openiddict · kevinchalet · Feb 4, 2026 · Feb 3, 2026
diff --git a/src/OpenIddict.Client/OpenIddictClientBuilder.cs b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@@ -207,7 +207,7 @@ public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate(X500Distingui
             if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
             {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
                 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
@@ -299,7 +299,7 @@ public OpenIddictClientBuilder AddEphemeralEncryptionKey(string algorithm)
             SecurityAlgorithms.RsaOAEP or
             SecurityAlgorithms.RsaOaepKeyWrap
                 => AddEncryptionCredentials(new EncryptingCredentials(
-                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
                     algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),
 
             _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
@@ -585,7 +585,7 @@ public OpenIddictClientBuilder AddDevelopmentSigningCertificate(X500Distinguishe
             if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
             {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
                 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@@ -681,7 +681,7 @@ SecurityAlgorithms.RsaSsaPssSha256Signature or
             SecurityAlgorithms.RsaSsaPssSha384Signature or
             SecurityAlgorithms.RsaSsaPssSha512Signature
                 => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
-                    OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+                    OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),
 
 #if SUPPORTS_ECDSA
             SecurityAlgorithms.EcdsaSha256 or

diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs
@@ -218,7 +218,7 @@ public OpenIddictServerBuilder AddDevelopmentEncryptionCertificate(X500Distingui
             if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
             {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
                 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
@@ -310,7 +310,7 @@ public OpenIddictServerBuilder AddEphemeralEncryptionKey(string algorithm)
             SecurityAlgorithms.RsaOAEP or
             SecurityAlgorithms.RsaOaepKeyWrap
                 => AddEncryptionCredentials(new EncryptingCredentials(
-                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 2048)),
+                    new RsaSecurityKey(OpenIddictHelpers.CreateRsaKey(size: 4096)),
                     algorithm, SecurityAlgorithms.Aes256CbcHmacSha512)),
 
             _ => throw new InvalidOperationException(SR.GetResourceString(SR.ID0058))
@@ -593,11 +593,10 @@ public OpenIddictServerBuilder AddDevelopmentSigningCertificate(X500Distinguishe
                 .Cast<X509Certificate2>()
                 .ToList();
 
-            if (!certificates.Exists(certificate =>
-                    certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
+            if (!certificates.Exists(certificate => certificate.NotBefore < now.LocalDateTime && certificate.NotAfter > now.LocalDateTime))
             {
 #if SUPPORTS_CERTIFICATE_GENERATION
-                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
+                using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 4096);
 
                 var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                 request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
@@ -693,7 +692,7 @@ SecurityAlgorithms.RsaSsaPssSha256Signature or
             SecurityAlgorithms.RsaSsaPssSha384Signature or
             SecurityAlgorithms.RsaSsaPssSha512Signature
                 => AddSigningCredentials(new SigningCredentials(new RsaSecurityKey(
-                    OpenIddictHelpers.CreateRsaKey(size: 2048)), algorithm)),
+                    OpenIddictHelpers.CreateRsaKey(size: 4096)), algorithm)),
 
 #if SUPPORTS_ECDSA
             SecurityAlgorithms.EcdsaSha256 or