diff --git a/xrdp.spec b/xrdp.spec
index ffe60b1..e5e1d49 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -4,7 +4,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.1
-Release:   3%{?dist}
+Release:   4%{?dist}
 License:   ASL 2.0
 Group:     Applications/Internet
 URL:       http://www.xrdp.org/
@@ -82,20 +82,6 @@ echo '#!/bin/bash -l
 %post
 %systemd_post xrdp.service
 
-if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
-  (umask 377; xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini >/dev/null)
-fi
-chmod 400 %{_sysconfdir}/xrdp/rsakeys.ini
-
-if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
-  (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
-    -keyout %{_sysconfdir}/xrdp/key.pem \
-    -out %{_sysconfdir}/xrdp/cert.pem \
-    -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
-fi
-chmod 400 %{_sysconfdir}/xrdp/cert.pem
-chmod 400 %{_sysconfdir}/xrdp/key.pem
-
 %preun
 %systemd_preun xrdp.service
 if [ $1 -eq 0 ]; then
@@ -119,6 +105,21 @@ if [ "`systemctl is-active xrdp.service`" = 'active' ]; then
     systemctl start xrdp.service >/dev/null 2>&1 || :
 fi
 
+%posttrans
+if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+  (umask 377; xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini >/dev/null)
+fi
+chmod 400 %{_sysconfdir}/xrdp/rsakeys.ini
+
+if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
+  (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+    -keyout %{_sysconfdir}/xrdp/key.pem \
+    -out %{_sysconfdir}/xrdp/cert.pem \
+    -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
+fi
+chmod 400 %{_sysconfdir}/xrdp/cert.pem
+chmod 400 %{_sysconfdir}/xrdp/key.pem
+
 
 %files
 %doc COPYING *.txt
@@ -183,6 +184,9 @@ fi
 %{_libdir}/pkgconfig/xrdp.pc
 
 %changelog
+* Mon Feb 20 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.1-4
+- Move key/cert generation to posttrans stage
+
 * Thu Feb 16 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.1-3
 - Fix log file rotation