diff --git a/container_files/system/shibboleth_keygen.sh b/container_files/system/shibboleth_keygen.sh
old mode 100755
new mode 100644
index 205792e..f6d17ab
--- a/container_files/system/shibboleth_keygen.sh
+++ b/container_files/system/shibboleth_keygen.sh
@@ -1,29 +1,37 @@
 #! /bin/sh
-while getopts h:u:g:o:e:y:bf c
+while getopts n:h:u:g:o:e:y:bf c
 do
 case $c in
+ u) USER=$OPTARG;;
+ g) GROUP=$OPTARG;;
 o) OUT=$OPTARG;;
 b) BATCH=1;;
 f) FORCE=1;;
 h) FQDN=$OPTARG;;
 e) ENTITYID=$OPTARG;;
 y) YEARS=$OPTARG;;
- \?) echo "shibboleth_keygen [-o output directory (default .)] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
+ n) PREFIX=$OPTARG;;
+ \?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]"
 exit 1;;
 esac
 done
+
 if [ -z "$OUT" ] ; then
 OUT=.
 fi
+if [ -z "$PREFIX" ]; then
+ PREFIX="sp"
+fi
+
 if [ -n "$FORCE" ] ; then
- rm $OUT/sp-key.pem $OUT/sp-cert.pem
+ rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
 fi
-if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
+if [ -s $OUT/${PREFIX}-key.pem -o -s $OUT/${PREFIX}-cert.pem ] ; then
 if [ -z "$BATCH" ] ; then
- echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
+ echo The files $OUT/${PREFIX}-key.pem and/or $OUT/${PREFIX}-cert.pem already exist!
 echo Use -f option to force recreation of keypair.
 exit 2
 fi
@@ -31,7 +39,7 @@ if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
 fi
 if [ -z "$FQDN" ] ; then
- FQDN=`hostname --fqdn`
+ FQDN=`hostname`
 fi
 if [ -z "$YEARS" ] ; then
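Review bot: The new `rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem` and `[ -s $OUT/${PREFIX}-key.pem -o -s $OUT/${PREFIX}-cert.pem ]` lines expand `$OUT` and `$PREFIX` unquoted, so a prefix or output directory containing whitespace or glob characters is split into extra `rm` operands or breaks the test; quote them, e.g. `rm "$OUT/${PREFIX}-key.pem" "$OUT/${PREFIX}-cert.pem"`, and replace the deprecated `-o` with two `[ ]` tests joined by `||`. The `-u` option stores its value in `USER`, a name the login environment commonly already carries, so the caller's value is overwritten for the rest of the script; a name such as `OWNER` avoids that. The file header also flips the mode from 100755 to 100644, which drops the executable bit — if the script is invoked directly rather than via `sh`, that looks unintentional.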
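Review bot: Dropping `--fqdn` changes the default subject of the generated certificate from the host's fully-qualified name to whatever plain `hostname` returns, which inside a container is often a short, non-resolvable name rather than a DNS name; the `ALTNAME=DNS:$FQDN` built later in the file then carries that value. If the motivation is portability (BusyBox-style `hostname` lacks `--fqdn`), the usage text should state that `-h` is expected in practice, or the script should try `hostname -f` first and fall back to `hostname` only when that fails. The `if` is complete within the hunk, but the code that consumes `FQDN` lies outside it.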
@@ -46,14 +54,14 @@ else ALTNAME=DNS:$FQDN,URI:$ENTITYID fi -SSLCNF=$OUT/sp-cert.cnf +SSLCNF=$OUT/${PREFIX}-cert.cnf cat >$SSLCNF < /dev/null + openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem 2> /dev/null +fi +rm $SSLCNF + +if [ -s $OUT/${PREFIX}-key.pem -a -n "$USER" ] ; then + chown $USER $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem fi -rm $SSLCNF \ No newline at end of file + +if [ -s $OUT/${PREFIX}-key.pem -a -n "$GROUP" ] ; then + chgrp $GROUP $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem +fi +
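Review bot: The batch branch runs `openssl req ... 2> /dev/null` with no status check, so a failed key generation is silent, `rm $SSLCNF` still runs and the script exits 0 — after `-f` has already deleted the previous keypair, that leaves no key on disk and no error for the caller. Add a status check on both branches, e.g. `openssl req ... || { echo "keypair generation failed" >&2; exit 3; }`, so the new chown/chgrp steps and the invoking process see the failure. The chown/chgrp guards test only `-s $OUT/${PREFIX}-key.pem` but operate on the cert file too, and nothing sets the key's permissions explicitly; unless the installed OpenSSL is known to create `-keyout` files with mode 0600, add `chmod 600 $OUT/${PREFIX}-key.pem` before handing ownership to `$USER`. The middle of this hunk (the here-document that writes `$SSLCNF` and the interactive openssl call) appears to be missing from this rendering, so that branch could not be reviewed.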