Unfortunately there was a bug in the OpenSSL package in Debian which results in weak keys for services with SSL functionality.
Download the tarball, unpack it, move the lists (blacklist.RSA-2048 and blacklist.RSA-2048) to
Now you can use those lists with nmap.
nmap -p443 \
--script ssl-known-key \
--ssl-known-key.fingerprintfile /usr /share/nmap/nselib/data/blacklist.RSA-2048,/usr /share/nmap/nselib/data/blacklist.RSA-1024