Hi there,
I played around with setting the system-wide cryptographic policy to FUTURE (link to RedHat).
As a result, I could not update the system via DNF anymore.
I ran a quick check on the mirror’s certificate:
```
echo | openssl s_client -connect mirrors.rockylinux.org:443 2>/dev/null | openssl x509 -text -noout | grep "Public-Key"
RSA Public-Key: (2048 bit)
```
According to the FUTURE crypto policy, the minimum strength of an RSA key is 3072-bit.
A native security policy does seem to create a conflict with such basic system maintenance as updating the system.
I suspect that this is a third-party issue, but is this something that could be changed? Not a high priority…
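
The check from the post can be wrapped so that it reads both OpenSSL output styles and compares the RSA key size with the 3072-bit minimum the post cites. This is an added example, not part of the original post; the function names, return codes and sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample text below are constructed for illustration.
RSA_MIN_BITS=3072   # FUTURE minimum for RSA keys, as quoted in the post

# Reads `openssl x509 -text -noout` output on stdin, prints "<alg> <bits> <verdict>".
# Returns 0 = RSA key meets the minimum, 1 = RSA key too small,
#         2 = key fields not found, 3 = non-RSA key (not evaluated here).
check_cert_key() {
    min=${1:-$RSA_MIN_BITS}
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    if [ -z "$alg" ] || [ -z "$bits" ]; then
        echo "unknown 0 UNPARSED"; return 2
    fi
    case $alg in
        rsa*|RSA*)
            if [ "$bits" -lt "$min" ]; then
                echo "$alg $bits TOO_WEAK"; return 1
            fi
            echo "$alg $bits OK"; return 0 ;;
        *)
            echo "$alg $bits NOT_EVALUATED"; return 3 ;;
    esac
}

# Constructed fragments of certificate text (not captured from a real server).
sample_openssl1() { cat <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
EOF
}
sample_openssl3() { cat <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
EOF
}
sample_ec() { cat <<'EOF'
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
EOF
}

for s in sample_openssl1 sample_openssl3 sample_ec; do $s | check_cert_key || true; done
# Live use, with the command from the post:
# echo | openssl s_client -connect mirrors.rockylinux.org:443 2>/dev/null | openssl x509 -text -noout | check_cert_key
```

Running this against each configured mirror before switching policy shows which endpoints would be rejected for key size.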