It came to mind that maybe there was an ant script to build a ssl cert.
I ran accross this
Overwrites files with generated self-signed certificate and key files; target directory is the subdirectory of APACHE_HOME specified by the apache-server-ssl-cert-directory property in apache-conf.properties. Called by local-deploy-apache.
Calls targets to copy model httpd.conf and ssl.conf files using token filtering. Depended on by local-deploy-generated-apache-config.
Generates self-signed certificate and key files with openssl, based on peroperties set in apache-conf.properties. Depended on by local-deploy-generated-apache-certs.
So maybe that is what ofbiz needs to do. then the person downloading would be responsible to do the certs