diff --git a/room-app/src/main/java/net/wasdev/gameon/room/Kafka.java b/room-app/src/main/java/net/wasdev/gameon/room/Kafka.java
index 57c861e..f1392da 100644
--- a/room-app/src/main/java/net/wasdev/gameon/room/Kafka.java
+++ b/room-app/src/main/java/net/wasdev/gameon/room/Kafka.java
@@ -48,22 +48,6 @@ public void init(){
 producerProps.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG,"org.apache.kafka.common.serialization.StringSerializer");
 producerProps.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG,"org.apache.kafka.common.serialization.StringSerializer");
- //this is a cheat, we need to enable ssl when talking to message hub, and not to kafka locally
- //the easiest way to know which we are running on, is to check how many hosts are in kafkaUrl
- //locally for kafka there'll only ever be one, and messagehub gives us a whole bunch..
- boolean multipleHosts = kafkaUrl.indexOf(",") != -1;
- if(multipleHosts){
- Log.log(Level.INFO, this, "Initializing SSL Config for MessageHub");
- producerProps.put("security.protocol","SASL_SSL");
- producerProps.put("ssl.protocol","TLSv1.2");
- producerProps.put("ssl.enabled.protocols","TLSv1.2");
- Path p = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
- producerProps.put("ssl.truststore.location", p.toString());
- producerProps.put("ssl.truststore.password","changeit");
- producerProps.put("ssl.truststore.type","JKS");
- producerProps.put("ssl.endpoint.identification.algorithm","HTTPS");
- }
-
 producer = new KafkaProducer(producerProps);
 }catch(Exception e){
 System.out.println("KAFKA INIT FAILED");
diff --git a/room-wlpcfg/Dockerfile b/room-wlpcfg/Dockerfile
index da75fac..f407373 100644
--- a/room-wlpcfg/Dockerfile
+++ b/room-wlpcfg/Dockerfile
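Review bot: With the SSL block removed, nothing left in this hunk sets `security.protocol`, so the producer created on the following `producer = new KafkaProducer(producerProps);` line falls back to the Kafka client default of PLAINTEXT; the JVM-wide `javax.net.ssl.trustStore` options added elsewhere in this commit only affect a connection that is already TLS and are not consulted by the client to decide whether to use TLS at all. If a TLS or SASL broker remains a deployment target, `security.protocol` and the matching SASL settings have to be supplied from explicit configuration rather than the removed host-count heuristic, and that decision should be recorded next to the producer creation, e.g. `// security.protocol is left at the client default (PLAINTEXT); set it explicitly if the broker requires TLS/SASL`. The enclosing init() starts before this hunk and its catch block continues past it.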
@@ -2,6 +2,10 @@ FROM gameontext/docker-liberty-custom:master-29
 ENV SERVERDIRNAME room
+ADD https://raw.githubusercontent.com/gameontext/gameon/master/bin/gen-keystore.sh /opt/gen-keystore.sh
+USER 0
+RUN chmod g+rwx /opt/gen-keystore.sh
+USER 1001
 COPY ./startup.sh /opt/startup.sh
 ADD ./servers/gameon-room /opt/ol/wlp/usr/servers/defaultServer/
 RUN mkdir -p /opt/ol/wlp/usr/servers/defaultServer/resources/security
diff --git a/room-wlpcfg/servers/gameon-room/jvm.options b/room-wlpcfg/servers/gameon-room/jvm.options
index a8ae79e..dca92e5 100644
--- a/room-wlpcfg/servers/gameon-room/jvm.options
+++ b/room-wlpcfg/servers/gameon-room/jvm.options
@@ -1 +1,3 @@
--Djava.security.Security.setProperty("networkaddress.cache.ttl" , "30");
+-Djava.security.Security.setProperty("networkaddress.cache.ttl" , "30")
+-Djavax.net.ssl.trustStore=/opt/ol/wlp/usr/servers/defaultServer/resources/security/truststore.jks
+-Djavax.net.ssl.trustStorePassword=gameontext-trust
diff --git a/room-wlpcfg/servers/gameon-room/server.xml b/room-wlpcfg/servers/gameon-room/server.xml
index a68d806..a61963d 100644
--- a/room-wlpcfg/servers/gameon-room/server.xml
+++ b/room-wlpcfg/servers/gameon-room/server.xml
@@ -18,8 +18,8 @@
-
-
+
+
diff --git a/room-wlpcfg/startup.sh b/room-wlpcfg/startup.sh
index f4a337d..9748431 100755
--- a/room-wlpcfg/startup.sh
+++ b/room-wlpcfg/startup.sh
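Review bot: The added `ADD https://raw.githubusercontent.com/gameontext/gameon/master/bin/gen-keystore.sh /opt/gen-keystore.sh` fetches a script from a moving branch at build time with no integrity check, and startup.sh in this same commit executes it on every container start, so anyone who can push to that branch decides what runs inside the image. Pin the fetch to an immutable revision and verify its digest, e.g. `ADD https://raw.githubusercontent.com/gameontext/gameon/<commit-sha>/bin/gen-keystore.sh /opt/gen-keystore.sh` followed by `RUN echo "<expected-sha256>  /opt/gen-keystore.sh" | sha256sum -c -` (placeholders to be filled from the pinned revision). The `RUN chmod g+rwx /opt/gen-keystore.sh` line also leaves the script group-writable, which nothing here needs; `chmod g+rx /opt/gen-keystore.sh` is sufficient for the unprivileged user to run it, assuming user 1001 shares the file's group, which this Dockerfile does not show.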
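Review bot: The retained line `-Djava.security.Security.setProperty("networkaddress.cache.ttl" , "30")` is still not a working JVM option: `-D` defines a system property whose key is that literal text, so the DNS cache TTL is never changed and the commit only drops the trailing semicolon. `networkaddress.cache.ttl` is a Security property and belongs in a `java.security` properties file (pointed to with `-Djava.security.properties=<file>` and containing `networkaddress.cache.ttl=30`); the legacy system-property form is `-Dsun.net.inetaddr.ttl=30`. The new `-Djavax.net.ssl.trustStorePassword=gameontext-trust` hardcodes the truststore password into the server configuration; it must match whatever gen-keystore.sh writes, which is not visible in this diff, so a comment naming that coupling (`# must match the truststore password used by /opt/gen-keystore.sh`) would prevent silent drift, and sourcing it from the environment would keep it out of the repository.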
@@ -38,27 +38,7 @@ if [ -f /etc/cert/cert.pem ]; then
 cp /etc/cert/cert.pem ${ssl_path}/cert.pem
 fi
-
-if [ -f ${ssl_path}/cert.pem ] ; then
- echo "Building keystore/truststore from cert.pem"
- echo "-creating dir"
- echo "-cd dir"
- cd ${ssl_path}
- echo "-converting pem to pkcs12"
- openssl pkcs12 -passin pass:keystore -passout pass:keystore -export -out cert.pkcs12 -in cert.pem
- echo "-importing pem to truststore.jks"
- keytool -import -v -trustcacerts -alias default -file cert.pem -storepass truststore -keypass keystore -noprompt -keystore truststore.jks
- echo "-creating dummy key.jks"
- keytool -genkey -storepass testOnlyKeystore -keypass wefwef -keyalg RSA -alias endeca \
- -keystore key.jks -dname CN=rsssl,OU=unknown,O=unknown,L=unknown,ST=unknown,C=CA
- echo "-emptying key.jks"
- keytool -delete -storepass testOnlyKeystore -alias endeca -keystore key.jks
- echo "-importing pkcs12 to key.jks"
- keytool -v -importkeystore -srcalias 1 -alias 1 -destalias default -noprompt \
- -srcstorepass keystore -deststorepass testOnlyKeystore -srckeypass keystore -destkeypass testOnlyKeystore \
- -srckeystore cert.pkcs12 -srcstoretype PKCS12 -destkeystore key.jks -deststoretype JKS
- echo "done"
- cd ${SERVER_PATH}
-fi
+# Make sure keystores are present or are generated
+/opt/gen-keystore.sh ${ssl_path} ${ssl_path}
 exec /opt/ol/wlp/bin/server run defaultServer
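Review bot: The new `/opt/gen-keystore.sh ${ssl_path} ${ssl_path}` call ignores the script's exit status, so if the script is missing, not executable for the runtime user, or fails to write the stores, the following `exec /opt/ol/wlp/bin/server run defaultServer` still starts the server and the problem surfaces later as an opaque TLS error instead of at startup. Fail fast and quote the path: `/opt/gen-keystore.sh "${ssl_path}" "${ssl_path}" || { echo "gen-keystore.sh failed; not starting server" >&2; exit 1; }`. The comment above the call should also say what the two identical arguments are (presumably the keystore and truststore output directories) and that the produced store name and password must agree with the `javax.net.ssl.trustStore` options in jvm.options, since that coupling is now invisible from this file. `ssl_path` is assigned before this hunk.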