dhparam(1ssl)dhparam(1ssl)NAMEdhparam - DH parameter manipulation and generation
SYNOPSIS
openssl dhparam [-inform DER | PEM] [-outform DER | PEM] [-in file‐
name] [-out filename] [-dsaparam] [-noout] [-text] [-C] [-2] [-5]
[-rand filename] [numbits]
OPTIONS
Specifies the input format. The DER option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is
the default format. It consists of the DER format base64 encoded with
additional header and footer lines. Specifies the output format. The
options have the same meaning as the -inform option. Specifies the
input filename to read parameters from or standard input if this option
is not specified. Specifies the output filename parameters. Standard
output is used if this option is not present. The output filename
should not be the same as the input filename. If this option is used,
DSA rather than DH parameters are read or created; they are converted
to DH format. Otherwise, strong primes (such that (p-1)/2 is also
prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much
faster, and the recommended exponent length is shorter, which
makes DH key exchange more efficient. Beware that with such
DSA-style DH parameters, a fresh DH key should be created for
each use to avoid small-subgroup attacks that may be possible
otherwise. The generator to use, either 2 or 5. Two is the
default. If present then the input file is ignored and parame‐
ters are generated instead. A file or files containing random
data used to seed the random number generator, or an EGD socket.
(See RAND_egd(3).) Multiple files can be specified separated by
a OS-dependent character. The separator is a semicolon (;) for
MS-Windows, a comma (,) for OpenVMS, and a colon (:) for all
others. Specifies that a parameter set should be generated of
size numbits. It must be the last option. If not present then a
value of 512 is used. If this option is present then the input
file is ignored and parameters are generated instead. Inhibits
the output of the encoded version of the parameters. Prints out
the DH parameters in human readable form. Converts the parame‐
ters into C code. The parameters can then be loaded by calling
the get_dh numbits() function.
DESCRIPTION
This command is used to manipulate DH parameter files.
NOTES
The dhparam program combines the functionality of the dh and gendh pro‐
grams in previous versions of OpenSSL and SSLeay. The dh and gendh pro‐
grams might have different purposes in future versions of OpenSSL.
PEM format DH parameters use the header and footer lines:
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
OpenSSL only supports the older PKCS#3 DH, not the newer X9.42 DH.
This program manipulates DH parameters not keys.
RESTRICTIONS
There should be a way to generate and manipulate DH keys.
HISTORY
The dhparam command was added in OpenSSL 0.9.5. The -dsaparam option
was added in OpenSSL 0.9.6.
SEE ALSO
Commands: dsaparam(1ssl)dhparam(1ssl)
