=pod

=head1 NAME

openssl-dhparam,
dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-2>]
[B<-5>]
[B<-rand file...>]
[B<-writerand file>]
[B<-engine id>]
[I<numbits>]

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform DER|PEM>

This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the B<DER> format base64 encoded with
additional header and footer lines.

=item B<-outform DER|PEM>

This specifies the output format; the options have the same meaning and default
as the B<-inform> option.

=item B<-in> I<filename>

This specifies the input filename to read parameters from or standard input if
this option is not specified.

=item B<-out> I<filename>

This specifies the output filename to write parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format. Otherwise, "strong" primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster,
and the recommended exponent length is shorter, which makes DH key
exchange more efficient. Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-5>

The generator to use, either 2 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but B<numbits> is present, parameters are generated with the
default generator 2.

=item B<-rand file...>

A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-writerand file>

Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.

=item I<numbits>

This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.

=item B<-noout>

This option inhibits the output of the encoded version of the parameters.

=item B<-text>

This option prints out the DH parameters in human-readable form.

=item B<-C>

This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.

=item B<-engine id>

Specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=back

=head1 WARNINGS

The program B<dhparam> combines the functionality of the programs B<dh> and
B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
programs are retained for now but may have different purposes in future
versions of OpenSSL.

=head1 NOTES

PEM format DH parameters use the header and footer lines:

 -----BEGIN DH PARAMETERS-----
 -----END DH PARAMETERS-----

OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.

This program manipulates DH parameters, not keys.

=head1 BUGS

There should be a way to generate and manipulate DH keys.

=head1 SEE ALSO

L<dsaparam(1)>

=head1 COPYRIGHT

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").
You may not use this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
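
The B<-dsaparam> entry distinguishes "strong" primes, where (p-1)/2 is also prime, from DSA-style parameters. As an added example (not part of the OpenSSL documentation or source), this Python sketch reads a PEM C<DH PARAMETERS> block, decodes the PKCS#3 SEQUENCE of p and g, and reports which kind of prime p is. All function names are hypothetical, and C<make_pem> only builds constructed toy-sized sample input.

```python
import base64, re

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def parse_dhparams(pem):
    """Return (p, g) from a PEM block holding a PKCS#3 DHParameter SEQUENCE."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq, _ = _tlv(base64.b64decode(m.group(1)), 0, 0x30)
    p, pos = _tlv(seq, 0, 0x02)
    g, _ = _tlv(seq, pos, 0x02)
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: exact below ~3.3e24, probabilistic above."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s))
    return not any(witness(a) for a in bases)

def classify(pem):
    """Report whether p is a "strong" prime in the sense of the -dsaparam text."""
    p, _ = parse_dhparams(pem)
    if not is_probable_prime(p):
        return "p is not prime"
    return "safe prime" if is_probable_prime((p - 1) // 2) else "not a safe prime"

def make_pem(p, g):
    """Constructed sample input: DER-encode toy parameters (short-form lengths)."""
    ints = b"".join(bytes([2, len(b)]) + b for b in
                    (v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (p, g)))
    body = base64.b64encode(bytes([0x30, len(ints)]) + ints).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
```

For example, C<classify(make_pem(2039, 2))> returns "safe prime" because 1019 is also prime, while C<classify(make_pem(65537, 2))> returns "not a safe prime".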