diff --git a/easy-rsa/1.0/vars b/easy-rsa/1.0/vars
index da89cd2..b0b4cd1 100644
--- a/easy-rsa/1.0/vars
+++ b/easy-rsa/1.0/vars
@@ -37,7 +37,7 @@ echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
 # down TLS negotiation performance
 # as well as the one-time DH parms
 # generation process.
-export KEY_SIZE=1024
+export KEY_SIZE=2048
 
 # These are the default values for fields
 # which will be placed in the certificate.
diff --git a/easy-rsa/2.0/openssl-0.9.6.cnf b/easy-rsa/2.0/openssl-0.9.6.cnf
index d28341d..7b86c9f 100644
--- a/easy-rsa/2.0/openssl-0.9.6.cnf
+++ b/easy-rsa/2.0/openssl-0.9.6.cnf
@@ -56,7 +56,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
 
 default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = sha256 # which md to use.
 preserve = no # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -89,6 +89,7 @@ emailAddress = optional
 [ req ]
 default_bits = $ENV::KEY_SIZE
 default_keyfile = privkey.pem
+default_md = sha256
 distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
diff --git a/easy-rsa/2.0/openssl-0.9.8.cnf b/easy-rsa/2.0/openssl-0.9.8.cnf
index 340b8af..6365e8e 100644
--- a/easy-rsa/2.0/openssl-0.9.8.cnf
+++ b/easy-rsa/2.0/openssl-0.9.8.cnf
@@ -59,7 +59,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
 
 default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = sha256 # which md to use.
 preserve = no # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
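Review bot: The explanatory comment above the new value is not updated: its tail, visible here as `# down TLS negotiation performance` … `# generation process.`, and its lead-in, visible only in the vars.bat.sample hunk header as `rem are paranoid. This will slow`, presumably still present a larger key as the paranoid option now that 2048 is the default, so the advice reads as stale. The same applies to the easy-rsa/2.0/vars and easy-rsa/Windows/vars.bat.sample hunks. Suggest rewording the lead-in along the lines of `# 2048 is the default; increase it further if you are paranoid. This will slow`, and keeping the sentence that ties this value to the one-time DH parameter generation, since that step will now take noticeably longer out of the box.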
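Review bot: `default_md = sha256` in a profile named for OpenSSL 0.9.6 is probably not a value that release can honour: as far as I recall the SHA-2 digests only arrived in OpenSSL 0.9.8, so on a genuine 0.9.6 toolchain both this line and the `default_md = sha256` added to `[ req ]` in the next hunk of this file would presumably fail with an unknown-digest error rather than sign with a weaker hash. If the file is still meant to drive 0.9.6, `default_md = sha1` is the strongest value it can carry; if 0.9.6 support is being dropped, the header comment should say so, so that nobody reads it as a working 0.9.6 profile. Either way a comment next to the setting, e.g. `# sha256 requires OpenSSL >= 0.9.8`, would make the dependency explicit.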
@@ -94,6 +94,7 @@ emailAddress = optional
 [ req ]
 default_bits = $ENV::KEY_SIZE
 default_keyfile = privkey.pem
+default_md = sha256
 distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
diff --git a/easy-rsa/2.0/openssl-1.0.0.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
index fa258a5..93ac6ea 100644
--- a/easy-rsa/2.0/openssl-1.0.0.cnf
+++ b/easy-rsa/2.0/openssl-1.0.0.cnf
@@ -54,7 +54,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
 
 default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = md5 # use public key default MD
+default_md = sha256 # use public key default MD
 preserve = no # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -89,6 +89,7 @@ emailAddress = optional
 [ req ]
 default_bits = $ENV::KEY_SIZE
 default_keyfile = privkey.pem
+default_md = sha256
 distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
diff --git a/easy-rsa/2.0/pkitool b/easy-rsa/2.0/pkitool
index 49588f5..b9a9e44 100755
--- a/easy-rsa/2.0/pkitool
+++ b/easy-rsa/2.0/pkitool
@@ -322,7 +322,7 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
 
 # Build root CA
 if [ $DO_ROOT -eq 1 ]; then
-$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
 -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
 chmod 0600 "$CA.key"
 else
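Review bot: The trailing comment on the changed line in openssl-1.0.0.cnf, `# use public key default MD`, described the upstream `default_md = default` setting and no longer matches the explicit `sha256` now on that line; the sibling 0.9.6 and 0.9.8 profiles say `# which md to use.` at the same spot. Suggest `default_md = sha256 # which md to use.` so the three profiles read consistently. The `default_md = sha256` added to `[ req ]` in this file's second hunk (and in the other two profiles) carries no comment at all; a short `# digest used by openssl req now that pkitool passes none` would tell a reader why the line exists, since the pkitool hunks below stop passing the digest on the command line.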
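Review bot: Dropping `-sha1` here (and `-md sha1` in the second pkitool hunk) means the signature digest is now decided entirely by whatever file `$KEY_CONFIG` resolves to, which this hunk cannot see; the enclosing `if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]` block starts and ends outside it. A user who carries a locally edited or older copy of the cnf — the pre-change files set `default_md = md5` — silently regresses from SHA-1 to MD5, with nothing in the script to notice. Passing the digest explicitly keeps the script authoritative: `-new -newkey rsa:$KEY_SIZE -sha256 \` here and `-in "$FN.csr" $CA_EXT -md sha256 -config "$KEY_CONFIG" ) && \` in the later hunk; if the intent is to let the cnf decide, a comment stating that `default_md` in `$KEY_CONFIG` now controls the signing hash would at least make that dependency visible.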
@@ -356,7 +356,7 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
 ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
 -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
 ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
- -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
+ -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
 ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
 -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
 ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars
index 742129b..e60420c 100644
--- a/easy-rsa/2.0/vars
+++ b/easy-rsa/2.0/vars
@@ -50,7 +50,7 @@ export PKCS11_PIN="dummy"
 # down TLS negotiation performance
 # as well as the one-time DH parms
 # generation process.
-export KEY_SIZE=1024
+export KEY_SIZE=2048
 
 # In how many days should the root CA key expire?
 export CA_EXPIRE=3650
diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample
index 36e6f71..9882319 100644
--- a/easy-rsa/Windows/vars.bat.sample
+++ b/easy-rsa/Windows/vars.bat.sample
@@ -21,7 +21,7 @@ rem are paranoid. This will slow
 rem down TLS negotiation performance
 rem as well as the one-time DH parms
 rem generation process.
-set KEY_SIZE=1024
+set KEY_SIZE=2048
 
 rem These are the default values for fields
 rem which will be placed in the certificate.