diff --git a/caddy/https/https.go b/caddy/https/https.go
index 83e5a52e8..f9214f149 100644
--- a/caddy/https/https.go
+++ b/caddy/https/https.go
@@ -404,7 +404,7 @@ const AlternatePort = "5033"
 // KeyType is the type to use for new keys.
 // This shouldn't need to change except for in tests;
 // the size can be drastically reduced for speed.
-var KeyType acme.KeyType
+var KeyType = acme.RSA2048
 
 // stopChan is used to signal the maintenance goroutine
 // to terminate.
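Review bot: The doc comment on `KeyType` still only says the size can be reduced for tests, and now that the initializer is the sole source of the default it should state that default and the production constraint, for example `// KeyType is the type to use for new keys; it defaults to acme.RSA2048.` followed by `// Lowering it is intended for tests only and weakens issued keys.` This commit also drops the empty-value fallback in setDefaultTLSParams (setup.go), so a caller that resets the exported variable to its zero value will now pass an empty key type through to key generation. How the ACME library handles an empty type is not visible here, so it is worth confirming that it returns an error rather than silently choosing some other key.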
diff --git a/caddy/https/setup.go b/caddy/https/setup.go
index ac1f7da30..03d186a7c 100644
--- a/caddy/https/setup.go
+++ b/caddy/https/setup.go
@@ -228,10 +228,6 @@ func loadCertsInDir(c *setup.Controller, dir string) error {
 // port to 443 if not already set, TLS is enabled, TLS is manual, and the host
 // does not equal localhost.
 func setDefaultTLSParams(c *server.Config) {
-	if KeyType == "" {
-		KeyType = acme.RSA2048
-	}
-
 	// If no ciphers provided, use default list
 	if len(c.TLS.Ciphers) == 0 {
 		c.TLS.Ciphers = defaultCiphers
diff --git a/caddy/https/setup_test.go b/caddy/https/setup_test.go
index 220cb0bcc..f1a07474f 100644
--- a/caddy/https/setup_test.go
+++ b/caddy/https/setup_test.go
@@ -55,6 +55,11 @@ func TestSetupParseBasic(t *testing.T) {
 		t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", c.TLS.ProtocolMaxVersion)
 	}
 
+	// KeyType default
+	if KeyType != acme.RSA2048 {
+		t.Errorf("Expected '2048' as KeyType, got %#v", KeyType)
+	}
+
 	// Cipher checks
 	expectedCiphers := []uint16{
 		tls.TLS_FALLBACK_SCSV,
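Review bot: The new `KeyType` assertion reads a mutable package-level variable, so it only holds if no earlier test in the package has lowered it, which the variable's own doc comment invites for speed. Any test that changes it should restore the previous value, e.g. `defer func(old acme.KeyType) { KeyType = old }(KeyType)`, otherwise this check becomes order-dependent. The failure message hard-codes `'2048'`; printing the expected side with `%#v` of `acme.RSA2048` keeps it accurate if the constant's underlying value changes. TestSetupParseBasic begins and continues outside this hunk.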