Generating weekly new DH PARAM files

Just create the following directory:

  ~# mkdir -p /etc/dhparam

Create the file /usr/local/sbin/gen_dhparam with the following content:

  ~# touch /usr/local/sbin/gen_dhparam

Make the file executable:

  ~# chmod +x /usr/local/sbin/gen_dhparam

Run the script:

  ~# /usr/local/sbin/gen_dhparam

It takes a long time (the 4096-bit group in particular), but afterwards four files exist in /etc/dhparam:

  ~# ll /etc/dhparam
  total 32
  drwxr-xr-x 2 root root 4096 Oct 9 15:38 ./
  drwxr-xr-x 127 root root 12288 Oct 10 11:05 ../
  -rw-r--r-- 1 root root 156 Oct 10 11:16 dhparam512.pem
  -rw-r--r-- 1 root root 245 Oct 10 11:16 dhparam1024.pem
  -rw-r--r-- 1 root root 424 Oct 10 11:17 dhparam2048.pem
  -rw-r--r-- 1 root root 769 Oct 10 11:58 dhparam4096.pem

After that, create the symlink /etc/cron.weekly/gen_dhparam pointing at the new script:

  ~# ln -s /usr/local/sbin/gen_dhparam /etc/cron.weekly/

It should have these permissions and this owner:

  ~# ll /etc/cron.weekly/gen_dhparam
  lrwxrwxrwx 1 root root 27 Sep 14 17:31 /etc/cron.weekly/gen_dhparam -> /usr/local/sbin/gen_dhparam*

The last and most important step is creating the weekly scheduled task in Plesk ("Home > Tools & Settings > Scheduled Tasks") as root.

Or, depending on the operating system and software environment, in another scheduler, using this one-line command:

  FILE=$(mktemp) && openssl dhparam -out "$FILE" 512 && mv -f "$FILE" /etc/dhparam/dhparam512.pem ; FILE=$(mktemp) && openssl dhparam -out "$FILE" 1024 && mv -f "$FILE" /etc/dhparam/dhparam1024.pem ; FILE=$(mktemp) && openssl dhparam -out "$FILE" 2048 && mv -f "$FILE" /etc/dhparam/dhparam2048.pem ; FILE=$(mktemp) && openssl dhparam -out "$FILE" 4096 && mv -f "$FILE" /etc/dhparam/dhparam4096.pem
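The body of /usr/local/sbin/gen_dhparam is not shown on this page; the following is an added example of such a script (not the post's own), using the `-out FILE SIZE` argument order and the same /etc/dhparam/dhparamN.pem paths. It assumes openssl and mktemp are installed; the function names and the DH_DIR/DH_SIZES variables are introduced here.

```shell
#!/bin/sh
# gen_dhparam: regenerate the DH parameter files under /etc/dhparam (added
# example, not the post's script). Sizes/paths mirror the post; 512- and
# 1024-bit groups are below current TLS recommendations, kept only to match it.
set -eu
DH_DIR="${DH_DIR:-/etc/dhparam}"
DH_SIZES="${DH_SIZES:-512 1024 2048 4096}"
# Destination for a group of the given size, e.g. /etc/dhparam/dhparam2048.pem.
dh_dest_path() {
    printf '%s/dhparam%s.pem\n' "$DH_DIR" "$1"
}

# Accept only an integer size of at least 512, so a typo fails loudly under cron.
dh_valid_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 512 ] ;;
    esac
}

# Generate one group into a temp file in the same directory, verify it, then
# move it into place atomically so a half-written file never replaces a good one.
# Argument order is "-out FILE SIZE", as the openssl manpage gives it.
dh_generate() {
    size="$1"
    dh_valid_size "$size" || { echo "gen_dhparam: bad size '$size'" >&2; return 1; }
    dest="$(dh_dest_path "$size")"
    tmp="$(mktemp "$DH_DIR/.dhparam$size.XXXXXX")"
    if openssl dhparam -out "$tmp" "$size" >/dev/null 2>&1 \
       && openssl dhparam -in "$tmp" -check -noout >/dev/null 2>&1; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "gen_dhparam: $size-bit generation failed, kept old $dest" >&2
        return 1
    fi
}

main() {
    mkdir -p "$DH_DIR"
    rc=0
    for s in $DH_SIZES; do
        dh_generate "$s" || rc=1   # continue so one failure does not skip the rest
    done
    return "$rc"
}

# Run only when invoked as the installed script (or its cron.weekly symlink), so
# sourcing the file for its functions does not start an hour-long generation.
case "${0##*/}" in gen_dhparam) main "$@" ;; esac
```

Because each group is verified with `openssl dhparam -check` before the `mv`, a failed or interrupted run leaves the previous file in place instead of the empty file the first comment below describes.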

[Image: DH PARAM weekly cron tab]

No guarantees, as usual. Thanks for watching.

Have fun with the Diffie-Hellman (DH) key exchange.

    • I get an empty key file with this script. When I change the following line from this:

      openssl dhparam $N -out $FILE && cat $FILE >/etc/dhparam/dhparam${N}.pem

      to this:

      openssl dhparam -out $FILE $N && cat $FILE >/etc/dhparam/dhparam${N}.pem

      everything works again. Similar scripts in other places also use this order in the command, which also seems to be what the openssl manpage is suggesting for dhparam.
    • Thank you for this helpful tutorial. This cron task is pretty useful. After the new files are created in /etc/dhparam/ my 2nd cron task runs to replace the dhparam files also in /etc/postfix/ and /etc/nginx/.