Let's Encrypt uses 4096.
I think Let's Encrypt uses 2048 by default, not 4096. Also, 4096 might indeed cause trouble with some old software. I recall issues with Mono and older Java versions.

It is really nice to finally see TLS on openbsd.org. How about redirecting http to https? Also, it seems STS isn't being used. I don't know if this is a testing phase, but it would be nice to have those nevertheless.

Cheers,
Giancarlo Razzolini