diff --git a/Dockerfile b/Dockerfile
index e4c474b31..def9b17f3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,19 @@ RUN venv/bin/pip freeze
 ADD binary_dependencies binary_dependencies
 RUN gdebi --n binary_dependencies/*.deb
+# Install cfssl
+RUN mkdir /gocode
+ENV GOPATH /gocode
+RUN curl -O https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz && \
+ tar -xvf go1.6.linux-amd64.tar.gz && \
+ sudo mv go /usr/local && \
+ rm -rf go1.6.linux-amd64.tar.gz && \
+ /usr/local/go/bin/go get -u github.com/cloudflare/cfssl/cmd/cfssl && \
+ /usr/local/go/bin/go get -u github.com/cloudflare/cfssl/cmd/cfssljson && \
+ sudo cp /gocode/bin/cfssljson /bin/cfssljson && \
+ sudo cp /gocode/bin/cfssl /bin/cfssl && \
+ sudo rm -rf /gocode && sudo rm -rf /usr/local/go
+
 # Install Grunt
 RUN ln -s /usr/bin/nodejs /usr/bin/node
 RUN npm install -g grunt-cli
@@ -42,6 +55,7 @@ RUN rm -rf grunt
 ADD conf/init/copy_config_files.sh /etc/my_init.d/
 ADD conf/init/doupdatelimits.sh /etc/my_init.d/
 ADD conf/init/copy_syslog_config.sh /etc/my_init.d/
+ADD conf/init/create_certs.sh /etc/my_init.d/
 ADD conf/init/runmigration.sh /etc/my_init.d/
 ADD conf/init/syslog-ng.conf /etc/syslog-ng/
 ADD conf/init/zz_boot.sh /etc/my_init.d/
@@ -56,7 +70,7 @@ RUN venv/bin/python -m external_libraries
 RUN mkdir /usr/local/nginx/logs/
 # TODO(ssewell): only works on a detached head, make work with ref
-ADD .git/HEAD GIT_HEAD
+#ADD .git/HEAD GIT_HEAD
 # Add all of the files!
 ADD . .
diff --git a/conf/init/create_certs.sh b/conf/init/create_certs.sh
new file mode 100755
index 000000000..82e3d4927
--- /dev/null
+++ b/conf/init/create_certs.sh
@@ -0,0 +1,10 @@
+#! /bin/bash
+set -e
+
+# Create certs
+echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare mitm
+cp mitm-key.pem /conf/mitm.key
+cp mitm.pem /conf/mitm.cert
+cp mitm.pem /usr/local/share/ca-certificates/mitm.crt
+
+update-ca-certificates
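Review bot: The cfssl install step in the Dockerfile (`RUN curl -O … go1.6.linux-amd64.tar.gz`) unpacks and runs a Go toolchain that is never checked against a known digest, and `go get -u` then builds whatever is at the head of the cfssl repository on the day of the build, so the binaries that later create the container's CA key are neither reproducible nor verifiable. Add a digest check directly after the download, e.g. `echo "<GO_TARBALL_SHA256>  go1.6.linux-amd64.tar.gz" | sha256sum -c - && \`, and fetch with `curl -fsSLO` so an HTTP error fails the step instead of saving an error page. Pin cfssl by checking out a reviewed tag or commit under `$GOPATH/src/github.com/cloudflare/cfssl` before building rather than using `-u`. `ENV GOPATH /gocode` also remains in the runtime environment after `/gocode` is deleted; setting it inline on the `RUN` avoids that.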
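Review bot: In the last Dockerfile hunk, `ADD .git/HEAD GIT_HEAD` is disabled by commenting it out, which leaves dead code under a TODO that now describes nothing and records no reason for the change. If the image no longer needs GIT_HEAD, delete both lines; if this is a temporary workaround, say so, e.g. `# disabled: <reason>`. Whether anything reads GIT_HEAD at runtime is not visible in this diff and is worth checking before merging.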
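Review bot: create_certs.sh generates the CA private key in whatever directory the init system runs the script from and copies it to `/conf/mitm.key` with plain `cp`, so the key gets default-umask permissions and `mitm-key.pem` plus the other cfssljson outputs are left behind. Because the same CA is added to the system trust store, any local account that can read the key can issue certificates this container will trust. Generate the files in a private temporary directory under `umask 077`, install the key with mode 0600, and remove the scratch copies on exit. `set -e` alone can also mask a failure of `cfssl gencert` in the middle of the pipeline, so `set -o pipefail` belongs here. The modes in the sketch assume the consumer of `/conf/mitm.key` runs as root, which this diff does not show.

```shell
set -euo pipefail
umask 077

# Work in a private scratch directory so the key is never left in the init script's cwd.
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare mitm
install -m 0600 mitm-key.pem /conf/mitm.key
install -m 0644 mitm.pem /conf/mitm.cert
install -m 0644 mitm.pem /usr/local/share/ca-certificates/mitm.crt
# … unchanged: update-ca-certificates …
```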
diff --git a/conf/init/zz_boot.sh b/conf/init/zz_boot.sh
index 70b6abc37..ab760266b 100755
--- a/conf/init/zz_boot.sh
+++ b/conf/init/zz_boot.sh
@@ -1,5 +1,3 @@
 #!/bin/bash
-sudo update-ca-certificates --fresh
-
 /venv/bin/python /boot.py