diff --git a/doc/EN/beaglebone.txt b/doc/EN/beaglebone.txt
index c53c0872..62958ff2 100644
--- a/doc/EN/beaglebone.txt
+++ b/doc/EN/beaglebone.txt
@@ -1650,7 +1650,7 @@ openssl req \
 -keyout /etc/ssl/private/$HOSTNAME.key \
 -out /etc/ssl/certs/$HOSTNAME.crt
-openssl dhparam -check -text -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
+openssl dhparam -check -text -dsaparam 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 300ce9a2..187fa7d7 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -218,7 +218,7 @@ fi
 # generate DH params
 if [ ! $NODH ]; then
 if [ ! -f /etc/ssl/certs/$CERTFILE.dhparam ]; then
- openssl dhparam -check -text -5 $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
+ openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out /etc/ssl/certs/$CERTFILE.dhparam
 chmod 640 /etc/ssl/certs/$CERTFILE.dhparam
 fi
 fi
diff --git a/src/freedombone-config b/src/freedombone-config
index 4d1f0378..e2401a1d 100755
--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -763,11 +763,6 @@ function interactive_configuration {
 esac
 if [[ $INSTALLING_ON_BBB == "yes" ]]; then
 USB_DRIVE=/dev/sda1
- # here a short diffie-hellman key length is used, because otherwise creation of keys
- # becomes impractically long on the beaglebone. It is known (as of 2015) that
- # 1024bit DH may be breakable, so this is really a tradeoff between security and the
- # available hardware
- DH_KEYLENGTH=1024
 fi
 save_configuration_file
 fi
diff --git a/src/freedombone-sec b/src/freedombone-sec
index d7f2e62a..c88f4b3d 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
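Review bot: The switch to `-dsaparam` on the added openssl line produces DSA-style (non-safe-prime) DH parameters, and the openssl dhparam manual attaches a caveat to them that the commit records nowhere: a fresh DH private key must be generated for every key agreement, because reusing the exponent with such parameters opens the door to small-subgroup attacks. The comment that explained the previous key-length trade-off is deleted in the freedombone-config hunk, so nothing now tells a maintainer why `-5` was dropped or what the new parameters require of the services that load them; I would put above the call `# -dsaparam: DSA-style (non safe-prime) params generate far faster on low-power boards, but are only safe with single-use ephemeral DH keys - confirm the consuming servers do not reuse DH private keys across handshakes`. The same change with the same missing note appears in the freedombone-sec hunk at -371. Quoting the expansions on the rewritten line, `openssl dhparam -check -text -dsaparam "$DH_KEYLENGTH" -out "/etc/ssl/certs/$CERTFILE.dhparam"`, would also let ShellCheck pass on it.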
@@ -351,18 +351,18 @@ function regenerate_dh_keys {
 dialog --backtitle "Freedombone Security Configuration" \
 --title "Diffie-Hellman key length" \
 --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
- 1 "1024 bits (WARNING: this may be insecure)" off \
- 2 "2048 bits" on \
- 3 "3072 bits" off 2> $data
+ 1 "2048 bits" off \
+ 2 "3072 bits" on \
+ 3 "4096 bits" off 2> $data
 sel=$?
 case $sel in
 1) exit 1;;
 255) exit 1;;
 esac
 case $(cat $data) in
- 1) DH_KEYLENGTH=1024;;
- 2) DH_KEYLENGTH=2048;;
- 3) DH_KEYLENGTH=3072;;
+ 1) DH_KEYLENGTH=2048;;
+ 2) DH_KEYLENGTH=3072;;
+ 3) DH_KEYLENGTH=4096;;
 esac
 ctr=0
@@ -371,7 +371,7 @@ function regenerate_dh_keys {
 if [[ -f $file ]]; then
 filename=/etc/ssl/certs/$(echo $file | awk -F '/etc/ssl/mycerts/' '{print $2}' | awk -F '.crt' '{print $1}').dhparam
 if [ -f $filename ]; then
- openssl dhparam -check -text -5 $DH_KEYLENGTH -out $filename
+ openssl dhparam -check -text -dsaparam $DH_KEYLENGTH -out $filename
 ctr=$((ctr + 1))
 fi
 fi
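Review bot: The new radiolist entries and the new case arms encode the same tag-to-length mapping twice, and this very commit had to edit both lists in lockstep; a slip in either one leaves a label promising one size while `DH_KEYLENGTH` silently gets another. Using the bit length itself as the dialog tag removes the duplication: `2048 "2048 bits" off \` (likewise `3072 "3072 bits" on \` and `4096 "4096 bits" off 2> "$data"`), after which the second case statement collapses to `DH_KEYLENGTH=$(cat "$data")`. The unchanged prompt text still advertises the smaller length as suited to low-power embedded systems now that 1024 is gone and 3072 is the default, which seems worth re-checking against what the BeagleBone can generate in acceptable time even with the faster `-dsaparam` path at -371. regenerate_dh_keys begins before this hunk and continues past it.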