diff --git a/include/freerdp/crypto/certificate.h b/include/freerdp/crypto/certificate.h
index c44694363..fe025841f 100644
--- a/include/freerdp/crypto/certificate.h
+++ b/include/freerdp/crypto/certificate.h
@@ -78,6 +78,8 @@ extern "C"
 FREERDP_API BOOL freerdp_certificate_verify(const rdpCertificate* cert, const char* certificate_store_path);
+ FREERDP_API BOOL freerdp_certificate_is_rdp_security_compatible(const rdpCertificate* cert);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c
index 986583631..3c97946ab 100644
--- a/libfreerdp/core/peer.c
+++ b/libfreerdp/core/peer.c
@@ -256,13 +256,8 @@ static BOOL freerdp_peer_initialize(freerdp_peer* client)
 return FALSE;
 }
- if (!freerdp_certificate_is_rsa(cert))
+ if (!freerdp_certificate_is_rdp_security_compatible(cert))
 {
- if (freerdp_settings_get_bool(settings, FreeRDP_RdpSecurity)) WLog_WARN(TAG, "certificate is not of RSA type, deactivating RDP security for good.");
- else WLog_INFO(TAG, "certificate is not of RSA type, RDP security not supported.");
-
 if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
 return FALSE;
 if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
diff --git a/libfreerdp/crypto/certificate.c b/libfreerdp/crypto/certificate.c
index 0e383b563..ca81dd5db 100644
--- a/libfreerdp/crypto/certificate.c
+++ b/libfreerdp/crypto/certificate.c
@@ -1525,3 +1525,14 @@ BOOL freerdp_certificate_is_rsa(const rdpCertificate* cert)
 WINPR_ASSERT(cert->x509);
 return is_rsa_key(cert->x509);
 }
+
+BOOL freerdp_certificate_is_rdp_security_compatible(const rdpCertificate* cert)
+{
+ const rdpCertInfo* info = freerdp_certificate_get_info(cert);
+ if (!freerdp_certificate_is_rsa(cert) || !info || (info->ModulusLength != 2048 / 8))
+ {
+ WLog_INFO(TAG, "certificate is not RSA 2048, RDP security not supported.");
+ return FALSE;
+ }
+ return TRUE;
+}
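Review bot: The new exported declaration `freerdp_certificate_is_rdp_security_compatible` has no documentation comment, so a caller reading only the header cannot tell what "compatible" means or that the call logs on failure. The implementation added in libfreerdp/crypto/certificate.c in this same commit fixes the contract, so a Doxygen block such as `/** Check whether \p cert can back the legacy RDP security layer: an RSA key with a 2048-bit modulus. Logs at INFO level and returns FALSE otherwise. */` above the declaration would record it. Stating the modulus-length rule in the header also keeps the documented contract and the constant in the implementation from drifting apart. The enclosing `extern "C"` block starts outside the hunk.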
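Review bot: The WARN that told an operator RDP security was being turned off despite FreeRDP_RdpSecurity being enabled is lost: the removed branch logged at WARN level when the setting was true, whereas the replacement helper only emits INFO, so an explicitly configured RDP security layer is now disabled silently. Keep the distinction inside the new `if` body before the two set_bool calls, e.g. `if (freerdp_settings_get_bool(settings, FreeRDP_RdpSecurity))` followed by `WLog_WARN(TAG, "certificate is not RDP security compatible, deactivating RDP security for good.");`. The same silent downgrade applies to the shadow_server_init_certificate hunk in server/shadow/shadow_server.c. freerdp_peer_initialize starts and ends outside the hunk.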
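Review bot: `2048 / 8` in the new function is a magic number with no recorded rationale, and the comparison is an exact match, so a 3072- or 4096-bit RSA key is reported as "not RSA 2048" and loses RDP security; if the intent is a minimum strength rather than the one size the legacy layer handles, `<` would be the comparison, and either way the reason belongs in a comment. A named constant keeps the check and the log text in step, e.g. `/* The legacy RDP security layer only handles a 2048-bit RSA server key */` above a file-scope `enum { RDP_SECURITY_RSA_MODULUS_BYTES = 2048 / 8 };` (name constructed here) used in the condition. `freerdp_certificate_get_info(cert)` runs before `freerdp_certificate_is_rsa(cert)`, which asserts `cert->x509` per the hunk's context, while get_info's handling of a NULL cert is not visible here; a leading `WINPR_ASSERT(cert);` would make the precondition explicit in the style of the neighbouring function.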
diff --git a/server/shadow/shadow_server.c b/server/shadow/shadow_server.c
index 3b93f4f33..77dff9523 100644
--- a/server/shadow/shadow_server.c
+++ b/server/shadow/shadow_server.c
@@ -463,10 +463,10 @@ static DWORD WINAPI shadow_server_thread(LPVOID arg)
 while (running)
 {
- HANDLE events[32];
+ HANDLE events[MAXIMUM_WAIT_OBJECTS] = { 0 };
 DWORD nCount = 0;
 events[nCount++] = server->StopEvent;
- nCount += listener->GetEventHandles(listener, &events[nCount], 32 - nCount);
+ nCount += listener->GetEventHandles(listener, &events[nCount], ARRAYSIZE(events) - nCount);
 if (nCount <= 1)
 {
@@ -834,9 +834,17 @@ static BOOL shadow_server_init_certificate(rdpShadowServer* server)
 rdpCertificate* cert = freerdp_certificate_new_from_file(server->CertificateFile);
 if (!cert)
 goto out_fail;
+
 if (!freerdp_settings_set_pointer_len(settings, FreeRDP_RdpServerCertificate, cert, 1))
 goto out_fail;
+ if (!freerdp_certificate_is_rdp_security_compatible(cert))
+ {
+ if (!freerdp_settings_set_bool(settings, FreeRDP_UseRdpSecurityLayer, FALSE))
+ goto out_fail;
+ if (!freerdp_settings_set_bool(settings, FreeRDP_RdpSecurity, FALSE))
+ goto out_fail;
+ }
 ret = TRUE;
 out_fail:
 free(filepath);
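Review bot: The two freerdp_settings_set_bool calls added in the shadow_server_init_certificate hunk are the same pair that freerdp_peer_initialize in libfreerdp/core/peer.c issues in this commit, but in the opposite order, so the two paths leave different flags set if the first call fails; use one order in both places. Whether a shadow peer also passes through freerdp_peer_initialize and repeats the check is not visible here, so a one-line comment above the block, e.g. `/* Same downgrade as freerdp_peer_initialize(): no RDP security without an RSA-2048 key */`, would tell the next reader why the check appears twice. shadow_server_init_certificate starts outside the hunk.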