By default, the DH parameters are only 1024 bits on Ubuntu 12.04.5 LTS, which is considered weak by today's standards. You will need to create new ones of either 2048 or 4096 bits, depending on your certificate's public key size.
Create a folder to hold the dhparams…
mkdir /etc/ssl/dh
Move to that directory
cd /etc/ssl/dh
Create the new DH parameters at 2048 bits
openssl dhparam -out RSA2048.pem -5 2048
And at 4096 bits (this will take some time)
openssl dhparam -out RSA4096.pem -5 4096
You can also create DSA-style versions (-dsaparam, which is much faster to generate) at 2048 bits…
openssl dhparam -dsaparam -out DSA2048.pem 2048
And at 4096 bits
openssl dhparam -dsaparam -out DSA4096.pem 4096
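Before pointing any daemon at these files, it is worth confirming that each one parses, passes OpenSSL's own consistency check and really has the prime size its filename claims. The script below is an added example, not part of the original post; it assumes the openssl CLI is on PATH and uses the /etc/ssl/dh layout from above only in its usage comment.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a DH parameter
# file before Courier, Dovecot, Nginx or Postfix are configured to use it.
# Assumes the openssl CLI is on PATH.
set -eu

# Print the size of the prime p in bits, e.g. 2048 for RSA2048.pem.
# The first line of "openssl dhparam -text" reads "DH Parameters: (2048 bit)".
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the file parses, passes "openssl dhparam -check"
# (p prime, generator usable) and p is at least $2 bits wide
# (default 2048, the post's minimum). Works for plain and -dsaparam files.
dh_check() {
    min=${2:-2048}
    openssl dhparam -in "$1" -noout -check >/dev/null 2>&1 || return 1
    bits=$(dh_bits "$1")
    [ "${bits:-0}" -ge "$min" ]
}

# Usage: ./dhcheck.sh /etc/ssl/dh/RSA2048.pem [/etc/ssl/dh/RSA4096.pem ...]
# Exits non-zero if any file is missing, malformed or weaker than 2048 bits.
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        if dh_check "$f"; then
            echo "OK   $f ($(dh_bits "$f") bit)"
        else
            echo "FAIL $f" >&2
            status=1
        fi
    done
    exit $status
fi
```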
Now you can add the directives to your servers: Courier-IMAP, Dovecot, Nginx and Postfix.
Courier-IMAP
TLS_DHPARAMS=/etc/ssl/dh/RSA2048.pem
Dovecot (generates its own)
ssl_dh_parameters_length = 2048
Nginx
ssl_dhparam /etc/ssl/dh/RSA2048.pem;
Postfix
smtpd_tls_dh1024_param_file = /etc/ssl/dh/RSA2048.pem
Enjoy!