diff --git a/args.go b/args.go
index 89fda43..474bec8 100644
--- a/args.go
+++ b/args.go
@@ -9,14 +9,14 @@ import (
 )
 type args struct {
- ShowHelp bool
- DataDir string
- BlobDir string
- CtlNet string
- CtlAddr string
- GenerateCert bool
- SQLiteDB string
- CleanUp bool
+ ShowHelp bool
+ DataDir string
+ BlobDir string
+ CtlNet string
+ CtlAddr string
+ RegenKeys bool
+ SQLiteDB string
+ CleanUp bool
 }
 func defaultGrumbleDir() string {
@@ -63,7 +63,7 @@ func init() {
 flag.StringVar(&Args.BlobDir, "blobdir", defaultBlobDir(), "Directory to use for blob storage")
 flag.StringVar(&Args.CtlNet, "ctlnet", defaultCtlNet(), "Network to use for ctl socket")
 flag.StringVar(&Args.CtlAddr, "ctladdr", defaultCtlAddr(), "Address to use for ctl socket")
- flag.BoolVar(&Args.GenerateCert, "gencert", false, "Generate a self-signed certificate for use with Grumble")
+ flag.BoolVar(&Args.RegenKeys, "regenkeys", false, "Force Grumble to regenerate its global RSA keypair and certificate")
 // SQLite related
 if SQLiteSupport {
diff --git a/gencert.go b/gencert.go
index 24139f9..a26ae3b 100644
--- a/gencert.go
+++ b/gencert.go
@@ -17,7 +17,7 @@ import (
 "time"
 )
-// Generate a 2048-bit RSA keypair and a Grumble auto-generated X509
+// Generate a 4096-bit RSA keypair and a Grumble auto-generated X509
 // certificate. Output PEM-encoded DER representations of the resulting
 // certificate and private key to certpath and keypath.
 func GenerateSelfSignedCert(certpath, keypath string) (err error) {
@@ -34,7 +34,7 @@ func GenerateSelfSignedCert(certpath, keypath string) (err error) {
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 }
- priv, err := rsa.GenerateKey(rand.Reader, 2048)
+ priv, err := rsa.GenerateKey(rand.Reader, 4096)
 if err != nil {
 return err
 }
diff --git a/grumble.go b/grumble.go
index 81b4840..732a3ad 100644
--- a/grumble.go
+++ b/grumble.go
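Review bot: The key size literal `4096` now has to agree in three places that nothing ties together: this rsa.GenerateKey call, the doc comment on GenerateSelfSignedCert in the previous hunk, and the "Generating 4096-bit RSA keypair" log line in grumble.go's main; the next bump will drift one of them. A package constant removes that, `const rsaKeyBits = 4096` next to the imports and `priv, err := rsa.GenerateKey(rand.Reader, rsaKeyBits)` here, with the log line printing it via `%d`. Generating a 4096-bit key is noticeably slower than 2048 on low-end hardware, and since the grumble.go change makes generation run automatically on a first start rather than only behind a flag, the doc comment should say that the first launch may stall for a while on key generation. GenerateSelfSignedCert continues outside this hunk.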
@@ -44,23 +44,35 @@ func main() {
 log.Fatalf("Unable to initialize blobstore: %v", err.Error())
 }
- if Args.GenerateCert {
- certfn := filepath.Join(Args.DataDir, "cert")
- keyfn := filepath.Join(Args.DataDir, "key")
- log.Printf("Generating 2048-bit RSA keypair for self-signed certificate...")
+ certFn := filepath.Join(Args.DataDir, "cert")
+ keyFn := filepath.Join(Args.DataDir, "key")
+ shouldRegen := false
+ if Args.RegenKeys {
+ shouldRegen = true
+ } else {
+ files := []string{certFn, keyFn}
+ for _, fn := range files {
+ _, err := os.Stat(fn)
+ if err != nil {
+ if e, ok := err.(*os.PathError); ok {
+ if e.Err == os.ENOENT {
+ shouldRegen = true
+ }
+ }
+ }
+ }
+ }
+ if shouldRegen {
+ log.Printf("Generating 4096-bit RSA keypair for self-signed certificate...")
- err := GenerateSelfSignedCert(certfn, keyfn)
+ err := GenerateSelfSignedCert(certFn, keyFn)
 if err != nil {
 log.Printf("Error: %v", err)
 return
 }
- log.Printf("Certificate output to %v", certfn)
- log.Printf("Private key output to %v", keyfn)
-
- log.Printf("Done generating certificate and private key.")
- log.Printf("Please restart Grumble to make use of the generated certificate and private key.")
- return
+ log.Printf("Certificate output to %v", certFn)
+ log.Printf("Private key output to %v", keyFn)
 }
 // Should we import data from a Murmur SQLite file?
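Review bot: Any os.Stat failure other than ENOENT is silently dropped in the new `else` branch: if the data directory or one of the two files is unreadable (EACCES, or a `*os.PathError` wrapping something else), `shouldRegen` stays false, nothing is logged, and startup proceeds with a certificate and key it cannot read, so the failure surfaces later with a less helpful message. Only the missing-file case should trigger regeneration; every other error should stop startup the way the blobstore error a few lines above already does with log.Fatalf. If the toolchain in use provides os.IsNotExist, `if os.IsNotExist(err)` is the shorter and more portable test than matching `*os.PathError` against `os.ENOENT`. Regeneration also replaces an existing server certificate, which presumably changes the identity clients have stored for this server, so the "Generating" log line should say which of the two files was missing and that any existing pair is being overwritten. main starts before and continues after this hunk.
```go
	} else {
		for _, fn := range []string{certFn, keyFn} {
			_, err := os.Stat(fn)
			if err == nil {
				continue
			}
			if e, ok := err.(*os.PathError); ok && e.Err == os.ENOENT {
				shouldRegen = true
				continue
			}
			// Anything but "missing" means the files exist but are unusable; do not paper over it.
			log.Fatalf("Unable to stat %v: %v", fn, err)
		}
	}
	// … unchanged: if shouldRegen { … } …
```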