The current (7.x) version of WCG is hard-coded to generate 1024-bit RSA end-entity dynamic certs. I understand that the upcoming 8.x version will increase this to 2048-bit RSA certs, but it will still be hard-coded. Also, there is an increasing number of ECDSA certs being used in the wild now (especially from Google and Cloudflare).
Please consider supporting ECDSA end-entity certs (either chained from a single "internal CA" cert or by supporting two internal CA certs, one RSA and one ECDSA), and then allowing the dynamic cert generation to be fully configurable by the WCG administrator, allowing us to specify:
a) min and max RSA key length (e.g. min = 2048, max = 4096)
b) min and max ECDSA named curve (e.g. min = P256, max = P384)
In both cases, have the dynamically generated certs attempt to match the key length/curve of the real end-entity cert for the target remote server if possible, while still remaining constrained by these configured limits.
Regards,
Jacob
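The selection rule the request describes (match the upstream leaf key, clamped to the administrator's min/max limits, with a fallback when ECDSA is disabled or the curve is unsupported), written out as an added Python example; this is not WCG code, and the `KeyPolicy` fields and `choose_key` function are assumed names:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# NIST curves ordered weakest to strongest, so "min" and "max" curves can be compared.
CURVE_ORDER = ["P256", "P384", "P521"]


@dataclass
class KeyPolicy:
    """Administrator-configured limits for dynamically generated end-entity keys."""
    rsa_min_bits: int = 2048
    rsa_max_bits: int = 4096
    ecdsa_min_curve: Optional[str] = "P256"   # None disables ECDSA dynamic certs
    ecdsa_max_curve: Optional[str] = "P384"

    def __post_init__(self) -> None:
        if self.rsa_min_bits > self.rsa_max_bits:
            raise ValueError("rsa_min_bits exceeds rsa_max_bits")
        if (self.ecdsa_min_curve is None) != (self.ecdsa_max_curve is None):
            raise ValueError("set both ECDSA curve limits or neither")
        if self.ecdsa_min_curve is not None:
            lo, hi = CURVE_ORDER.index(self.ecdsa_min_curve), CURVE_ORDER.index(self.ecdsa_max_curve)
            if lo > hi:
                raise ValueError("ecdsa_min_curve is stronger than ecdsa_max_curve")


def clamp_rsa(policy: KeyPolicy, upstream_bits: int) -> int:
    """Match the upstream modulus size, but never go below min or above max."""
    return max(policy.rsa_min_bits, min(policy.rsa_max_bits, upstream_bits))


def clamp_curve(policy: KeyPolicy, upstream_curve: str) -> Optional[str]:
    """Return the curve to use, or None if ECDSA is disabled or the curve is unknown."""
    if policy.ecdsa_min_curve is None or upstream_curve not in CURVE_ORDER:
        return None
    lo = CURVE_ORDER.index(policy.ecdsa_min_curve)
    hi = CURVE_ORDER.index(policy.ecdsa_max_curve)
    return CURVE_ORDER[max(lo, min(hi, CURVE_ORDER.index(upstream_curve)))]


def choose_key(policy: KeyPolicy, upstream_type: str, upstream_param) -> Tuple[str, object]:
    """Pick (key type, size-or-curve) for the dynamic cert from the real server's leaf key.
    upstream_param is the modulus length for 'RSA' or the curve name for 'ECDSA'."""
    if upstream_type == "ECDSA":
        curve = clamp_curve(policy, upstream_param)
        if curve is not None:
            return ("ECDSA", curve)
    elif upstream_type == "RSA":
        return ("RSA", clamp_rsa(policy, upstream_param))
    # ECDSA disabled, unsupported curve, or an unhandled key type: fall back to the smallest allowed RSA key.
    return ("RSA", policy.rsa_min_bits)
```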