=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-2>]
[B<-3>]
[B<-5>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

See L<openssl-genpkey(1)/EXAMPLES> for examples on how to generate
a key using a named safe prime group without generating intermediate
parameters.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>

The input format and output format; the default is B<PEM>.
The object is compatible with the PKCS#3 B<DHparameter> structure.
See L<openssl-format-options(1)> for details.

=item B<-in> I<filename>

This specifies the input filename to read parameters from or standard input if
this option is not specified.

=item B<-out> I<filename>

This specifies the output filename to write parameters to. Standard output is
used if this option is not present. The output filename should B<not> be the same
as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format.  Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient.  Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-3>, B<-5>

The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but I<numbits> is present, parameters are generated with the
default generator 2.

=item I<numbits>

This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.
The minimum length is 512 bits. The maximum length is 10000 bits.

=item B<-noout>

This option inhibits the output of the encoded version of the parameters.

=item B<-text>

This option prints out the DH parameters in human readable form.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_provider_item -}

=back

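The difference between the two prime styles described under B<-dsaparam>, as an added example that is not part of the OpenSSL documentation or source. The primes, generator and function names are toy-sized assumptions constructed for illustration; the code checks the "(p-1)/2 is also prime" property and shows the subgroup-membership test a receiver can apply to a peer's public value when DSA-style parameters are in use.

```python
# Added example. All numbers are toy-sized and constructed for illustration.
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """True when p and (p-1)/2 are both prime (the non -dsaparam case)."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def validate_public(y, p, q):
    """Accept a peer value only if it lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

def distinct_secrets(y, p, q):
    """Count the shared secrets y**x mod p over private exponents 1..q-1."""
    return len({pow(y, x, p) for x in range(1, q)})

# Safe prime: p = 2q + 1, so the only small subgroups have order 1 or 2.
SAFE_P, SAFE_Q = 23, 11
# DSA-style: p - 1 = 2 * 3 * q, so a subgroup of order 3 also exists.
DSA_P, DSA_Q, DSA_G = 67, 11, 64   # 64 = 2**6 mod 67 has order 11
ORDER3 = 37                        # 37**3 mod 67 == 1, outside the q-subgroup

if __name__ == "__main__":
    print(is_safe_prime(SAFE_P), is_safe_prime(DSA_P))
    print(validate_public(DSA_G, DSA_P, DSA_Q), validate_public(ORDER3, DSA_P, DSA_Q))
    print(distinct_secrets(DSA_G, DSA_P, DSA_Q), distinct_secrets(ORDER3, DSA_P, DSA_Q))
```

An unvalidated order-3 value confines the shared secret to three possibilities, which reveals the private exponent modulo 3 when the same key is reused; a fresh key per exchange, as the text above advises, makes that leak useless.
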
=head1 NOTES

This command replaces the B<dh> and B<gendh> commands of previous
releases.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-dsaparam(1)>,
L<openssl-genpkey(1)>.

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

The B<-C> option was removed in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut