Richard Levitte levitte at
Sat Feb 22 09:53:32 UTC 2020

On Sat, 22 Feb 2020 00:51:17 +0100,
Kurt Roeckx wrote:
> Some equivalents:
> openssl dhparam 2048
> openssl genpkey -genparam --algorithm DH -pkeyopt dh_paramgen_prime_len:2048
> openssl dsaparam 2048
> openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048

Side note: I never quite understood why we had to have such verbose
pkey opts.  "prime_len" and "bits" would have been enough, the rest is
known by context (the command line already specifies that it wants to
generate domain parameters and that the algorithm is DH, or DSA).

I have to agree with Viktor that some of those pkey commands are
overly complicated at times...  it's a bit hard to undo at this point,
though, apart from creating an entirely new openssl command with a
different, and possibly more intuitive interface.

Something that could be done is to take all those aged commands and
rewrite them as wrappers for genpkey, pkey and pkeyutl.  Simply create
and populate a new argv and call genpkey_main(), pkey_main() or

std::mantra: PR welcome!


Richard Levitte         levitte at
OpenSSL Project
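
The argv rewriting suggested in the message above, as an added example that is not part of the original post and is not OpenSSL code. It handles only the `<cmd> <numbits>` form from the quoted equivalents; `build_genpkey_argv` and `MAX_ARGS` are hypothetical names, and a real wrapper would hand the resulting argv to genpkey_main().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 7              /* six arguments plus the NULL terminator */

/* Legacy command -> genpkey algorithm and pkeyopt key, per the quoted equivalents. */
static const struct { const char *cmd, *alg, *opt; } maps[] = {
    { "dhparam",  "DH",  "dh_paramgen_prime_len" },
    { "dsaparam", "DSA", "dsa_paramgen_bits" },
};

/*
 * Translate a legacy argv such as { "dhparam", "2048" } into a genpkey argv.
 * optbuf receives the "key:value" string; out must hold MAX_ARGS pointers.
 * Returns the new argc, or -1 if the input is not supported.
 */
int build_genpkey_argv(int argc, char **argv, char *optbuf, size_t optlen,
                       const char **out)
{
    size_t i;
    char *end;
    long bits;
    int n;

    if (argc != 2)
        return -1;              /* only "<cmd> <numbits>" is handled here */
    bits = strtol(argv[1], &end, 10);
    if (argv[1][0] == '\0' || *end != '\0' || bits <= 0)
        return -1;              /* reject non-numeric sizes, do not pass them on */
    for (i = 0; i < sizeof(maps) / sizeof(maps[0]); i++) {
        if (strcmp(argv[0], maps[i].cmd) != 0)
            continue;
        n = snprintf(optbuf, optlen, "%s:%ld", maps[i].opt, bits);
        if (n < 0 || (size_t)n >= optlen)
            return -1;          /* pkeyopt string would be truncated */
        out[0] = "genpkey";    out[1] = "-genparam";
        out[2] = "-algorithm"; out[3] = maps[i].alg;
        out[4] = "-pkeyopt";   out[5] = optbuf;
        out[6] = NULL;
        return 6;
    }
    return -1;                  /* unknown legacy command */
}

int main(void)
{
    char *legacy[] = { "dhparam", "2048" };     /* constructed sample input */
    char opt[64];
    const char *out[MAX_ARGS];
    int i, n = build_genpkey_argv(2, legacy, opt, sizeof(opt), out);

    for (i = 0; i < n; i++)
        printf("%s%s", out[i], i + 1 < n ? " " : "\n");
    return n < 0;
}
```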
