_api_port(public_port):
     '''
     Determine correct API server listening port based on