Nick Howitt wrote:

I know Ubuntu do something wit a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).

If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.

Nick,

I agree that everybody needs to be carefull. Make a backup, document you changes in the config files while you are working on it (I add the url used in a comment-line in the config file, to retrieve the info used). After a restart of the service I use Greenbone scanner (via docker) to probe/scan my new security for that machine even these are behind the firewall without ports open to the internet.