[gnutls-help] Generating DH params
n.mavrogiannopoulos at gmail.com
Sat Nov 4 17:17:27 CET 2017
On Thu, 2017-11-02 at 12:09 -0700, Gregory Sloop wrote:
> So, I use certtool to create CA/certs/keys for OpenVPN.
> OpenVPN wants a DH file too, and I used to use EasyRSA or OpenSSL to
> generate this.
> It looks like there's a deprecated option to generate DH in certtool
> - but it's deprecated.
> Should I use it anyway, or is there some way to do what I want with
We no longer recommend to use arbitrary random parameters, but to
utilize the RFC7919 parameters. See more information in the
"In older applications which require to specify explicit DH parameters,
we recommend using certtool (of GnuTLS 3.5.6 or later) with the
--get-dh-params option to obtain the FFDHE parameters discussed above (i.e.,
RFC7919). The output parameters of the tool are in PKCS#3 format and
can be imported by most existing applications. "
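
Added example, not part of the original message or of GnuTLS: a check that a PKCS#3 DH file, such as the one handed to OpenVPN, really holds the RFC 7919 group rather than arbitrary parameters. It assumes the 2048-bit group (ffdhe2048), rebuilt from the formula in RFC 7919 Appendix A.1, and the usual "DH PARAMETERS" PEM label; all function names are hypothetical and the sample files are constructed in the script.

```python
import base64, re

def ffdhe2048_prime():
    # RFC 7919 A.1: p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1
    guard = 64                          # spare bits absorb series truncation error
    total, term, k = 0, 1 << (1918 + guard), 0
    while term:                         # e = sum(1/k!) in fixed-point integers
        total += term
        k += 1
        term //= k
    return (1 << 2048) - (1 << 1984) + ((total >> guard) + 560316) * (1 << 64) - 1

def read_tlv(buf, pos):
    # Decode one DER element; returns (tag, value bytes, offset after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs3(pem):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode(m.group(1)), 0)
    t_p, p, pos = read_tlv(seq, 0)
    t_g, g, _ = read_tlv(seq, pos)
    if (tag, t_p, t_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_ffdhe2048(pem):
    # True only for the exact RFC 7919 modulus with generator 2.
    return parse_pkcs3(pem) == (ffdhe2048_prime(), 2)

def encode_pkcs3(p, g):
    # Builds constructed sample input only; a real file would come from certtool.
    def tlv(tag, body):
        n = len(body)
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body
    der = tlv(0x30, b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g)))
    return "-----BEGIN DH PARAMETERS-----\n%s-----END DH PARAMETERS-----\n" % base64.encodebytes(der).decode()

SAMPLE_OK = encode_pkcs3(ffdhe2048_prime(), 2)        # constructed: the RFC 7919 group
SAMPLE_BAD = encode_pkcs3(ffdhe2048_prime() - 2, 2)   # constructed: altered modulus
```

To check a real file, pass its text to `is_ffdhe2048`; a `False` result means the file holds some other modulus or generator.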