diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 1feed5c11..61c85fe4d 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -2177,13 +2177,14 @@ static int DH_param_check(WOLFSSL_DH* dh_key)
 WOLFSSL_MSG("dh_key->g is not suitable generator");
 ret = WOLFSSL_FAILURE;
 }
-
+#ifdef WOLFSSL_KEY_GEN
 /* test if the number q is prime. */
 if (ret == WOLFSSL_SUCCESS && (wolfSSL_BN_is_prime_ex(dh_key->q, 64, ctx, NULL) <= 0)) {
 WOLFSSL_MSG("dh_key->q is not prime or error during check.");
 ret = WOLFSSL_FAILURE;
 } /* else TO DO check q div q - 1. need BN_div */
+#endif
 }
 /* clean up */
@@ -2203,6 +2204,9 @@ int wolfSSL_EVP_PKEY_param_check(WOLFSSL_EVP_PKEY_CTX* ctx)
 {
 int type;
 int ret;
+ WOLFSSL_DH* dh_key = NULL;
+
+ (void)dh_key;
 /* sanity check */
 if (ctx == NULL) {
@@ -2232,7 +2236,13 @@ int wolfSSL_EVP_PKEY_param_check(WOLFSSL_EVP_PKEY_CTX* ctx)
 #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) \
 && (HAVE_FIPS_VERSION>2))
 case EVP_PKEY_DH:
- ret = DH_param_check(wolfSSL_EVP_PKEY_get1_DH(ctx->pkey));
+ dh_key = wolfSSL_EVP_PKEY_get1_DH(ctx->pkey);
+ if (dh_key != NULL) {
+ ret = DH_param_check(dh_key);
+ wolfSSL_DH_free(dh_key);
+ }
+ else
+ ret = WOLFSSL_FAILURE;
 return ret;
 #endif
 #endif
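Review bot: With `WOLFSSL_KEY_GEN` undefined, the guarded block in `DH_param_check` drops the primality test on `dh_key->q`, yet the function can still return `WOLFSSL_SUCCESS`, so a caller of `wolfSSL_EVP_PKEY_param_check` cannot tell that q was never validated. Presumably the guard exists because `wolfSSL_BN_is_prime_ex` is only built with key generation enabled; if so, the reduced check should at least be visible, e.g. an `#else` branch with `WOLFSSL_MSG("q primality not checked: WOLFSSL_KEY_GEN not defined");`. The function comment should also state that in such builds only the earlier checks run. Whether to fail closed in that configuration is worth deciding explicitly, because accepting DH parameters whose subgroup order was not verified weakens what a passing parameter check means. The function begins and ends outside this hunk.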
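Review bot: The `else` added in the `EVP_PKEY_DH` case is unbraced directly after a braced `if`, and the NULL path sets `WOLFSSL_FAILURE` without a log line, unlike the failure paths visible in `DH_param_check`. I would write it as `else { WOLFSSL_MSG("wolfSSL_EVP_PKEY_get1_DH returned NULL"); ret = WOLFSSL_FAILURE; }` so a later edit cannot detach the assignment from the branch and the failure can be diagnosed. The `(void)dh_key;` added at the top of `wolfSSL_EVP_PKEY_param_check` in the previous hunk would benefit from a short comment such as `/* unused when the DH case is compiled out */`. The switch and the rest of the function lie outside this hunk.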