I'm trying to generate a 4096-bit DH key, but it has taken over 24 hours and the key is still trying to generate. Shortcut key to generate return type Eclipse. Can I make this faster?
You're probably not generating enough entropy on your guest. Try generating system activity, like writing to the disk.
You can also use a program like haveged. I won't speak of the security implications as that's a much more complicated subject, but you should know there could be some.
Diffie-Hellman keys can take a long time to generate because dhparam requires something known as a strong prime. Strong primes provide little to no security benefit but take a lot of effort to produce.
Instead, you should be using the -dsaparam option to decrease generation time by avoiding strong prime effort. Here's an example of that:
openssl dhparam -dsaparam -out dhparam2.pem 4096
You can read more about this in the following OpenSSL manpage where you'll find:
If this option is used, DSA rather than DH parameters are read or created; they are converted to DH format. Otherwise, 'strong' primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise.
There's some additional discussion on this topic here, as well:
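To make the manpage's two points concrete (what a "strong" prime is, and why DSA-style parameters call for a fresh key per exchange plus a subgroup check on the peer's public value), here is an added, self-contained example. It is not code from the thread or from OpenSSL; all parameters are constructed toy values (p = 23 as a strong prime, p = 89 as a DSA-style modulus whose p-1 has small factors) and are far too small for real use. The defensive check it shows, accepting a received public value only if 1 < y < p-1 and y^q ≡ 1 (mod p), is the standard way to reject small-subgroup values before using them.

```python
# Added example (not from the original thread or from OpenSSL): toy-sized
# Diffie-Hellman parameters illustrating the manpage's "strong prime"
# definition and the per-use fresh-key / subgroup-membership check that
# DSA-style parameters require. All numbers are constructed for illustration.
import secrets


def is_prime(n):
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_strong_prime(p):
    """'Strong' prime in the dhparam sense: p and (p-1)/2 are both prime."""
    return is_prime(p) and (p - 1) % 2 == 0 and is_prime((p - 1) // 2)


def subgroup_order(p, g):
    """Multiplicative order of g modulo p (brute force, toy sizes only)."""
    x, k = g, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def validate_public_value(y, p, q):
    """Accept a peer's public value only if it lies in the order-q subgroup:
    1 < y < p-1 and y^q == 1 (mod p). Values from small subgroups are
    rejected, which is what protects a non-ephemeral key with DSA-style
    parameters (p-1 has small factors besides 2q)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_exchange(p, g, q):
    """One ephemeral exchange: both sides draw a fresh private exponent
    (the 'fresh DH key for each use' the manpage advises), validate the
    value they receive, and derive the shared secret."""
    # Assumption for the demo: private exponents are drawn from [1, q-1],
    # the shorter exponent range DSA-style parameters allow.
    a = secrets.randbelow(q - 1) + 1
    b = secrets.randbelow(q - 1) + 1
    ya, yb = pow(g, a, p), pow(g, b, p)
    if not (validate_public_value(ya, p, q) and validate_public_value(yb, p, q)):
        raise ValueError("public value outside the expected subgroup")
    sa, sb = pow(yb, a, p), pow(ya, b, p)
    assert sa == sb
    return sa


# Constructed parameter sets (toy sizes, illustration only):
# strong prime: p = 23 = 2*11 + 1, g = 2 generates the order-11 subgroup.
SAFE_P, SAFE_G, SAFE_Q = 23, 2, 11
# DSA-style: p = 89, p-1 = 8*11, g = 2^8 mod 89 = 78 generates the order-11
# subgroup; 37 = 3^11 mod 89 lies in a small subgroup and must be rejected.
DSA_P, DSA_G, DSA_Q = 89, 78, 11
SMALL_SUBGROUP_VALUE = 37

if __name__ == "__main__":
    print("23 strong prime:", is_strong_prime(SAFE_P))
    print("89 strong prime:", is_strong_prime(DSA_P))
    print("order of 78 mod 89:", subgroup_order(DSA_P, DSA_G))
    print("reject 37:", not validate_public_value(SMALL_SUBGROUP_VALUE, DSA_P, DSA_Q))
    print("shared secret (DSA-style, ephemeral):", dh_exchange(DSA_P, DSA_G, DSA_Q))
```

With a strong prime, (p-1)/2 is itself the subgroup order q, so the same membership test applies and the only non-trivial small subgroup is {1, p-1}, which the range check already excludes; that is why the strong-prime variant tolerates key reuse that DSA-style parameters do not.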