diff --git a/system/options.nix b/system/options.nix
index 495938ba15b..b27f74b9234 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -1464,6 +1464,22 @@
         ";
       };
 
+      sslServerCert = mkOption {
+        default = "";
+	example = /var/host.cert;
+	description = "
+	  Path to server SSL certificate.
+	";
+      };
+
+      sslServerKey = mkOption {
+        default = "";
+	example = /var/host.key;
+	description = "
+	  Path to server SSL certificate key.
+	";
+      };
+
       logDir = mkOption {
         default = "/var/log/httpd";
         description = "
diff --git a/upstart-jobs/apache-httpd/default.nix b/upstart-jobs/apache-httpd/default.nix
index 9d3a614c329..b3f3d0518e6 100644
--- a/upstart-jobs/apache-httpd/default.nix
+++ b/upstart-jobs/apache-httpd/default.nix
@@ -58,6 +58,8 @@ let
 
   allSubservices = mainSubservices ++ pkgs.lib.concatMap subservicesFor vhosts;
 
+  sslServerCert = cfg.sslServerCert;
+  sslServerKey = cfg.sslServerKey;
 
   # !!! should be in lib
   writeTextInDir = name: text:
@@ -81,7 +83,7 @@ let
       "mime" "dav" "status" "autoindex" "asis" "info" "cgi" "dav_fs"
       "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
       "userdir" "alias" "rewrite" "proxy" "proxy_http"
-    ] ++ optional cfg.enableSSL "ssl_module";
+    ] ++ optional cfg.enableSSL "ssl";
     
 
   loggingConf = ''
@@ -128,8 +130,8 @@ let
 
         SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
-        SSLCertificateFile @sslServerCert@
-        SSLCertificateKeyFile @sslServerKey@
+        SSLCertificateFile ${sslServerCert}
+        SSLCertificateKeyFile ${sslServerKey}
 
         #   MSIE compatability.
         SetEnvIf User-Agent ".*MSIE.*" \