diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 6c02e0ebaa9267eff1a2cd58bf2be118976ae113..ae9b666efcef603aa87bdc5348c3412c79771624 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -62,4 +62,4 @@
       loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"
 
     - name: Generate global DH params
-      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
+      local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits | default('2048') }}"
diff --git a/roles/float-infra-nginx/defaults/main.yml b/roles/float-infra-nginx/defaults/main.yml
index 50b41600357ef0ecc4520c71601f908490a4705a..23e9ff294934b183572b8552f678279560b64a8d 100644
--- a/roles/float-infra-nginx/defaults/main.yml
+++ b/roles/float-infra-nginx/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+# If you change this default, you also need to change playbooks/init-credentials.yml.
 dhparam_bits: 2048
 
 # Ports that NGINX should bind to. Only change if you are setting
diff --git a/roles/float-infra-nginx/tasks/nginx.yml b/roles/float-infra-nginx/tasks/nginx.yml
index 7d0c0722dfdf2a151ae19fa23bece9c29719c8af..e4ba5f2dea85155db84193b584f37d986cb623f7 100644
--- a/roles/float-infra-nginx/tasks/nginx.yml
+++ b/roles/float-infra-nginx/tasks/nginx.yml
@@ -79,8 +79,8 @@
 
 - name: Install DH parameters
   copy:
-    src: "{{ credentials_dir }}/x509/dhparam"
-    dest: /etc/nginx/dhparam
+    src: "{{ credentials_dir }}/x509/dhparam-{{ dhparam_bits }}"
+    dest: /etc/nginx/dhparam-{{ dhparam_bits }}
 
 - name: Install NGINX config (dirs)
   file:
diff --git a/roles/float-infra-nginx/templates/config/conf.d/ssl.conf b/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
index 99ab8b1180221a4c48a438289b449b5e865e1382..e0eac1602e70f0dc62879641bd046032d1e1ef60 100644
--- a/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
+++ b/roles/float-infra-nginx/templates/config/conf.d/ssl.conf
@@ -3,7 +3,7 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
-ssl_dhparam /etc/nginx/dhparam;
+ssl_dhparam /etc/nginx/dhparam-{{ dhparam_bits }};
 ssl_ecdh_curve secp384r1;
 
 # Allow longer keepalive timeouts for SSL connections.