2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-dhparam - DH parameter manipulation and generation
12 [B<-inform> B<DER>|B<PEM>]
13 [B<-outform> B<DER>|B<PEM>]
24 {- $OpenSSL::safe::opt_engine_synopsis -}
25 {- $OpenSSL::safe::opt_r_synopsis -}
26 {- $OpenSSL::safe::opt_provider_synopsis -}
29 =for openssl ifdef dsaparam engine
33 This command has been deprecated.
34 The L<openssl-pkeyparam(1)> command should be used instead.
36 This command is used to manipulate DH parameter files.
44 Print out a usage message.
46 =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
48 The input format and output format; the default is B<PEM>.
49 The object is compatible with the PKCS#3 B<DHparameter> structure.
50 See L<openssl(1)/Format Options> for details.
52 =item B<-in> I<filename>
54 This specifies the input filename to read parameters from or standard input if
55 this option is not specified.
57 =item B<-out> I<filename>
59 This specifies the output filename parameters to. Standard output is used
60 if this option is not present. The output filename should B<not> be the same
61 as the input filename.
65 If this option is used, DSA rather than DH parameters are read or created;
66 they are converted to DH format. Otherwise, "strong" primes (such
67 that (p-1)/2 is also prime) will be used for DH parameter generation.
69 DH parameter generation with the B<-dsaparam> option is much faster,
70 and the recommended exponent length is shorter, which makes DH key
71 exchange more efficient. Beware that with such DSA-style DH
72 parameters, a fresh DH key should be created for each use to
73 avoid small-subgroup attacks that may be possible otherwise.
77 Performs numerous checks to see if the supplied parameters are valid and
78 displays a warning if not.
80 =item B<-2>, B<-3>, B<-5>
82 The generator to use, either 2, 3 or 5. If present then the
83 input file is ignored and parameters are generated instead. If not
84 present but I<numbits> is present, parameters are generated with the
89 This option specifies that a parameter set should be generated of size
90 I<numbits>. It must be the last option. If this option is present then
91 the input file is ignored and parameters are generated instead. If
92 this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
93 present, parameters are generated with a default length of 2048 bits.
94 The minimim length is 512 bits. The maximum length is 10000 bits.
98 This option inhibits the output of the encoded version of the parameters.
102 This option prints out the DH parameters in human readable form.
106 This option converts the parameters into C code. The parameters can then
107 be loaded by calling the get_dhNNNN() function.
109 {- $OpenSSL::safe::opt_engine_item -}
111 {- $OpenSSL::safe::opt_r_item -}
113 {- $OpenSSL::safe::opt_provider_item -}
119 This command replaces the B<dh> and B<gendh> commands of previous
122 OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
125 This command manipulates DH parameters not keys.
129 There should be a way to generate and manipulate DH keys.
134 L<openssl-pkeyparam(1)>,
135 L<openssl-dsaparam(1)>
139 This command was deprecated in OpenSSL 3.0.
143 Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
145 Licensed under the Apache License 2.0 (the "License"). You may not use
146 this file except in compliance with the License. You can obtain a copy
147 in the file LICENSE in the source distribution or at
148 L<https://www.openssl.org/source/license.html>.