diff --git a/tigervnc.changes b/tigervnc.changes
index 96c5540..c0a3657 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 16 13:17:15 UTC 2016 - msrb@suse.com
+
+- Generate VNC key and certificate on first use, not during
+  installation. (bnc#982349)
+
 -------------------------------------------------------------------
 Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com
 
@@ -5,6 +11,7 @@ Mon Jun 13 15:21:19 UTC 2016 - msrb@suse.com
   * Fix zlib stream reset in tight encoding. (bnc#963417)
 
 -------------------------------------------------------------------
+>>>>>>> ./tigervnc.changes.rb2c0921742fcc34e855cefa0bc741324
 Tue May 24 12:46:07 UTC 2016 - msrb@suse.com
 
 - Add /etc/pam.d/vnc configuration and add vnc user to shadow
diff --git a/tigervnc.spec b/tigervnc.spec
index 80fbac6..dce26e6 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -108,6 +108,7 @@ Source7:        vnc_inetd_httpd
 Source8:        vnc.reg
 Source9:        vncpasswd.arg
 Source10:       vnc.pam
+Source11:       with-vnc-key.sh
 Patch1:         tigervnc-newfbsize.patch
 Patch2:         tigervnc-clean-pressed-key-on-exit.patch
 Patch3:         u_tigervnc-ignore-epipe-on-write.patch
@@ -130,10 +131,10 @@ it attempts to maintain a common look and feel and re-use components, where poss
 TigerVNC also provides extensions for advanced authentication methods and TLS encryption.
 
 %package -n xorg-x11-Xvnc
-# Needed to generate certificates
-Requires(post): openssl
 Requires(post): /usr/sbin/useradd
 Requires(post): /usr/sbin/groupadd
+# Needed to generate certificates
+Requires:       openssl
 # Needed to serve java applet
 Requires:       icewm
 Requires:       python
@@ -144,6 +145,7 @@ Requires:       xinit
 Requires:       xkbcomp
 Requires:       xkeyboard-config
 Requires:       xorg-x11-fonts-core
+Provides:       xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh
 Summary:        TigerVNC implementation of Xvnc
 Group:          System/X11/Servers/XF86_4
 
@@ -257,6 +259,9 @@ ln -s -f %{_sysconfdir}/alternatives/vncviewer.1.gz $RPM_BUILD_ROOT%{_mandir}/ma
 
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/vnc
 
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/vnc
+install -D -m 755 %{SOURCE11} $RPM_BUILD_ROOT%{_libexecdir}/vnc
+
 rm -rf $RPM_BUILD_ROOT/usr/share/doc/tigervnc-*
 
 %find_lang '%{name}'
@@ -266,18 +271,6 @@ getent group %{vncgroup} > /dev/null || groupadd -r %{vncgroup} || :
 getent passwd %{vncuser} > /dev/null || useradd -r -g %{vncgroup} -d /var/lib/empty -s /sbin/nologin -c "user for VNC" %{vncuser} || :
 usermod -G shadow -a %{vncuser} || :
 
-%post -n xorg-x11-Xvnc
-if ! test -e %{tlskey} ; then
-  (umask 077 && openssl genrsa -out %{tlskey} 2048)
-  chown %{vncuser}:%{vncgroup} %{tlskey}
-fi
-if ! test -e %{tlscert} ; then
-  cn="Automatically generated certificate for the VNC service"
-  openssl req -new -x509 -extensions usr_cert \
-    -key %{tlskey} -out %{tlscert} -days 7305 -subj "/CN=$cn/"
-  chown %{vncuser}:%{vncgroup} %{tlscert}
-fi
-
 %post
 %if 0%{?suse_version} >= 1315
 %_sbindir/update-alternatives \
@@ -360,10 +353,12 @@ fi
 %doc java/com/tigervnc/vncviewer/README
 %{_datadir}/vnc
 
-%dir %{_sysconfdir}/vnc
+%dir %attr(0755,%{vncuser},%{vncuser}) %{_sysconfdir}/vnc
 %ghost %attr(0600,%{vncuser},%{vncuser}) %config(noreplace) %{tlskey}
 %ghost %attr(0644,%{vncuser},%{vncuser}) %config(noreplace) %{tlscert}
 
+%{_libexecdir}/vnc
+
 %files -n libXvnc1
 %defattr(-,root,root)
 %{_libdir}/libXvnc.so.1*
diff --git a/vnc.xinetd b/vnc.xinetd
index d683da5..a42b1fd 100644
--- a/vnc.xinetd
+++ b/vnc.xinetd
@@ -9,8 +9,8 @@ service vnc1
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1024x768 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -24,8 +24,8 @@ service vnc2
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1280x1024 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -39,8 +39,8 @@ service vnc3
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/Xvnc
-	server_args	= -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/Xvnc -noreset -inetd -once -query localhost -geometry 1600x1200 -securitytypes X509None,None -X509Key /etc/vnc/tls.key -X509Cert /etc/vnc/tls.cert -log *:syslog:30
 	disable		= yes
 }
 # default: off
@@ -54,8 +54,8 @@ service vnchttpd1
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
-	server_args	= 1024 768 5901
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/vnc_inetd_httpd 1024 768 5901
 	disable		= yes
 }
 # default: off
@@ -69,8 +69,8 @@ service vnchttpd2
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
-	server_args	= 1280 1024 5902
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/vnc_inetd_httpd 1280 1024 5902
 	disable		= yes
 }
 # default: off
@@ -84,7 +84,7 @@ service vnchttpd3
 	protocol	= tcp
 	wait		= no
 	user		= vnc
-	server		= /usr/bin/vnc_inetd_httpd
-	server_args	= 1600 1200 5903
+	server		= /usr/lib/vnc/with-vnc-key.sh
+	server_args	= /usr/bin/vnc_inetd_httpd 1600 1200 5903
 	disable		= yes
 }
diff --git a/with-vnc-key.sh b/with-vnc-key.sh
new file mode 100644
index 0000000..14a43f6
--- /dev/null
+++ b/with-vnc-key.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Wrapper that makes sure /etc/vnc/tls.{key,cert} exist before executing given command.
+
+
+TLSKEY=/etc/vnc/tls.key
+TLSCERT=/etc/vnc/tls.cert
+
+
+if test -s $TLSKEY -a -s $TLSCERT; then
+    # Execute the command we were given.
+    exec "$@"
+fi
+
+(
+    # Wait for lock on the key file. We must not proceed while someone else is creating it.
+    flock 200
+
+    # If the key file doesn't exist or has zero size (because it doubles as lock), generate it.
+    if ! test -s $TLSKEY ; then
+        (umask 077 && openssl genrsa -out $TLSKEY 2048) >&200
+        chown vnc:vnc $TLSKEY
+    fi
+
+    # If the cert file doesn't exist, generate it.
+    if ! test -e $TLSCERT ; then
+        CN="Automatically generated certificate for the VNC service"
+        openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
+        chown vnc:vnc $TLSCERT
+    fi
+
+) 200>>$TLSKEY 2>/dev/null
+
+# Execute the command we were given.
+exec "$@"