diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 6476035..16d5165 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1384,23 +1384,37 @@ gen_dh() {
 	out_file="$EASYRSA_PKI/dh.pem"
 
 	# check to see if we already have a dh parameters file
-	if [ -e "$EASYRSA_PKI/dh.pem" ]; then
+	if [ -e "$out_file" ]; then
 		if [ "$EASYRSA_BATCH" ]; then
 			# if batch is enabled, die
-			die "file $EASYRSA_PKI/dh.pem already exists!"
+			die "\
+DH parameters file already exists
+at: $out_file"
 		else
 			# warn the user, give them a chance to force overwrite
-			confirm "Overwrite?  " "yes" "*** File $EASYRSA_PKI/dh.pem already exists! ***"
+			confirm "Overwrite?  " "yes" "\
+DH parameters file already exists
+at: $out_file"
 		fi
 	fi
 
-	"$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
-		die "Failed to build DH params"
+	# Create a temp file, otherwise user abort leaves an incomplete dh.pem
+	tmp_dh_file="$(easyrsa_mktemp)" || die "Failed to create temp DH file"
+
+	# Generate dh.pem
+	"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" "$EASYRSA_KEY_SIZE" || \
+		die "Failed to generate DH params"
+
+	# Validate dh.pem
+	"$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" -check -noout || \
+		die "Failed to validate DH params"
+
+	mv -f "$tmp_dh_file" "$out_file" || die "Failed to move temp DH file"
 
-	[ "$EASYRSA_SILENT" ] || print # Separate Notice below
 	notice "\
 
-DH parameters of size $EASYRSA_KEY_SIZE created at $out_file"
+DH parameters of size $EASYRSA_KEY_SIZE created
+at: $out_file"
 
 	return 0
 } # => gen_dh()