diff --git a/gimmecert/cli.py b/gimmecert/cli.py
index 72df6e10e719be7c79abe3e0fbd4a39057109bbe..a0ccbfdaddc45d312fcb8fd8068dce524d435d00 100644
--- a/gimmecert/cli.py
+++ b/gimmecert/cli.py
@@ -209,10 +209,21 @@ def setup_renew_subcommand_parser(parser, subparsers):
 existing certificate, and use the passed-in certificate signing request (CSR) instead. Use dash (-) to read from standard input. \
 If private key exists, it will be removed. Mutually exclusive with the --new-private-key option. Only the public key is taken from the CSR.''')
+ subparser.add_argument('--key-specification', '-k', type=key_specification,
+ help='''Specification/parameters to use for private key generation. \
+ For RSA keys, use format rsa:BIT_LENGTH. Default is to use same specification as used for current certificate.''', default=None)
+
 def renew_wrapper(args):
+ # This is a workaround for having the key specification option
+ # be dependant on new private key option, since argparse
+ # cannot provide such verification on its own.
+ if args.key_specification and not args.new_private_key:
+ subparser.error("argument --key-specification/-k: must be used with --new-private-key/-p")
+
 project_directory = os.getcwd()
- return renew(sys.stdout, sys.stderr, project_directory, args.entity_type, args.entity_name, args.new_private_key, args.csr, args.dns_names)
+ return renew(sys.stdout, sys.stderr, project_directory, args.entity_type, args.entity_name, args.new_private_key, args.csr, args.dns_names,
+ args.key_specification)
 subparser.set_defaults(func=renew_wrapper)
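Review bot: The new `--key-specification` help text in `setup_renew_subcommand_parser` documents `rsa:BIT_LENGTH` without stating any lower bound, and the `key_specification` type function that parses the value is outside this hunk, so it is not visible here whether an undersized RSA key is rejected at argument parsing. If it is not, consider enforcing a minimum there, or have the help text say which sizes are accepted. In the guard in `renew_wrapper`, `if args.key_specification is not None and not args.new_private_key:` would state the intent more precisely than a truthiness test on the parsed value. The comment's `dependant` should read `dependent`.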