5 openssl-dhparam - DH parameter manipulation and generation
11 [B<-inform> B<DER>|B<PEM>]
12 [B<-outform> B<DER>|B<PEM>]
24 [B<-writerand> I<file>]
28 =for comment ifdef dsaparam engine
32 This command is used to manipulate DH parameter files.
40 Print out a usage message.
42 =item B<-inform> B<DER>|B<PEM>
44 This specifies the input format. The B<DER> option uses an ASN1 DER encoded
45 form compatible with the PKCS#3 DHparameter structure. The PEM form is the
46 default format: it consists of the B<DER> format base64 encoded with
47 additional header and footer lines.
49 =item B<-outform> B<DER>|B<PEM>
51 This specifies the output format, the options have the same meaning and default
52 as the B<-inform> option.
54 =item B<-in> I<filename>
56 This specifies the input filename to read parameters from or standard input if
57 this option is not specified.
59 =item B<-out> I<filename>
61 This specifies the output filename parameters to. Standard output is used
62 if this option is not present. The output filename should B<not> be the same
63 as the input filename.
67 If this option is used, DSA rather than DH parameters are read or created;
68 they are converted to DH format. Otherwise, "strong" primes (such
69 that (p-1)/2 is also prime) will be used for DH parameter generation.
71 DH parameter generation with the B<-dsaparam> option is much faster,
72 and the recommended exponent length is shorter, which makes DH key
73 exchange more efficient. Beware that with such DSA-style DH
74 parameters, a fresh DH key should be created for each use to
75 avoid small-subgroup attacks that may be possible otherwise.
79 Performs numerous checks to see if the supplied parameters are valid and
80 displays a warning if not.
82 =item B<-2>, B<-3>, B<-5>
84 The generator to use, either 2, 3 or 5. If present then the
85 input file is ignored and parameters are generated instead. If not
86 present but I<numbits> is present, parameters are generated with the
89 =item B<-rand> I<files>
91 The files containing random data used to seed the random number generator.
92 Multiple files can be specified separated by an OS-dependent character.
93 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
96 =item B<-writerand> I<file>
98 Writes random data to the specified I<file> upon exit.
99 This can be used with a subsequent B<-rand> flag.
103 This option specifies that a parameter set should be generated of size
104 I<numbits>. It must be the last option. If this option is present then
105 the input file is ignored and parameters are generated instead. If
106 this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
107 present, parameters are generated with a default length of 2048 bits.
108 The minimim length is 512 bits. The maximum length is 10000 bits.
112 This option inhibits the output of the encoded version of the parameters.
116 This option prints out the DH parameters in human readable form.
120 This option converts the parameters into C code. The parameters can then
121 be loaded by calling the get_dhNNNN() function.
123 =item B<-engine> I<id>
125 Specifying an engine (by its unique I<id> string) will cause B<dhparam>
126 to attempt to obtain a functional reference to the specified engine,
127 thus initialising it if needed. The engine will then be set as the default
128 for all available algorithms.
134 This command combines the functionality of the L<openssl-dh(1)> and the
135 L<openssl-gendh(1)> commands in previous OpenSSL versions.
136 The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but
137 may have different purposes in future versions of OpenSSL.
141 PEM format DH parameters use the header and footer lines:
143 -----BEGIN DH PARAMETERS-----
144 -----END DH PARAMETERS-----
146 OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
149 This program manipulates DH parameters not keys.
153 There should be a way to generate and manipulate DH keys.
158 L<openssl-dsaparam(1)>
162 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
164 Licensed under the Apache License 2.0 (the "License"). You may not use
165 this file except in compliance with the License. You can obtain a copy
166 in the file LICENSE in the source distribution or at
167 L<https://www.openssl.org/source/license.html>.