=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-2>]
[B<-3>]
[B<-5>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

See L<openssl-genpkey(1)/EXAMPLES> for examples on how to generate
a key using a named safe prime group without generating intermediate
parameters.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>

The input format and output format; the default is B<PEM>.
The object is compatible with the PKCS#3 B<DHparameter> structure.
See L<openssl-format-options(1)> for details.

=item B<-in> I<filename>

This specifies the input filename to read parameters from or standard input if
this option is not specified.

=item B<-out> I<filename>

This specifies the output filename to write parameters to. Standard output is
used if this option is not present. The output filename should B<not> be the
same as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format. Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient. Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-3>, B<-5>

The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but I<numbits> is present, parameters are generated with the
default generator 2.

=item I<numbits>

This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.
The minimum length is 512 bits. The maximum length is 10000 bits.

=item B<-noout>

This option inhibits the output of the encoded version of the parameters.

=item B<-text>

This option prints out the DH parameters in human readable form.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_provider_item -}

=back

=head1 NOTES

This command replaces the B<dh> and B<gendh> commands of previous
releases.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-dsaparam(1)>,
L<openssl-genpkey(1)>.

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

The B<-C> option was removed in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
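
The distinction drawn under the -dsaparam option, as an added example (not part of the OpenSSL documentation or source): it tests whether a modulus is a "strong" prime, lists the small subgroup orders a DSA-style group exposes, and applies the receiver-side membership check that rejects a peer value outside the order-q subgroup. The function names are hypothetical and the moduli are toy-sized values constructed for illustration.

```python
# Added illustration, not OpenSSL code. Parameters are toy-sized and constructed.
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; also usable on real-size moduli."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """The kind of prime dhparam generates by default: p and (p-1)/2 both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def small_cofactor_primes(p, q, bound=1000):
    """Primes below bound dividing (p-1)/q: orders of small subgroups outside the order-q one."""
    cofactor = (p - 1) // q
    return [r for r in range(2, bound) if is_probable_prime(r) and cofactor % r == 0]

def element_of_order(p, r):
    """Some element of prime order r modulo p (r must divide p-1)."""
    for h in range(2, p - 1):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of that order")

def peer_value_ok(y, p, q):
    """Receiver-side check: 2 <= y <= p-2 and y lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

# Constructed toy groups: SAFE_P = 2*1019 + 1; DSA_P = 6*101 + 1 (DSA-style, q = 101).
SAFE_P, SAFE_Q = 2039, 1019
DSA_P, DSA_Q = 607, 101
DSA_G = pow(2, (DSA_P - 1) // DSA_Q, DSA_P)  # generator of the order-101 subgroup
```

In the safe-prime group the only small-order value is p-1, which the range check already excludes; in the DSA-style group the order-3 value passes the range check and is caught only by the `pow(y, q, p) == 1` test.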