Hi, I wasn't able to figure out how to test the trigger solution suggested by Paul Wise. I did end up taking so long to fix this that OpenSSL 1.1.1 was released, and I tried to set an installation dependency so the updated version of openssl would be installed first.
It does check to see if the too small keys are installed, deletes them and then regenerates the keys. (With an autopkgtest) Diane
signature.asc
Description: This is a digitally signed message part