diff --git a/upgrade.py b/upgrade.py
index 721aea23..97140053 100644
--- a/upgrade.py
+++ b/upgrade.py
@@ -4,6 +4,8 @@ import re
 import shutil
+from OpenSSL import crypto
+
 import diskutil
 import product
 from xcp.version import *
@@ -206,11 +208,21 @@ def __init__(self, source):
 input_data = util.readKeyValueFile(default_storage_conf_path)
 self.storage_type = input_data['TYPE']
+ self.key_size = None
+ cert_path = os.path.join(primary_fs.mount_point, "etc/xensource/xapi-ssl.pem")
+ with open(cert_path, "r") as cert_file:
+ cert_text = cert_file.read()
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_text)
+ self.key_size = cert.get_pubkey().bits()
+ logger.info("ExistingInstallation %s: certificate key size %s", self.key_size)
+
 primary_fs.unmount()
 def testUpgradeForbidden(self, tool):
 if tool.partTableType == constants.PARTITION_DOS:
 raise RuntimeError("Upgrade from a DOS partition type is not supported.")
+ if self.key_size < 2048:
+ raise RuntimeError("Server certificate is too small, must regenerate on 8.2.1 before upgrade.")
 prepTargetStateChanges = []
 prepTargetArgs = ['primary-disk', 'target-boot-mode', 'boot-partnum', 'primary-partnum', 'logs-partnum', 'swap-partnum', 'storage-partnum']
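Review bot: The certificate read added to `__init__` is unguarded, so a missing or unparsable `xapi-ssl.pem` raises out of the constructor before `primary_fs.unmount()` runs (unless the part of `__init__` above the hunk already handles this), leaving the mount behind and giving no clear reason why the installation cannot be upgraded. The `logger.info` call in the same block has two `%s` placeholders but only one argument, so the record fails to format and the key size never reaches the log. In `testUpgradeForbidden`, `self.key_size < 2048` relies on `key_size` never being `None` (on Python 3 that comparison raises `TypeError`, on Python 2 it is silently true) and applies the 2048-bit threshold whatever the key type, so a non-RSA key would presumably be refused as too small; confirm only RSA certificates can appear here. The sketch below catches the read errors, fixes the log call and fails closed with its own message; whether an unreadable certificate should block the upgrade is a policy decision, and both functions continue outside the hunk.

```python
        # ... unchanged: self.key_size = None, cert_path ...
        try:
            with open(cert_path, "r") as cert_file:
                cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_file.read())
            self.key_size = cert.get_pubkey().bits()
            logger.info("ExistingInstallation: certificate key size %s", self.key_size)
        except (IOError, crypto.Error) as e:
            # key_size stays None; testUpgradeForbidden reports it.
            logger.info("ExistingInstallation: cannot read %s: %s", cert_path, e)
        # ... unchanged: primary_fs.unmount() ...

    def testUpgradeForbidden(self, tool):
        # ... unchanged: DOS partition table check ...
        if self.key_size is None:
            raise RuntimeError("Server certificate could not be read, cannot check its key size.")
        # ... unchanged: key_size < 2048 check ...
```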