[gnutls-help] dh parameters

Sean Greenslade sean at seangreenslade.com
Thu Aug 29 21:14:37 CEST 2019

On August 27, 2019 10:39:49 PM PDT, Gregory Sloop <gregs at sloop.net> wrote:
>For some applications - say OpenVPN servers - I need a dh.pem [dh
>parameters file]
>It looks like GNUTLS doesn't have the option to generate dh params like
>OpenSSL does, but has the following as a option:
>certtool --get-dh-params --outfile dh.pem --sec-param ultra
>1) Will that ^^ do what I want?
>2) So, is there any difference between that and the openssl command to
>generate dh params?
>openssl dhparam -out /config/auth/dh.pem 4096
>3) If the certtool example above isn't adequate, is there a good way to
>accomplish what I want in certtool, or otherwise?
>4) Can someone point me to something that might be accessible to a mere
>mortal [i.e. non-cryptographer] for explanation? :)
>#1 and 3 are the most important for me to get answers to.

As far as I know, both tools can generate DH param files usable by gnutls.

Regarding number 4, this page has some decent explanations if you have a little background in public-private crypto:


The really short version is that these parameters are used during the initial key exchange between the client and server. They are not secrets, however. The reason you may want to generate your own is to prevent certain types of attacks. That said, the attack is currently unfeasible for 4096-bit primes, so it's likely a moot point. See the above link for more details.


More information about the Gnutls-help mailing list