diff --git a/extra/pki/GNUmakefile b/extra/pki/GNUmakefile
index 5b42c62..60327c1 100644
--- a/extra/pki/GNUmakefile
+++ b/extra/pki/GNUmakefile
@@ -12,6 +12,7 @@ CRT_DAYS?= 365
 CRT_EXT:= v3_crt
 CONFIG:= x509v3ca.cnf
 PASSWORD:= test
+DIGEST:= -$(shell echo test | openssl dgst -sha256 2>/dev/null | grep -q f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 && echo sha256 || echo sha1)
 
 all: rsa dsa ec targets server pwd
 
@@ -59,7 +60,7 @@ ec.key:
 	$(OPENSSL) ecparam -out $@ -name prime192v1 -genkey
 
 %.crt: %.key $(CONFIG)
-	$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
+	$(OPENSSL) req -new -nodes -x509 $(DIGEST) -out $@ -key $< \
 		-config $(CONFIG) -extensions $(CA_EXT) \
 		-subj $(CA_SUBJECT) \
 		-set_serial 0 -days $(CA_DAYS)
@@ -68,7 +69,7 @@ server.key:
 	$(OPENSSL) genrsa -out $@ 1024
 
 server.crt: server.key $(CONFIG)
-	$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
+	$(OPENSSL) req -new -nodes -x509 $(DIGEST) -out $@ -key $< \
 		-config $(CONFIG) -extensions $(CRT_EXT) \
 		-subj $(CRT_SUBJECT) \
 		-set_serial 42 -days $(CRT_DAYS)
@@ -82,10 +83,10 @@ targets: targets/daniel.roe.ch.pem targets/wildcard.roe.ch.pem
 targets/daniel.roe.ch.pem: rsa.crt
 	$(MKDIR) -p targets
 	$(OPENSSL) genrsa -out targets/daniel.roe.ch.key 1024
-	$(OPENSSL) req -new -sha1 -subj '/C=CH/CN=daniel.roe.ch/' \
+	$(OPENSSL) req -new $(DIGEST) -subj '/C=CH/CN=daniel.roe.ch/' \
 		-key targets/daniel.roe.ch.key \
 		-out targets/daniel.roe.ch.csr
-	$(OPENSSL) x509 -req -sha1 -CAcreateserial -days 365 \
+	$(OPENSSL) x509 -req $(DIGEST) -CAcreateserial -days 365 \
 		-CA rsa.crt -CAkey rsa.key \
 		-in targets/daniel.roe.ch.csr \
 		-out targets/daniel.roe.ch.crt
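Review bot: The capability probe on the added `DIGEST:=` line in the first hunk shells out to a bare `openssl`, while every recipe in these hunks signs with `$(OPENSSL)`, so when OPENSSL is overridden the probe can test a different binary than the one that actually produces the certificates; if OPENSSL is assigned before line 12, as its use in the recipes suggests, the probe should read `DIGEST:= -$(shell echo test | $(OPENSSL) dgst -sha256 2>/dev/null | grep -q f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 && echo sha256 || echo sha1)`. The `2>/dev/null … || echo sha1` fallback is silent, so a host whose OpenSSL lacks SHA-256 (or has no openssl on PATH at all) quietly produces SHA-1-signed test certificates; an `ifeq ($(DIGEST),-sha1)` guarding a `$(warning falling back to SHA-1 signatures)` would make the downgrade visible at parse time. The variable also deserves a one-line comment above it, e.g. `# Signature digest for all req/x509 invocations: sha256 when the OpenSSL in use supports it, sha1 otherwise`. The same `$(DIGEST)` substitution in the %.crt, server.crt, targets/daniel.roe.ch.pem and targets/wildcard.roe.ch.pem hunks raises no separate point.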
@@ -97,10 +98,10 @@ targets/daniel.roe.ch.pem: rsa.crt
 targets/wildcard.roe.ch.pem: rsa.crt
 	$(MKDIR) -p targets
 	$(OPENSSL) genrsa -out targets/wildcard.roe.ch.key 1024
-	$(OPENSSL) req -new -sha1 -subj '/C=CH/CN=*.roe.ch/' \
+	$(OPENSSL) req -new $(DIGEST) -subj '/C=CH/CN=*.roe.ch/' \
 		-key targets/wildcard.roe.ch.key \
 		-out targets/wildcard.roe.ch.csr
-	$(OPENSSL) x509 -req -sha1 -CAcreateserial -days 365 \
+	$(OPENSSL) x509 -req $(DIGEST) -CAcreateserial -days 365 \
 		-CA rsa.crt -CAkey rsa.key \
 		-in targets/wildcard.roe.ch.csr \
 		-out targets/wildcard.roe.ch.crt
diff --git a/sslsplit.1 b/sslsplit.1
index 821604c..6abd772 100644
--- a/sslsplit.1
+++ b/sslsplit.1
@@ -624,7 +624,8 @@ compression and selecting only fast block cipher cipher suites and using a
 precomputed private key \fBleaf.key\fP for the forged certificates (most
 significant speed increase is gained by choosing fast algorithms and small
 keysizes for the CA and leaf private keys; check \fBopenssl speed\fP for
-algorithm performance on your system):
+algorithm performance on your system and note that clients may not support all
+algorithms and key sizes):
 .LP
 .HS
 .nf
@@ -664,8 +665,8 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 \fBEOF\fP
 
-\fBopenssl genrsa -out ca.key 1024\fP
-\fBopenssl req -new -nodes -x509 -sha1 -out ca.crt -key ca.key \\
+\fBopenssl genrsa -out ca.key 2048\fP
+\fBopenssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key \\
 -config x509v3ca.cnf -extensions v3_ca \\
 -subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' \\
 -set_serial 0 -days 3650\fP