Document the -inform, etc., in openssl.pod

Add P12 format description. Remove PEM NOTES sections; it's in openssl.pod Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10142)
2019-10-09 21:48:33 -04:00 · 2019-10-09 21:48:33 -04:00 · 777182a0c7
parent 3c77a41b30
commit 777182a0c7
27 changed files with 303 additions and 368 deletions
--- a/doc/man1/openssl-asn1parse.pod
+++ b/doc/man1/openssl-asn1parse.pod
@ -39,8 +39,8 @@ Print out a usage message.
 =item B<-inform> B<DER>|B<PEM>
-The input format. B<DER> is binary format and B<PEM> (the default) is base64
+The input format; the default is B<PEM>.
-encoded.
+See L<openssl(1)/Format Options> for details.
 =item B<-in> I<filename>
--- a/doc/man1/openssl-ca.pod
+++ b/doc/man1/openssl-ca.pod
@ -135,8 +135,8 @@ The private key to sign requests with.
 =item B<-keyform> B<DER>|B<PEM>
-The format of the data in the private key file.
+The format of the private key file; the default is B<PEM>.
-The default is PEM.
+See L<openssl(1)/Format Options> for details.
 =item B<-sigopt> I<nm>:I<v>
--- a/doc/man1/openssl-cms.pod
+++ b/doc/man1/openssl-cms.pod
@ -25,10 +25,11 @@ B<openssl> B<cms>
 [B<-sign_receipt>]
 [B<-verify_receipt> I<receipt>]
 [B<-in> I<filename>]
 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
 [B<-rctform> B<DER>|B<PEM>|B<SMIME>]
 [B<-out> I<filename>]
 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
 [B<-rctform> B<DER>|B<PEM>|B<SMIME>]
 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
 [B<-stream>]
 [B<-indef>]
 [B<-noindef>]
@ -216,33 +217,33 @@ to the B<-verify> operation.
 The input message to be encrypted or signed or the message to be decrypted
 or verified.
 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
 This specifies the input format for the CMS structure. The default
 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
 format change this to expect PEM and DER format CMS structures
 instead. This currently only affects the input format of the CMS
 structure, if no CMS structure is being input (for example with
 B<-encrypt> or B<-sign>) this option has no effect.
 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
 Specify the format for a signed receipt for use with the B<-receipt_verify>
 operation.
 =item B<-out> I<filename>
 The message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
 The input format of the CMS structure (if one is being read);
 the default is B<SMIME>.
 See L<openssl(1)/Format Options> for details.
 =item B<-outform> B<DER>|B<PEM>|B<SMIME>
-This specifies the output format for the CMS structure. The default
+The output format of the CMS structure (if one is being written);
-is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
+the default is B<SMIME>.
-format change this to write PEM and DER format CMS structures
+See L<openssl(1)/Format Options> for details.
-instead. This currently only affects the output format of the CMS
+
-structure, if no CMS structure is being output (for example with
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-B<-verify> or B<-decrypt>) this option has no effect.
+
 The format of the private key file; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-rctform> B<DER>|B<PEM>|B<SMIME>
 The signed receipt format for use with the B<-receipt_verify>; the default
 is B<SMIME>.
 See L<openssl(1)/Format Options> for details.
 =item B<-stream>, B<-indef>, B<-noindef>
--- a/doc/man1/openssl-crl.pod
+++ b/doc/man1/openssl-crl.pod
@ -10,6 +10,7 @@ B<openssl> B<crl>
 [B<-help>]
 [B<-inform> B<DER>|B<PEM>]
 [B<-outform> B<DER>|B<PEM>]
 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
 [B<-text>]
 [B<-in> I<filename>]
 [B<-out> I<filename>]
@ -38,16 +39,15 @@ This command processes CRL files in DER or PEM format.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. B<DER> format is DER encoded CRL
+The input and output formats of the CRL; the default is B<PEM>.
-structure. B<PEM> (the default) is a base64 encoded version of
+See L<openssl(1)/Format Options> for details.
 the DER form with header and footer lines.
-=item B<-outform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-This specifies the output format, the options have the same meaning and default
+The format of the private key file; the default is B<PEM>.
-as the B<-inform> option.
+See L<openssl(1)/Format Options> for details.
 =item B<-in> I<filename>
@ -100,13 +100,6 @@ See L<openssl(1)/Trusted Certificate Options> for more information.
 =back
 =head1 NOTES
 The PEM CRL format uses the header and footer lines:
 -----BEGIN X509 CRL-----
 -----END X509 CRL-----
 =head1 EXAMPLES
 Convert a CRL file from PEM to DER:
--- a/doc/man1/openssl-crl2pkcs7.pod
+++ b/doc/man1/openssl-crl2pkcs7.pod
@ -31,15 +31,13 @@ Print out a usage message.
 =item B<-inform> B<DER>|B<PEM>
-This specifies the CRL input format. B<DER> format is DER encoded CRL
+The input format of the CRL; the default is B<PEM>.
-structure.B<PEM> (the default) is a base64 encoded version of
+See L<openssl(1)/Format Options> for details.
 the DER form with header and footer lines. The default format is PEM.
 =item B<-outform> B<DER>|B<PEM>
-This specifies the PKCS#7 structure output format. B<DER> format is DER
+The output format of the PKCS#7 object; the default is B<PEM>.
-encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
+See L<openssl(1)/Format Options> for details.
 the DER form with header and footer lines. The default format is PEM.
 =item B<-in> I<filename>
--- a/doc/man1/openssl-dgst.pod
+++ b/doc/man1/openssl-dgst.pod
@ -17,7 +17,7 @@ B<openssl> B<dgst>|I<digest>
 [B<-r>]
 [B<-out> I<filename>]
 [B<-sign> I<filename>]
-[B<-keyform> I<arg>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
 [B<-passin> I<arg>]
 [B<-verify> I<filename>]
 [B<-prverify> I<filename>]
@ -94,10 +94,10 @@ Digitally sign the digest using the private key in "filename". Note this option
 does not support Ed25519 or Ed448 private keys. Use the L<openssl-pkeyutl(1)>
 command instead for this.
-=item B<-keyform> I<arg>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-Specifies the key format to sign digest with. The DER, PEM, P12,
+The format of the key to sign with; the default is B<PEM>.
-and ENGINE formats are supported.
+See L<openssl(1)/Format Options> for details.
 =item B<-sigopt> I<nm>:I<v>
--- a/doc/man1/openssl-dhparam.pod
+++ b/doc/man1/openssl-dhparam.pod
@ -39,17 +39,11 @@ This command is used to manipulate DH parameter files.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+The input format and output format; the default is B<PEM>.
-form compatible with the PKCS#3 DHparameter structure. The PEM form is the
+The object is compatible with the PKCS#3 B<DHparameter> structure.
-default format: it consists of the B<DER> format base64 encoded with
+See L<openssl(1)/Format Options> for details.
 additional header and footer lines.
 =item B<-outform> B<DER>|B<PEM>
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -130,11 +124,6 @@ may have different purposes in future versions of OpenSSL.
 =head1 NOTES
 PEM format DH parameters use the header and footer lines:
 -----BEGIN DH PARAMETERS-----
 -----END DH PARAMETERS-----
 OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
 DH.
--- a/doc/man1/openssl-dsa.pod
+++ b/doc/man1/openssl-dsa.pod
@ -50,22 +50,16 @@ applications should use the more secure PKCS#8 format using the B<pkcs8>
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option with a private key uses
+The input and formats; the default is B<PEM>.
-an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
+See L<openssl(1)/Format Options> for details.
 version (currently zero), p, q, g, the public and private key components
 respectively as ASN.1 INTEGERs. When used with a public key it uses a
 SubjectPublicKeyInfo structure: it is an error if the key is not DSA.
-The B<PEM> form is the default format: it consists of the B<DER> format base64
+Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
-encoded with additional header and footer lines. In the case of a private key
+B<q>, B<g>, and the public and and private key components.  Public keys
-PKCS#8 format is also accepted.
+are a B<SubjectPublicKeyInfo> structure with the B<DSA> type.
-=item B<-outform> B<DER>|B<PEM>
+The B<PEM> format also accepts PKCS#8 data.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -128,18 +122,6 @@ for all available algorithms.
 =back
 =head1 NOTES
 The PEM private key format uses the header and footer lines:
 -----BEGIN DSA PRIVATE KEY-----
 -----END DSA PRIVATE KEY-----
 The PEM public key format uses the header and footer lines:
 -----BEGIN PUBLIC KEY-----
 -----END PUBLIC KEY-----
 =head1 EXAMPLES
 To remove the pass phrase on a DSA private key:
--- a/doc/man1/openssl-dsaparam.pod
+++ b/doc/man1/openssl-dsaparam.pod
@ -26,6 +26,9 @@ B<openssl dsaparam>
 This command is used to manipulate or generate DSA parameter files.
 DSA parameter generation can be a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.
 =head1 OPTIONS
 =over 4
@ -34,17 +37,13 @@ This command is used to manipulate or generate DSA parameter files.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+The input and formats; the default is B<PEM>.
-form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
+See L<openssl(1)/Format Options> for details.
 of p, q and g respectively. The PEM form is the default format: it consists
 of the B<DER> format base64 encoded with additional header and footer lines.
-=item B<-outform> B<DER>|B<PEM>
+Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>.
-
+This is compatible with RFC 2459 B<DSS-Parms> structure.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -99,16 +98,6 @@ the input file (if any) is ignored.
 =back
 =head1 NOTES
 PEM format DSA parameters use the header and footer lines:
 -----BEGIN DSA PARAMETERS-----
 -----END DSA PARAMETERS-----
 DSA parameter generation is a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.
 =head1 SEE ALSO
 L<openssl(1)>,
--- a/doc/man1/openssl-ec.pod
+++ b/doc/man1/openssl-ec.pod
@ -46,19 +46,13 @@ PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option with a private key uses
+The input and formats; the default is B<PEM>.
-an ASN.1 DER encoded SEC1 private key. When used with a public key it
+See L<openssl(1)/Format Options> for details.
 uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
 The B<PEM> form is the default format: it consists of the B<DER> format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.
-=item B<-outform> B<DER>|B<PEM>
+Private keys are an SEC1 private key or PKCS#8 format.
-
+Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -146,18 +140,6 @@ for all available algorithms.
 =back
 =head1 NOTES
 The PEM private key format uses the header and footer lines:
 -----BEGIN EC PRIVATE KEY-----
 -----END EC PRIVATE KEY-----
 The PEM public key format uses the header and footer lines:
 -----BEGIN PUBLIC KEY-----
 -----END PUBLIC KEY-----
 =head1 EXAMPLES
 To encrypt a private key using triple DES:
--- a/doc/man1/openssl-ecparam.pod
+++ b/doc/man1/openssl-ecparam.pod
@ -33,6 +33,9 @@ B<openssl ecparam>
 This command is used to manipulate or generate EC parameter files.
 OpenSSL is currently not able to generate new groups and therefore
 this command can only create EC parameters from known (named) curves.
 =head1 OPTIONS
 =over 4
@ -41,17 +44,12 @@ This command is used to manipulate or generate EC parameter files.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
+The input and formats; the default is B<PEM>.
-form compatible with RFC 3279 EcpkParameters. The PEM form is the default
+See L<openssl(1)/Format Options> for details.
 format: it consists of the B<DER> format base64 encoded with additional
 header and footer lines.
-=item B<-outform> B<DER>|B<PEM>
+Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -137,16 +135,6 @@ for all available algorithms.
 =back
 =head1 NOTES
 PEM format EC parameters use the header and footer lines:
 -----BEGIN EC PARAMETERS-----
 -----END EC PARAMETERS-----
 OpenSSL is currently not able to generate new groups and therefore
 B<openssl ecparam> can only create EC parameters from known (named) curves.
 =head1 EXAMPLES
 To create EC parameters with the group 'prime192v1':
--- a/doc/man1/openssl-genpkey.pod
+++ b/doc/man1/openssl-genpkey.pod
@ -40,7 +40,8 @@ standard output is used.
 =item B<-outform> B<DER>|B<PEM>
-This specifies the output format DER or PEM. The default format is PEM.
+The output format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-pass> I<arg>
--- a/doc/man1/openssl-nseq.pod
+++ b/doc/man1/openssl-nseq.pod
@ -19,6 +19,11 @@ sequence and prints out the certificates contained in it or takes a
 file of certificates and converts it into a Netscape certificate
 sequence.
 A Netscape certificate sequence is an old Netscape-specific format that
 can be sometimes be sent to browsers as an alternative to the standard PKCS#7
 format when several certificates are sent to the browser, for example during
 certificate enrollment.  It was also used by Netscape certificate server.
 =head1 OPTIONS
 =over 4
@ -55,23 +60,6 @@ Create a Netscape certificate sequence
 openssl nseq -in certs.pem -toseq -out nseq.pem
 =head1 NOTES
 The B<PEM> encoded form uses the same headers and footers as a certificate:
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 A Netscape certificate sequence is a Netscape specific format that can be sent
 to browsers as an alternative to the standard PKCS#7 format when several
 certificates are sent to the browser: for example during certificate enrollment.
 It is used by Netscape certificate server for example.
 =head1 BUGS
 This program needs a few more options: like allowing DER or PEM input and
 output files and allowing multiple certificate files to be used.
 =head1 COPYRIGHT
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
--- a/doc/man1/openssl-pkcs7.pod
+++ b/doc/man1/openssl-pkcs7.pod
@ -21,7 +21,11 @@ B<openssl> B<pkcs7>
 =head1 DESCRIPTION
-This command processes PKCS#7 files in DER or PEM format.
+This command processes PKCS#7 files.  Note that it only understands PKCS#7
 v 1.5 as specified in IETF RFC 2315.  It cannot currently parse CMS as
 described in IETF RFC 2630.
 There is no option to print out all the fields of a PKCS#7 file.
 =head1 OPTIONS
@ -31,16 +35,12 @@ This command processes PKCS#7 files in DER or PEM format.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. B<DER> format is DER encoded PKCS#7
+The input and formats; the default is B<PEM>.
-v1.5 structure.B<PEM> (the default) is a base64 encoded version of
+See L<openssl(1)/Format Options> for details.
 the DER form with header and footer lines.
-=item B<-outform> B<DER>|B<PEM>
+The data is a PKCS#7 Version 1.5 structure.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -86,25 +86,6 @@ Output all certificates in a file:
 openssl pkcs7 -in file.pem -print_certs -out certs.pem
 =head1 NOTES
 The PEM PKCS#7 format uses the header and footer lines:
 -----BEGIN PKCS7-----
 -----END PKCS7-----
 For compatibility with some CAs it will also accept:
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 =head1 RESTRICTIONS
 There is no option to print out all the fields of a PKCS#7 file.
 This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
 cannot currently parse, for example, the new CMS as described in RFC2630.
 =head1 SEE ALSO
 L<openssl(1)>,
--- a/doc/man1/openssl-pkcs8.pod
+++ b/doc/man1/openssl-pkcs8.pod
@ -52,15 +52,27 @@ Normally a PKCS#8 private key is expected on input and a private key will be
 written to the output file. With the B<-topk8> option the situation is
 reversed: it reads a private key and writes a PKCS#8 format key.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format: see L<KEY FORMATS> for more details. The default
+The input and formats; the default is B<PEM>.
-format is PEM.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
+If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
 not used) then the input file must be in PKCS#8 format. An encrypted
 key is expected unless B<-nocrypt> is included.
 If B<-topk8> is not used and B<PEM> mode is set the output file will be an
 unencrypted private key in PKCS#8 format. If the B<-traditional> option is
 used then a traditional format private key is written instead.
 If B<-topk8> is not used and B<DER> mode is set the output file will be an
 unencrypted private key in traditional DER format.
 If B<-topk8> is used then any supported private key can be used for the input
 file in a format specified by B<-inform>. The output file will be encrypted
 PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
 is included.
 This specifies the output format: see L<KEY FORMATS> for more details. The default
 format is PEM.
 =item B<-traditional>
@ -148,27 +160,6 @@ Sets the scrypt I<N>, I<r> or I<p> parameters.
 =back
 =head1 KEY FORMATS
 Various different formats are used by this command. These are detailed
 below.
 If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
 not used) then the input file must be in PKCS#8 format. An encrypted
 key is expected unless B<-nocrypt> is included.
 If B<-topk8> is not used and B<PEM> mode is set the output file will be an
 unencrypted private key in PKCS#8 format. If the B<-traditional> option is
 used then a traditional format private key is written instead.
 If B<-topk8> is not used and B<DER> mode is set the output file will be an
 unencrypted private key in traditional DER format.
 If B<-topk8> is used then any supported private key can be used for the input
 file in a format specified by B<-inform>. The output file will be encrypted
 PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
 is included.
 =head1 NOTES
 By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
@ -178,17 +169,6 @@ Some older implementations do not support PKCS#5 v2.0 format and require
 the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
 encryption algorithms such as 56 bit DES.
 The encrypted form of a PEM encode PKCS#8 files uses the following
 headers and footers:
 -----BEGIN ENCRYPTED PRIVATE KEY-----
 -----END ENCRYPTED PRIVATE KEY-----
 The unencrypted form uses:
 -----BEGIN PRIVATE KEY-----
 -----END PRIVATE KEY-----
 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
 counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
--- a/doc/man1/openssl-pkey.pod
+++ b/doc/man1/openssl-pkey.pod
@ -40,14 +40,10 @@ converted between various forms and their components printed out.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format DER or PEM. The default format is PEM.
+The input and formats; the default is B<PEM>.
-
+See L<openssl(1)/Format Options> for details.
 =item B<-outform> B<DER>|B<PEM>
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
--- a/doc/man1/openssl-pkeyutl.pod
+++ b/doc/man1/openssl-pkeyutl.pod
@ -90,7 +90,8 @@ The input key file, by default it should be a private key.
 =item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-The key format PEM, DER or ENGINE. Default is PEM.
+The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-passin> I<arg>
@ -103,7 +104,8 @@ The peer key file, used by key derivation (agreement) operations.
 =item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
-The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
+The peer key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-pubin>
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
@ -67,17 +67,12 @@ for use as root CAs for example.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+The input and formats; the default is B<PEM>.
-form compatible with the PKCS#10. The B<PEM> form is the default format: it
+See L<openssl(1)/Format Options> for details.
 consists of the B<DER> format base64 encoded with additional header and
 footer lines.
-=item B<-outform> B<DER>|B<PEM>
+The data is a PKCS#10 object.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -182,8 +177,8 @@ accepts PKCS#8 format private keys for PEM format files.
 =item B<-keyform> B<DER>|B<PEM>
-The format of the private key file specified in the B<-key>
+The format of the private key; the default is B<PEM>.
-argument. PEM is the default.
+See L<openssl(1)/Format Options> for details.
 =item B<-keyout> I<filename>
@ -628,23 +623,10 @@ on the command line:
 =head1 NOTES
 The header and footer lines in the B<PEM> format are normally:
 -----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----
 some software (some versions of Netscape certificate server) instead needs:
 -----BEGIN NEW CERTIFICATE REQUEST-----
 -----END NEW CERTIFICATE REQUEST-----
 which is produced with the B<-newhdr> option but is otherwise compatible.
 Either form is accepted transparently on input.
 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of
 key (signature only or general purpose) and any additional OIDs entered
-by the script in an extendedKeyUsage extension.
+by the script in an B<extendedKeyUsage> extension.
 =head1 DIAGNOSTICS
--- a/doc/man1/openssl-rsa.pod
+++ b/doc/man1/openssl-rsa.pod
@ -54,18 +54,16 @@ L<openssl-pkcs8(1)> command.
 Print out a usage message.
 =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
 The input and formats; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-inform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
-form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
+On input, PKCS#8 format private keys are also accepted.
 The B<PEM> form is the default format: it consists of the B<DER> format base64
 encoded with additional header and footer lines. On input PKCS#8 format private
 keys are also accepted.
 =item B<-outform> B<DER>|B<PEM>
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -137,23 +135,6 @@ for all available algorithms.
 =back
 =head1 NOTES
 The PEM private key format uses the header and footer lines:
 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----
 The PEM public key format uses the header and footer lines:
 -----BEGIN PUBLIC KEY-----
 -----END PUBLIC KEY-----
 The PEM B<RSAPublicKey> format uses the header and footer lines:
 -----BEGIN RSA PUBLIC KEY-----
 -----END RSA PUBLIC KEY-----
 =head1 EXAMPLES
 To remove the pass phrase on an RSA private key:
--- a/doc/man1/openssl-rsautl.pod
+++ b/doc/man1/openssl-rsautl.pod
@ -57,7 +57,8 @@ The input key file, by default it should be an RSA private key.
 =item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-The key format PEM, DER or ENGINE.
+The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-pubin>
--- a/doc/man1/openssl-s_client.pod
+++ b/doc/man1/openssl-s_client.pod
@ -22,6 +22,7 @@ B<openssl> B<s_client>
 [B<-verify_return_error>]
 [B<-cert> I<filename>]
 [B<-certform> B<DER>|B<PEM>]
 [B<-CRLform> B<DER>|B<PEM>]
 [B<-key> I<filename>]
 [B<-keyform> B<DER>|B<PEM>]
 [B<-cert_chain> I<filename>]
@ -244,6 +245,11 @@ not to use a certificate.
 The certificate format to use: DER or PEM. PEM is the default.
 =item B<-CRLform> B<DER>|B<PEM>
 The CRL format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-key> I<keyfile>
 The private key to use. If not specified then the certificate file will
@ -251,7 +257,8 @@ be used.
 =item B<-keyform> I<format>
-The private format to use: DER or PEM. PEM is the default.
+The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-cert_chain>
@ -280,6 +287,7 @@ B<-xcert> I<infile>, B<-xchain> options.
 =item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
 Extra certificate and private key format respectively.
 See L<openssl(1)/Format Options> for details.
 =item B<-pass> I<arg>
--- a/doc/man1/openssl-s_server.pod
+++ b/doc/man1/openssl-s_server.pod
@ -23,7 +23,7 @@ B<openssl> B<s_server>
 [B<-serverinfo> I<val>]
 [B<-certform> B<DER>|B<PEM>]
 [B<-key> I<infile>]
-[B<-keyform> I<format>]
+[B<-keyform> B<DER>|B<PEM>]
 [B<-pass> I<val>]
 [B<-dcert> I<infile>]
 [B<-dcertform> B<DER>|B<PEM>]
@ -64,7 +64,6 @@ B<openssl> B<s_server>
 [B<-verifyCApath> I<dir>]
 [B<-no_cache>]
 [B<-ext_cache>]
 [B<-CRLform> B<DER>|B<PEM>]
 [B<-verify_return_error>]
 [B<-verify_quiet>]
 [B<-build_chain>]
@ -151,6 +150,7 @@ B<openssl> B<s_server>
 [B<-xcert>]
 [B<-xchain>]
 [B<-xchain_build>]
 [B<-CRLform> B<DER>|B<PEM>]
 [B<-xcertform> B<DER>|B<PEM>]
 [B<-xkeyform> B<DER>|B<PEM>]
 [B<-nbio>]
@ -290,22 +290,25 @@ followed by "length" bytes of extension data).  If the client sends
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
-The certificate format to use: DER or PEM. PEM is the default.
+The certificate and CRL format; the default is PEM.
 See L<openssl(1)/Format Options> for details.
 =item B<-key> I<infile>
 The private key to use. If not specified then the certificate file will
 be used.
-=item B<-keyform> I<format>
+=item B<-keyform> B<DER>|B<PEM>]
-The private format to use: DER or PEM. PEM is the default.
+The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-pass> I<val>
-The private key password source. For more information about the format of B<val>
+The private key password source.
 For more information about the format of I<val>,
 see L<openssl(1)/Pass Phrase Options>.
 =item B<-dcert> I<infile>, B<-dkey> I<infile>
@ -325,9 +328,16 @@ A file containing trusted certificates to use when attempting to build the
 server certificate chain when a certificate specified via the B<-dcert> option
 is in use.
-=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>, B<-dpass> I<val>
+=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
-Additional certificate and private key format and passphrase respectively.
+The format of the certificate and private key; the default is B<PEM>
 see L<openssl(1)/Format Options>.
 =item B<-dpass> I<val>
 The passphrase for the additional private key.
 For more information about the format of I<val>,
 see L<openssl(1)/Pass Phrase Options>.
 =item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
@ -344,7 +354,9 @@ B<-xcert> I<infile>, B<-xchain> options.
 =item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-Extra certificate and private key format respectively.
+The format for the extra certificate and private key, respectively;
 the default format is B<PEM>.
 see L<openssl(1)/Pass Phrase Options>.
 =item B<-nbio_test>
--- a/doc/man1/openssl-sess_id.pod
+++ b/doc/man1/openssl-sess_id.pod
@ -24,6 +24,9 @@ the SSL session master key) in human readable format. Since this is a
 diagnostic tool that needs some knowledge of the SSL protocol to use
 properly, most users will not need to use it.
 The precise format of the data can vary across OpenSSL versions and
 is not documented.
 =head1 OPTIONS
 =over 4
@ -32,18 +35,13 @@ properly, most users will not need to use it.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>|B<NSS>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
+The input and output formats; the default is PEM.
-format containing session details. The precise format can vary from one version
+See L<openssl(1)/Format Options> for details.
 to the next.  The B<PEM> form is the default format: it consists of the B<DER>
 format base64 encoded with additional header and footer lines.
-=item B<-outform> B<DER>|B<PEM>|B<NSS>
+For B<NSS> output, the session ID and master key are reported in NSS "keylog"
-
+format.
 This specifies the output format. The B<PEM> and B<DER> options have the same
 meaning and default as the B<-inform> option. The B<NSS> option outputs the
 session id and the master key in NSS keylog format.
 =item B<-in> I<filename>
@ -134,11 +132,6 @@ This is the return code when an SSL client certificate is verified.
 =head1 NOTES
 The PEM encoded session format uses the header and footer lines:
 -----BEGIN SSL SESSION PARAMETERS-----
 -----END SSL SESSION PARAMETERS-----
 Since the SSL session output contains the master key it is
 possible to read the contents of an encrypted session using this
 information. Therefore appropriate security precautions should be taken if
--- a/doc/man1/openssl-smime.pod
+++ b/doc/man1/openssl-smime.pod
@ -53,10 +53,11 @@ B<openssl> B<smime>
 [B<-signer> I<file>]
 [B<-recip> I< file>]
 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
 [B<-passin> I<arg>]
 [B<-inkey> I<file_or_id>]
 [B<-out> I<file>]
 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
 [B<-content> I<file>]
 [B<-to> I<addr>]
 [B<-from> I<ad>]
@ -126,28 +127,27 @@ Resign a message: take an existing message and one or more new signers.
 The input message to be encrypted or signed or the MIME message to
 be decrypted or verified.
 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
 This specifies the input format for the PKCS#7 structure. The default
 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
 format change this to expect PEM and DER format PKCS#7 structures
 instead. This currently only affects the input format of the PKCS#7
 structure, if no PKCS#7 structure is being input (for example with
 B<-encrypt> or B<-sign>) this option has no effect.
 =item B<-out> I<filename>
 The message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 =item B<-inform> B<DER>|B<PEM>|B<SMIME>
 The input format of the PKCS#7 (S/MIME) structure (if one is being read);
 the default is B<SMIME>.
 See L<openssl(1)/Format Options> for details.
 =item B<-outform> B<DER>|B<PEM>|B<SMIME>
-This specifies the output format for the PKCS#7 structure. The default
+The output format of the PKCS#7 (S/MIME) structure (if one is being written);
-is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
+the default is B<SMIME>.
-format change this to write PEM and DER format PKCS#7 structures
+See L<openssl(1)/Format Options> for details.
-instead. This currently only affects the output format of the PKCS#7
+
-structure, if no PKCS#7 structure is being output (for example with
+=item B<-keyform> B<DER>|B<PEM>
-B<-verify> or B<-decrypt>) this option has no effect.
+
 The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-stream>, B<-indef>, B<-noindef>
--- a/doc/man1/openssl-spkac.pod
+++ b/doc/man1/openssl-spkac.pod
@ -55,8 +55,8 @@ present.
 =item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-Whether the key format is PEM, DER, or an engine-backed key.
+The key format; the default is B<PEM>.
-The default is PEM.
+See L<openssl(1)/Format Options> for details.
 =item B<-passin> I<arg>
--- a/doc/man1/openssl-x509.pod
+++ b/doc/man1/openssl-x509.pod
@ -90,18 +90,13 @@ various sections.
 Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format normally the command will expect an X509
+The input and formats; the default is B<PEM>.
-certificate but this can change if other options such as B<-req> are
+See L<openssl(1)/Format Options> for details.
 present. The DER format is the DER encoding of the certificate and PEM
 is the base64 encoding of the DER encoding with header and footer lines
 added. The default format is PEM.
-=item B<-outform> B<DER>|B<PEM>
+The input is normally an X.509 certificate, but this can change if other
-
+options such as B<-req> are used.
 This specifies the output format, the options have the same meaning and default
 as the B<-inform> option.
 =item B<-in> I<filename>
@ -376,8 +371,13 @@ retained.
 =item B<-keyform> B<DER>|B<PEM>
-Specifies the format (DER or PEM) of the private key file used in the
+The key format; the default is B<PEM>.
-B<-signkey> option.
+See L<openssl(1)/Format Options> for details.
 =item B<-CAform> B<DER>|B<PEM>, B<-CAkeyform> B<DER>|B<PEM>
 The format for the CA certificate and key; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 =item B<-days> I<arg>
@ -782,21 +782,6 @@ Set a certificate to be trusted for SSL client use and change set its alias to
 =head1 NOTES
 The PEM format uses the header and footer lines:
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----
 it will also handle files containing:
 -----BEGIN X509 CERTIFICATE-----
 -----END X509 CERTIFICATE-----
 Trusted certificates have the lines
 -----BEGIN TRUSTED CERTIFICATE-----
 -----END TRUSTED CERTIFICATE-----
 The conversion to UTF8 format used with the name options assumes that
 T61Strings use the ISO8859-1 character set. This is wrong but Netscape
 and MSIE do this as do many certificates. So although this is incorrect
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@ -516,6 +516,109 @@ parameters start with a minus sign:
 =back
 =head2 Format Options
 Several OpenSSL commands can take input or generate output in a variety
 of formats. The list of acceptable formats, and the default, is
 described in each command documentation.  The list of formats is
 described below. Both uppercase and lowercase are accepted.
 =over 4
 =item B<DER>
 A binary format, encoded or parsed according to Distinguished Encoding Rules
 (DER) of the ASN.1 data language.
 =item B<ENGINE>
 Used to specify that the cryptographic material is in an OpenSSL B<engine>.
 An engine must be configured or specified using the B<-engine> option.
 In addition, the B<-input> flag can be used to name a specific object in
 the engine.
 A password, such as the B<-passin> flag often must be specified as well.
 =item B<P12>
 A DER-encoded file containing a PKCS#12 object.
 It might be necessary to provide a decryption password to retrieve
 the private key.
 =item B<PEM>
 A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is
 a block of base-64 encoding (defined in IETF RFC 4648), with specific
 lines used to mark the start and end:
 Text before the BEGIN line is ignored.
 ----- BEGIN object-type -----
 OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
 xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
 UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
 ----- END object-type -----
 Text after the END line is also ignored
 The I<object-type> must match the type of object that is expected.
 For example a C<BEGIN X509 CERTIFICATE> will not match if the command
 is trying to read a private key. The types supported include:
 ANY PRIVATE KEY
 CERTIFICATE
 CERTIFICATE REQUEST
 CMS
 DH PARAMETERS
 DSA PARAMETERS
 DSA PUBLIC KEY
 EC PARAMETERS
 EC PRIVATE KEY
 ECDSA PUBLIC KEY
 ENCRYPTED PRIVATE KEY
 PARAMETERS
 PKCS #7 SIGNED DATA
 PKCS7
 PRIVATE KEY
 PUBLIC KEY
 RSA PRIVATE KEY
 SSL SESSION PARAMETERS
 TRUSTED CERTIFICATE
 X509 CRL
 X9.42 DH PARAMETERS
 The following legacy I<object-type>'s are also supported for compatibility
 with earlier releases:
 DSA PRIVATE KEY
 NEW CERTIFICATE REQUEST
 RSA PUBLIC KEY
 X509 CERTIFICATE
 =item B<SMIME>
 An S/MIME object as described in IETF RFC 8551.
 Earlier versions were known as CMS and are compatible.
 Note that the parsing is simple and might fail to parse some legal data.
 =back
 The options to specify the format are as follows. Refer to the individual
 manpage to see which options are accepted.
 =over 4
 =item B<-inform> I<format>, B<-outform> I<format>
 The format of the input or output streams.
 =item B<-keyform> I<format>
 Format of a private key input source.
 =item B<-CRLform> I<fornat>
 Format of a CRL input source.
 =back
 =head2 Pass Phrase Options
 Several commands accept password arguments, typically using B<-passin>