diff --git a/.github/scripts/run-fips-it.sh b/.github/scripts/run-fips-it.sh
index 64b40498568..b0cfe748e7a 100755
--- a/.github/scripts/run-fips-it.sh
+++ b/.github/scripts/run-fips-it.sh
@@ -9,7 +9,7 @@ if [ $? -ne 0 ]; then
 fi
 STRICT_OPTIONS=""
 if [ "$1" = "strict" ]; then
-    STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,4096"
+    STRICT_OPTIONS="-Dauth.server.fips.mode=strict -Dauth.server.supported.keystore.types=BCFKS -Dauth.server.keystore.type=bcfks -Dauth.server.supported.rsa.key.sizes=2048,3072,4096"
 fi
 echo "STRICT_OPTIONS: $STRICT_OPTIONS"
 TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh fips`
diff --git a/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java b/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java
index 283836c595d..4755cbb9948 100644
--- a/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java
+++ b/common/src/main/java/org/keycloak/common/crypto/CryptoProvider.java
@@ -135,6 +135,6 @@ public interface CryptoProvider {
      * @return Allowed key sizes of RSA key modulus, which this cryptoProvider supports
      */
     default String[] getSupportedRsaKeySizes() {
-        return new String[] {"1024", "2048", "4096"};
+        return new String[] {"1024", "2048", "3072", "4096"};
     }
 }
diff --git a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/Fips1402StrictCryptoProvider.java b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/Fips1402StrictCryptoProvider.java
index 3f1e9ef3ab3..292f7aec66c 100644
--- a/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/Fips1402StrictCryptoProvider.java
+++ b/crypto/fips1402/src/main/java/org/keycloak/crypto/fips/Fips1402StrictCryptoProvider.java
@@ -18,6 +18,6 @@ public class Fips1402StrictCryptoProvider extends FIPS1402Provider {
     @Override
     public String[] getSupportedRsaKeySizes() {
         // RSA key of 1024 bits not supported in BCFIPS approved mode
-        return new String[] {"2048", "4096"};
+        return new String[] {"2048", "3072", "4096"};
     }
 }
diff --git a/services/src/main/java/org/keycloak/keys/AbstractGeneratedRsaKeyProviderFactory.java b/services/src/main/java/org/keycloak/keys/AbstractGeneratedRsaKeyProviderFactory.java
index ded3fff24f6..21a3a90ce4d 100644
--- a/services/src/main/java/org/keycloak/keys/AbstractGeneratedRsaKeyProviderFactory.java
+++ b/services/src/main/java/org/keycloak/keys/AbstractGeneratedRsaKeyProviderFactory.java
@@ -23,6 +23,7 @@ import java.security.cert.Certificate;
 import java.security.interfaces.RSAPrivateKey;
 
 import org.jboss.logging.Logger;
+import org.keycloak.Config;
 import org.keycloak.common.util.CertificateUtils;
 import org.keycloak.common.util.KeyUtils;
 import org.keycloak.common.util.MultivaluedHashMap;
@@ -33,10 +34,13 @@ import org.keycloak.crypto.KeyUse;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.provider.ConfigurationValidationHelper;
+import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.provider.ProviderConfigurationBuilder;
 
 public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsaKeyProviderFactory {
 
+    private int defaultKeySize = 2048;
+
     abstract protected Logger getLogger();
 
     public final static ProviderConfigurationBuilder rsaKeyConfigurationBuilder() {
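Review bot: The comment above the return in `Fips1402StrictCryptoProvider.getSupportedRsaKeySizes()` explains only why 1024 is absent, while the same allow-list is now maintained by hand in `run-fips-it.sh`, `HOW-TO-RUN.md` and the testsuite `pom.xml` (`-Dauth.server.supported.rsa.key.sizes=2048,3072,4096`) with nothing tying the copies together. A second comment line, `// keep in sync with auth.server.supported.rsa.key.sizes in run-fips-it.sh, HOW-TO-RUN.md and tests/pom.xml`, would make the next size addition less likely to miss one of them. The same remark applies to the default list in `CryptoProvider.getSupportedRsaKeySizes()` in the previous hunk, whose Javadoc `@return` could name where the list is consumed.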
@@ -46,6 +50,17 @@ public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsa
                 .property(Attributes.ACTIVE_PROPERTY);
     }
 
+    protected ProviderConfigurationBuilder generatedRsaKeyConfigurationBuilder() {
+        ProviderConfigProperty prop = Attributes.KEY_SIZE_PROPERTY.get();
+        prop.setDefaultValue(defaultKeySize);
+        return rsaKeyConfigurationBuilder().property(prop);
+    }
+
+    @Override
+    public void init(Config.Scope config) {
+        this.defaultKeySize = config.getInt(Attributes.KEY_SIZE_KEY, 2048);
+    }
+
     @Override
     public boolean createFallbackKeys(KeycloakSession session, KeyUse keyUse, String algorithm) {
         if (isValidKeyUse(keyUse) && isSupportedRsaAlgorithm(algorithm)) {
@@ -80,7 +95,7 @@ public abstract class AbstractGeneratedRsaKeyProviderFactory extends AbstractRsa
 
         ConfigurationValidationHelper.check(model).checkList(Attributes.KEY_SIZE_PROPERTY.get(), false);
 
-        int size = model.get(Attributes.KEY_SIZE_KEY, 2048);
+        int size = model.get(Attributes.KEY_SIZE_KEY, this.defaultKeySize);
 
         if (!(model.contains(Attributes.PRIVATE_KEY_KEY) && model.contains(Attributes.CERTIFICATE_KEY))) {
             generateKeys(realm, model, size);
diff --git a/services/src/main/java/org/keycloak/keys/GeneratedRsaEncKeyProviderFactory.java b/services/src/main/java/org/keycloak/keys/GeneratedRsaEncKeyProviderFactory.java
index fea6aa601d9..82dd8db5b16 100644
--- a/services/src/main/java/org/keycloak/keys/GeneratedRsaEncKeyProviderFactory.java
+++ b/services/src/main/java/org/keycloak/keys/GeneratedRsaEncKeyProviderFactory.java
@@ -51,8 +51,7 @@ public class GeneratedRsaEncKeyProviderFactory extends AbstractGeneratedRsaKeyPr
 
     @Override
     public List getConfigProperties() {
-        return AbstractGeneratedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
-                .property(Attributes.KEY_SIZE_PROPERTY.get())
+        return generatedRsaKeyConfigurationBuilder()
                 .property(Attributes.RS_ENC_ALGORITHM_PROPERTY)
                 .build();
     }
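Review bot: `init(Config.Scope)` accepts any integer as `defaultKeySize` without checking it against `getSupportedRsaKeySizes()`, and the second hunk (`-80,7`) then feeds that default into `generateKeys` via `model.get(Attributes.KEY_SIZE_KEY, this.defaultKeySize)` — if the preceding `checkList(..., false)` lets an absent key size through, as the `false` suggests, a misconfigured server-wide default (say 1024 on a strict FIPS deployment) bypasses the per-component allow-list entirely. Validate once in `init`, e.g. `if (!Arrays.asList(CryptoIntegration.getProvider().getSupportedRsaKeySizes()).contains(String.valueOf(this.defaultKeySize))) throw new IllegalArgumentException("Unsupported default RSA key size: " + this.defaultKeySize);` (needs `java.util.Arrays` and `org.keycloak.common.crypto.CryptoIntegration` in scope if they are not already). The literal `2048` is now repeated in the field initializer (previous hunk, `-33,10`) and in `init`; a `private static final int DEFAULT_KEY_SIZE = 2048;` used by both would keep them from drifting. `validateConfiguration` starts and ends outside the second hunk.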
diff --git a/services/src/main/java/org/keycloak/keys/GeneratedRsaKeyProviderFactory.java b/services/src/main/java/org/keycloak/keys/GeneratedRsaKeyProviderFactory.java
index 65466ce0b5d..cc539c07b36 100644
--- a/services/src/main/java/org/keycloak/keys/GeneratedRsaKeyProviderFactory.java
+++ b/services/src/main/java/org/keycloak/keys/GeneratedRsaKeyProviderFactory.java
@@ -53,8 +53,7 @@ public class GeneratedRsaKeyProviderFactory extends AbstractGeneratedRsaKeyProvi
 
     @Override
     public List getConfigProperties() {
-        return AbstractGeneratedRsaKeyProviderFactory.rsaKeyConfigurationBuilder()
-                .property(Attributes.KEY_SIZE_PROPERTY.get())
+        return generatedRsaKeyConfigurationBuilder()
                 .property(Attributes.RS_ALGORITHM_PROPERTY)
                 .build();
     }
diff --git a/testsuite/integration-arquillian/HOW-TO-RUN.md b/testsuite/integration-arquillian/HOW-TO-RUN.md
index ff943f65c24..d63fca5be7c 100644
--- a/testsuite/integration-arquillian/HOW-TO-RUN.md
+++ b/testsuite/integration-arquillian/HOW-TO-RUN.md
@@ -656,7 +656,7 @@ For running testsuite with server using BCFIPS approved mode, those additional p
 -Dauth.server.fips.mode=strict \
 -Dauth.server.supported.keystore.types=BCFKS \
 -Dauth.server.keystore.type=bcfks \
--Dauth.server.supported.rsa.key.sizes=2048,4096
+-Dauth.server.supported.rsa.key.sizes=2048,3072,4096
 ```
 The log should contain `KeycloakFipsSecurityProvider` mentioning "Approved mode". Something like:
 ```
diff --git a/testsuite/integration-arquillian/tests/pom.xml b/testsuite/integration-arquillian/tests/pom.xml
index 6947f179e78..aca55f06934 100644
--- a/testsuite/integration-arquillian/tests/pom.xml
+++ b/testsuite/integration-arquillian/tests/pom.xml
@@ -259,7 +259,7 @@ local disabled JKS,PKCS12,BCFKS - 1024,2048,4096 + 1024,2048,3072,4096 true