diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 1874e195..145e4984 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -35,6 +35,7 @@ LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"
 EXTENSIONS=""
+NODH=
 
 function show_help {
     echo ''
@@ -50,6 +51,7 @@ function show_help {
     echo '  -l --location [locn]       Optional location name'
     echo '  -o --organisation [name]   Optional organisation name'
     echo '  -u --unit [name]           Optional unit name'
+    echo '     --nodh                  Do not calculate DH params'
     echo '     --ca                    Certificate authority cert'
     echo ''
     exit 0
@@ -90,6 +92,9 @@ case $key in
     --ca)
     EXTENSIONS="-extensions v3_ca"
     ;;
+    --nodh)
+    NODH="true"
+    ;;
     *)
     # unknown option
     ;;
@@ -108,7 +113,9 @@ if ! which openssl > /dev/null ;then
 fi
 
 openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
-openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+if [ ! $NODH ]; then
+    openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+fi
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
 chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
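Review bot: The `chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam` on the last line of this hunk is still unconditional, so with `--nodh` it runs against a file this script never created. It then either fails or re-modes a stale file left by an earlier run. Move it inside the new guard and make the test explicit and quoted: `if [ -z "$NODH" ]; then` … `chmod 640 "/etc/ssl/certs/$HOSTNAME.dhparam"` … `fi`. The re-indented `openssl dhparam` line also keeps a `1024`-bit group, which is within reach of precomputation attacks on finite-field DH, so 2048 bits or more would be the safer size while this line is being touched.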
diff --git a/src/freedombone-clientcert b/src/freedombone-clientcert
index f0ab6102..02c4aa70 100755
--- a/src/freedombone-clientcert
+++ b/src/freedombone-clientcert
@@ -98,7 +98,7 @@ fi
 chmod 600 /etc/dovecot/passwd-file
 
 # create a user cert
-freedombone-addcert -h $USERNAME
+freedombone-addcert -h $USERNAME --nodh
 
 # create a certificate request
 openssl req -new -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$USERNAME" -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr
@@ -108,6 +108,7 @@ openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -
 
 # move the cert to the user's home
 mkdir /home/$USERNAME/emailcert
+shred -zu /etc/ssl/certs/$USERNAME.dhparam
 mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert
 cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert
 mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert
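Review bot: The added `shred -zu /etc/ssl/certs/$USERNAME.dhparam` targets a file that this same commit stops creating, because `freedombone-addcert` is now called with `--nodh`. On a fresh run it will therefore report a missing file. If the intent is to clean up a leftover from older runs, guard it with `[ -f "/etc/ssl/certs/$USERNAME.dhparam" ]` or use `rm -f "/etc/ssl/certs/$USERNAME.dhparam"`. DH parameters are public values, so overwriting them gains nothing; the file that deserves careful handling here is the private key moved at the end of this hunk.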