understand 'openssl dhparms ....'

Matthias Apitz guru at unixarea.de
Tue Feb 19 08:57:11 UTC 2019


Some years ago (in 2012) I wrote an OpenSSL server, loosely based on the example
sources 'openssl-examples-20020110' which nowadays still exist in 

There was also some guidance available about how to create the necessary
key material, which goes more or less like this:


  $ mkdir newca
  $ cd newca
  $ cp /usr/local/openssl/misc/CA.sh .
  $ ./CA.sh -newca

  will create a new CA. Remember the passphrase as you will need
  it to sign certificates.

  $ cp demoCA/cacert.pem ../root.pem

  Second step

  $ ./CA.sh -newreq

  will create a certificate and a certification request.
  Set the passphrase to 'password' as this is hard-coded in
  the examples' source code. It is important to set the
  [Common Name] to 'localhost'.

  Third step

  $ ./CA.sh -sign

  will sign your newly created certificate. Enter the password for
  your CA which you have defined in step 1.

  Fourth step

  $ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
  $ cd ..
  $ ln -s localhost.pem server.pem
  $ ln -s localhost.pem client.pem

  Maybe you also want to issue

  $ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

  in order to update the DH parameters.


What I (today) do not understand is the last step about creating the
file 'dh1024.pem' :-(

Two questions:

1. Why does this have no input file? Shouldn't it have one, and which? The man
page says it would read stdin, but it doesn't do so.

2. When I re-run the examples today the above command does not even
produce a file 'dh1024.pem', but writes the result to stdout:

openssl dhparam 1024 -2 -outform PEM -out dh1024.pem 
.... (lot of random output) ...

How is this supposed to work? Thanks

Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
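An added example, not part of the post above: `openssl dhparam` takes its options first and the bit size as the final positional argument, so anything placed after the number is not parsed as an option, which is why the quoted command ends up on stdout. The two helper functions below (hypothetical names, written for this page) generate the parameters with the options in front and then verify the written file; the default size is 2048 bits, since 1024-bit DH is below today's accepted minimum.

```shell
#!/bin/sh
# Added example (not from the original post). `openssl dhparam` parses
# options up to the first non-option argument; the bit size must therefore
# come LAST:   openssl dhparam [options] numbits

# gen_dhparam OUTFILE [BITS]
# Write PKCS#3 DH parameters with generator 2 to OUTFILE (default 2048 bits).
gen_dhparam() {
    out="$1"
    bits="${2:-2048}"
    # -out/-outform/-2 precede the size; the page's form put them after it.
    openssl dhparam -out "$out" -outform PEM -2 "$bits" 2>/dev/null
}

# verify_dhparam FILE BITS
# Return 0 only if FILE is a non-empty PEM "DH PARAMETERS" block that passes
# OpenSSL's own parameter checks (prime p, safe prime, suitable generator)
# and reports the expected modulus size.
verify_dhparam() {
    f="$1"
    bits="$2"
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$f" || return 1
    openssl dhparam -in "$f" -noout -check >/dev/null 2>&1 || return 1
    # -text prints "DH Parameters: (<n> bit)" in both 1.1.x and 3.x
    openssl dhparam -in "$f" -noout -text 2>/dev/null | grep -q "($bits bit)"
}
```

Typical use: `gen_dhparam dh2048.pem && verify_dhparam dh2048.pem 2048`; safe-prime generation is slow by design, so expect seconds to minutes at 2048 bits.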

More information about the openssl-users mailing list