# Openssl Generate 4096 Bit Key

I'm trying to generate a 4096-bit DH key, but it has taken over 24 hours and the key is still trying to generate. Short cut key to generate return type eclipes. Can I make this faster?

Generate an unencrypted RSA private key: C:Opensslbinopenssl.exe genrsa -out Where: is the desired filename for the private key file is the desired key length of either 1024, 2048, or 4096; For example, type: C:Opensslbinopenssl.exe genrsa -out mykey.key 2048. Encrypted the. For these steps, you will need a command line shell with OpenSSL. Ideally, you should have a private key of your own and a public key from someone else. For demonstration, we will only use a single key pair. Generate Private Key. Run this command to generate a 4096-bit private key and output it to the private.pem file. If you like, you may.

### 2 Replies

You're probably not generating enough entropy on your guest. Try generating system activity, like writing to the disk.

You can also use a program like haveged. I won't speak of the security implications as that's a much more complicated subject, but you should know there could be some.

Diffie-Hellman keys can take a long time to generate because dhparam requires something known as a strong prime. Strong primes provide little to no security benefit but take a lot of effort to produce.

Instead, you should be using the `-dsaparam`

option to decrease generation time by avoiding strong prime effort. Here's an example of that:

`openssl dhparam -dsaparam -out dhparam2.pem 4096`

You can read more about this in the following OpenSSL manpage where you'll find:

-dsaparam

If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, 'strong' primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.

DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.

There's some additional discussion on this topic here, as well:

https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours