diff --git a/grpc_ssl.t b/grpc_ssl.t
index f59d867..41bac32 100644
--- a/grpc_ssl.t
+++ b/grpc_ssl.t
@@ -103,7 +103,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
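Review bot: No `default_md` is set in the `[ req ]` section, so the signature digest of the self-signed certificates produced by `openssl req -x509 -new -config $d/openssl.conf` is left to whatever the installed OpenSSL build defaults to. The patch pins `sha256` only in the `[ myca ]` sections (ssl.t, ssl_certificate_chain.t, ssl_crl.t, ssl_stapling.t, ssl_verify_depth.t). Adding `default_md = sha256` under `[ req ]` would make the generated test certificates independent of the OpenSSL version in use. The same applies to the other `[ req ]` hunks in this patch; the heredoc continues outside the hunk.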
@@ -121,7 +121,7 @@
 
 foreach my $name ('client') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
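Review bot: The `die` after `openssl genrsa` reports `$!`, which Perl sets only when system() returns -1 because the command could not be started. When openssl runs and exits non-zero, for example because the build rejects the requested parameters, the message carries a stale or empty errno and hides the real cause. Reporting the exit status and the log would be more useful: `or die "Can't create private key: exit " . ($? >> 8) . ", see $d/openssl.out\n";`. The same pattern is in the genrsa hunks of mail_ssl.t, proxy_ssl_certificate.t, ssl_certificate.t, ssl_certificates.t, ssl_password_file.t, stream_proxy_ssl_certificate.t, stream_ssl.t and stream_ssl_certificate.t. The foreach body continues past the end of the hunk.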
diff --git a/h2_proxy_request_buffering_ssl.t b/h2_proxy_request_buffering_ssl.t
index 5f15175..b677b6e 100644
--- a/h2_proxy_request_buffering_ssl.t
+++ b/h2_proxy_request_buffering_ssl.t
@@ -82,7 +82,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_proxy_ssl.t b/h2_proxy_ssl.t
index f03f0a4..a7bb9a7 100644
--- a/h2_proxy_ssl.t
+++ b/h2_proxy_ssl.t
@@ -57,7 +57,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl.t b/h2_ssl.t
index fa44582..907fb31 100644
--- a/h2_ssl.t
+++ b/h2_ssl.t
@@ -56,7 +56,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_proxy_cache.t b/h2_ssl_proxy_cache.t
index 029040c..74dcfb2 100644
--- a/h2_ssl_proxy_cache.t
+++ b/h2_ssl_proxy_cache.t
@@ -70,7 +70,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_variables.t b/h2_ssl_variables.t
index 4bd14e2..25d0aa0 100644
--- a/h2_ssl_variables.t
+++ b/h2_ssl_variables.t
@@ -69,7 +69,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_verify_client.t b/h2_ssl_verify_client.t
index e4af45d..5908e66 100644
--- a/h2_ssl_verify_client.t
+++ b/h2_ssl_verify_client.t
@@ -73,7 +73,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_capability.t b/mail_capability.t
index 5456fc8..2b64c0d 100644
--- a/mail_capability.t
+++ b/mail_capability.t
@@ -103,7 +103,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_imap_ssl.t b/mail_imap_ssl.t
index c7ebfb5..2089a7f 100644
--- a/mail_imap_ssl.t
+++ b/mail_imap_ssl.t
@@ -119,7 +119,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_ssl.t b/mail_ssl.t
index 5d200e5..c0521b7 100644
--- a/mail_ssl.t
+++ b/mail_ssl.t
@@ -139,7 +139,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -149,7 +149,7 @@
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:localhost "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/proxy_if.t b/proxy_if.t
index 7436321..6146a41 100644
--- a/proxy_if.t
+++ b/proxy_if.t
@@ -158,7 +158,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_request_buffering_ssl.t b/proxy_request_buffering_ssl.t
index 36c5963..5fd7f3c 100644
--- a/proxy_request_buffering_ssl.t
+++ b/proxy_request_buffering_ssl.t
@@ -97,7 +97,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl.t b/proxy_ssl.t
index 43e31e7..192457f 100644
--- a/proxy_ssl.t
+++ b/proxy_ssl.t
@@ -79,7 +79,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_certificate.t b/proxy_ssl_certificate.t
index a49ee8c..5a2ce63 100644
--- a/proxy_ssl_certificate.t
+++ b/proxy_ssl_certificate.t
@@ -100,7 +100,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -118,7 +118,7 @@
 
 foreach my $name ('3.example.com') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/proxy_ssl_keepalive.t b/proxy_ssl_keepalive.t
index aefdcca..526c018 100644
--- a/proxy_ssl_keepalive.t
+++ b/proxy_ssl_keepalive.t
@@ -73,7 +73,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_name.t b/proxy_ssl_name.t
index 5557a36..00245ba 100644
--- a/proxy_ssl_name.t
+++ b/proxy_ssl_name.t
@@ -116,7 +116,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_verify.t b/proxy_ssl_verify.t
index 09133ee..5d8a3f5 100644
--- a/proxy_ssl_verify.t
+++ b/proxy_ssl_verify.t
@@ -109,7 +109,7 @@
 $t->write_file('openssl.1.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
@@ -124,7 +124,7 @@
 $t->write_file('openssl.2.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 
diff --git a/ssl.t b/ssl.t
index e656e7c..20068c1 100644
--- a/ssl.t
+++ b/ssl.t
@@ -151,7 +151,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -166,7 +166,7 @@
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 3
diff --git a/ssl_certificate.t b/ssl_certificate.t
index e02fceb..cfba552 100644
--- a/ssl_certificate.t
+++ b/ssl_certificate.t
@@ -134,7 +134,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -152,7 +152,7 @@
 
 foreach my $name ('pass') {
 	system("openssl genrsa -out $d/$name.key -passout pass:pass "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create $name key: $!\n";
 	system("openssl req -x509 -new -config $d/openssl.conf "
 		. "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t
index d2aa542..d2ab0c2 100644
--- a/ssl_certificate_chain.t
+++ b/ssl_certificate_chain.t
@@ -73,7 +73,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -86,7 +86,7 @@
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_certificate_perl.t b/ssl_certificate_perl.t
index 87660c7..82d949c 100644
--- a/ssl_certificate_perl.t
+++ b/ssl_certificate_perl.t
@@ -81,7 +81,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_certificates.t b/ssl_certificates.t
index ab58ca9..a6ec6ad 100644
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -70,7 +70,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -80,7 +80,7 @@
 
 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
 	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
-system("openssl genrsa -out $d/rsa.key 1024 >>$d/openssl.out 2>&1") == 0
+system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
         or die "Can't create RSA pem: $!\n";
 
 foreach my $name ('ec', 'rsa') {
diff --git a/ssl_client_escaped_cert.t b/ssl_client_escaped_cert.t
index d2a70d9..e7fb5ee 100644
--- a/ssl_client_escaped_cert.t
+++ b/ssl_client_escaped_cert.t
@@ -63,7 +63,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_crl.t b/ssl_crl.t
index 25110ea..c5e32a8 100644
--- a/ssl_crl.t
+++ b/ssl_crl.t
@@ -81,7 +81,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -94,7 +94,7 @@
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_engine_keys.t b/ssl_engine_keys.t
index 7c21400..c42b042 100644
--- a/ssl_engine_keys.t
+++ b/ssl_engine_keys.t
@@ -106,7 +106,7 @@
 PIN = 1234
 
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -127,7 +127,7 @@
 		. ">>$d/openssl.out 2>&1");
 
 	system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so '
-		. '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:1024 '
+		. '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 '
 		. ">>$d/openssl.out 2>&1");
 
 	system('openssl req -x509 -new -engine pkcs11 '
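Review bot: The `pkcs11-tool` call that creates `nx_key_0` discards system()'s return value, so a token that cannot generate the key (now `rsa:2048`) causes no failure at this step and leaves only a trace in `openssl.out`. If this is not deliberate best-effort, check it the way the genrsa steps elsewhere in this patch are checked: `. ">>$d/openssl.out 2>&1") == 0 or die "Can't create token key: $?\n";`. The statement cut off at the top of the hunk ends the same way without a check. The enclosing block starts and ends outside the hunk, so a later check or skip may already cover this.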
diff --git a/ssl_password_file.t b/ssl_password_file.t
index f59d35a..6dbfb03 100644
--- a/ssl_password_file.t
+++ b/ssl_password_file.t
@@ -92,7 +92,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -103,7 +103,7 @@
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/ssl_proxy_protocol.t b/ssl_proxy_protocol.t
index 6ef3a8a..1e69bf0 100644
--- a/ssl_proxy_protocol.t
+++ b/ssl_proxy_protocol.t
@@ -76,7 +76,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_proxy_upgrade.t b/ssl_proxy_upgrade.t
index fb1619d..261234f 100644
--- a/ssl_proxy_upgrade.t
+++ b/ssl_proxy_upgrade.t
@@ -72,7 +72,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni.t b/ssl_sni.t
index a3e53ff..8df5876 100644
--- a/ssl_sni.t
+++ b/ssl_sni.t
@@ -100,7 +100,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t
index 75878d7..2f31662 100644
--- a/ssl_sni_reneg.t
+++ b/ssl_sni_reneg.t
@@ -76,7 +76,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t
index 5780bc5..35ef753 100644
--- a/ssl_sni_sessions.t
+++ b/ssl_sni_sessions.t
@@ -106,7 +106,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_stapling.t b/ssl_stapling.t
index 9319fbe..d5b8ff3 100644
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -124,7 +124,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -137,7 +137,7 @@
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_verify_client.t b/ssl_verify_client.t
index ef86c7f..60a8cfd 100644
--- a/ssl_verify_client.t
+++ b/ssl_verify_client.t
@@ -116,7 +116,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
index 0912a54..37a8c10 100644
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -63,7 +63,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -76,7 +76,7 @@
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/stream_proxy_protocol_ssl.t b/stream_proxy_protocol_ssl.t
index d64e6c3..141f181 100644
--- a/stream_proxy_protocol_ssl.t
+++ b/stream_proxy_protocol_ssl.t
@@ -59,7 +59,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl.t b/stream_proxy_ssl.t
index 15371f8..cc6b6c7 100644
--- a/stream_proxy_ssl.t
+++ b/stream_proxy_ssl.t
@@ -83,7 +83,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_certificate.t b/stream_proxy_ssl_certificate.t
index 876195b..ee2e0d5 100644
--- a/stream_proxy_ssl_certificate.t
+++ b/stream_proxy_ssl_certificate.t
@@ -104,7 +104,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -122,7 +122,7 @@
 
 foreach my $name ('3.example.com') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/stream_proxy_ssl_name.t b/stream_proxy_ssl_name.t
index c3064c3..304a578 100644
--- a/stream_proxy_ssl_name.t
+++ b/stream_proxy_ssl_name.t
@@ -101,7 +101,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_name_complex.t b/stream_proxy_ssl_name_complex.t
index 262ac95..47b317f 100644
--- a/stream_proxy_ssl_name_complex.t
+++ b/stream_proxy_ssl_name_complex.t
@@ -62,7 +62,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_verify.t b/stream_proxy_ssl_verify.t
index ea116dc..e9d5f28 100644
--- a/stream_proxy_ssl_verify.t
+++ b/stream_proxy_ssl_verify.t
@@ -111,7 +111,7 @@
 $t->write_file('openssl.1.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
@@ -126,7 +126,7 @@
 $t->write_file('openssl.2.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 
diff --git a/stream_ssl.t b/stream_ssl.t
index 78490e2..641d123 100644
--- a/stream_ssl.t
+++ b/stream_ssl.t
@@ -92,7 +92,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -103,7 +103,7 @@
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/stream_ssl_certificate.t b/stream_ssl_certificate.t
index b8e0493..13425a4 100644
--- a/stream_ssl_certificate.t
+++ b/stream_ssl_certificate.t
@@ -117,7 +117,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -135,7 +135,7 @@
 
 foreach my $name ('pass') {
 	system("openssl genrsa -out $d/$name.key -passout pass:pass "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create $name key: $!\n";
 	system("openssl req -x509 -new -config $d/openssl.conf "
 		. "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
diff --git a/stream_ssl_preread.t b/stream_ssl_preread.t
index e555e05..6991902 100644
--- a/stream_ssl_preread.t
+++ b/stream_ssl_preread.t
@@ -126,7 +126,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_preread_alpn.t b/stream_ssl_preread_alpn.t
index 70cdf25..eb61e34 100644
--- a/stream_ssl_preread_alpn.t
+++ b/stream_ssl_preread_alpn.t
@@ -86,7 +86,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_realip.t b/stream_ssl_realip.t
index 565e427..7de6625 100644
--- a/stream_ssl_realip.t
+++ b/stream_ssl_realip.t
@@ -84,7 +84,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_variables.t b/stream_ssl_variables.t
index e5766dc..7575ef8 100644
--- a/stream_ssl_variables.t
+++ b/stream_ssl_variables.t
@@ -73,7 +73,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
index 2411bfb..988fdc3 100644
--- a/stream_ssl_verify_client.t
+++ b/stream_ssl_verify_client.t
@@ -92,7 +92,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
index 12b37d5..f17d5ef 100644
--- a/stream_upstream_zone_ssl.t
+++ b/stream_upstream_zone_ssl.t
@@ -86,7 +86,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/upstream_zone_ssl.t b/upstream_zone_ssl.t
index 32732f4..b13def8 100644
--- a/upstream_zone_ssl.t
+++ b/upstream_zone_ssl.t
@@ -89,7 +89,7 @@
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
