You are able to change/update the certool.cfg. You can check if there is parameter available for keysize.
VMware Knowledge Base
If there is no parameter available you can use OpenSSL to generate the CSR with a 4096 bit keysize.
Rick
Please consider marking this answer "correct" or "helpful" if you think your query have been answered correctly.
Was I helpful? Give a kudo for appreciation!
Blog: https://rickverstegen84.wordpress.com/
Twitter: https://twitter.com/verstegenrick