I have a standard implementation of OpenSSL, with a Diffie-Hellman prime in the SSL certificate. The DH cipher suite is enabled. Is it safe to keep one prime there forever, or should I rather periodically regenerate it? Why? If so, what's a sane period to do so: day, week, month?

If the adversary has a log of a passively intercepted DHE-RSA-AES256-SHA secured SSL communication, presuming the ephemeral key was correctly generated and disposed of after the transaction, will the eventual physical retrieval of the DH prime (and the rest of the certificate) allow him to decode the captured log?

I am rather inexperienced in this area, don't want to make a mistake, and generation of 2048-bit primes is CPU-hungry enough that I don't want to just throw it in without a good reason.
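To make the question concrete, here is an added toy model of the DHE handshake (example code written for this page, not OpenSSL's code). It separates the one-time, expensive step (finding a safe prime and generator, what `openssl dhparam` does) from the per-session step (fresh ephemeral exponents), and it records exactly what a passive eavesdropper sees on the wire. In TLS 1.2 DHE the ServerKeyExchange message carries p, g and the server's public value unencrypted, so the model treats them as part of the captured log. The prime size, the session count and the seed are constructed values for the demo; a real server uses 2048-bit parameters.

```python
"""Toy DHE model: fixed (p, g) reused across sessions, fresh exponents per
session, and the passive observer's view of each handshake. Demo-sized primes."""
import hashlib
import random
import secrets
from dataclasses import dataclass


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test, sufficient for this demonstration."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_dh_params(bits, seed=None):
    """The 'openssl dhparam' step: search for a safe prime p = 2q + 1 and a
    generator g of the order-q subgroup. This search is the expensive, one-time
    work; 'bits' is tiny here (constructed demo size), 2048 on a real server."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            p = 2 * q + 1
            break
    g = pow(2, 2, p)  # a square mod p lies in the order-q subgroup (p > 5)
    return p, g


def check_params(p, g):
    """Sanity check of a parameter set: p and (p-1)/2 prime, g of order q."""
    rng = random.Random(0)
    q = (p - 1) // 2
    return (is_probable_prime(p, rng) and is_probable_prime(q, rng)
            and g != 1 and pow(g, q, p) == 1)


@dataclass(frozen=True)
class WireView:
    """Everything a passive eavesdropper records from one handshake: the
    group (p, g) and both public values. Neither private exponent is sent."""
    p: int
    g: int
    server_pub: int
    client_pub: int


def run_dhe_session(p, g):
    """One handshake: each side draws a fresh exponent, exchanges its public
    value and derives the same key; the exponents then go out of scope."""
    q = (p - 1) // 2
    b = secrets.randbelow(q - 1) + 1  # server ephemeral, never transmitted
    a = secrets.randbelow(q - 1) + 1  # client ephemeral, never transmitted
    server_pub = pow(g, b, p)
    client_pub = pow(g, a, p)
    k_server = pow(client_pub, b, p)
    k_client = pow(server_pub, a, p)
    if k_server != k_client:
        raise RuntimeError("key agreement failed")
    nbytes = (p.bit_length() + 7) // 8
    key = hashlib.sha256(k_server.to_bytes(nbytes, "big")).digest()
    return WireView(p, g, server_pub, client_pub), key


def demo(bits=48, sessions=5, seed=7):
    """Generate parameters once, reuse them for several sessions, and collect
    what the wire log holds next to the keys the parties actually derived."""
    p, g = generate_dh_params(bits, seed)
    views, keys = [], []
    for _ in range(sessions):
        view, key = run_dhe_session(p, g)
        views.append(view)
        keys.append(key)
    # A later copy of the dhparam file reveals p and g, which every recorded
    # handshake already contained in the clear.
    prime_already_logged = all(v.p == p and v.g == g for v in views)
    return {"p": p, "g": g, "views": views, "keys": keys,
            "prime_already_logged": prime_already_logged}


if __name__ == "__main__":
    out = demo()
    print(f"p has {out['p'].bit_length()} bits, "
          f"{len(set(out['keys']))} distinct session keys from one (p, g), "
          f"prime already in the wire log: {out['prime_already_logged']}")
```

Running `demo()` shows the two properties the question turns on: every captured handshake already contains p and g, so a later copy of the parameter file adds nothing to the eavesdropper's log, and the session keys differ for each session because they depend only on the discarded exponents. On a real server the one-time step is `openssl dhparam -out dh2048.pem 2048`.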