diff --git a/docs/configuration_reference.rst b/docs/configuration_reference.rst
index 1d8d4269..e3c8386d 100644
--- a/docs/configuration_reference.rst
+++ b/docs/configuration_reference.rst
@@ -232,6 +232,7 @@ be defined in each relevant certificate configuration.
 follow_cnames: false
 reuse_key: false
 key_type: ecdsa
+ key_size: 2048
 ``certificate`` properties
 --------------------------
@@ -319,6 +320,12 @@ be defined in each relevant certificate configuration.
 * *type*: ``string``
 * *default*: ``rsa`` (a RSA-type key will be used)
+``key_size``
+~~~~~~~~~~~~
+ * Size of key to use when the certificate is generated. Must be ``2048`` or ``3072`` or ``4096``.
+ * *type*: ``integer``
+ * *default*: ``2048`` (a 2048-bit key will be used)
+
 .. _link: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname
diff --git a/src/dnsrobocert/core/certbot.py b/src/dnsrobocert/core/certbot.py
index 9b92e79d..b31f5790 100644
--- a/src/dnsrobocert/core/certbot.py
+++ b/src/dnsrobocert/core/certbot.py
@@ -72,6 +72,7 @@ def certonly(
 force_renew: bool = False,
 reuse_key: bool = False,
 key_type: str = "rsa",
+ key_size: int = 2048,
 ) -> None:
 if not domains:
 return
@@ -85,6 +86,8 @@ def certonly(
 additional_params.append("--reuse-key")
 if key_type:
 additional_params.extend(["--key-type", key_type])
+ if key_size:
+ additional_params.extend(["--rsa-key-size", key_size])
 for domain in domains:
 additional_params.append("-d")
@@ -134,6 +137,7 @@ def _issue(config_path: str, directory_path: str, lock: threading.Lock) -> None:
 force_renew = certificate.get("force_renew", False)
 reuse_key = certificate.get("reuse_key", False)
 key_type = certificate.get("key_type", "rsa")
+ key_size = certificate.get("key_size", 2048)
 LOGGER.info(
 f"Handling the certificate for domain(s): {', '.join(domains)}"
 )
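Review bot: In the `@@ -85` hunk of certbot.py, `key_size` is appended to `additional_params` as a bare `int`, while every neighbouring element (`--key-type`, `key_type`, `-d`) is a `str`; if that list is later passed as a subprocess argv or to certbot's argparse-based `main()`, a non-string element raises `TypeError`, so the line should be `additional_params.extend(["--rsa-key-size", str(key_size)])`. Separately, `--rsa-key-size` only has an effect together with `--key-type rsa`: with `key_type: ecdsa` (the combination the docs example and the integration test use) the flag is passed but the generated key is whatever certbot's ECDSA default is, so an operator who sets `key_size: 4096` expecting a stronger key silently does not get one. Either gate the flag with `if key_size and key_type == "rsa":` or state in the `key_size` documentation entry that it applies to RSA keys only. How `additional_params` is consumed further down `certonly` lies outside this hunk, so the exact failure mode of the int is inferred rather than observed.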
@@ -146,6 +150,7 @@ def _issue(config_path: str, directory_path: str, lock: threading.Lock) -> None:
 force_renew=force_renew,
 reuse_key=reuse_key,
 key_type=key_type,
+ key_size=key_size,
 )
 except BaseException as error:
 LOGGER.error(
diff --git a/src/dnsrobocert/schema.yml b/src/dnsrobocert/schema.yml
index f11bec2f..e23e26a7 100644
--- a/src/dnsrobocert/schema.yml
+++ b/src/dnsrobocert/schema.yml
@@ -130,6 +130,9 @@ properties:
 key_type:
 type: string
 enum: [rsa, ecdsa]
+ key_size:
+ type: number
+ enum: [2048, 3072, 4096]
 required: [domains, profile]
 additionalProperties: false
 additionalProperties: false
diff --git a/test/integration_tests/dnsrobocert_test.py b/test/integration_tests/dnsrobocert_test.py
index d577722c..468a099e 100644
--- a/test/integration_tests/dnsrobocert_test.py
+++ b/test/integration_tests/dnsrobocert_test.py
@@ -190,6 +190,7 @@ def test_it(tmp_path: Path) -> None:
 follow_cnames: true
 reuse_key: true
 key_type: ecdsa
+ key_size: 2048
 pfx:
 export: true
 passphrase: test
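Review bot: The new `key_size` schema entry declares `type: number`, which is looser than the `integer` the documentation promises and the `int` annotation on `certonly`: JSON Schema `number` also admits `2048.0`, and since `2048.0 == 2048` in Python that value satisfies the enum too, then reaches certbot as `2048.0` rather than `2048`. Tighten it to `type: integer` so the schema rejects non-integral input before it is turned into a command-line flag. The enum of three RSA sizes is sensible, but note it is validated even when `key_type` is `ecdsa`, where the value has no effect.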
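Review bot: The only test coverage for `key_size` combines it with `key_type: ecdsa`, which is precisely the case in which certbot ignores `--rsa-key-size`, so neither the RSA path nor the value actually handed to certbot is exercised and an int-vs-str mistake in that flag would go unnoticed. Switch this certificate to `key_type: rsa` with a non-default `key_size: 4096` (or add a second RSA certificate entry) and assert the size of the issued private key, so a regression in the flag is caught. The test already exports a `pfx`, so a key parser is presumably available in the test's dependencies — verify before adding the assertion. `test_it` begins before this hunk, so the fixture setup it relies on is not visible here.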