cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

Consider adding support for generating Diffie-Hellman parameters #625

Open hkjn opened 8 years ago

hkjn commented 8 years ago

Hey CF folks,

First of all, thanks for the excellent package. I've been moving over my hkjn/openvpn image and associated hkjn/pki helper to use keys and certs generated by your tools instead of ones from the (somewhat ironically named) EasyRSA.

I couldn't find a way to use cfssl to generate Diffie-Hellman parameters, which are needed to set up OpenVPN.

I can of course use openssl for this:

openssl dhparam -out dh.pem 4096

But it would be nice if I didn't have to! That way, I could entirely get rid of the dependency on openvpn.

Let me know whether you think this would make sense.

kisom commented 8 years ago

Hello, @hkjn. This would be interesting, and it would probably make the most sense to add a new subcommand (like serve or sign). It's not something that makes sense for us to spend time on, though; we'd be happy to review a PR if that's something you'd want to do.

hkjn commented 8 years ago

Thanks for the reply.

I'm not a cryptographer, so I wouldn't trust myself to get the details right around efficiently selecting appropriate primes, using randomness securely &c.

It's good to know you'd be open to such a contribution though. Let me know if we should keep this issue open as a feature request, or document it in another way.
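
What the requested feature would have to produce, as an added example that is not part of this thread and not cfssl code: a Go sketch that searches for a safe-prime modulus with the standard library's CSPRNG, writes it as a PKCS #3 `DH PARAMETERS` PEM block, and re-validates such a file before use. The names `GenerateDHParams` and `CheckDHParams` are hypothetical, the search is a plain retry loop without sieving, and the parser assumes the two-field (prime, base) form of the structure.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
)

type dhParams struct{ P, G *big.Int } // PKCS #3 DHParameter: SEQUENCE { prime, base }

// GenerateDHParams (hypothetical name) PEM-encodes a safe prime p = 2q+1 and g = 2.
func GenerateDHParams(bits int) ([]byte, error) {
	for bits >= 64 {
		q, err := rand.Prime(rand.Reader, bits-1) // top bit set, so p has exactly `bits` bits
		if err != nil {
			return nil, err
		}
		p := new(big.Int).Add(new(big.Int).Lsh(q, 1), big.NewInt(1))
		// q = 3 mod 4 gives p = 7 mod 8, so 2 generates the subgroup of prime order q.
		if q.Bit(1) == 0 || !p.ProbablyPrime(32) {
			continue
		}
		der, err := asn1.Marshal(dhParams{P: p, G: big.NewInt(2)})
		return pem.EncodeToMemory(&pem.Block{Type: "DH PARAMETERS", Bytes: der}), err
	}
	return nil, fmt.Errorf("modulus size too small")
}

// CheckDHParams (hypothetical name) re-validates a PEM file before a server loads it.
func CheckDHParams(pemBytes []byte, minBits int) error {
	var dh dhParams
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "DH PARAMETERS" {
		return fmt.Errorf("not a DH PARAMETERS PEM block")
	} else if rest, err := asn1.Unmarshal(block.Bytes, &dh); err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed DHParameter structure")
	}
	q := new(big.Int).Rsh(dh.P, 1) // (p-1)/2 for odd p
	if dh.P.BitLen() < minBits || !dh.P.ProbablyPrime(32) || !q.ProbablyPrime(32) ||
		dh.G.Cmp(big.NewInt(1)) <= 0 || dh.G.Cmp(new(big.Int).Lsh(q, 1)) >= 0 {
		return fmt.Errorf("modulus too small, not a safe prime, or generator outside 1 < g < p-1")
	}
	return nil
}

func main() {
	out, err := GenerateDHParams(2048) // slow: safe primes are sparse, expect minutes
	fmt.Printf("%serr=%v check=%v\n", out, err, CheckDHParams(out, 2048))
}
```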