Alon Swartz's picture

Take a look at this blog post for reference: http://www.turnkeylinux.org/blog/ssl-certificates

You can re-run the script that generates the default certificates on new installations as follows:

/usr/lib/inithooks/firstboot.d/15regen-sslcert

If you look at the source of the above script (or execute it with --help), you'll see that the default values can be tweaked. For example, if you want to change the default number of bits (1024), prepend the script with BITS=2048

Hope the above helps.
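To confirm that a regenerated certificate really carries the larger key, the following added example (not part of the original post or of TurnKey's scripts) reads the key size out of `openssl x509 -noout -text` output and flags anything below a minimum. The function names are hypothetical, the certificate path is whatever file you pass in, and the 2048-bit default threshold is an assumption that applies to RSA keys.

```shell
#!/bin/sh
# Added example: report a certificate's public-key size and flag weak keys.
# Function names are hypothetical; the 2048-bit minimum assumes an RSA key.

# Read `openssl x509 -noout -text` output on stdin and print the key size.
# Matches "Public-Key: (2048 bit)" and the older "RSA Public Key: (1024 bit)".
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# classify_bits BITS [MIN]
# Prints ok / weak / unknown; returns 0, 1 or 2 respectively.
classify_bits() {
    bits=$1
    min=${2:-2048}
    case $bits in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$bits" -ge "$min" ]; then
        echo "ok"
        return 0
    fi
    echo "weak"
    return 1
}

# check_cert FILE [MIN]
# Runs openssl on FILE, prints a one-line verdict, succeeds only when "ok".
check_cert() {
    found=$(openssl x509 -in "$1" -noout -text | key_bits_from_text)
    verdict=$(classify_bits "$found" "${2:-2048}") || true
    echo "$1: ${found:-?} bit ($verdict)"
    [ "$verdict" = "ok" ]
}

# Only touch a certificate when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

Run it with the path to the certificate file before and after regenerating with BITS=2048; the exit status is non-zero while the key is still below the minimum.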