I want to offer ready-to-deploy Public Ubuntu Lucid AMIs on Amazon Web Services EC2. As these AMIs use open-source web apps, I want to pre-configure apache mod_ssl and force all traffic over https. That's easy enough.
I'm interested in a sanity check: just how insecure would it be to deploy without a first run script that generates a new CSR and server.key / server.crt files? (i.e., anyone who accesses the AMI will get a copy of the server.key used by anyone else running an instance launched from this AMI?
I have yet to see public AMIs from reputable community/enterprise companies offer AMIs in this manner- in fact most offer them without mod_ssl at all- leaving that up to the sys admin.
-Jack Murgia