[gnutls-help] Generating DH params

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sat Nov 4 17:17:27 CET 2017

On Thu, 2017-11-02 at 12:09 -0700, Gregory Sloop wrote:
> So, I use certtool to create CA/certs/keys for OpenVPN.
> OpenVPN wants a DH file too, and I used to use EasyRSA or OpenSSL to
> generate this.
> It looks like there's a deprecated option to generate DH in certtool
> - but it's deprecated.
> Should I use it anyway, or is there some way to do what I want with

We no longer recommend using arbitrary random parameters, but
utilizing the RFC7919 parameters. See more information in the
documentation [0].

"In older applications which require to specify explicit DH parameters,
we recommend using certtool (of GnuTLS 3.5.6 or later) with the
--get-dh-params option to obtain the FFDHE parameters discussed above
(i.e., RFC7919). The output parameters of the tool are in PKCS#3 format
and can be imported by most existing applications."
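
A way to check that a PKCS#3 file given to an older application really carries an RFC 7919 group, as an added example that is not part of the original message or of GnuTLS: it rebuilds the ffdhe2048 prime from the formula in RFC 7919 Appendix A.1 and compares it with the modulus parsed from the PEM. All function names are assumptions of this example, `encode_pkcs3` exists only to construct sample input, and only the 2048-bit group is covered.

```python
import base64
import re

def floor_e_times_pow2(k):
    """floor(e * 2**k) from the series e = sum(1/n!), with 64 guard bits."""
    total, term, n = 0, 1 << (k + 64), 1
    while term:
        total, term, n = total + term, term // n, n + 1
    return total >> 64

# RFC 7919 A.1: p = 2^2048 - 2^1984 + (floor(2^1918 * e) + 560316) * 2^64 - 1
FFDHE2048_P = (1 << 2048) - (1 << 1984) + ((floor_e_times_pow2(1918) + 560316) << 64) - 1

def der_len(n):  # DER length octets: short form below 128, long form otherwise
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw

def encode_pkcs3(p, g):
    """Build a PEM DHParameter {p, g}; used here only to construct sample input."""
    ints = b""
    for v in (p, g):
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # 0x00 pad keeps it positive
        ints += b"\x02" + der_len(len(body)) + body
    b64 = base64.encodebytes(b"\x30" + der_len(len(ints)) + ints).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs3(text):
    """Extract (p, g) from the first PEM 'DH PARAMETERS' block in text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode(m.group(1)), 0)
    t1, p, pos = read_tlv(seq, 0)
    t2, g, _ = read_tlv(seq, pos)
    if (tag, t1, t2) != (0x30, 0x02, 0x02):
        raise ValueError("not a PKCS#3 DHParameter")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_ffdhe2048(text):  # True only for the RFC 7919 ffdhe2048 prime with generator 2
    return parse_pkcs3(text) == (FFDHE2048_P, 2)
```

Passing the contents of a DH parameter file to `is_ffdhe2048` tells you whether it holds the standard group or some other modulus, such as one produced by a deprecated random-generation option.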


