I have the same problem. We ship a pre-configured server that has a web-based component. Some users would like all that traffic to be encrypted via SSL but that will open a flood of support calls when they complain the browser says the connection is insecure.
We ship a USB with these systems for re-install; however, I guess we'll have to make a custom key for every customer with their own unique signed certificates on them. I bet they won't keep the key secure either.
I wish there was a way to do it the SSH way, i.e. you've seen this machine once before so you can be sure it's the same machine.
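
The SSH-style "seen this machine before" check wished for above, sketched as trust-on-first-use certificate pinning. This is an added example, not part of the original post; the function names and the JSON pin-store layout are assumptions made for illustration, and the certificate bytes in `demo()` are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import ssl
import tempfile


def fetch_der(host, port=443):
    """Fetch the server's leaf certificate without CA validation (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 over the DER encoding, the same value browsers display."""
    return hashlib.sha256(der).hexdigest()


def check_pin(store_path, host, port, der):
    """Return 'first-seen', 'match' or 'mismatch' for this host's certificate."""
    pins = {}
    if os.path.exists(store_path):
        with open(store_path) as f:
            pins = json.load(f)
    key = f"{host}:{port}"
    seen = fingerprint(der)
    known = pins.get(key)
    if known is None:
        # First contact: record the pin. This step is unauthenticated, exactly
        # like accepting an unknown SSH host key, so compare it out of band.
        pins[key] = seen
        tmp = store_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(pins, f, indent=2)
        os.replace(tmp, store_path)  # atomic swap, no half-written store
        return "first-seen"
    # A mismatch is never overwritten silently; the caller must refuse to connect.
    return "match" if hmac.compare_digest(known, seen) else "mismatch"


def demo():
    """Run the three cases against constructed certificate bytes."""
    original = b"constructed-der-bytes-for-appliance-cert"
    swapped = b"constructed-der-bytes-for-a-different-cert"
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "known_certs.json")
        return [check_pin(store, "appliance.example", 443, c)
                for c in (original, original, swapped)]
```

A legitimate certificate renewal on the server also produces `mismatch`, so a deployment needs a deliberate re-pinning step, the same way a changed SSH host key does.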