=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-dhparam - DH parameter manipulation and generation

=head1 SYNOPSIS

B<openssl dhparam>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-verbose>]
[B<-quiet>]
[B<-2>]
[B<-3>]
[B<-5>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]

=head1 DESCRIPTION

This command is used to manipulate DH parameter files.

See L<openssl-genpkey(1)/EXAMPLES> for examples on how to generate
a key using a named safe prime group without generating intermediate
parameters.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>

The input format and output format; the default is B<PEM>.
The object is compatible with the PKCS#3 B<DHparameter> structure.
See L<openssl-format-options(1)> for details.

=item B<-in> I<filename>

This specifies the input filename to read parameters from, or standard
input if this option is not specified.

=item B<-out> I<filename>

This specifies the output filename to write parameters to. Standard output
is used if this option is not present. The output filename should B<not> be
the same as the input filename.

=item B<-dsaparam>

If this option is used, DSA rather than DH parameters are read or created;
they are converted to DH format. Otherwise, safe primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the B<-dsaparam> option is much faster.
Beware that with such DSA-style DH parameters, a fresh DH key should be
created for each use to avoid small-subgroup attacks that may be possible
otherwise.

=item B<-check>

Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.

=item B<-2>, B<-3>, B<-5>

The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but I<numbits> is present, parameters are generated with the
default generator 2.

=item I<numbits>

This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
present, parameters are generated with a default length of 2048 bits.
The minimum length is 512 bits. The maximum length is 10000 bits.

=item B<-noout>

This option inhibits the output of the encoded version of the parameters.

=item B<-text>

This option prints out the DH parameters in human readable form.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_provider_item -}

=item B<-verbose>

This option enables the output of progress messages, which is handy when
running commands interactively that may take a long time to execute.

=item B<-quiet>

This option suppresses the output of progress messages, which may be
undesirable in batch scripts or pipelines.

=back

=head1 NOTES

This command replaces the B<dh> and B<gendh> commands of previous
releases.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-dsaparam(1)>,
L<openssl-genpkey(1)>.

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

The B<-C> option was removed in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
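Added example, not part of the OpenSSL manual text: a shell check for the distinction the -dsaparam option describes, testing whether a parameter file's modulus p is a safe prime, that is, whether (p-1)/2 is also prime. The helper names (dh_prime_hex, hex_half, dh_is_safe_prime) are hypothetical, and the script assumes the openssl CLI with its asn1parse and prime commands plus awk are on the PATH.

```shell
#!/bin/sh
# Added example: tell safe-prime DH parameters from DSA-style (-dsaparam) ones.
# Helper names are hypothetical; requires the openssl CLI and awk.

# Print the modulus p (first INTEGER of the encoded parameters) as hex.
dh_prime_hex() {
    openssl asn1parse -in "$1" | awk '/INTEGER/ { sub(/.*:/, ""); print; exit }'
}

# Halve a hex number digit by digit; for an odd p this equals (p-1)/2.
hex_half() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | awk '{
        h = "0123456789ABCDEF"; c = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            v = c * 16 + index(h, substr($0, i, 1)) - 1
            out = out substr(h, int(v / 2) + 1, 1); c = v % 2
        }
        print out }'
}

# Succeed only if (p-1)/2 is prime, i.e. p is a safe prime.
dh_is_safe_prime() {
    q=$(hex_half "$(dh_prime_hex "$1")") || return 2
    [ -n "$q" ] || return 2
    openssl prime -hex "$q" | grep -q ' is prime'
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

# Constructed demo input. The safe prime uses the 512-bit minimum only to keep
# the run short (not a usable size); -dsaparam is quick even at 2048 bits.
# Progress output goes to stderr and is discarded here.
openssl dhparam -out "$tmp/safe.pem" -2 512 2>/dev/null || exit 1
openssl dhparam -dsaparam -out "$tmp/dsa.pem" 2048 2>/dev/null || exit 1

for f in safe dsa; do
    if dh_is_safe_prime "$tmp/$f.pem"; then
        echo "$f.pem: safe prime, (p-1)/2 is prime"
    else
        echo "$f.pem: not a safe prime; create a fresh DH key for each use"
    fi
done
```

The same function can be pointed at any existing PEM parameter file, for instance before deploying it to a server, alongside B<-check>.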