diff --git a/Makefile.am b/Makefile.am index 486ff1d67a..5db9220c5c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -29,8 +29,7 @@ else bin_PROGRAMS += coolwsd endif -dist_bin_SCRIPTS = coolwsd-systemplate-setup \ - coolwsd-generate-proof-key +dist_bin_SCRIPTS = coolwsd-systemplate-setup man_MANS = man/coolwsd.1 \ man/coolforkit.1 \ @@ -38,7 +37,6 @@ man_MANS = man/coolwsd.1 \ man/coolconfig.1 \ man/coolstress.1 \ man/coolwsd-systemplate-setup.1 \ - man/coolwsd-generate-proof-key.1 \ man/coolmount.1 diff --git a/coolwsd-generate-proof-key b/coolwsd-generate-proof-key deleted file mode 100755 index 1765f23bfb..0000000000 --- a/coolwsd-generate-proof-key +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env bash - -if [ "$1" == "-h" ]; then - echo "Usage: coolwsd-generate-proof-key [-h] [CONFIGDIR]" - echo "CONFIGDIR defaults to /etc/coolwsd" - exit 0 -fi - -if [ "$1" ]; then - CONFIGDIR="$1" -else - CONFIGDIR="/etc/coolwsd" -fi - -SUDO='' -if [ ! -w "$CONFIGDIR" ]; then - if (( $EUID != 0 )); then - if hash sudo 2>/dev/null; then - SUDO='sudo' - else - echo "Run the script as root." - exit 1 - fi - fi -fi - -if [ -f $CONFIGDIR/proof_key ]; then - echo "$CONFIGDIR/proof_key exists already." - exit 0 -fi - -if hash ssh-keygen 2>/dev/null; then - $SUDO ssh-keygen -t rsa -N "" -m PEM -f $CONFIGDIR/proof_key - if [ $? -ne 0 ] ; then - exit $? - fi - if id -u cool >/dev/null 2>&1; then - $SUDO chown cool: $CONFIGDIR/proof_key - else - echo "User cool does not exist. Please reinstall coolwsd package, or in case of manual installation from source, create the cool user manually." - fi -else - echo "ssh-keygen command not found. Please install openssh client tools." - exit 127 -fi - diff --git a/coolwsd.spec.in b/coolwsd.spec.in index dca7bea891..60d42bff96 100644 --- a/coolwsd.spec.in +++ b/coolwsd.spec.in 
@@ -15,7 +15,7 @@ License: EULA Source0: coolwsd-@PACKAGE_VERSION@.tar.gz BuildRequires: libcap-devel pam-devel gcc-c++ cppunit-devel pam-devel fontconfig make Requires: collaboraoffice collaboraoffice-ure collaboraofficebasis-core collaboraofficebasis-writer collaboraofficebasis-impress collaboraofficebasis-graphicfilter collaboraofficebasis-en-US collaboraofficebasis-calc collaboraofficebasis-ooofonts collaboraofficebasis-images collaboraofficebasis-draw collaboraofficebasis-extension-pdf-import collaboraofficebasis-ooolinguistic collaboraofficebasis-math -Requires(post): coreutils grep sed cpio /usr/sbin/setcap /usr/bin/ssh-keygen +Requires(post): coreutils grep sed cpio /usr/sbin/setcap Provides: loolwsd Obsoletes: loolwsd collaboraoffice-dict-br collaboraoffice-dict-et collaboraoffice-dict-gd collaboraoffice-dict-gu collaboraoffice-dict-hi collaboraoffice-dict-lt collaboraoffice-dict-lv collaboraoffice-dict-ro collaboraoffice-dict-sr collaboraoffice-dict-te collaboraofficebasis-as collaboraofficebasis-bn-IN collaboraofficebasis-ast collaboraofficebasis-br collaboraofficebasis-ca-valencia collaboraofficebasis-cy collaboraofficebasis-et collaboraofficebasis-ga collaboraofficebasis-gd collaboraofficebasis-gu collaboraofficebasis-hi collaboraofficebasis-km collaboraofficebasis-kn collaboraofficebasis-lt collaboraofficebasis-lv collaboraofficebasis-ml collaboraofficebasis-mr collaboraofficebasis-nn collaboraofficebasis-or collaboraofficebasis-pa-IN collaboraofficebasis-ro collaboraofficebasis-sr collaboraofficebasis-sr-Latn collaboraofficebasis-ta collaboraofficebasis-te @@ -56,7 +56,6 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/coolwsd /usr/bin/loolwsd /usr/bin/coolwsd-systemplate-setup /usr/bin/loolwsd-systemplate-setup -/usr/bin/coolwsd-generate-proof-key /usr/bin/coolforkit /usr/bin/coolconvert /usr/bin/coolconfig 
@@ -77,7 +76,6 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/coolwsd /usr/share/man/man1/coolconfig.1.gz /usr/share/man/man1/coolstress.1.gz /usr/share/man/man1/coolwsd-systemplate-setup.1.gz -/usr/share/man/man1/coolwsd-generate-proof-key.1.gz /usr/share/man/man1/coolmount.1.gz /usr/lib/systemd/system/coolwsd.service @@ -130,7 +128,7 @@ chown cool:cool ${coolparent}/cool/child-roots fc-cache ${lokitroot}/share/fonts/truetype coolwsd-systemplate-setup ${coolparent}/cool/systemplate ${lokitroot} >/dev/null 2>&1 -coolwsd-generate-proof-key >/dev/null 2>&1 +coolconfig generate-proof-key >/dev/null 2>&1 if [ $COOLWSD_IS_ACTIVE == "1" ]; then systemctl start coolwsd; fi diff --git a/debian/control b/debian/control index e52951cfba..eacc860b0f 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Package: coolwsd Section: web Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, - adduser, fontconfig, cpio, libcap2-bin, openssh-client, + adduser, fontconfig, cpio, libcap2-bin, collaboraofficebasis-calc, collaboraofficebasis-core, collaboraofficebasis-graphicfilter, diff --git a/debian/coolwsd.postinst.in b/debian/coolwsd.postinst.in index 36a5e88bee..96eebef9a1 100644 --- a/debian/coolwsd.postinst.in +++ b/debian/coolwsd.postinst.in @@ -24,7 +24,7 @@ case "$1" in fc-cache @LO_PATH@/share/fonts/truetype coolwsd-systemplate-setup /opt/cool/systemplate @LO_PATH@ >/dev/null 2>&1 - coolwsd-generate-proof-key >/dev/null 2>&1 + coolconfig generate-proof-key >/dev/null 2>&1 cat << EOF > /etc/apt/apt.conf.d/25coolwsd // Rebuild systemplate of @APP_NAME@ DPkg::Post-Invoke { "echo Updating coolwsd systemplate;coolwsd-systemplate-setup /opt/cool/systemplate @LO_PATH@ >/dev/null 2>&1 || true"; }; diff --git a/docker/from-packages/scripts/start-collabora-online.sh b/docker/from-packages/scripts/start-collabora-online.sh index 4956bb114a..1e7e0cf05e 100755 --- a/docker/from-packages/scripts/start-collabora-online.sh 
+++ b/docker/from-packages/scripts/start-collabora-online.sh @@ -56,7 +56,7 @@ fi ) & # Generate WOPI proof key -coolwsd-generate-proof-key +coolconfig generate-proof-key # Start coolwsd exec /usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --o:logging.color=false ${extra_params} diff --git a/man/coolconfig.1 b/man/coolconfig.1 index d2a024667c..14e691ec4e 100644 --- a/man/coolconfig.1 +++ b/man/coolconfig.1 @@ -1,4 +1,4 @@ -.TH COOLCONFIG "1" "Nov 2021" "coolconfig" "User Commands" +.TH COOLCONFIG "1" "Jul 2023" "coolconfig" "User Commands" .SH NAME coolconfig \- Configuration tool for Collabora Online. .SH SYNOPSIS @@ -50,5 +50,7 @@ The \fBupdate\-system\-template\fR command updates Collabora Online's system tem .PP update\-system\-template .PP +.SS "generate\-proof\-key" +The \fBgenerate\-proof\-key\fR command creates an RSA key pair in /etc/coolwsd for the WOPI Proof headers. The postinstall script of coolwsd package usually creates this RSA key pair in case of new installation. .SH "SEE ALSO" -coolforkit(1), coolconvert(1), coolwsd(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1) +coolforkit(1), coolconvert(1), coolwsd(1), coolwsd-systemplate-setup(1), coolmount(1) diff --git a/man/coolconvert.1 b/man/coolconvert.1 index 92dd0933bb..4aa97266d4 100644 --- a/man/coolconvert.1 +++ b/man/coolconvert.1 @@ -17,4 +17,4 @@ coolconvert OPTIONS FILE(S) \fB\-\-no\-check\-certificate\fR Disable checking of SSL certs .PP .SH "SEE ALSO" -coolwsd(1), coolforkit(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1) +coolwsd(1), coolforkit(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1) diff --git a/man/coolforkit.1 b/man/coolforkit.1 index bcd074b49a..e13621c810 100644 --- a/man/coolforkit.1 +++ b/man/coolforkit.1 
@@ -8,4 +8,4 @@ Single-threaded process that spawns LibreOfficeKit (LOK) instances. .PP \fBNote\fR: Running this standalone is not possible. It is spawned by coolwsd and is controlled via a pipe. .SH "SEE ALSO" -coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1) +coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1) diff --git a/man/coolmount.1 b/man/coolmount.1 index 66cca3546f..46ebd4a57d 100644 --- a/man/coolmount.1 +++ b/man/coolmount.1 @@ -8,4 +8,4 @@ This is a very tiny helper to allow overlay mounting. .PP \fBNote\fR: Running this standalone is not possible. It is used internally by coolwsd when it creates the jail for the document. .SH "SEE ALSO" -coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolforkit(1) +coolwsd(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolforkit(1) diff --git a/man/coolwsd-generate-proof-key.1 b/man/coolwsd-generate-proof-key.1 deleted file mode 100644 index ae99bab6e1..0000000000 --- a/man/coolwsd-generate-proof-key.1 +++ /dev/null @@ -1,9 +0,0 @@ -.TH COOLWSD-GENERATE_PROOF_KEY "1" "April 2020" "coolwsd-generate-proof-key " "User Commands" -.SH NAME -coolwsd-generate-proof-key \- Utility that genarates WOPI Proof keys for Collabora Online -.SH SYNOPSIS -coolwsd-generate-proof-key -.SH DESCRIPTION -coolwsd-generate-proof-key creates an RSA key pair in /etc/coolwsd for the WOPI Proof headers. The script is automatically run by the postinstall script of coolwsd package, but in case of failure sysadmins can run it manually. -.SH "SEE ALSO" -coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolwsd-systemplate-setup(1), coolmount(1) diff --git a/man/coolwsd-systemplate-setup.1 b/man/coolwsd-systemplate-setup.1 index 73fe8f24f1..a06fdca745 100644 --- a/man/coolwsd-systemplate-setup.1 +++ b/man/coolwsd-systemplate-setup.1 
@@ -6,4 +6,4 @@ coolwsd-systemplate-setup .SH DESCRIPTION coolwsd-systemplate-setup creates a minimal system template for running the LibreOfficeKit in a chroot jail. The system template contains the bare minimum of system libraries to run LibreOfficeKit, and also fonts and locale data from the system. .SH "SEE ALSO" -coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolwsd-generate-proof-key(1), coolmount(1) +coolforkit(1), coolconvert(1), coolconfig(1), coolwsd(1), coolmount(1) diff --git a/man/coolwsd.1 b/man/coolwsd.1 index f08eaabe7b..1b5fdd10f1 100644 --- a/man/coolwsd.1 +++ b/man/coolwsd.1 @@ -31,4 +31,4 @@ coolwsd OPTIONS \fB\-\-nocaps\fR Use a non\-privileged forkit, with increase in security problems. .PP .SH "SEE ALSO" -coolforkit(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolwsd-generate-proof-key(1), coolmount(1) +coolforkit(1), coolconvert(1), coolconfig(1), coolwsd-systemplate-setup(1), coolmount(1) diff --git a/tools/Config.cpp b/tools/Config.cpp index d269d7805e..f093bf43d5 100644 --- a/tools/Config.cpp +++ b/tools/Config.cpp @@ -9,7 +9,10 @@ #include #include +#include #include +#include +#include #include #include #include @@ -17,6 +20,7 @@ #include #include +#include #include #include #include @@ -126,6 +130,7 @@ void Config::displayHelp() << " set-support-key" << std::endl #endif << " set " << std::endl + << " generate-proof-key" << std::endl << " update-system-template" << std::endl << std::endl; } 
@@ -440,6 +445,47 @@ int Config::main(const std::vector& args) std::cout << "Migration of old configuration failed." << std::endl; } } + else if (args[0] == "generate-proof-key") + { + std::string proofKeyPath = +#if ENABLE_DEBUG + DEBUG_ABSSRCDIR +#else + COOLWSD_CONFIGDIR +#endif + "/proof_key"; + +#if !ENABLE_DEBUG + struct passwd* pwd; + pwd = getpwnam(COOL_USER_ID); + if (pwd == NULL) + { + std::cerr << "User '" COOL_USER_ID + "' does not exist. Please reinstall coolwsd package, or in case of manual " + "installation from source, create the '" COOL_USER_ID "' user manually." + << std::endl; + return EX_NOUSER; + } +#endif + + Poco::File proofKeyFile(proofKeyPath); + if (!proofKeyFile.exists()) + { + Poco::Crypto::RSAKey proofKey = + Poco::Crypto::RSAKey(Poco::Crypto::RSAKey::KeyLength::KL_2048, + Poco::Crypto::RSAKey::Exponent::EXP_LARGE); + proofKey.save(proofKeyPath + ".pub", proofKeyPath, "" /*no password*/); +#if !ENABLE_DEBUG + chmod(proofKeyPath.c_str(), S_IRUSR | S_IWUSR); + chown(proofKeyPath.c_str(), pwd->pw_uid, -1); +#endif + } + else + { + std::cerr << proofKeyPath << " exists already. New proof key was not generated." + << std::endl; + } + } else { std::cerr << "No such command, \"" << args[0] << '"' << std::endl; diff --git a/wsd/ProofKey.cpp b/wsd/ProofKey.cpp index 46dfa5fc68..bb6cc8b345 100644 --- a/wsd/ProofKey.cpp +++ b/wsd/ProofKey.cpp @@ -140,7 +140,7 @@ Proof::Proof() std::string msg = e.displayText() + "\nNo proof-key will be present in discovery." "\nIf you need to use WOPI security, generate an RSA key using this command:" - "\n coolwsd-generate-proof-key" + "\n sudo coolconfig generate-proof-key" "\nor if your config dir is not /etc, you can run ssh-keygen manually:" "\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\"" "\nNote: the proof_key file must be readable by the coolwsd process.";
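Review bot: In the `generate-proof-key` branch the private key is written by `proofKey.save(...)` before `chmod(..., S_IRUSR | S_IWUSR)` runs, so between the two calls the file presumably has whatever mode the process umask allows, and the return values of `chmod` and `chown` are ignored. If `chown` fails, the key stays owned by the invoking user with mode 0600 and coolwsd cannot read it, yet the command reports nothing; the packaging callers in this commit also send output to /dev/null, so the exit status is the only signal. I would tighten the umask around the save and turn a failed `chmod`/`chown` into an error return, as sketched below; the tighter umask also applies to `proof_key.pub`, which may need its mode relaxed afterwards if anything else reads it. `Config::main` starts and ends outside this hunk, so whether an exception thrown by `save` is handled further out cannot be seen here.

```cpp
        if (!proofKeyFile.exists())
        {
            // … unchanged: RSAKey construction …
            // Create the key files without group/other access so the private
            // key is never readable by other users, even briefly.
            const mode_t oldMask = umask(S_IRWXG | S_IRWXO);
            proofKey.save(proofKeyPath + ".pub", proofKeyPath, "" /*no password*/);
            umask(oldMask);
#if !ENABLE_DEBUG
            if (chmod(proofKeyPath.c_str(), S_IRUSR | S_IWUSR) != 0 ||
                chown(proofKeyPath.c_str(), pwd->pw_uid, -1) != 0)
            {
                std::cerr << "Failed to set mode or owner of " << proofKeyPath << std::endl;
                return EX_NOPERM;
            }
#endif
```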
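Review bot: The fallback in this message still tells the admin to run `ssh-keygen`, but the same commit drops `openssh-client` from debian/control and `/usr/bin/ssh-keygen` from the spec's `Requires(post)`, so the tool may no longer be installed. The new `coolconfig generate-proof-key` branch writes only to the compiled-in config directory, which leaves the ssh-keygen route as the only one offered for a non-default directory. The text should therefore name the package that provides it. The closing note could also match the 0600 mode the new command sets, e.g. `"\nNote: the proof_key file must be readable only by the user the coolwsd process runs as (mode 0600)."`. `Proof::Proof()` continues outside the hunk.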