diff --git a/README b/README
new file mode 100644
index 00000000..baaeb079
--- /dev/null
+++ b/README
@@ -0,0 +1,17 @@
+Configuring SSL
+---------------
+Generate an unencrypted RSA private key for the servers and a certificate:
+
+ openssl genrsa -out rabbit-server-privkey.pem 2048
+
+Get an X.509 certificate. This can be self-signed, for example:
+
+ openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
+
+Deploy the service:
+
+ juju deploy rabbitmq-server rabbit
+
+Enable SSL, passing in the key and certificate as configuration settings:
+
+ juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 00000000..bfd22962
--- /dev/null
+++ b/config.yaml
@@ -0,0 +1,15 @@
+options:
+ ssl_enabled:
+ type: boolean
+ default: False
+ description: enable SSL
+ ssl_port:
+ type: int
+ default: 5673
+ description: SSL port
+ ssl_key:
+ type: string
+ description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+ ssl_cert:
+ type: string
+ description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
diff --git a/hooks/config-changed b/hooks/config-changed
new file mode 100755
index 00000000..e1c498de
--- /dev/null
+++ b/hooks/config-changed
@@ -0,0 +1,59 @@ +#!/bin/bash +set -eu + +juju-log "rabbitmq-server: Firing config hook" + +ssl_enabled=`config-get ssl_enabled` + +cd /etc/rabbitmq + +new_config=`mktemp /etc/rabbitmq/.rabbitmq.config.XXXXXX` +chgrp rabbitmq "$new_config" +chmod g+r "$new_config" +exec 3> "$new_config" + +cat >&3 < "$ssl_key_file" + config-get ssl_cert > "$ssl_cert_file" + chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file" + if [ ! -s "$ssl_key_file" ]; then + juju-log "ssl_key not set - can't configure SSL" + exit 0 + fi + if [ ! -s "$ssl_cert_file" ]; then + juju-log "ssl_cert not set - can't configure SSL" + exit 0 + fi + cat >&3 <&3 <&- + +if [ -f rabbitmq.config ]; then + mv rabbitmq.config{,.bak} +fi + +mv "$new_config" rabbitmq.config + +/etc/init.d/rabbitmq-server restart diff --git a/revision b/revision index e85087af..a7873645 100644 --- a/revision +++ b/revision @@ -1 +1 @@ -31 +34
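Review bot: The private key in hooks/config-changed is written by `config-get ssl_key > "$ssl_key_file"` and then only `chgrp rabbitmq` is applied, so its mode comes from the hook's umask; unless a restrictive umask is set in the part of this hunk the page has lost (the here-document bodies are missing), the unencrypted key is likely left world-readable. I would create it restrictively, e.g. `( umask 077; config-get ssl_key > "$ssl_key_file" )`, then `chmod 0640 "$ssl_key_file"` after the chgrp. Separately, both `exit 0` branches run after `mktemp` and after the key and cert files have already been overwritten, so an unset `ssl_key` leaves a stray `.rabbitmq.config.XXXXXX` in /etc/rabbitmq, truncates any previously deployed key, and still reports success to Juju. A `trap 'rm -f -- "$new_config"' EXIT` next to the mktemp, plus checking that both values are non-empty before redirecting them into place, would avoid that.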