[thirdparty/openssl.git] / doc / man1 / openssl-dhparam.pod

=pod

=head1 NAME

openssl-dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-2>]
[B<-3>]
[B<-5>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[I<numbits>]

=for openssl ifdef dsaparam engine

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>

The input format and output format; the default is B<PEM>.
The object is compatible with the PKCS#3 B<DHparameter> structure.
See L<openssl(1)/Format Options> for details.

=item B<-in> I<filename>

This specifies the input filename to read parameters from or standard input if
this option is not specified.

=item B<-out> I<filename>

This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format.  Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient.  Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-3>, B<-5>

The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but I<numbits> is present, parameters are generated with the
default generator 2.

=item B<-rand> I<files>, B<-writerand> I<file>

See L<openssl(1)/Random State Options> for more information.

=item I<numbits>

This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.
The minimim length is 512 bits. The maximum length is 10000 bits.

=item B<-noout>

This option inhibits the output of the encoded version of the parameters.

=item B<-text>

This option prints out the DH parameters in human readable form.

=item B<-C>

This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.

=item B<-engine> I<id>

Specifying an engine (by its unique I<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=back

=head1 WARNINGS

This command combines the functionality of the L<openssl-dh(1)> and the
L<openssl-gendh(1)> commands in previous OpenSSL versions.
The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but
may have different purposes in future versions of OpenSSL.

=head1 NOTES

OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.

This program manipulates DH parameters not keys.

=head1 BUGS

There should be a way to generate and manipulate DH keys.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-dsaparam(1)>

=head1 COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
ef7eaa4c DSH	1	=pod
	2
	3	=head1 NAME
	4
b6b66573	5	openssl-dhparam - DH parameter manipulation and generation
ef7eaa4c DSH	6
	7	=head1 SYNOPSIS
	8
41918458	9	B<openssl dhparam>
169394d4	10	[B<-help>]
e8769719 RS	11	[B<-inform> B<DER>\|B<PEM>]
e8769719 RS	12	[B<-outform> B<DER>\|B<PEM>]
41918458 BM	13	[B<-in> I<filename>]
	14	[B<-out> I<filename>]
	15	[B<-dsaparam>]
fc1d88f0	16	[B<-check>]
ef7eaa4c DSH	17	[B<-noout>]
	18	[B<-text>]
	19	[B<-C>]
09483c58	20	[B<-2>]
a38c878c	21	[B<-3>]
09483c58	22	[B<-5>]
fed8bd90	23	[B<-rand> I<files>]
e8769719 RS	24	[B<-writerand> I<file>]
e8769719 RS	25	[B<-engine> I<id>]
41918458	26	[I<numbits>]
ef7eaa4c	27
9f3c076b	28	=for openssl ifdef dsaparam engine
1738c0ce	29
ef7eaa4c DSH	30	=head1 DESCRIPTION
	31
	32	This command is used to manipulate DH parameter files.
	33
	34	=head1 OPTIONS
	35
	36	=over 4
	37
169394d4 MR	38	=item B<-help>
	39
	40	Print out a usage message.
	41
777182a0	42	=item B<-inform> B<DER>\|B<PEM>, B<-outform> B<DER>\|B<PEM>
ef7eaa4c	43
777182a0 RS	44	The input format and output format; the default is B<PEM>.
	45	The object is compatible with the PKCS#3 B<DHparameter> structure.
	46	See L<openssl(1)/Format Options> for details.
ef7eaa4c	47
41918458	48	=item B<-in> I<filename>
ef7eaa4c DSH	49
	50	This specifies the input filename to read parameters from or standard input if
	51	this option is not specified.
	52
41918458	53	=item B<-out> I<filename>
ef7eaa4c DSH	54
	55	This specifies the output filename parameters to. Standard output is used
	56	if this option is not present. The output filename should B<not> be the same
	57	as the input filename.
	58
41918458 BM	59	=item B<-dsaparam>
	60
	61	If this option is used, DSA rather than DH parameters are read or created;
	62	they are converted to DH format. Otherwise, "strong" primes (such
	63	that (p-1)/2 is also prime) will be used for DH parameter generation.
	64
	65	DH parameter generation with the B<-dsaparam> option is much faster,
	66	and the recommended exponent length is shorter, which makes DH key
	67	exchange more efficient. Beware that with such DSA-style DH
	68	parameters, a fresh DH key should be created for each use to
	69	avoid small-subgroup attacks that may be possible otherwise.
	70
fc1d88f0 RS	71	=item B<-check>
fc1d88f0 RS	72
eeb21772 MC	73	Performs numerous checks to see if the supplied parameters are valid and
eeb21772 MC	74	displays a warning if not.
fc1d88f0	75
a38c878c	76	=item B<-2>, B<-3>, B<-5>
09483c58	77
a38c878c	78	The generator to use, either 2, 3 or 5. If present then the
b5a379aa	79	input file is ignored and parameters are generated instead. If not
2f0ea936	80	present but I<numbits> is present, parameters are generated with the
b5a379aa	81	default generator 2.
09483c58	82
a397aca4	83	=item B<-rand> I<files>, B<-writerand> I<file>
09483c58	84
a397aca4	85	See L<openssl(1)/Random State Options> for more information.
3ee1eac2	86
41918458	87	=item I<numbits>
09483c58	88
c4de074e	89	This option specifies that a parameter set should be generated of size
b5a379aa EK	90	I<numbits>. It must be the last option. If this option is present then
b5a379aa EK	91	the input file is ignored and parameters are generated instead. If
6de1fe90	92	this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
b5a379aa	93	present, parameters are generated with a default length of 2048 bits.
6de1fe90	94	The minimim length is 512 bits. The maximum length is 10000 bits.
09483c58	95
ef7eaa4c DSH	96	=item B<-noout>
ef7eaa4c DSH	97
c4de074e	98	This option inhibits the output of the encoded version of the parameters.
ef7eaa4c DSH	99
	100	=item B<-text>
	101
c4de074e	102	This option prints out the DH parameters in human readable form.
ef7eaa4c DSH	103
	104	=item B<-C>
	105
c4de074e	106	This option converts the parameters into C code. The parameters can then
bbd86bf5	107	be loaded by calling the get_dhNNNN() function.
ef7eaa4c	108
e8769719	109	=item B<-engine> I<id>
bfa35550	110
2f0ea936	111	Specifying an engine (by its unique I<id> string) will cause B<dhparam>
bfa35550 RL	112	to attempt to obtain a functional reference to the specified engine,
	113	thus initialising it if needed. The engine will then be set as the default
	114	for all available algorithms.
	115
ef7eaa4c DSH	116	=back
ef7eaa4c DSH	117
09483c58 DSH	118	=head1 WARNINGS
09483c58 DSH	119
35a810bb RL	120	This command combines the functionality of the L<openssl-dh(1)> and the
	121	L<openssl-gendh(1)> commands in previous OpenSSL versions.
	122	The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but
	123	may have different purposes in future versions of OpenSSL.
09483c58	124
ef7eaa4c DSH	125	=head1 NOTES
ef7eaa4c DSH	126
ef7eaa4c DSH	127	OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
	128	DH.
	129
	130	This program manipulates DH parameters not keys.
	131
	132	=head1 BUGS
	133
ef7eaa4c DSH	134	There should be a way to generate and manipulate DH keys.
	135
	136	=head1 SEE ALSO
	137
b6b66573 DMSP	138	L<openssl(1)>,
b6b66573 DMSP	139	L<openssl-dsaparam(1)>
ef7eaa4c	140
e2f92610 RS	141	=head1 COPYRIGHT
e2f92610 RS	142
a38c878c	143	Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	144
449040b4	145	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	146	this file except in compliance with the License. You can obtain a copy
	147	in the file LICENSE in the source distribution or at
	148	L<https://www.openssl.org/source/license.html>.
	149
	150	=cut