xref: /freebsd/crypto/openssl/doc/man1/openssl-dhparam.pod.in (revision a64729f5077d77e13b9497cb33ecb3c82e606ee8)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-dhparam - DH parameter manipulation and generation
7
8=head1 SYNOPSIS
9
10B<openssl dhparam>
11[B<-help>]
12[B<-inform> B<DER>|B<PEM>]
13[B<-outform> B<DER>|B<PEM>]
14[B<-in> I<filename>]
15[B<-out> I<filename>]
16[B<-dsaparam>]
17[B<-check>]
18[B<-noout>]
19[B<-text>]
20[B<-2>]
21[B<-3>]
22[B<-5>]
23{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
24{- $OpenSSL::safe::opt_provider_synopsis -}
25[I<numbits>]
26
27=head1 DESCRIPTION
28
29This command is used to manipulate DH parameter files.
30
31See L<openssl-genpkey(1)/EXAMPLES> for examples on how to generate
32a key using a named safe prime group without generating intermediate
33parameters.
34
35=head1 OPTIONS
36
37=over 4
38
39=item B<-help>
40
41Print out a usage message.
42
43=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
44
45The input format and output format; the default is B<PEM>.
46The object is compatible with the PKCS#3 B<DHparameter> structure.
47See L<openssl-format-options(1)> for details.
48
49=item B<-in> I<filename>
50
51This specifies the input filename to read parameters from or standard input if
52this option is not specified.
53
54=item B<-out> I<filename>
55
56This specifies the output filename parameters to. Standard output is used
57if this option is not present. The output filename should B<not> be the same
58as the input filename.
59
60=item B<-dsaparam>
61
62If this option is used, DSA rather than DH parameters are read or created;
63they are converted to DH format.  Otherwise, "strong" primes (such
64that (p-1)/2 is also prime) will be used for DH parameter generation.
65
66DH parameter generation with the B<-dsaparam> option is much faster,
67and the recommended exponent length is shorter, which makes DH key
68exchange more efficient.  Beware that with such DSA-style DH
69parameters, a fresh DH key should be created for each use to
70avoid small-subgroup attacks that may be possible otherwise.
71
72=item B<-check>
73
74Performs numerous checks to see if the supplied parameters are valid and
75displays a warning if not.
76
77=item B<-2>, B<-3>, B<-5>
78
79The generator to use, either 2, 3 or 5. If present then the
80input file is ignored and parameters are generated instead. If not
81present but I<numbits> is present, parameters are generated with the
82default generator 2.
83
84=item I<numbits>
85
86This option specifies that a parameter set should be generated of size
87I<numbits>. It must be the last option. If this option is present then
88the input file is ignored and parameters are generated instead. If
89this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
90present, parameters are generated with a default length of 2048 bits.
91The minimum length is 512 bits. The maximum length is 10000 bits.
92
93=item B<-noout>
94
95This option inhibits the output of the encoded version of the parameters.
96
97=item B<-text>
98
99This option prints out the DH parameters in human readable form.
100
101{- $OpenSSL::safe::opt_engine_item -}
102
103{- $OpenSSL::safe::opt_r_item -}
104
105{- $OpenSSL::safe::opt_provider_item -}
106
107=back
108
109=head1 NOTES
110
111This command replaces the B<dh> and B<gendh> commands of previous
112releases.
113
114=head1 SEE ALSO
115
116L<openssl(1)>,
117L<openssl-pkeyparam(1)>,
118L<openssl-dsaparam(1)>,
119L<openssl-genpkey(1)>.
120
121=head1 HISTORY
122
123The B<-engine> option was deprecated in OpenSSL 3.0.
124
125The B<-C> option was removed in OpenSSL 3.0.
126
127=head1 COPYRIGHT
128
129Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
130
131Licensed under the Apache License 2.0 (the "License").  You may not use
132this file except in compliance with the License.  You can obtain a copy
133in the file LICENSE in the source distribution or at
134L<https://www.openssl.org/source/license.html>.
135
136=cut
137