Georgi Guninski <guninski@guninski.com> writes:
Well openessl appears to support dhparam: https://www.openssl.org/docs/manmaster/apps/dhparam.html
That just indicates support for PKCS #3 DH parameters, not anything else. In any case the page also says: OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 DH. so that explicitly precludes using it in certs, even if code elsewhere would support such usage. I've gone through my (sizeable) cert collection and found a single example of X9.42 certs, created by a USG contracting company paid to develop the code for this and dating from 1996. The certs are signed with a test DSA key, and contain a number of errors (zero-length fields, the DH key is marked as a CA signing key, etc). Peter.