diff --git a/xrdp.spec b/xrdp.spec
index 1b605c3..d93bf8d 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -29,6 +29,7 @@ Requires: tigervnc-server-minimal
 
 Requires(post): systemd
 Requires(post): systemd-sysv
+Requires(post): openssl
 Requires(preun): systemd
 Requires(postun): systemd
 
@@ -60,6 +61,9 @@ echo '#!/bin/bash -l
 #install logrotate /etc/logrotate.d/xrdp
 %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp
 
+#install openssl.conf /etc/xrdp
+%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
+
 #install log file /var/log/xrdp-sesman.log
 %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
 touch %{buildroot}%{_localstatedir}/log/xrdp-sesman.log
@@ -75,8 +79,18 @@ touch %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
 %post
 %systemd_post xrdp.service
 
-xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
-%{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+if [ ! -f %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+  xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
+  %{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
+fi
+
+if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
+  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+    -keyout %{_sysconfdir}/xrdp/key.pem \
+    -out %{_sysconfdir}/xrdp/cert.pem \
+    -subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
+    -config %{_sysconfdir}/xrdp/openssl.conf
+fi
 
 %preun
 %systemd_preun xrdp.service
@@ -110,8 +124,12 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/xrdp
 %config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
 %{_sysconfdir}/xrdp/*.sh
-%{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/*.pem
+%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
 %{_sysconfdir}/xrdp/km*.ini
+%{_sysconfdir}/xrdp/openssl.conf
+%{_sysconfdir}/xrdp/sesman.ini
+%{_sysconfdir}/xrdp/xrdp.ini
 %{_sysconfdir}/xrdp/xrdp_keyboard.ini
 %{_bindir}/xrdp-genkeymap
 %{_bindir}/xrdp-sesadmin