On Thu, 2017-11-02 at 12:09 -0700, Gregory Sloop wrote:
> So, I use certtool to create CA/certs/keys for OpenVPN.
> OpenVPN wants a DH file too, and I used to use EasyRSA or OpenSSL to
> generate this.
>
> It looks like there's a deprecated option to generate DH in certtool
> - but it's deprecated.
> Should I use it anyway, or is there some way to do what I want with
> GNUTLS?
>
We no longer recommend using arbitrary random parameters, but rather the RFC7919 parameters. See more information in the documentation [0].

"In older applications which require to specify explicit DH parameters, we recommend using certtool (of GnuTLS 3.5.6 or later) with the --get-dh-params option to obtain the FFDHE parameters discussed above (i.e., RFC7919). The output parameters of the tool are in PKCS#3 format and can be imported by most existing applications."

regards,
Nikos

[0]. https://www.gnutls.org/manual/html_node/Parameter-generation.html
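As an added example (not code from the thread, GnuTLS, or OpenVPN): the script below reads the PKCS#3 file that the recommended command writes and sanity-checks what is inside before it is handed to OpenVPN. It assumes a file produced with `certtool --get-dh-params --outfile dh.pem`, i.e. a PEM "DH PARAMETERS" block wrapping the DER `DHParameter ::= SEQUENCE { prime, base, privateValueLength OPTIONAL }`; all function names are this example's own. The embedded sample uses constructed textbook values (p=23, g=5) purely so the script runs offline; a real file from certtool is passed as the first argument. The `has_rfc7919_shape` check only tests a structural property every RFC 7919 prime has (p = 2^b - 2^(b-64) + X*2^64 - 1, so the top and bottom 64 bits are all ones); it is a cheap way to spot a random "openssl dhparam" style prime, not a proof that p is one of the ffdhe groups. For that, compare p against the hex in RFC 7919 verbatim.

```python
"""Read, write and sanity-check PKCS#3 DH parameters, the format written by
`certtool --get-dh-params`.  Added example for this thread, not GnuTLS code;
standard library only, so it runs offline."""
import base64
import random
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    # DER INTEGER is two's complement: prepend 0x00 when the top bit is set.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_pkcs3(p, g, private_value_length=None):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER,
    privateValueLength INTEGER OPTIONAL }  (PKCS#3 section 9)."""
    content = _der_integer(p) + _der_integer(g)
    if private_value_length is not None:
        content += _der_integer(private_value_length)
    return b"\x30" + _der_length(len(content)) + content


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_pkcs3(der):
    """Return (p, g, privateValueLength-or-None) from a DER DHParameter."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside DHParameter")
        ints.append(int.from_bytes(body, "big", signed=True))
    if len(ints) not in (2, 3):
        raise ValueError("DHParameter carries 2 or 3 INTEGERs")
    return ints[0], ints[1], (ints[2] if len(ints) == 3 else None)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def from_pem(text):
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed bases; adequate for a sanity check, fast for 2048-bit n."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def has_rfc7919_shape(p):
    """Necessary (not sufficient) property of every RFC 7919 prime:
    p = 2^b - 2^(b-64) + X*2^64 - 1, so the top and bottom 64 bits are all ones."""
    bits, mask64 = p.bit_length(), (1 << 64) - 1
    return bits >= 2048 and bits % 64 == 0 and (p >> (bits - 64)) == mask64 and (p & mask64) == mask64


def check_params(p, g):
    return {
        "bits": p.bit_length(),
        "p_is_safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
        "g_is_2": g == 2,  # the ffdhe groups all use generator 2
        "rfc7919_shape": has_rfc7919_shape(p),
    }


# Constructed toy values so the script runs without a real file; NOT a usable TLS group.
SAMPLE_DER = encode_pkcs3(23, 5)

if __name__ == "__main__":
    import sys
    der = from_pem(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_DER
    p, g, _ = decode_pkcs3(der)
    for name, value in check_params(p, g).items():
        print(f"{name}: {value}")
```

Run it as `python3 dhcheck.py dh.pem`; a file from `certtool --get-dh-params` should report a safe prime of 2048 bits or more, generator 2 and the RFC 7919 shape, while a legacy file from `openssl dhparam` or the deprecated certtool generator will fail the shape test even though the prime itself is sound.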
