LinuxCommandLibrary

dhparam.1s

Generate Diffie-Hellman parameters for secure communication

SYNOPSIS

openssl dhparam [options] [numbits]

PARAMETERS

-help
    Print detailed help message

-in filename
    Input file for parameters

-out filename
    Output file for parameters

-inform PEM|DER
    Input format (default PEM)

-outform PEM|DER
    Output format (default PEM)

-noout
    Do not output encoded parameters

-text
    Print parameters as readable text

-C
    Output parameters as C code (removed in OpenSSL 3.0)

-dsaparam
    Read or generate DSA-style parameters instead of safe primes. Generation is much faster, but a fresh DH private key must then be generated for every exchange to avoid small-subgroup attacks

-check
    Verify DH parameter consistency

-2
    Use 2 as the generator (the default)

-5
    Use 5 as the generator

-rand files
    Read randomness from files

-engine id
    Use the specified crypto engine (deprecated in OpenSSL 3.0 in favor of providers)

DESCRIPTION

The dhparam command of OpenSSL (invoked as openssl dhparam) generates or processes Diffie-Hellman (DH) parameters. Servers need them to offer ephemeral finite-field Diffie-Hellman (DHE) cipher suites in TLS 1.2 and earlier; those suites provide forward secrecy because the per-connection DH keys are discarded after the handshake. ECDHE suites use named elliptic curves and do not consume these parameters, and TLS 1.3 negotiates only the fixed groups of RFC 7919, so a dhparam file affects DHE in TLS 1.2 and below only.

A DH parameter set is a large prime p and a generator g. By default dhparam produces a safe prime (p = 2q + 1 with q also prime), so every non-trivial g generates a subgroup of order q or 2q and small-subgroup attacks are ruled out. The parameters are public; what matters is that p is large enough and came from a trustworthy generation process. Current guidance is a minimum of 2048 bits: the Logjam attack (2015) broke 512-bit export groups outright and showed that precomputation against a single widely shared 1024-bit group is within reach of a well-funded attacker. 3072 or 4096 bits give more margin at the cost of slower handshakes.

Typical usage: openssl dhparam -out dhparams.pem 2048 writes 2048-bit parameters in PEM form. The file is then referenced from the server configuration, for example Nginx's ssl_dhparam directive or Apache's SSLOpenSSLConfCmd DHParameters (Apache 2.4.7 and later also read parameters appended to the SSLCertificateFile).

The tool can also verify a parameter file (-check), convert between PEM and DER (-inform/-outform), dump p and g in readable form (-text) and, before OpenSSL 3.0, emit them as C source (-C) for embedding. Generating safe primes is expensive because both p and (p-1)/2 must be prime: 2048 bits takes seconds to minutes, 4096 bits can take many minutes to hours depending on hardware, and the progress dots on stderr are the only feedback.
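
As an added example (not code from this page or from OpenSSL), the following Python reproduces in miniature what dhparam does and what -check verifies: it generates a safe prime p = 2q + 1 with generator 2, encodes (p, g) as the PKCS#3 DHParameter SEQUENCE under the "DH PARAMETERS" PEM label, parses such a file back, and runs the consistency checks a server operator cares about: p prime, (p-1)/2 prime, g in 2..p-2 and generating the order-q subgroup, plus the 2048-bit size policy from the paragraphs above. The encoding and label are assumptions about the file format, not statements on the page; the subgroup test is done directly via Euler's criterion rather than through OpenSSL's generator-specific residue tests on p; and the demo size is 256 bits so the script finishes in about a second, where a real deployment must use 2048 bits or more.

```python
# Added example, not OpenSSL code. Assumed (not on the page): PKCS#3 DHParameter
# SEQUENCE { prime INTEGER, base INTEGER }, PEM label "DH PARAMETERS", 256-bit demo size.
import base64
import secrets
SMALL_PRIMES = [n for n in range(3, 2000, 2)  # odd primes below 2000, for trial division
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]

def is_probable_prime(n, rounds=32):
    """Trial division by SMALL_PRIMES, then Miller-Rabin with random bases."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_safe_prime(bits):
    """p = 2q + 1 with p and q prime and p.bit_length() == bits. q = 3 (mod 4) forces
    p = 7 (mod 8), so 2 is a quadratic residue: it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 3
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 pads a 0x00 when the top bit is set
    return b"\x02" + _der_len(len(b)) + b

def _der_read(buf, pos, tag):
    """Return (contents, next_pos) of the TLV at pos, which must carry `tag`."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return buf[pos:pos + length], pos + length

def encode_dh_params_der(p, g):
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body

def decode_dh_params_der(der):
    seq, end = _der_read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after DHParameter")
    p_bytes, pos = _der_read(seq, 0, 0x02)
    g_bytes, _ = _der_read(seq, pos, 0x02)  # optional privateValueLength is ignored
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def encode_dh_params_pem(p, g):
    b64 = base64.b64encode(encode_dh_params_der(p, g)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def decode_dh_params_pem(pem):
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS block")
    return decode_dh_params_der(base64.b64decode("".join(lines[1:-1])))

def check_dh_params(p, g, min_bits=2048):
    """Checks in the spirit of -check plus a size policy; returns a list of problems."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is {p.bit_length()} bits; policy requires >= {min_bits}")
    if not is_probable_prime(p):
        return problems + ["p is not prime"]
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("g is trivial; it must lie in 2..p-2")
    elif pow(g, q, p) != 1:  # Euler's criterion: g is a quadratic non-residue
        problems.append("g is a quadratic non-residue: it generates the whole group, not the order-q subgroup")
    return problems

if __name__ == "__main__":  # toy run; pipe the PEM into: openssl dhparam -text -noout
    p = generate_safe_prime(256)
    print(encode_dh_params_pem(p, 2), check_dh_params(p, 2, min_bits=256) or "ok")
```

Running the script prints a PEM block that openssl dhparam -text -noout (reading stdin) will parse. check_dh_params(p, 2) with the default min_bits=2048 reports the toy size as a problem, which is the point of keeping the size policy in the same check as the mathematical ones.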

Since OpenSSL 1.1.0 a server can instead let the library select built-in standard groups matched to its key size (SSL_CTX_set_dh_auto), so a hand-generated file is no longer required to enable DHE. dhparam remains the tool for deployments that want their own verified group rather than a widely shared one, and for inspecting or converting parameter files.

CAVEATS

Generating parameters beyond 4096 bits is very slow on ordinary CPUs and buys little; 2048 to 4096 bits is the practical range.
The standardized RFC 7919 groups (ffdhe2048 and larger) are publicly vetted and are the only finite-field groups TLS 1.3 can negotiate; they are a sound alternative to self-generated parameters. Do not use parameters from an untrusted source: -check verifies mathematical consistency but says nothing about where the prime came from.
Without -dsaparam, dhparam always generates safe primes; with -dsaparam, never reuse a DH private key across exchanges.

EXAMPLE

openssl dhparam -out /etc/dhparams.pem 2048
Generates 2048-bit safe-prime parameters and writes them in PEM form.

openssl dhparam -check -in dhparams.pem
Reads an existing file and reports whether p is prime, whether (p-1)/2 is prime and whether g is acceptable.

SECURITY NOTE

Never deploy parameters shorter than 2048 bits. The parameter file contains no secret, so it needs integrity but not confidentiality; what matters is that it was produced by a trusted generation process or is one of the RFC 7919 groups. A replaced file takes effect only after the server is reloaded; confirm the new size with openssl s_client, which reports the negotiated group as "Server Temp Key: DH, <bits> bits".

HISTORY

The dhparam command was added in OpenSSL 0.9.5, replacing the earlier dh and gendh commands; the -dsaparam option followed in OpenSSL 0.9.6. OpenSSL 3.0 removed the -C option and deprecated -engine in favor of providers.

SEE ALSO

dsaparam(1), openssl(1), dh(3)
