diff --git a/build/probe_nk_certs.pl b/build/probe_nk_certs.pl
index 6d44f298..36554355 100755
--- a/build/probe_nk_certs.pl
+++ b/build/probe_nk_certs.pl
@@ -101,6 +101,28 @@ sub comment {
 $subject = $1;
 }
+ #
+ # Extract the public key size. This is displayed differently
+ # in different versions of OpenSSL.
+ #
+ if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ }
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
@@ -122,6 +144,10 @@ sub comment {
 }
+ if ($pubSize < 2048) {
+ warning("short public key: $pubSize bits, certificate expires $notAfter");
+ }
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }
diff --git a/build/probe_nk_nocerts.pl b/build/probe_nk_nocerts.pl
index 9d850118..808f6ac6 100755
--- a/build/probe_nk_nocerts.pl
+++ b/build/probe_nk_nocerts.pl
@@ -107,6 +107,28 @@ sub comment {
 $subject = $1;
 }
+ #
+ # Extract the public key size. This is displayed differently
+ # in different versions of OpenSSL.
+ #
+ if (/RSA Public Key: \((\d+) bit\)/) { # OpenSSL 0.9x
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ } elsif (/^\s*Public-Key: \((\d+) bit\)/) { # OpenSSL 1.0
+ $pubSize = $1;
+ $pubSizeCount{$pubSize}++;
+ # print " Public key size: $pubSize\n";
+ if ($pubSize < 1024) {
+ error('PUBLIC KEY TOO SHORT');
+ }
+ next;
+ }
+
 if (/Not After : (.*)$/) {
 $notAfter = $1;
 $notAfterTime = str2time($notAfter);
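Review bot: The OpenSSL 1.0 branch, `/^\s*Public-Key: \((\d+) bit\)/`, is not RSA-specific the way the 0.9x pattern `RSA Public Key:` is: `openssl x509 -text` prints `Public-Key: (N bit)` for EC and DSA keys as well, so a 256-bit EC certificate would trip `error('PUBLIC KEY TOO SHORT')` here and the `$pubSize < 2048` warning in the next hunk, while the 1024/2048-bit thresholds are only meaningful for RSA. Whether the probed certificate set contains non-RSA keys is not visible from the diff, but the check should be keyed on the `Public Key Algorithm:` line that precedes the size in both versions' output. The two branches also have identical bodies and can be collapsed into one alternation, which removes the duplicated block and the commented-out `print` lines. The same code is added verbatim in build/probe_nk_nocerts.pl at @@ -107,6 +107,28 @@ and needs the same treatment; the loop that `next` continues starts outside the hunk, and `$pubAlg` would have to be declared and reset together with the other per-certificate variables there.
```perl
    # … unchanged: subject extraction …
    if (/^\s*Public Key Algorithm: (\S+)/) {    # precedes the key size in 0.9x and 1.0 output
        $pubAlg = $1;
        next;
    }
    if (/RSA Public Key: \((\d+) bit\)/          # OpenSSL 0.9x
        || /^\s*Public-Key: \((\d+) bit\)/) {    # OpenSSL 1.0
        $pubSize = $1;
        $pubSizeCount{$pubSize}++;
        # The thresholds below are RSA thresholds; EC/DSA sizes are not comparable.
        if (defined $pubAlg && $pubAlg eq 'rsaEncryption' && $pubSize < 1024) {
            error('PUBLIC KEY TOO SHORT');
        }
        next;
    }
    # … unchanged: Not After handling …
```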
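Review bot: `if ($pubSize < 2048)` is evaluated for every certificate, including one whose `openssl` output contained no key-size line, yet `$pubSize` is only assigned inside the new branches of the earlier hunk; unless it is reset where the per-certificate variables are initialised (outside this hunk), the comparison sees the previous certificate's value or undef, and undef compares as 0 under `use warnings` and yields a misleading `short public key:  bits` warning. Guard the comparison with `if (defined $pubSize && $pubSize < 2048) {` and clear `$pubSize` at the point where `$subject` and `$notAfter` are reset for each certificate. The identical hunk in build/probe_nk_nocerts.pl at @@ -128,6 +150,10 @@ needs the same guard.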
@@ -128,6 +150,10 @@ sub comment {
 }
+ if ($pubSize < 2048) {
+ warning("short public key: $pubSize bits, certificate expires $notAfter");
+ }
+
 if ($subject eq $issuer) {
 $issuer = "(self-signed certificate)";
 }