diff --git a/hub/httpd.conf b/hub/httpd.conf
index 84965f87..4a74b115 100644
--- a/hub/httpd.conf
+++ b/hub/httpd.conf
@@ -11,28 +11,36 @@ Alias /kojihub "/usr/share/koji-hub/XMLRPC"
PythonOption DBUser koji
PythonOption DBHost db.example.com
PythonOption KojiDir /mnt/koji
- PythonOption AuthPrincipal kojihub@EXAMPLE.COM
- PythonOption AuthKeytab /etc/koji.keytab
- PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
+
+ # Kerberos auth configuration
+ # PythonOption AuthPrincipal kojihub@EXAMPLE.COM
+ # PythonOption AuthKeytab /etc/koji.keytab
+ # PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
+ # format string for host principals (%s = hostname)
+ # PythonOption HostPrincipalFormat compile/%s@EXAMPLE.COM
+ # end Kerberos auth configuration
+
+ # SSL client certificate auth configuration
# the client username is the common name of the subject of their client certificate
- PythonOption DNUsernameComponent CN
+ # PythonOption DNUsernameComponent CN
# separate multiple DNs with |
- PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
+ # PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
+ # end SSL client certificate auth configuration
+
PythonOption LoginCreatesUser On
PythonOption KojiWebURL http://kojiweb.example.com/koji
- #format string for host principals (%s = hostname)
- PythonOption HostPrincipalFormat %s@EXAMPLE.COM
- #PythonOption KojiDebug On
- #PythonOption KojiTraceback "extended"
+ # PythonOption KojiDebug On
+ # PythonOption KojiTraceback "extended"
+ # sending tracebacks to the client isn't very helpful for debugging xmlrpc
PythonDebug Off
- #sending tracebacks to the client isn't very helpful for debugging xmlrpc
+ # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
PythonAutoReload Off
- #autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
# uncomment this to enable authentication via SSL client certificates
#
-# SSLVerifyClient require
-# SSLVerifyDepth 10
# SSLOptions +StdEnvVars
#
+# these options must be enabled globally (in ssl.conf)
+# SSLVerifyClient require
+# SSLVerifyDepth 10
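Review bot: The `# uncomment this to enable authentication via SSL client certificates` comment now covers only `SSLOptions +StdEnvVars`, while the two directives that actually request and verify a certificate sit under a separate comment. An admin who uncomments just the first block exports the SSL variables without any client certificate being required. I would reword the header to something like `# SSL client cert auth: uncomment SSLOptions below AND set SSLVerifyClient/SSLVerifyDepth in ssl.conf`, and add one line saying why those directives have to be global. The same wording is added in the www/conf/kojiweb.conf hunk and needs the same fix. Separately, `PythonOption LoginCreatesUser On` stays active while both auth blocks are commented out, so it deserves a one-line comment stating what it permits once an auth method is enabled.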
diff --git a/hub/kojihub.py b/hub/kojihub.py
index 5ceb9ffc..3b6b0bf7 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -5022,8 +5022,9 @@ class RootExports(object):
q = """SELECT id FROM channels WHERE name = 'default'"""
default_channel = _singleValue(q)
if krb_principal is None:
- fmt = context.opts.get('HostPrincipalFormat','compile/%s@EXAMPLE.COM')
- krb_principal = fmt % hostname
+ fmt = context.opts.get('HostPrincipalFormat')
+ if fmt:
+ krb_principal = fmt % hostname
#users entry
userID = context.session.createUser(hostname, usertype=koji.USERTYPES['HOST'],
krb_principal=krb_principal)
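Review bot: `hostname` is interpolated into the Kerberos principal at `krb_principal = fmt % hostname` with no validation visible in the hunk, so a name containing `@` or `/` would produce a principal whose realm or component layout differs from what the admin's HostPrincipalFormat intends. If nothing earlier in the method already restricts the name, reject such input before formatting, e.g. `if '@' in hostname or '/' in hostname: raise koji.GenericError('invalid hostname: %s' % hostname)`. A configured format that lacks `%s` also raises a bare TypeError on this line; catching it and reporting a configuration error would be clearer for the caller. The enclosing method starts and ends outside the hunk.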
diff --git a/www/conf/kojiweb.conf b/www/conf/kojiweb.conf
index 79b5cddf..61243c34 100644
--- a/www/conf/kojiweb.conf
+++ b/www/conf/kojiweb.conf
@@ -39,11 +39,12 @@ Alias /koji "/usr/share/koji-web/scripts/"
#
# uncomment this to enable authentication via SSL client certificates
-
- SSLVerifyClient require
- SSLVerifyDepth 10
- SSLOptions +StdEnvVars
-
+#
+# SSLOptions +StdEnvVars
+#
+# these options must be enabled globally (in ssl.conf)
+# SSLVerifyClient require
+# SSLVerifyDepth 10
Alias /koji-static/ "/usr/share/koji-web/static/"