the stuff here written here that "the DD-WRT people" do not care is not right.
We noticed this article (even now subscribed to lwn) and we'll take care on a solution.
Our main hassle with a solution right now is, that we on most platforms do not have enough space to put openssl for the key (and x509) stuff into the firmware.
Secondly, we don't trust in the right now random quality on embedded systems. (Ok, that is for sure better than having these "secret defaults").
Also we assume, that offering people the service somewhere "out in the web" to generate the keys will also lead into trust problems again.
We found stuff to do the RSA part already, but haven't finished off with the x509 part.