diff --git a/bind8/conf_zonedef.cgi b/bind8/conf_zonedef.cgi index a17937b63..7b00c673a 100755 --- a/bind8/conf_zonedef.cgi +++ b/bind8/conf_zonedef.cgi @@ -92,7 +92,7 @@ if (&supports_dnssec()) { # Default algorithm print &ui_table_row($text{'zonedef_alg'}, - &ui_select("alg", $config{'tmpl_dnssecalg'} || "RSASHA1", + &ui_select("alg", $config{'tmpl_dnssecalg'} || "RSASHA256", [ &list_dnssec_algorithms() ]), 3); # Default size diff --git a/setup.pl b/setup.pl index 6cebaa4e8..274f14840 100755 --- a/setup.pl +++ b/setup.pl @@ -494,7 +494,7 @@ else { $cert = &tempname(); $key = &tempname(); $addtextsup = &get_openssl_version() >= 1.1 ? "-addext subjectAltName=DNS:$host,DNS:localhost -addext extendedKeyUsage=serverAuth" : ""; - open(SSL, "| openssl req -newkey rsa:2048 -x509 -nodes -out $cert -keyout $key -days 1825 -sha256 -subj '/CN=$host/C=US/L=Santa Clara' $addtextsup >/dev/null 2>&1"); + open(SSL, "| openssl req -newkey rsa:4096 -x509 -nodes -out $cert -keyout $key -days 1825 -sha256 -subj '/CN=$host/C=US/L=Santa Clara' $addtextsup >/dev/null 2>&1"); print SSL ".\n"; print SSL ".\n"; print SSL ".\n"; diff --git a/setup.sh b/setup.sh index 2aa919d88..fb4f18b72 100755 --- a/setup.sh +++ b/setup.sh @@ -607,7 +607,7 @@ else addtextsup="" fi # We can generate a new SSL key for this host - openssl req -newkey rsa:2048 -x509 -nodes -out $tempdir/cert -keyout $tempdir/key -days 1825 -sha256 -subj "/CN=$host/C=US/L=Santa Clara" $addtextsup >/dev/null 2>&1 </dev/null 2>&1 <= 6.5) { return "ed25519"; } if ($version{'type'} eq 'openssh' && $version{'number'} >= 3.2) { - return "rsa1"; + return "rsa"; } return undef; } diff --git a/sshd/useradmin_update.pl b/sshd/useradmin_update.pl index fc0fa96e6..4b3660f9d 100755 --- a/sshd/useradmin_update.pl +++ b/sshd/useradmin_update.pl 
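Review bot: The new `"RSASHA256"` fallback in the `&ui_select("alg", ...)` call is only used when `$config{'tmpl_dnssecalg'}` is empty, so an installation that has already saved RSASHA1 as its template default keeps pre-selecting it after this change. If the intent is to retire SHA-1 for newly signed zones, the stored value needs handling too, or at least a comment above the row such as `# Fallback only; a saved tmpl_dnssecalg of RSASHA1 is still honoured`. It is also worth confirming that `list_dnssec_algorithms()` always offers RSASHA256 on the supported BIND versions, since that function is outside the hunk. The enclosing `if (&supports_dnssec())` block starts and ends outside the visible lines.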
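Review bot: In the setup.pl hunk, `$host` is interpolated into the shell string given to `open(SSL, "| openssl req ...")`, both inside the single-quoted `-subj` value and, through `$addtextsup`, unquoted in `-addext subjectAltName=DNS:$host`, so a hostname containing a quote or shell metacharacter would alter the command. Where `$host` is set is not visible here, but a check before this statement such as `$host =~ /^[A-Za-z0-9.\-]+$/ || die "Invalid hostname $host";` (in whatever error style setup.pl uses) would close that. The return value of `open` is also not tested and all output goes to /dev/null, so a failed 4096-bit generation is silent unless the code after the hunk checks the output files. The enclosing `else` block continues beyond the hunk.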
@@ -11,12 +11,13 @@ if ($config{'sync_create'} && &has_command($config{'keygen_path'}) && local $cmd; local $type = $config{'sync_type'} || &get_preferred_key_type(); local $tflag = $type ? "-t $type" : ""; + local $bflag = $type eq "rsa" ? "-b 4096" : ""; if ($config{'sync_pass'} && $uinfo->{'passmode'} == 3) { - $cmd = "$config{'keygen_path'} $tflag -P ". + $cmd = "$config{'keygen_path'} $tflag $bflag -P ". quotemeta($uinfo->{'plainpass'}); } else { - $cmd = "$config{'keygen_path'} $tflag -P \"\""; + $cmd = "$config{'keygen_path'} $tflag $bflag -P \"\""; } &system_logged("echo '' | ".&command_as_user($uinfo->{'user'}, 0, $cmd). " >/dev/null 2>&1"); diff --git a/usermin/change_ssl.cgi b/usermin/change_ssl.cgi index d57b81ef1..9a4b67924 100755 --- a/usermin/change_ssl.cgi +++ b/usermin/change_ssl.cgi @@ -47,7 +47,7 @@ elsif ($in{'cipher_list_def'} == 3) { # Generate file needed for PFS my $out = &backquote_command( "openssl dhparam -out ". - quotemeta($miniserv{'dhparams_file'})." 2048 2>&1"); + quotemeta($miniserv{'dhparams_file'})." 4096 2>&1"); if ($?) { &error(&text('ssl_edhparams', "
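Review bot: Both rewritten `$cmd` assignments in sshd/useradmin_update.pl still place the key passphrase on the ssh-keygen command line (`-P ".quotemeta($uinfo->{'plainpass'})`), where it is readable in the process list by other local users for as long as key generation runs, and a 4096-bit RSA key makes that window longer. If `system_logged` records the command it runs, the user's plaintext password would also end up in the log; that function is outside the hunk, so this needs checking. At minimum I would add `# XXX passphrase is passed in argv; keep it out of logs and process listings` above the first assignment and track a proper fix. Separately, `$type eq "rsa"` is evaluated even when `$type` is undef (`get_preferred_key_type()` can `return undef`), so `$bflag` stays empty in exactly the case where ssh-keygen falls back to its own default key type.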
".&html_escape($out)."
")); diff --git a/usermin/usermin-lib.pl b/usermin/usermin-lib.pl index d84404266..fc66486dc 100755 --- a/usermin/usermin-lib.pl +++ b/usermin/usermin-lib.pl @@ -41,7 +41,7 @@ $latest_page_url = "$http_proto://$update_host/index6.html"; $latest_rpm = "$http_proto://$update_host/download/usermin-latest.noarch.rpm"; $latest_tgz = "$http_proto://$update_host/download/usermin-latest.tar.gz"; -$default_key_size = 2048; +$default_key_size = 4096; $cron_cmd = "$module_config_directory/update.pl"; diff --git a/webmin/change_ssl.cgi b/webmin/change_ssl.cgi index b3509fb98..16df935df 100755 --- a/webmin/change_ssl.cgi +++ b/webmin/change_ssl.cgi @@ -47,7 +47,7 @@ elsif ($in{'cipher_list_def'} == 3) { # Generate file needed for PFS my $out = &backquote_command( "openssl dhparam -out ". - quotemeta($miniserv{'dhparams_file'})." 2048 2>&1"); + quotemeta($miniserv{'dhparams_file'})." 4096 2>&1"); if ($?) { &error(&text('ssl_edhparams', "
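Review bot: In the usermin/change_ssl.cgi hunk, `openssl dhparam ... 4096` runs synchronously through `backquote_command` inside the CGI request, and generating a 4096-bit safe prime commonly takes minutes, so the page is likely to hit a browser or proxy timeout before `$?` is ever checked. Consider generating the file in a background job, or using a standardized RFC 7919 group (ffdhe4096) instead of fresh parameters. A comment such as `# 4096-bit generation can take several minutes` above the call would at least document the delay. The same applies to the identical hunk in webmin/change_ssl.cgi, and the enclosing `elsif` block starts and ends outside both hunks.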
".&html_escape($out)."
")); diff --git a/webmin/letsencrypt-lib.pl b/webmin/letsencrypt-lib.pl index c863744cb..dabf3354e 100755 --- a/webmin/letsencrypt-lib.pl +++ b/webmin/letsencrypt-lib.pl @@ -269,7 +269,7 @@ if ($letsencrypt_cmd) { } } $dir =~ s/\/[^\/]+$//; - $size ||= 2048; + $size ||= 4096; my $out; my $common_flags = " --duplicate". " --force-renewal". diff --git a/webmin/webmin-lib.pl b/webmin/webmin-lib.pl index 86c3c1f64..4f9760d95 100755 --- a/webmin/webmin-lib.pl +++ b/webmin/webmin-lib.pl @@ -64,7 +64,7 @@ our $third_port = $primary_port; our $third_page = "/cgi-bin/third.cgi"; our $third_ssl = $primary_ssl; -our $default_key_size = "2048"; +our $default_key_size = "4096"; our $webmin_yum_repo_file = "/etc/yum.repos.d/webmin.repo"; our $webmin_yum_repo_url = "https://download.webmin.com/download/newkey/yum";