\end{lstlisting}
This will enhance the security of the key generation by using RSA keys
-with a length of 2048 bits, and set a lifetime of one year for the
-server/client certificates and five years for the CA certificate.
+with a length of 4096 bits, and set a lifetime of one year for the
+server/client certificates and five years for the CA certificate. \textbf{NOTE: 4096 bits is only an example of how to do this with easy-rsa.} See also section \ref{section:keylengths} for a discussion on keylengths.
In addition, edit the \verb|pkitool| script and replace all occurences
of \verb|sha1| with \verb|sha256|, to sign the certificates with