diff --git a/ssl/GNUmakefile.in b/ssl/GNUmakefile.in
index b4dbddc223f4b6b6eb20022797c9607fc6af677f..7c44bf9d10565896ff89cacabee8d2da6ae21a21 100644
--- a/ssl/GNUmakefile.in
+++ b/ssl/GNUmakefile.in
@@ -63,6 +63,38 @@ server.pem: dirsmade server.cnf ca.cnf
 cat server_key.pem server_cert.pem > server.pem
 rm -f newreq.pem
 
+#
+# This is for the main web server on boss.
+#
+apache2.pem: dirsmade apache2.cnf ca.cnf
+ #
+ # Create the server side private key and certificate request.
+ #
+ openssl req -new -config apache2.cnf \
+ -keyout apache2_key.pem -out apache2_req.pem
+ #
+ # Combine key and cert request.
+ #
+ cat apache2_key.pem apache2_req.pem > newreq.pem
+ #
+ # Sign the apache cert request, creating a apache certificate.
+ #
+ openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
+ -out apache2_cert.pem \
+ -cert cacert.pem -keyfile cakey.pem \
+ -infiles newreq.pem
+ #
+ # Combine the key and the certificate into one file. This file is
+ # is not actually installed though; the separate files will be
+ # installed into the apache cert/key directories by install/boss-install
+ # when the boss node is created.
+ #
+ cat apache2_key.pem apache2_cert.pem > apache2.pem
+ rm -f newreq.pem
+
+#
+# This is for the secondary web server on users.
+#
 apache.pem: dirsmade apache.cnf ca.cnf
 #
 # Create the server side private key and certificate request.
diff --git a/ssl/apache2.cnf.in b/ssl/apache2.cnf.in
new file mode 100644
index 0000000000000000000000000000000000000000..9fcbea1ad9d195f27a0bae0df137ef6dc2c10860
--- /dev/null
+++ b/ssl/apache2.cnf.in
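Review bot: The apache2.pem recipe leaves the private key in apache2_key.pem and apache2.pem with whatever mode the build umask grants (the companion apache2.cnf.in in this same diff sets `encrypt_key = no`, so the key is in the clear), and nothing in the rule tightens that before install/boss-install copies the files; adding `chmod 600 apache2_key.pem apache2.pem` as the final step of the recipe keeps the key out of reach of other accounts on the build host. The new rule is also a line-for-line copy of the apache.pem rule that follows it, differing only in the `apache2` prefix, so a pattern rule such as `%.pem: dirsmade %.cnf ca.cnf` would let both share one body — that refactor would touch the existing rule, whose body continues outside the hunk. Two comment typos in the new lines: `creating a apache certificate` should read `an apache certificate`, and `This file is` / `# is not actually installed` doubles `is`.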
@@ -0,0 +1,27 @@
+[ req ]
+prompt = no
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+encrypt_key = no
+string_mask = nombstr
+
+[ req_distinguished_name ]
+C = @SSLCERT_COUNTRY@
+ST = @SSLCERT_STATE@
+L = @SSLCERT_LOCALITY@
+O = @SSLCERT_ORGNAME@
+OU = WebServer
+# The apache server wants the CommonName (CN) to match what we set "ServerName"
+# to in apache/http.conf.in (in the SSL section).
+CN = @USERNODE@
+emailAddress = @TBOPSEMAIL@
+
+[ req_attributes ]
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true
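Review bot: `CN = @USERNODE@` contradicts the GNUmakefile comment that this certificate is for the main web server on boss, and the inline comment right above it says the CN must match apache's `ServerName`, so unless boss's ServerName is the users hostname every client will reject this certificate with a name mismatch; the file appears to have been copied from the users-node config without updating it, and the line should use whichever configure substitution yields the boss hostname, e.g. `CN = @<BOSS-HOSTNAME-SUBSTITUTION>@` (placeholder — use the project's actual variable). Separately, `x509_extensions = v3_ca` with `basicConstraints = CA:true` only takes effect when `openssl req -x509` is used; the Makefile signs the CSR through `openssl ca`, so the section is inert on the intended path, but running this config with `-x509` would produce a self-signed server certificate that is also a CA, which is why a server request config should carry `basicConstraints = CA:false` (or drop the section). `default_bits = 1024` is below what current TLS clients and CA policies accept for RSA; 2048 is the floor.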