diff --git a/roles/vpn/templates/openssl.cnf.j2 b/roles/vpn/templates/openssl.cnf.j2
index 9ec12b2d..5b8fcf5c 100644
--- a/roles/vpn/templates/openssl.cnf.j2
+++ b/roles/vpn/templates/openssl.cnf.j2
@@ -52,7 +52,7 @@ emailAddress		= optional
 # Easy-RSA request handling
 # We key off $DN_MODE to determine how to format the DN
 [ req ]
-default_bits		= 2048
+default_bits		= 4096
 default_keyfile 	= privkey.pem
 default_md		= sha256
 distinguished_name	= cn_only