When using legacy security, it's possible for the server to lazily generate a self-signed certificate on first use for a specified host name. I've created a proposal for adding similar functionality when Elytron is in use: