root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Command docs: replacables are in italics, options always start with a dash 

Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
This commit is contained in:
Richard Levitte 2019-10-01 18:16:29 +02:00
parent fed8bd90e4
commit 2f0ea93658
45 changed files with 343 additions and 337 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/man1/CA.pl.pod
View File

@ -120,7 +120,7 @@ Verifies certificates against the CA certificate for "demoCA". If no
certificates are specified on the command line it tries to verify the file
"newcert.pem". Invokes B<openssl verify> command.
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
The purpose of these parameters is to allow optional parameters to be supplied
to B<openssl> that this command executes. The B<-extra-cmd> are specific to the

12
doc/man1/openssl-asn1parse.pod
View File

@ -39,7 +39,7 @@ Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
The input format. I<DER> is binary format and I<PEM> (the default) is base64
The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
=item B<-in> I<filename>
@ -88,12 +88,12 @@ option can be used multiple times to "drill down" into a nested structure.
=item B<-genstr> I<string>, B<-genconf> I<file>
Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
Generate encoded data based on I<string>, I<file> or both using
L<ASN1_generate_nconf(3)> format. If I<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
file using the B<out> option.
file using the B<-out> option.
=item B<-strictpem>
@ -105,8 +105,8 @@ END marker in a PEM file.
=item B<-item> I<name>
Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.
Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
to print out the fields of any supported ASN.1 structure if the type is known.
=back

14
doc/man1/openssl-ca.pod
View File

@ -251,7 +251,7 @@ used).
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ca>
Specifying an engine (by its unique I<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -259,7 +259,7 @@ for all available algorithms.
=item B<-subj> I<arg>
Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
@ -291,7 +291,7 @@ support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
If B<-multi-rdn> is not used then the UID value is I<123456+CN=John Doe>.
=item B<-rand> I<files>
@ -353,9 +353,9 @@ Updates the database index to purge expired certificates.
=item B<-crl_reason> I<reason>
Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
In practice B<removeFromCRL> is not particularly useful because it is only used
@ -364,14 +364,14 @@ in delta CRLs which are not currently implemented.
=item B<-crl_hold> I<instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
instruction to B<instruction> which must be an OID. Although any OID can be
instruction to I<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
=item B<-crl_compromise> I<time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
=item B<-crl_CA_compromise> I<time>

8
doc/man1/openssl-ciphers.pod
View File

@ -22,7 +22,7 @@ B<openssl> B<ciphers>
[B<-stdname>]
[B<-convert> I<name>]
[B<-ciphersuites> I<val>]
[B<cipherlist>]
[I<cipherlist>]
=for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
@ -87,7 +87,7 @@ Precede each cipher suite by its standard name.
=item B<-convert> I<name>
Convert a standard cipher B<name> to its OpenSSL name.
Convert a standard cipher I<name> to its OpenSSL name.
=item B<-ciphersuites> I<val>
@ -147,8 +147,8 @@ will not moved to the end of the list.
The cipher string B<@STRENGTH> can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
The cipher string B<@SECLEVEL=n> can be used at any point to set the security
level to B<n>, which should be a number between zero and five, inclusive.
The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security
level to I<n>, which should be a number between zero and five, inclusive.
See L<SSL_CTX_set_security_level> for a description of what each level means.
The cipher list can be prefixed with the B<DEFAULT> keyword, which enables

12
doc/man1/openssl-cmds.pod
View File

@ -57,13 +57,13 @@ x509
=for comment generic
B<openssl> B<cmd> [B<-help>] [B<...>]
B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ...
=head1 DESCRIPTION
Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view
the manual page for the B<openssl dgst> command, type B<man openssl-dgst>.
Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to
view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>.
=head1 OPTIONS
@ -132,8 +132,8 @@ L<openssl-x509(1)>,
=head1 HISTORY
Initially, the manual page entry for the B<openssl cmd> command used
to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was
Initially, the manual page entry for the C<openssl I<cmd>> command used
to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was
introduced, which made it easier to group the openssl commands using
the L<apropos(1)> command or the shell's tab completion.

10
doc/man1/openssl-cms.pod
View File

@ -385,7 +385,7 @@ the signers certificates. The certificates should be in PEM format.
=item B<-certsout> I<file>
Any certificates contained in the message are written to B<file>.
Any certificates contained in the message are written to I<file>.
=item B<-signer> I<file>
@ -446,14 +446,14 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
=item B<-econtent_type> I<type>
Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
Set the encapsulated content type to I<type> if not supplied the B<Data> type
is used. The I<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey> I<file>
@ -766,7 +766,7 @@ No revocation checking is done on the signer's certificate.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
The B<keyopt> option was added in OpenSSL 1.0.2.
The B<-keyopt> option was added in OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.

4
doc/man1/openssl-crl.pod
View File

@ -95,12 +95,12 @@ Output the nextUpdate field.
=item B<-CAfile> I<file>
Verify the signature on a CRL by looking up the issuing certificate in
B<file>.
I<file>.
=item B<-CApath> I<dir>
Verify the signature on a CRL by looking up the issuing certificate in
B<dir>. This directory must be a standard certificate directory: that
I<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.

14
doc/man1/openssl-dgst.pod
View File

@ -39,7 +39,7 @@ signatures using message digests.
The generic name, B<dgst>, may be used with an option specifying the
algorithm to be used.
The default digest is I<sha256>.
The default digest is B<sha256>.
A supported I<digest> name may also be used as the command name.
To see the list of supported algorithms, use the I<list --digest-commands>
command.
@ -60,7 +60,7 @@ supported digests, use the command C<list --digest-commands>.
=item B<-c>
Print out the digest in two digit groups separated by colons, only relevant if
B<hex> format output is used.
the B<-hex> option is given as well.
=item B<-d>
@ -103,7 +103,7 @@ Names and values of these options are algorithm-specific.
=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<filename>
@ -144,13 +144,13 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
=over 4
=item B<key:string>
=item B<key>:I<string>
Specifies MAC key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the MAC algorithm for example exactly 32 chars for gost-mac.
=item B<hexkey:string>
=item B<hexkey>:I<string>
Specifies MAC key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the MAC algorithm
@ -179,7 +179,7 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
=item B<-engine> I<id>
Use engine B<id> for operations (including private key storage).
Use engine I<id> for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
also specified in the configuration file or B<-engine_impl> is also
specified.
@ -187,7 +187,7 @@ specified.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
engine B<id> for digest operations.
engine I<id> for digest operations.
=item I<file> ...

4
doc/man1/openssl-dhparam.pod
View File

@ -83,7 +83,7 @@ displays a warning if not.
The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but B<numbits> is present, parameters are generated with the
present but I<numbits> is present, parameters are generated with the
default generator 2.
=item B<-rand> I<files>
@ -122,7 +122,7 @@ be loaded by calling the get_dhNNNN() function.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dhparam>
Specifying an engine (by its unique I<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

6
doc/man1/openssl-dsa.pod
View File

@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@ -87,7 +87,7 @@ filename.
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@ -125,7 +125,7 @@ a public key.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsa>
Specifying an engine (by its unique I<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

8
doc/man1/openssl-dsaparam.pod
View File

@ -49,7 +49,7 @@ as the B<-inform> option.
=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified. If the B<numbits> parameter is included then
this option is not specified. If the I<numbits> parameter is included then
this option will be ignored.
=item B<-out> I<filename>
@ -90,7 +90,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
Specifying an engine (by its unique I<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -99,10 +99,10 @@ for all available algorithms.
Print extra details about the operations being performed.
=item B<numbits>
=item I<numbits>
This option specifies that a parameter set should be generated of size
B<numbits>. It must be the last option. If this option is included then
I<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=back

8
doc/man1/openssl-ec.pod
View File

@ -68,7 +68,7 @@ prompted for.
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@ -80,7 +80,7 @@ filename.
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des>|B<-des3>|B<-idea>
@ -113,7 +113,7 @@ By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
=item B<-conv_form>
=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
@ -143,7 +143,7 @@ This option checks the consistency of an EC private or public key.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ec>
Specifying an engine (by its unique I<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

4
doc/man1/openssl-ecparam.pod
View File

@ -96,7 +96,7 @@ to get a list of all currently implemented EC parameters.
If this options is specified B<ecparam> will print out a list of all
currently implemented EC parameters names and exit.
=item B<-conv_form>
=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
@ -139,7 +139,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ecparam>
Specifying an engine (by its unique I<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

8
doc/man1/openssl-enc.pod
View File

@ -72,7 +72,7 @@ The output filename, standard output by default.
=item B<-pass> I<arg>
The password source. For more information about the format of B<arg>
The password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-e>
@ -104,7 +104,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
=item B<-kfile> I<filename>
Read the password to derive the key from the first line of B<filename>.
Read the password to derive the key from the first line of I<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
@ -202,7 +202,7 @@ This can be used with a subsequent B<-rand> flag.
=head1 NOTES
The program can be called either as B<openssl cipher> or
B<openssl enc -cipher>. The first form doesn't work with
B<openssl enc -I<cipher>>. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the B<list> command to get a list of supported ciphers.
@ -251,7 +251,7 @@ Blowfish and RC5 algorithms use a 128 bit key.
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output of the B<enc> command run with
the B<-ciphers> option (that is B<openssl enc -ciphers>) produces a
the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>) produces a
list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.

11
doc/man1/openssl-engine.pod
View File

@ -15,14 +15,14 @@ B<openssl engine>
[B<-c>]
[B<-t>]
[B<-tt>]
[B<-pre> I<command>]
[B<-post> I<command>]
[B<-pre> I<command>] ...
[B<-post> I<command>] ...
[I<engine> ...]
=head1 DESCRIPTION
The B<engine> command is used to query the status and capabilities
of the specified B<engine>'s.
of the specified I<engine>'s.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
@ -56,10 +56,13 @@ Displays an error trace for any unavailable engine.
Command-line configuration of engines.
The B<-pre> command is given to the engine before it is loaded and
the B<-post> command is given after the engine is loaded.
The I<command> is of the form I<cmd:val> where I<cmd> is the command,
The I<command> is of the form I<cmd>:I<val> where I<cmd> is the command,
and I<val> is the value for the command.
See the example below.
These two options are cumulative, so they may be given more than once in the
same command.
=back
=head1 EXAMPLES

2
doc/man1/openssl-errstr.pod
View File

@ -6,7 +6,7 @@ openssl-errstr - lookup error codes
=head1 SYNOPSIS
B<openssl errstr error_code>
B<openssl errstr> I<error_code>
=head1 DESCRIPTION

6
doc/man1/openssl-fipsinstall.pod
View File

@ -83,20 +83,20 @@ Common control strings used for fipsinstall are:
=over 4
=item B<key:string>
=item B<key>:I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
=item B<hexkey:string>
=item B<hexkey>:I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
=item B<digest:string>
=item B<digest>:I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).

12
doc/man1/openssl-gendsa.pod
View File

@ -25,7 +25,7 @@ B<openssl> B<gendsa>
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-verbose>]
[B<paramfile>]
[I<paramfile>]
=for comment ifdef engine
@ -67,7 +67,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<gendsa>
Specifying an engine (by its unique I<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -76,11 +76,11 @@ for all available algorithms.
Print extra details about the operations being performed.
=item B<paramfile>
=item I<paramfile>
This option specifies the DSA parameter file to use. The parameters in this
file determine the size of the private key. DSA parameters can be generated
and examined using the B<openssl dsaparam> command.
The DSA parameter file to use. The parameters in this file determine
the size of the private key. DSA parameters can be generated and
examined using the B<openssl dsaparam> command.
=back

59
doc/man1/openssl-genpkey.pod
View File

@ -15,7 +15,7 @@ B<openssl> B<genpkey>
[B<-engine> I<id>]
[B<-paramfile> I<file>]
[B<-algorithm> I<alg>]
[B<-pkeyopt> I<opt:value>]
[B<-pkeyopt> I<opt>:I<value>]
[B<-genparam>]
[B<-text>]
@ -44,7 +44,7 @@ This specifies the output format DER or PEM. The default format is PEM.
=item B<-pass> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-I<cipher>>
@ -54,7 +54,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genpkey>
Specifying an engine (by its unique I<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
@ -79,9 +79,9 @@ will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
below for more details.
=item B<-pkeyopt> I<opt:value>
=item B<-pkeyopt> I<opt>:I<value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See L<KEY GENERATION OPTIONS> and
L<PARAMETER GENERATION OPTIONS> below for more details.
@ -138,22 +138,23 @@ Note: by default an B<RSA-PSS> key has no parameter restrictions.
=over 4
=item B<rsa_keygen_bits:numbits>, B<rsa_keygen_primes:numprimes>, B<rsa_keygen_pubexp:value>
=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
B<rsa_keygen_pubexp>:I<value>
These options have the same meaning as the B<RSA> algorithm.
=item B<rsa_pss_keygen_md:digest>
=item B<rsa_pss_keygen_md>:I<digest>
If set the key is restricted and can only use B<digest> for signing.
If set the key is restricted and can only use I<digest> for signing.
=item B<rsa_pss_keygen_mgf1_md:digest>
=item B<rsa_pss_keygen_mgf1_md>:I<digest>
If set the key is restricted and can only use B<digest> as it's MGF1
If set the key is restricted and can only use I<digest> as it's MGF1
parameter.
=item B<rsa_pss_keygen_saltlen:len>
=item B<rsa_pss_keygen_saltlen>:I<len>
If set the key is restricted and B<len> specifies the minimum salt length.
If set the key is restricted and I<len> specifies the minimum salt length.
=back
@ -163,14 +164,14 @@ The EC key generation options can also be used for parameter generation.
=over 4
=item B<ec_paramgen_curve:curve>
=item B<ec_paramgen_curve>:I<curve>
The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
=item B<ec_param_enc:encoding>
=item B<ec_param_enc>:I<encoding>
The encoding to use for parameters. The "encoding" parameter must be either
"named_curve" or "explicit". The default value is "named_curve".
The encoding to use for parameters. The I<encoding> parameter must be either
B<named_curve> or B<explicit>. The default value is B<named_curve>.
=back
@ -184,16 +185,16 @@ below.
=over 4
=item B<dsa_paramgen_bits:numbits>
=item B<dsa_paramgen_bits>:I<numbits>
The number of bits in the generated prime. If not specified 2048 is used.
=item B<dsa_paramgen_q_bits:numbits>
=item B<dsa_paramgen_q_bits>:I<numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
=item B<dsa_paramgen_md:digest>
=item B<dsa_paramgen_md>:I<digest>
The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
or B<sha256>. If set, then the number of bits in B<q> will match the output size
@ -208,30 +209,30 @@ or B<sha256> if it is 256.
=over 4
=item B<dh_paramgen_prime_len:numbits>
=item B<dh_paramgen_prime_len>:I<numbits>
The number of bits in the prime parameter B<p>. The default is 2048.
The number of bits in the prime parameter I<p>. The default is 2048.
=item B<dh_paramgen_subprime_len:numbits>
=item B<dh_paramgen_subprime_len>:I<numbits>
The number of bits in the sub prime parameter B<q>. The default is 256 if the
The number of bits in the sub prime parameter I<q>. The default is 256 if the
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
=item B<dh_paramgen_generator:value>
=item B<dh_paramgen_generator>:I<value>
The value to use for the generator B<g>. The default is 2.
The value to use for the generator I<g>. The default is 2.
=item B<dh_paramgen_type:value>
=item B<dh_paramgen_type>:I<value>
The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
The default is 0.
=item B<dh_rfc5114:num>
=item B<dh_rfc5114>:I<num>
If this option is set, then the appropriate RFC5114 parameters are used
instead of generating new parameters. The value B<num> can take the
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
instead of generating new parameters. The value I<num> can be one of
1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter

9
doc/man1/openssl-genrsa.pod
View File

@ -22,8 +22,7 @@ B<openssl> B<genrsa>
[B<-des>]
[B<-des3>]
[B<-idea>]
[B<-f4>]
[B<-3>]
[B<-f4>|B<-3>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
@ -80,16 +79,16 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genrsa>
Specifying an engine (by its unique I<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-primes> I<num>
Specify the number of primes to use while generating the RSA key. The B<num>
Specify the number of primes to use while generating the RSA key. The I<num>
parameter must be a positive integer that is greater than 1 and less than 16.
If B<num> is greater than 2, then the generated key is called a 'multi-prime'
If I<num> is greater than 2, then the generated key is called a 'multi-prime'
RSA key, which is defined in RFC 8017.
=item B<-verbose>

20
doc/man1/openssl-mac.pod
View File

@ -12,7 +12,7 @@ B<openssl mac>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-binary>]
B<mac_name>
I<mac_name>
=head1 DESCRIPTION
@ -51,55 +51,55 @@ Common parameter names used by EVP_MAC_CTX_get_params() are:
=over 4
=item B<key:string>
=item B<key:>I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
=item B<hexkey:string>
=item B<hexkey:>I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
=item B<digest:string>
=item B<digest:>I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the MAC algorithm.
To see the list of supported digests, use the command I<list -digest-commands>.
=item B<cipher:string>
=item B<cipher:>I<string>
Used by CMAC and GMAC to specify the cipher algorithm.
For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or
DES-EDE3-CBC.
For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
=item B<iv:string>
=item B<iv:>I<string>
Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains
printable characters only).
=item B<hexiv:string>
=item B<hexiv:>I<string>
Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte).
=item B<outlen:int>
=item B<outlen:>I<int>
Used by KMAC128 or KMAC256 to specify an output length.
The default sizes are 32 or 64 bytes respectively.
=item B<custom:string>
=item B<custom:>I<string>
Used by KMAC128 or KMAC256 to specify a customization string.
The default is the empty string "".
=back
=item B<mac_name>
=item I<mac_name>
Specifies the name of a supported MAC algorithm which will be used.
To see the list of supported MAC's use the command I<list -mac-algorithms>.

69
doc/man1/openssl-ocsp.pod
View File

@ -26,7 +26,7 @@ B<openssl> B<ocsp>
[B<-nonce>]
[B<-no_nonce>]
[B<-url> I<URL>]
[B<-host> I<host:port>]
[B<-host> I<host>:I<port>]
[B<-multi> I<process-count>]
[B<-header>]
[B<-path>]
@ -121,27 +121,27 @@ specify output filename, default is standard output.
=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
multiple times. The certificate specified in I<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.
=item B<-cert> I<filename>
Add the certificate B<filename> to the request. The issuer certificate
is taken from the previous B<issuer> option, or an error occurs if no
Add the certificate I<filename> to the request. The issuer certificate
is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.
=item B<-serial> I<num>
Same as the B<cert> option except the certificate with serial number
Same as the B<-cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value by a B<-> sign.
=item B<-signer> I<filename>, B<-signkey> I<filename>
Sign the OCSP request using the certificate specified in the B<signer>
option and the private key specified by the B<signkey> option. If
the B<signkey> option is not present then the private key is read
Sign the OCSP request using the certificate specified in the B<-signer>
option and the private key specified by the B<-signkey> option. If
the B<-signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
@ -152,10 +152,10 @@ Additional certificates to include in the signed request.
=item B<-nonce>, B<-no_nonce>
Add an OCSP nonce extension to a request or disable OCSP nonce addition.
Normally if an OCSP request is input using the B<reqin> option no
nonce is added: using the B<nonce> option will force addition of a nonce.
If an OCSP request is being created (using B<cert> and B<serial> options)
a nonce is automatically added specifying B<no_nonce> overrides this.
Normally if an OCSP request is input using the B<-reqin> option no
nonce is added: using the B<-nonce> option will force addition of a nonce.
If an OCSP request is being created (using B<-cert> and B<-serial> options)
a nonce is automatically added specifying B<-no_nonce> overrides this.
=item B<-req_text>, B<-resp_text>, B<-text>
@ -163,28 +163,28 @@ Print out the text form of the OCSP request, response or both respectively.
=item B<-reqout> I<file>, B<-respout> I<file>
Write out the DER encoded certificate request or response to B<file>.
Write out the DER encoded certificate request or response to I<file>.
=item B<-reqin> I<file>, B<-respin> I<file>
Read OCSP request or response file from B<file>. These option are ignored
Read OCSP request or response file from I<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
with B<-serial>, B<-cert> and B<-host> options).
=item B<-url> I<responder_url>
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
=item B<-host> I<hostname:port>, B<-path> I<pathname>
=item B<-host> I<hostname>:I<port>, B<-path> I<pathname>
If the B<host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
If the B<-host> option is present then the OCSP request is sent to the host
I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
to use or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
=item B<-header> I<name=value>
=item B<-header> I<name>=I<value>
Adds the header B<name> with the specified B<value> to the OCSP request
Adds the header I<name> with the specified I<value> to the OCSP request
that is sent to the responder.
This may be repeated.
@ -303,7 +303,7 @@ seconds, the default value is 5 minutes.
If the B<notAfter> time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
B<notBefore> field is checked to see it is not older than B<age> seconds old.
B<notBefore> field is checked to see it is not older than I<age> seconds old.
By default this additional check is not performed.
=item B<-rcid> I<digest>
@ -327,21 +327,22 @@ digest used by subsequent certificate identifiers.
=item B<-index> I<indexfile>
The B<indexfile> parameter is the name of a text index file in B<ca>
The I<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
If the B<index> option is specified the B<ocsp> utility is in responder
If the B<-index> option is specified the B<ocsp> utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using B<issuer>
and B<serial> options), supplied in a file (using the B<reqin> option)
or via external OCSP clients (if B<port> or B<url> is specified).
processes can be either specified on the command line (using B<-issuer>
and B<-serial> options), supplied in a file (using the B<-reqin> option)
or via external OCSP clients (if B<-port> or B<-url> is specified).
If the B<index> option is present then the B<CA> and B<rsigner> options
If the B<-index> option is present then the B<-CA> and B<-rsigner> options
must also be present.
=item B<-CA> I<file>
CA certificate corresponding to the revocation information in B<indexfile>.
CA certificate corresponding to the revocation information in the index
file given with B<-index>.
=item B<-rsigner> I<file>
@ -363,7 +364,7 @@ subject name.
=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
specified in the B<-rsigner> option is used.
=item B<-rsigopt> I<nm>:I<v>
@ -383,7 +384,7 @@ running instead of terminating upon receiving a malformed request.
=item B<-nrequest> I<number>
The OCSP server will exit after receiving B<number> requests, default unlimited.
The OCSP server will exit after receiving I<number> requests, default unlimited.
=item B<-nmin> I<minutes>, B<-ndays> I<days>
@ -403,8 +404,8 @@ the OCSP request checked using the responder certificate's public key.
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the B<CAfile>
and B<CApath> options or they will be looked for in the standard OpenSSL
certificates used to build the chain can be specified by the B<-CAfile>
and B<-CApath> options or they will be looked for in the standard OpenSSL
certificates directory.
If the initial verify fails then the OCSP verify process halts with an
@ -452,7 +453,7 @@ format of revocation is also inefficient for large quantities of revocation
data.
It is possible to run the B<ocsp> application in responder mode via a CGI
script using the B<reqin> and B<respout> options.
script using the B<-reqin> and B<-respout> options.
=head1 EXAMPLES

5
doc/man1/openssl-passwd.pod
View File

@ -32,8 +32,9 @@ The B<passwd> command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
The Unix standard algorithm B<crypt> and the MD5-based BSD password
algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
The Unix standard algorithm B<-crypt> and the MD5-based BSD password
algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
available.
=head1 OPTIONS

10
doc/man1/openssl-pkcs12.pod
View File

@ -79,13 +79,13 @@ default. They are all written in PEM format.
=item B<-passin> I<arg>
The PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg>
the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
=item B<-password> I<arg>
@ -207,13 +207,13 @@ displays them.
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
@ -312,7 +312,7 @@ Do not load the trusted CA certificates from the default directory location.
=item B<-CSP> I<name>
Write B<name> as a Microsoft CSP name.
Write I<name> as a Microsoft CSP name.
=back

10
doc/man1/openssl-pkcs8.pod
View File

@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@ -87,7 +87,7 @@ filename.
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-iter> I<count>
@ -121,7 +121,7 @@ This can be used with a subsequent B<-rand> flag.
This option sets the PKCS#5 v2.0 algorithm.
The B<alg> argument is the encryption algorithm to use, valid values include
The I<alg> argument is the encryption algorithm to use, valid values include
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
@ -142,7 +142,7 @@ If not specified PKCS#5 v2.0 form is used.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
Specifying an engine (by its unique I<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -156,7 +156,7 @@ B<-scrypt_p> and B<-v2> options.
=item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
Sets the scrypt B<N>, B<r> or B<p> parameters.
Sets the scrypt I<N>, I<r> or I<p> parameters.
=back

8
doc/man1/openssl-pkey.pod
View File

@ -57,7 +57,7 @@ prompted for.
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@ -67,9 +67,9 @@ option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
=item B<-passout> I<password>
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-traditional>
@ -109,7 +109,7 @@ the input is a public key.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkey>
Specifying an engine (by its unique I<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

2
doc/man1/openssl-pkeyparam.pod
View File

@ -50,7 +50,7 @@ Do not output the encoded version of the parameters.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
Specifying an engine (by its unique I<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

61
doc/man1/openssl-pkeyutl.pod
View File

@ -29,8 +29,8 @@ B<openssl> B<pkeyutl>
[B<-derive>]
[B<-kdf> I<algorithm>]
[B<-kdflen> I<length>]
[B<-pkeyopt> I<opt:value>]
[B<-pkeyopt_passin> I<opt:passarg>]
[B<-pkeyopt> I<opt>:I<value>]
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
[B<-asn1parse>]
[B<-rand> I<files>]
@ -82,7 +82,7 @@ default.
=item B<-sigfile> I<file>
Signature file, required for B<verify> operations only
Signature file, required for B<-verify> operations only
=item B<-inkey> I<file>
@ -94,7 +94,7 @@ The key format PEM, DER or ENGINE. Default is PEM.
=item B<-passin> I<arg>
The input key password source. For more information about the format of B<arg>
The input key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-peerkey> I<file>
@ -103,7 +103,7 @@ The peer key file, used by key derivation (agreement) operations.
=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
The peer key format PEM, DER or ENGINE. Default is PEM.
The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
=item B<-pubin>
@ -146,7 +146,7 @@ Derive a shared secret using the peer key.
=item B<-kdf> I<algorithm>
Use key derivation function B<algorithm>. The supported algorithms are
Use key derivation function I<algorithm>. The supported algorithms are
at present B<TLS1-PRF> and B<HKDF>.
Note: additional parameters and the KDF output length will normally have to be
set for this to work.
@ -157,16 +157,16 @@ for the supported string parameters of each algorithm.
Set the output length for KDF.
=item B<-pkeyopt> I<opt:value>
=item B<-pkeyopt> I<opt>:I<value>
Public key options specified as opt:value. See NOTES below for more details.
=item B<-pkeyopt_passin> I<opt:passarg>
=item B<-pkeyopt_passin> I<opt>[:I<passarg>]
Allows reading a public key option B<opt> from stdin or a password source. If
only opt is specified, the user will be prompted to enter the value on stdin.
Alternatively, passarg can be specified which can be any value supported by
B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
Allows reading a public key option I<opt> from stdin or a password source.
If only I<opt> is specified, the user will be prompted to enter a password on
stdin. Alternatively, I<passarg> can be specified which can be any value
supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
=item B<-hexdump>
@ -191,7 +191,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
Specifying an engine (by its unique I<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -199,7 +199,7 @@ for all available algorithms.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
engine B<id> for crypto operations.
engine I<id> for crypto operations.
=back
@ -208,9 +208,9 @@ engine B<id> for crypto operations.
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
Unless otherwise mentioned all algorithms support the B<digest:alg> option
Unless otherwise mentioned all algorithms support the B<digest:>I<alg> option
which specifies the digest in use for sign, verify and verifyrecover operations.
The value B<alg> should represent a digest name as used in the
The value I<alg> should represent a digest name as used in the
EVP_get_digestbyname() function for example B<sha1>. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
lengths of data passed in to the B<pkeyutl> and for creating the structures that
@ -237,9 +237,9 @@ B<pkeyopt> values are supported:
=over 4
=item B<rsa_padding_mode:mode>
=item B<rsa_padding_mode:>I<mode>
This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for
PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
@ -257,15 +257,15 @@ verify and verifyrecover are can be performed in this mode.
For B<pss> mode only sign and verify are supported and the digest type must be
specified.
=item B<rsa_pss_saltlen:len>
=item B<rsa_pss_saltlen:>I<len>
For B<pss> mode only this option specifies the salt length. Three special
values are supported: "digest" sets the salt length to the digest length,
"max" sets the salt length to the maximum permissible value. When verifying
"auto" causes the salt length to be automatically determined based on the
values are supported: B<digest> sets the salt length to the digest length,
B<max> sets the salt length to the maximum permissible value. When verifying
B<auto> causes the salt length to be automatically determined based on the
B<PSS> block structure.
=item B<rsa_mgf1_md:digest>
=item B<rsa_mgf1_md:>I<digest>
For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
explicitly set in PSS mode then the signing digest is used.
@ -276,11 +276,12 @@ explicitly set in PSS mode then the signing digest is used.
The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
supports the sign and verify operations with PSS padding. The following
additional B<pkeyopt> values are supported:
additional B<-pkeyopt> values are supported:
=over 4
=item B<rsa_padding_mode:mode>, B<rsa_pss_saltlen:len>, B<rsa_mgf1_md:digest>
=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>,
B<rsa_mgf1_md:>I<digest>
These have the same meaning as the B<RSA> algorithm with some additional
restrictions. The padding mode can only be set to B<pss> which is the
@ -319,8 +320,8 @@ no additional options.
These algorithms only support signing and verifying. OpenSSL only implements the
"pure" variants of these algorithms so raw data can be passed directly to them
without hashing them first. The option "-rawin" must be used with these
algorithms with no "-digest" specified. Additionally OpenSSL only supports
without hashing them first. The option B<-rawin> must be used with these
algorithms with no B<-digest> specified. Additionally OpenSSL only supports
"oneshot" operation with these algorithms. This means that the entire file to
be signed/verified must be read into memory before processing it. Signing or
Verifying very large files should be avoided. Additionally the size of the file
@ -331,17 +332,17 @@ must be known for this to work. If the size of the file cannot be determined
The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
the sign and verify operations, SM2 requires an ID string to be passed in. The
following B<pkeyopt> value is supported:
following B<-pkeyopt> value is supported:
=over 4
=item B<sm2_id:string>
=item B<sm2_id:>I<string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
Otherwise the verification will fail.
=item B<sm2_hex_id:hex_string>
=item B<sm2_hex_id:>I<hex_string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.

6
doc/man1/openssl-prime.pod
View File

@ -41,16 +41,16 @@ Generate a prime number.
=item B<-bits> I<num>
Generate a prime with B<num> bits.
Generate a prime with I<num> bits.
=item B<-safe>
When used with B<-generate>, generates a "safe" prime. If the number
generated is B<n>, then check that B<(n-1)/2> is also prime.
generated is I<n>, then check that C<(I<n>-1)/2> is also prime.
=item B<-checks> I<num>
Perform the checks B<num> times to see that the generated number
Perform the checks I<num> times to see that the generated number
is prime. The default is 20.
=back

10
doc/man1/openssl-rehash.pod
View File

@ -45,17 +45,17 @@ but often B</usr/local/ssl/certs>) is processed.
In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.
The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
The links created are of the form I<HHHHHHHH.D>, where each I<H>
is a hexadecimal character and I<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.
the period, like this: I<HHHHHHHH.>B<r>I<D>.
Multiple objects may have the same hash; they will be indicated by
incrementing the B<D> value. Duplicates are found by comparing the
incrementing the I<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.
@ -75,7 +75,7 @@ a certificate or CRL:
$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FILENAME
where B<FILENAME> is the filename. It must output the hash of the
where I<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.

56
doc/man1/openssl-req.pod
View File

@ -22,8 +22,7 @@ B<openssl> B<req>
[B<-new>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-newkey> I<rsa:bits>]
[B<-newkey> I<alg:file>]
[B<-newkey> I<arg>]
[B<-nodes>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
@ -103,7 +102,7 @@ default.
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-text>
@ -157,32 +156,33 @@ This can be used with a subsequent B<-rand> flag.
=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
key. The argument takes one of several forms.
B<rsa:>I<nbits>, where
I<nbits> is the number of bits, generates an RSA key I<nbits>
in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
the default key size, specified in the configuration file is used.
All other algorithms support the B<-newkey> I<alg:file> form, where file may be
an algorithm parameter file, created by the B<genpkey -genparam> command
or and X.509 certificate for a key with appropriate algorithm.
All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
may be an algorithm parameter file, created with B<genpkey -genparam>
or an X.509 certificate for a key with appropriate algorithm.
B<param:file> generates a key using the parameter file or certificate B<file>,
the algorithm is determined by the parameters. B<algname:file> use algorithm
B<algname> and parameter file B<file>: the two algorithms must match or an
error occurs. B<algname> just uses algorithm B<algname>, and parameters,
if necessary should be specified via B<-pkeyopt> parameter.
B<param:>I<file> generates a key using the parameter file or certificate
I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
use algorithm I<algname> and parameter file I<file>: the two algorithms must
match or an error occurs. I<algname> just uses algorithm I<algname>, and
parameters, if necessary should be specified via B<-pkeyopt> parameter.
B<dsa:filename> generates a DSA key using the parameters
in the file B<filename>. B<ec:filename> generates EC key (usable both with
ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
34.10-2001 key (requires B<ccgost> engine configured in the configuration
B<dsa:>I<filename> generates a DSA key using the parameters
in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
34.10-2001 key (requires B<gost> engine configured in the configuration
file). If just B<gost2001> is specified a parameter set should be
specified by B<-pkeyopt> I<paramset:X>
=item B<-pkeyopt> I<opt>:I<value>
=item B<-pkeyopt> I<opt:value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
@ -249,7 +249,7 @@ This option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
using the B<set_serial> option, a large random number will be used for
using the B<-set_serial> option, a large random number will be used for
the serial number.
If existing request is specified with the B<-in> option, it is converted
@ -258,7 +258,7 @@ to the self signed certificate otherwise new request is created.
=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
days to certify the certificate for, otherwise it is ignored. B<n> should
days to certify the certificate for, otherwise it is ignored. I<n> should
be a positive integer. The default is 30 days.
=item B<-set_serial> I<n>
@ -304,13 +304,13 @@ configuration file, must be valid UTF8 strings.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-reqopt>
=item B<-reqopt> I<option>
Customise the output format used with B<-text>. The B<option> argument can be
Customise the output format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
@ -331,14 +331,14 @@ Print extra details about the operations being performed.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<req>
Specifying an engine (by its unique I<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine> I<id>
Specifies an engine (by its unique B<id> string) which would be used
Specifies an engine (by its unique I<id> string) which would be used
for key generation operations.
=item B<-sm2-id>

8
doc/man1/openssl-rsa.pod
View File

@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@ -85,9 +85,9 @@ option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
=item B<-passout> I<password>
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@ -134,7 +134,7 @@ Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<rsa>
Specifying an engine (by its unique I<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

24
doc/man1/openssl-s_client.pod
View File

@ -283,7 +283,7 @@ Extra certificate and private key format respectively.
=item B<-pass> I<arg>
the private key password source. For more information about the format of B<arg>
the private key password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-verify> I<depth>
@ -302,7 +302,7 @@ abort the handshake with a fatal error.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
@ -360,7 +360,7 @@ at a positive depth or else "matched EE certificate" at depth 0.
=item B<-dane_tlsa_rrdata> I<rrdata>
Use one or more times to specify the RRDATA fields of the DANE TLSA
RRset associated with the target service. The B<rrdata> value is
RRset associated with the target service. The I<rrdata> value is
specied in "presentation form", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
@ -481,19 +481,19 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity> I<identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
Use the PSK identity I<identity> when using a PSK cipher suite.
The default value is "Client_identity" (without the quotes).
=item B<-psk> I<key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
Use the PSK key I<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
@ -622,7 +622,7 @@ colon (":") separated list of TLSv1.3 ciphersuite names.
=item B<-starttls> I<protocol>
Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
I<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
@ -659,16 +659,16 @@ Disable RFC4507bis session ticket support.
=item B<-sess_out> I<filename>
Output SSL session to B<filename>.
Output SSL session to I<filename>.
=item B<-sess_in> I<sess.pem>
=item B<-sess_in> I<filename>
Load SSL session from B<filename>. The client will attempt to resume a
Load SSL session from I<filename>. The client will attempt to resume a
connection from this session.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<s_client>
Specifying an engine (by its unique I<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -702,7 +702,7 @@ response (if any) is printed out.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The B<protocols> list is a comma-separated list of protocol names that
The I<protocols> list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable ASCII strings,
for example "http/1.1" or "spdy/3".

18
doc/man1/openssl-s_server.pod
View File

@ -274,7 +274,7 @@ provided to the client.
=item B<-nameopt> I<val>
Option which determines how the subject or issuer names are displayed. The
B<val> argument can be a single option or multiple options separated by
I<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
@ -441,7 +441,7 @@ used in conjunction with B<-early_data>.
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
@ -475,7 +475,7 @@ a verbose printout of the OCSP response.
=item B<-status_timeout> I<int>
Sets the timeout for OCSP response to B<int> seconds.
Sets the timeout for OCSP response to I<int> seconds.
=item B<-status_url> I<val>
@ -652,24 +652,24 @@ Turns on non blocking I/O.
=item B<-psk_identity> I<val>
Expect the client to send PSK identity B<val> when using a PSK
Expect the client to send PSK identity I<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".
=item B<-psk_hint> I<val>
Use the PSK identity hint B<val> when using a PSK cipher suite.
Use the PSK identity hint I<val> when using a PSK cipher suite.
=item B<-psk> I<val>
Use the PSK key B<val> when using a PSK cipher suite. The key is
Use the PSK key I<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-listen>
@ -713,7 +713,7 @@ disabling the ephemeral DH cipher suites.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The B<val> list is a comma-separated list of supported protocol
The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
@ -721,7 +721,7 @@ The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
=item B<-engine> I<val>
Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
Specifying an engine (by its unique id string in I<val>) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

8
doc/man1/openssl-s_time.pod
View File

@ -8,7 +8,7 @@ openssl-s_time - SSL/TLS performance timing program
B<openssl> B<s_time>
[B<-help>]
[B<-connect> I<host:port>]
[B<-connect> I<host>:I<port>]
[B<-www> I<page>]
[B<-cert> I<filename>]
[B<-key> I<filename>]
@ -48,7 +48,7 @@ transferred (if any), and calculates the average time spent for one connection.
Print out a usage message.
=item B<-connect> I<host:port>
=item B<-connect> I<host>:I<port>
This specifies the host and optional port to connect to.
@ -80,7 +80,7 @@ will never fail due to a server certificate verify failure.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
@ -161,7 +161,7 @@ To connect to an SSL HTTP server and get the default page the command
openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
would typically be used (https uses port 443). 'commoncipher' is a cipher to
would typically be used (https uses port 443). I<commoncipher> is a cipher to
which both client and server can agree, see the L<ciphers(1)> command
for details.

8
doc/man1/openssl-sess_id.pod
View File

@ -9,7 +9,7 @@ openssl-sess_id - SSL/TLS session handling utility
B<openssl> B<sess_id>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>|B<MSS>]
[B<-outform> B<DER>|B<PEM>|B<NSS>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-text>]
@ -41,9 +41,9 @@ format base64 encoded with additional header and footer lines.
=item B<-outform> B<DER>|B<PEM>|B<NSS>
This specifies the output format. The B<PEM> and B<DER> options have the same meaning
and default as the B<-inform> option. The B<NSS> option outputs the session id and
the master key in NSS keylog format.
This specifies the output format. The B<PEM> and B<DER> options have the same
meaning and default as the B<-inform> option. The B<NSS> option outputs the
session id and the master key in NSS keylog format.
=item B<-in> I<filename>

2
doc/man1/openssl-smime.pod
View File

@ -295,7 +295,7 @@ specified, the argument is given to the engine as a key identifier.
=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-rand> I<files>

14
doc/man1/openssl-speed.pod
View File

@ -28,7 +28,7 @@ B<openssl speed>
This command is used to test the performance of cryptographic algorithms.
To see the list of supported algorithms, use the I<list --digest-commands>
or I<list --cipher-commands> command. The global CSPRNG is denoted by
the I<rand> algorithm name.
the B<rand> algorithm name.
=head1 OPTIONS
@ -40,7 +40,7 @@ Print out a usage message.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<speed>
Specifying an engine (by its unique I<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -54,8 +54,8 @@ of hardware engines.
=item B<-evp> I<algo>
Use the specified cipher or message digest algorithm via the EVP interface.
If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a
TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
=item B<-hmac> I<digest>
@ -84,16 +84,16 @@ This can be used with a subsequent B<-rand> flag.
=item B<-primes> I<num>
Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
is only effective if RSA algorithm is specified to test.
=item B<-seconds> I<num>
Run benchmarks for B<num> seconds.
Run benchmarks for I<num> seconds.
=item B<-bytes> I<num>
Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
=item I<algorithm> ...

8
doc/man1/openssl-spkac.pod
View File

@ -49,7 +49,7 @@ default.
=item B<-key> I<keyfile>
Create an SPKAC file using the private key in B<keyfile>. The
Create an SPKAC file using the private key in I<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
@ -58,9 +58,9 @@ present.
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
=item B<-passin> I<password>
=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-challenge> I<string>
@ -94,7 +94,7 @@ Verifies the digital signature on the supplied SPKAC.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<spkac>
Specifying an engine (by its unique I<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

4
doc/man1/openssl-srp.pod
View File

@ -32,7 +32,7 @@ At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
can be specified.
These options take zero or more usernames as parameters and perform the
appropriate operation on the SRP file.
For B<-list>, if no B<user> is given then all users are displayed.
For B<-list>, if no I<user> is given then all users are displayed.
The configuration file to use, and the section within the file, can be
specified with the B<-config> and B<-name> flags, respectively.
@ -42,7 +42,7 @@ just specify the file to operate on.
The B<-userinfo> option specifies additional information to add when
adding or modifying a user.
The B<-gn> flag specifies the B<g> and B<N> values, using one of
The B<-gn> flag specifies the I<g> and I<N> values, using one of
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in

6
doc/man1/openssl-storeutl.pod
View File

@ -49,7 +49,7 @@ this option prevents output of the PEM data.
=item B<-passin> I<arg>
the key password source. For more information about the format of B<arg>
the key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-text>
@ -59,7 +59,7 @@ B<openssl x509>, B<openssl pkey>, etc.
=item B<-engine> I<id>
specifying an engine (by its unique B<id> string) will cause B<storeutl>
specifying an engine (by its unique I<id> string) will cause B<storeutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed.
The engine will then be set as the default for all available algorithms.
@ -80,7 +80,7 @@ returned.
=item B<-subject> I<arg>
Search for an object having the subject name B<arg>.
Search for an object having the subject name I<arg>.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted but are ignored for the search. That is,

2
doc/man1/openssl-ts.pod
View File

@ -314,7 +314,7 @@ instead of DER. (Optional)
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ts>
Specifying an engine (by its unique I<id> string) will cause B<ts>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. Default is built-in. (Optional)

56
doc/man1/openssl-verify.pod
View File

@ -52,7 +52,7 @@ B<openssl> B<verify>
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
[B<-->]
[certificates]
[I<certificate> ...]
=for comment ifdef engine sm2-id sm2-hex-id
@ -70,14 +70,14 @@ Print out a usage message.
=item B<-CAfile> I<file>
A B<file> of trusted certificates.
A I<file> of trusted certificates.
The file should contain one or more certificates in PEM format.
=item B<-CApath> I<directory>
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
form ("hash" is the hashed certificate subject name: see the B<-hash> option
of the form: F<I<hash>.0> or have symbolic links to them of this
form (I<hash> is the hashed certificate subject name: see the B<-hash> option
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.
@ -95,8 +95,8 @@ Allow the verification of proxy certificates.
=item B<-attime> I<timestamp>
Perform validation checks using time specified by B<timestamp> and not
current system time. B<timestamp> is the number of seconds since
Perform validation checks using time specified by I<timestamp> and not
current system time. I<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-check_ss_sig>
@ -106,9 +106,9 @@ because it doesn't add any security.
=item B<-CRLfile> I<file>
The B<file> should contain one or more CRLs in PEM format.
The I<file> should contain one or more CRLs in PEM format.
This option can be specified more than once to include CRLs from multiple
B<files>.
I<file>s.
=item B<-crl_download>
@ -126,7 +126,7 @@ to look up valid CRLs.
=item B<-engine> I<id>
Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
Specifying an engine I<id> will cause L<verify(1)> to attempt to load the
specified engine.
The engine will then be set as the default for all its supported algorithms.
If you want to load certificates or CRLs that require engine support via any of
@ -159,7 +159,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
@ -177,8 +177,8 @@ trusted certificate that might not be self-signed.
=item B<-policy> I<arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
RFC5280). The policy B<arg> can be an object name an OID in numeric form.
Enable policy processing and add I<arg> to the user-initial-policy-set (see
RFC5280). The policy I<arg> can be an object name an OID in numeric form.
This argument can appear more than once.
=item B<-policy_check>
@ -224,22 +224,22 @@ effect.
=item B<-untrusted> I<file>
A B<file> of additional untrusted certificates (intermediate issuer CAs) used
A I<file> of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
The B<file> should contain one or more certificates in PEM format.
The I<file> should contain one or more certificates in PEM format.
This option can be specified more than once to include untrusted certificates
from multiple B<files>.
from multiple I<file>s.
=item B<-trusted> I<file>
A B<file> of trusted certificates, which must be self-signed, unless the
A I<file> of trusted certificates, which must be self-signed, unless the
B<-partial_chain> option is specified.
The B<file> contains one or more certificates in PEM format.
The I<file> contains one or more certificates in PEM format.
With this option, no additional (e.g., default) certificate lists are
consulted.
That is, the only trust-anchors are those listed in B<file>.
That is, the only trust-anchors are those listed in I<file>.
This option can be specified more than once to include trusted certificates
from multiple B<files>.
from multiple I<file>s.
This option implies the B<-no-CAfile> and B<-no-CApath> options.
This option cannot be used in combination with either of the B<-CAfile> or
B<-CApath> options.
@ -254,11 +254,11 @@ Print extra information about the operations being performed.
=item B<-auth_level> I<level>
Set the certificate chain authentication security level to B<level>.
Set the certificate chain authentication security level to I<level>.
The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains.
For a certificate chain to validate, the public keys of all the certificates
must meet the specified security B<level>.
must meet the specified security I<level>.
The signature algorithm security level is enforced for all the certificates in
the chain except for the chain's I<trust anchor>, which is either directly
trusted or validated by means other than its signature.
@ -272,30 +272,30 @@ shorter than 1024 bits.
=item B<-verify_depth> I<num>
Limit the certificate chain to B<num> intermediate CA certificates.
A maximal depth chain can have up to B<num+2> certificates, since neither the
Limit the certificate chain to I<num> intermediate CA certificates.
A maximal depth chain can have up to I<num>+2 certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
B<-verify_depth> limit.
=item B<-verify_email> I<email>
Verify if the B<email> matches the email address in Subject Alternative Name or
Verify if I<email> matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
=item B<-verify_hostname> I<hostname>
Verify if the B<hostname> matches DNS name in Subject Alternative Name or
Verify if I<hostname> matches DNS name in Subject Alternative Name or
Common Name in the subject certificate.
=item B<-verify_ip> I<ip>
Verify if the B<ip> matches the IP address in Subject Alternative Name of
Verify if I<ip> matches the IP address in Subject Alternative Name of
the subject certificate.
=item B<-verify_name> I<name>
Use default verification policies like trust model and required certificate
policies identified by B<name>.
policies identified by I<name>.
The trust model determines which auxiliary trust or reject OIDs are applicable
to verifying the given certificate chain.
See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
@ -335,7 +335,7 @@ Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
with a B<->.
=item B<certificates>
=item I<certificate> ...
One or more certificates to verify. If no certificates are given, B<verify>
will attempt to read a certificate from standard input. Certificates must be

16
doc/man1/openssl-x509.pod
View File

@ -136,7 +136,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<x509>
Specifying an engine (by its unique I<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@ -170,7 +170,7 @@ See the L<x509v3_config(5)> manual page for the extension names.
=item B<-certopt> I<option>
Customise the output format used with B<-text>. The B<option> argument
Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
options. See the B<TEXT OPTIONS> section for more information.
@ -231,7 +231,7 @@ Outputs the issuer name.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the B<NAME OPTIONS> section for more information.
@ -257,7 +257,7 @@ Prints out the start and expiry dates of a certificate.
=item B<-checkend> I<arg>
Checks if the certificate expires within the next B<arg> seconds and exits
Checks if the certificate expires within the next I<arg> seconds and exits
nonzero if yes it will expire or zero if not.
=item B<-fingerprint>
@ -372,7 +372,7 @@ Names and values of these options are algorithm-specific.
=item B<-passin> I<arg>
The key password source. For more information about the format of B<arg>
The key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-clrext>
@ -470,7 +470,7 @@ Instead, the B<-subj> and <-force_pubkey> options need to be given.
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in B<filename>
When a certificate is created set its public key to the key in I<filename>
instead of the key contained in the input or given with the B<-signkey> option.
This option is useful for creating self-issued certificates that are not
@ -499,8 +499,8 @@ or certificate request.
=head2 Name Options
The B<nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<nameopt> switch is present the default "oneline"
The B<-nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<-nameopt> switch is present the default "oneline"
format is used which is compatible with previous versions of OpenSSL.
Each option is described in detail below, all options can be preceded by
a B<-> to turn the option off. Only the first four will normally be used.

36
doc/man1/openssl.pod
View File

@ -8,10 +8,10 @@ openssl - OpenSSL command line tool
B<openssl>
I<command>
[ I<command_opts> ]
[ I<command_args> ]
[ I<command_opts> ... ]
[ I<command_args> ... ]
B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>]
B<openssl> B<list> [ B<-standard-commands> | B<-digest-commands> | B<-cipher-commands> | B<-cipher-algorithms> | B<-digest-algorithms> | B<-mac-algorithms> | B<-public-key-algorithms>]
B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
@ -52,18 +52,18 @@ B<openssl.cnf> in the default certificate storage area, whose value
depends on the configuration flags specified when the OpenSSL
was built.
The list parameters B<standard-commands>, B<digest-commands>,
and B<cipher-commands> output a list (one entry per line) of the names
The list options B<-standard-commands>, B<-digest-commands>,
and B<-cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present B<openssl> utility.
The list parameters B<cipher-algorithms>, B<digest-algorithms>,
and B<mac-algorithms> list all cipher, message digest, and message
The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
and B<-mac-algorithms> list all cipher, message digest, and message
authentication code names, one entry per line. Aliases are listed as:
from => to
The list parameter B<public-key-algorithms> lists all supported public
The list parameter B<-public-key-algorithms> lists all supported public
key algorithms.
The command B<no->I<XXX> tests whether a command of the
@ -514,29 +514,29 @@ L<passphrase-encoding(7)>.
=over 4
=item B<pass:password>
=item B<pass:>I<password>
The actual password is B<password>. Since the password is visible
The actual password is I<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
=item B<env:var>
=item B<env:>I<var>
Obtain the password from the environment variable B<var>. Since
Obtain the password from the environment variable I<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
=item B<file:pathname>
=item B<file:>I<pathname>
The first line of B<pathname> is the password. If the same B<pathname>
The first line of I<pathname> is the password. If the same I<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
password. I<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.
=item B<fd:number>
=item B<fd:>I<number>
Read the password from the file descriptor B<number>. This can be used to
Read the password from the file descriptor I<number>. This can be used to
send the data via a pipe for example.
=item B<stdin>
@ -671,7 +671,7 @@ L<x509v3_config(5)>
=head1 HISTORY
The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.