diff --git a/account/mksyscert.in b/account/mksyscert.in
index 6ede8542f929e788e24728c6c31cb1754ae816c3..8d5dbb829ce95d04a1db6624f2dcfe99bfd9fb4f 100755
--- a/account/mksyscert.in
+++ b/account/mksyscert.in
@@ -298,7 +298,7 @@ if( defined( $oldkeyfile ) ) {
     my $genopts =
 	($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
 
-    system("$OPENSSL genrsa $genopts -out syscert_key.pem 1024")
+    system("$OPENSSL genrsa $genopts -out syscert_key.pem 2048")
 	    == 0 or fatal("Could generate new key");
     
     system("$OPENSSL req -text -new -config syscert.cnf ".
diff --git a/account/mkusercert.in b/account/mkusercert.in
index 41183007753d0c997f22823673bf257d0ff2a64f..acd871998bed3bde729a3819644de904a3a207b0 100755
--- a/account/mkusercert.in
+++ b/account/mkusercert.in
@@ -401,7 +401,7 @@ sub CreateNewCert() {
 	my $genopts =
 	    ($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
 
-	system("$OPENSSL genrsa $genopts -out usercert_key.pem 1024")
+	system("$OPENSSL genrsa $genopts -out usercert_key.pem 2048")
 	    == 0 or fatal("Could generate new key");
     }
     my $reqopts = ($encrypted ? "-passin 'pass:${sh_password}' " : "");
diff --git a/ssl/GNUmakefile.in b/ssl/GNUmakefile.in
index 21e89f6c4356589bd18e72b4d429758a3cd59c30..e685b8a47b319f9f51c91f251cc7f04d660c3c93 100644
--- a/ssl/GNUmakefile.in
+++ b/ssl/GNUmakefile.in
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2000-2017 University of Utah and the Flux Group.
+# Copyright (c) 2000-2018 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -159,7 +159,7 @@ emulab_privkey.pem:
 	# Generate a priv key for signing stuff. This one gets a
 	# passphrase.
 	# 
-	openssl genrsa -out emulab_privkey.pem -des3
+	openssl genrsa -out emulab_privkey.pem -des3 2048
 
 emulab_pubkey.pem:	emulab_privkey.pem
 	#
@@ -173,7 +173,7 @@ emulab_pubkey.pem:	emulab_privkey.pem
 # by you and writable. 
 #
 %.key:
-	openssl genrsa -out $@ -rand .rand 1024
+	openssl genrsa -out $@ -rand .rand 2048
 
 # The point of the this is to recover the keys from where they were
 # originally installed. We do this cause people often lose their