clean up openssl req;

1 files changed, 247 insertions, 248 deletions

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index d728e90e5d..a181d5f8bb 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.35 2004/02/06 13:28:15 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.36 2004/02/18 21:06:40 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -4282,49 +4282,50 @@ Multiple files can be specified separated by a
 .Sh REQ
 .Nm openssl req
 .Bk -words
-.Op Fl inform Ar DER | PEM
-.Op Fl outform Ar DER | PEM
-.Op Fl in Ar file
-.Op Fl passin Ar arg
-.Op Fl out Ar file
-.Op Fl passout Ar arg
-.Op Fl text
-.Op Fl pubkey
-.Op Fl noout
-.Op Fl verify
+.Op Fl asn1-kludge
+.Op Fl batch
+.Op Fl md2 | md4 | md5 | sha1
 .Op Fl modulus
 .Op Fl new
-.Op Fl rand Ar file ...
+.Op Fl newhdr
+.Op Fl nodes
+.Op Fl noout
+.Op Fl pubkey
+.Op Fl subject
+.Op Fl text
+.Op Fl utf8
+.Op Fl verbose
+.Op Fl verify
+.Op Fl x509
+.Op Fl config Ar file
+.Op Fl days Ar n
+.Op Fl engine Ar id
+.Op Fl extensions Ar section
+.Op Fl in Ar file
+.Op Fl inform Ar DER | PEM
+.Op Fl key Ar file
+.Op Fl keyform Ar DER | PEM
+.Op Fl keyout Ar file
+.Op Fl nameopt Ar option
 .Oo Xo
 .Fl newkey
-.Ar rsa : Ns Ar bits
+.Ar dsa : Ns Ar file
 .Xc
 .Oc
 .Oo Xo
 .Fl newkey
-.Ar dsa : Ns Ar file
+.Ar rsa : Ns Ar bits
 .Xc
 .Oc
-.Op Fl nodes
-.Op Fl subject
-.Op Fl key Ar file
-.Op Fl keyform Ar DER | PEM
-.Op Fl keyout Ar file
-.Op Fl md5 | sha1 | md2 | md4
-.Op Fl config Ar file
-.Op Fl subj Ar arg
-.Op Fl x509
-.Op Fl days Ar n
-.Op Fl set_serial Ar n
-.Op Fl asn1-kludge
-.Op Fl newhdr
-.Op Fl extensions Ar section
+.Op Fl out Ar file
+.Op Fl outform Ar DER | PEM
+.Op Fl passin Ar arg
+.Op Fl passout Ar arg
+.Op Fl rand Ar file ...
 .Op Fl reqexts Ar section
-.Op Fl utf8
-.Op Fl nameopt
-.Op Fl batch
-.Op Fl verbose
-.Op Fl engine Ar id
+.Op Fl reqopt Ar option
+.Op Fl set_serial Ar n
+.Op Fl subj Ar arg
 .Ek
 .Pp
 The
@@ -4336,20 +4337,56 @@ for use as root CAs, for example.
 .Pp
 The options are as follows:
 .Bl -tag -width "XXXX"
-.It Fl inform Ar DER | PEM
-This specifies the input format.
-The
-.Ar DER
-argument uses an ASN1 DER-encoded form compatible with the PKCS#10.
-The
-.Ar PEM
-form is the default format:
-it consists of the DER format base64-encoded with additional header and
-footer lines.
-.It Fl outform Ar DER | PEM
-This specifies the output format; the options have the same meaning as the
-.Fl inform
-option.
+.It Fl asn1-kludge
+By default, the
+.Nm req
+command outputs certificate requests containing
+no attributes in the correct PKCS#10 format.
+However certain CAs will only
+accept requests containing no attributes in an invalid form: this
+option produces this invalid format.
+.Pp
+More precisely, the
+.Em Attributes
+in a PKCS#10 certificate request are defined as a SET OF Attribute.
+They are
+.Em not
+optional, so if no attributes are present then they should be encoded as an
+empty SET OF.
+The invalid form does not include the empty
+SET OF, whereas the correct form does.
+.Pp
+It should be noted that very few CAs still require the use of this option.
+.It Fl batch
+Non-interactive mode.
+.It Fl config Ar file
+This allows an alternative configuration file to be specified;
+this overrides the compile time filename or any specified in
+the
+.Ev OPENSSL_CONF
+environment variable.
+.It Fl days Ar n
+When the
+.Fl x509
+option is being used, this specifies the number of
+days to certify the certificate for.
+The default is 30 days.
+.It Fl engine Ar id
+Specifying an engine (by it's unique
+.Ar id
+string) will cause
+.Nm req
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default for all available algorithms.
+.It Fl extensions Ar section , Fl reqexts Ar section
+These options specify alternative sections to include certificate
+extensions (if the
+.Fl x509
+option is present) or certificate request extensions.
+This allows several different sections to
+be used in the same configuration file to specify requests for
+a variety of purposes.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4360,35 +4397,47 @@ A request is only read if the creation options
 and
 .Fl newkey
 are not specified.
-.It Fl passin Ar arg
-The input file password source.
-For more information about the format of
-.Ar arg ,
-see the
-.Sx PASS PHRASE ARGUMENTS
-section above.
-.It Fl out Ar file
-This specifies the output
+.It Fl inform Ar DER | PEM
+This specifies the input format.
+The
+.Ar DER
+argument uses an ASN1 DER-encoded form compatible with the PKCS#10.
+The
+.Ar PEM
+form is the default format:
+it consists of the DER format base64-encoded with additional header and
+footer lines.
+.It Fl key Ar file
+This specifies the file to read the private key from.
+It also accepts PKCS#8 format private keys for PEM format files.
+.It Fl keyform Ar DER | PEM
+The format of the private key file specified in the
+.Fl key
+argument.
+.Ar PEM
+is the default.
+.It Fl keyout Ar file
+This gives the
 .Ar file
-to write to, or standard output by default.
-.It Fl passout Ar arg
-The output file password source.
-For more information about the format of
-.Ar arg ,
-see the
-.Sx PASS PHRASE ARGUMENTS
-section above.
-.It Fl text
-Prints out the certificate request in text form.
-.It Fl pubkey
-Outputs the public key.
-.It Fl noout
-This option prevents output of the encoded version of the request.
+to write the newly created private key to.
+If this option is not specified, then the filename present in the
+configuration file is used.
+.It Fl md2 | md4 | md5 | sha1
+This specifies the message digest to sign the request with.
+This overrides the digest algorithm specified in the configuration file.
+This option is ignored for DSA requests: they always use SHA1.
 .It Fl modulus
 This option prints out the value of the modulus of the public key
 contained in the request.
-.It Fl verify
-Verifies the signature on the request.
+.It Fl nameopt Ar option , Fl reqopt Ar option
+These options determine how the subject or issuer names are displayed.
+The
+.Ar option
+argument can be a single option or multiple options separated by commas.
+Alternatively, these options may be used more than once to set multiple options.
+See the
+.Sx X509
+section below for details.
 .It Fl new
 This option generates a new certificate request.
 It will prompt the user for the relevant field values.
@@ -4399,12 +4448,12 @@ If the
 .Fl key
 option is not used, it will generate a new RSA private
 key using information specified in the configuration file.
-.It Fl rand Ar file ...
-A file or files containing random data used to seed the random number generator,
-or an EGD socket (see
-.Xr RAND_egd 3 ) .
-Multiple files can be specified separated by a
-.Sq \&: .
+.It Fl newhdr
+Adds the word NEW to the PEM file header and footer lines
+on the outputed request.
+Some software
+.Pq Netscape certificate server
+and some CAs need this.
 .It Fl newkey Ar arg
 This option creates a new certificate request and a new private key.
 The argument takes one of two forms:
@@ -4417,36 +4466,46 @@ in size.
 .Ar dsa : Ns Ar file
 generates a DSA key using the parameters in the file
 .Ar file .
-.It Fl key Ar file
-This specifies the file to read the private key from.
-It also accepts PKCS#8 format private keys for PEM format files.
-.It Fl keyform Ar DER | PEM
-The format of the private key file specified in the
-.Fl key
-argument.
-.Ar PEM
-is the default.
-.It Fl keyout Ar file
-This gives the
-.Ar file
-to write the newly created private key to.
-If this option is not specified, then the filename present in the
-configuration file is used.
 .It Fl nodes
 If this option is specified and a private key is created, it
 will not be encrypted.
-.It Fl subject
-Output the request's subject.
-.It Fl md5 | sha1 | md2 | md4
-This specifies the message digest to sign the request with.
-This overrides the digest algorithm specified in the configuration file.
-This option is ignored for DSA requests: they always use SHA1.
-.It Fl config Ar file
-This allows an alternative configuration file to be specified;
-this overrides the compile time filename or any specified in
-the
-.Ev OPENSSL_CONF
-environment variable.
+.It Fl noout
+This option prevents output of the encoded version of the request.
+.It Fl out Ar file
+This specifies the output
+.Ar file
+to write to, or standard output by default.
+.It Fl outform Ar DER | PEM
+This specifies the output format; the options have the same meaning as the
+.Fl inform
+option.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg ,
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg ,
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl pubkey
+Outputs the public key.
+.It Fl rand Ar file ...
+A file or files containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by a
+.Sq \&: .
+.It Fl set_serial Ar n
+Serial number to use when outputting a self-signed certificate.
+This may be specified as a decimal value or a hex value if preceded by
+.Sq 0x .
+It is possible to use negative serial numbers but this is not recommended.
 .It Fl subj Ar arg
 Sets subject name for new request or supersedes the subject name
 when processing a request.
@@ -4456,6 +4515,19 @@ characters may be escaped by
 .Sq \e
 .Pq backslash ,
 no spaces are skipped.
+.It Fl subject
+Output the request's subject.
+.It Fl text
+Prints out the certificate request in text form.
+.It Fl utf8
+This option causes field values to be interpreted as UTF8 strings;
+by default they are interpreted as ASCII.
+This means that the field values, whether prompted from a terminal or
+obtained from a configuration file, must be valid UTF8 strings.
+.It Fl verbose
+Print extra details about the operations being performed.
+.It Fl verify
+Verifies the signature on the request.
 .It Fl x509
 This option outputs a self-signed certificate instead of a certificate
 request.
@@ -4467,79 +4539,6 @@ are specified in the configuration file.
 Unless specified using the
 .Fl set_serial
 option, 0 will be used for the serial number.
-.It Fl days Ar n
-When the
-.Fl x509
-option is being used, this specifies the number of
-days to certify the certificate for.
-The default is 30 days.
-.It Fl set_serial Ar n
-Serial number to use when outputting a self-signed certificate.
-This may be specified as a decimal value or a hex value if preceded by
-.Sq 0x .
-It is possible to use negative serial numbers but this is not recommended.
-.It Fl extensions Ar section , Fl reqexts Ar section
-These options specify alternative sections to include certificate
-extensions (if the
-.Fl x509
-option is present) or certificate request extensions.
-This allows several different sections to
-be used in the same configuration file to specify requests for
-a variety of purposes.
-.It Fl utf8
-This option causes field values to be interpreted as UTF8 strings;
-by default they are interpreted as ASCII.
-This means that the field values, whether prompted from a terminal or
-obtained from a configuration file, must be valid UTF8 strings.
-.It Fl nameopt Ar option
-Option which determines how the subject or issuer names are displayed.
-The
-.Ar option
-argument can be a single option or multiple options separated by commas.
-Alternatively, the
-.Fl nameopt
-switch may be used more than once to set multiple options.
-See the
-.Sx X509
-section below for details.
-.It Fl asn1-kludge
-By default, the
-.Nm req
-command outputs certificate requests containing
-no attributes in the correct PKCS#10 format.
-However certain CAs will only
-accept requests containing no attributes in an invalid form: this
-option produces this invalid format.
-.Pp
-More precisely, the
-.Em Attributes
-in a PKCS#10 certificate request are defined as a SET OF Attribute.
-They are
-.Em not
-optional, so if no attributes are present then they should be encoded as an
-empty SET OF.
-The invalid form does not include the empty
-SET OF, whereas the correct form does.
-.Pp
-It should be noted that very few CAs still require the use of this option.
-.It Fl newhdr
-Adds the word NEW to the PEM file header and footer lines
-on the outputed request.
-Some software
-.Pq Netscape certificate server
-and some CAs need this.
-.It Fl batch
-Non-interactive mode.
-.It Fl verbose
-Print extra details about the operations being performed.
-.It Fl engine Ar id
-Specifying an engine (by it's unique
-.Ar id
-string) will cause
-.Nm req
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .El
 .Sh REQ CONFIGURATION FILE FORMAT
 The configuration options are specified in the
@@ -4554,16 +4553,18 @@ section is searched too.
 .Pp
 The options available are described in detail below.
 .Bl -tag -width "XXXX"
-.It Ar input_password | output_password
-The passwords for the input private key file
-.Pq if present
-and the output private key file
-.Pq if one will be created .
-The command line options
-.Fl passin
-and
-.Fl passout
-override the configuration file values.
+.It Ar attributes
+This specifies the section containing any request attributes: its format
+is the same as
+.Ar distinguished_name .
+Typically these may contain the
+.Em challengePassword
+or
+.Em unstructuredName
+types.
+They are currently ignored by
+.Nm OpenSSL Ns Li 's
+request signing utilities, but some CAs might want them.
 .It Ar default_bits
 This specifies the default key size in bits.
 If not specified, then 512 is used.
@@ -4579,6 +4580,40 @@ If not specified, the key is written to standard output.
 This can be overridden by the
 .Fl keyout
 option.
+.It Ar default_md
+This option specifies the digest algorithm to use.
+Possible values include
+.Ar md5
+and
+.Ar sha1 .
+If not present, then MD5 is used.
+This option can be overridden on the command line.
+.It Ar distinguished_name
+This specifies the section containing the distinguished name fields to
+prompt for when generating a certificate or certificate request.
+The format is described in the next section.
+.It Ar encrypt_key
+If this is set to
+.Em no
+and a private key is generated, it is
+.Em not
+encrypted.
+This is equivalent to the
+.Fl nodes
+command line option.
+For compatibility,
+.Ar encrypt_rsa_key
+is an equivalent option.
+.It Ar input_password | output_password
+The passwords for the input private key file
+.Pq if present
+and the output private key file
+.Pq if one will be created .
+The command line options
+.Fl passin
+and
+.Fl passout
+override the configuration file values.
 .It Ar oid_file
 This specifies a file containing additional OBJECT IDENTIFIERS.
 Each line of the file should consist of the numerical form of the
@@ -4592,31 +4627,27 @@ object identifier followed by
 .Sq =
 and the numerical form.
 The short and long names are the same when this option is used.
+.It Ar prompt
+If set to the value
+.Em no ,
+this disables prompting of certificate fields
+and just takes values from the config file directly.
+It also changes the expected format of the
+.Em distinguished_name
+and
+.Em attributes
+sections.
 .It Ar RANDFILE
 This specifies a file in which random number seed information is
 placed and read from, or an EGD socket (see
 .Xr RAND_egd 3 ) .
 It is used for private key generation.
-.It Ar encrypt_key
-If this is set to
-.Em no
-and a private key is generated, it is
-.Em not
-encrypted.
-This is equivalent to the
-.Fl nodes
-command line option.
-For compatibility,
-.Ar encrypt_rsa_key
-is an equivalent option.
-.It Ar default_md
-This option specifies the digest algorithm to use.
-Possible values include
-.Ar md5
-and
-.Ar sha1 .
-If not present, then MD5 is used.
-This option can be overridden on the command line.
+.It Ar req_extensions
+This specifies the configuration file section containing a list of
+extensions to add to the certificate request.
+It can be overridden by the
+.Fl reqexts
+command line switch.
 .It Ar string_mask
 This option masks out the use of certain string types in certain
 fields.
@@ -4652,12 +4683,13 @@ certain software has problems with
 and
 .Em UTF8Strings :
 in particular Netscape.
-.It Ar req_extensions
-This specifies the configuration file section containing a list of
-extensions to add to the certificate request.
-It can be overridden by the
-.Fl reqexts
-command line switch.
+.It Ar utf8
+If set to the value
+.Em yes ,
+then field values are interpreted as UTF8 strings;
+by default they are interpreted as ASCII.
+This means that the field values, whether prompted from a terminal or
+obtained from a configuration file, must be valid UTF8 strings.
 .It Ar x509_extensions
 This specifies the configuration file section containing a list of
 extensions to add to a certificate generated when the
@@ -4666,39 +4698,6 @@ switch is used.
 It can be overridden by the
 .Fl extensions
 command line switch.
-.It Ar prompt
-If set to the value
-.Em no ,
-this disables prompting of certificate fields
-and just takes values from the config file directly.
-It also changes the expected format of the
-.Em distinguished_name
-and
-.Em attributes
-sections.
-.It Ar utf8
-If set to the value
-.Em yes ,
-then field values are interpreted as UTF8 strings;
-by default they are interpreted as ASCII.
-This means that the field values, whether prompted from a terminal or
-obtained from a configuration file, must be valid UTF8 strings.
-.It Ar attributes
-This specifies the section containing any request attributes: its format
-is the same as
-.Ar distinguished_name .
-Typically these may contain the
-.Em challengePassword
-or
-.Em unstructuredName
-types.
-They are currently ignored by
-.Nm OpenSSL Ns Li 's
-request signing utilities, but some CAs might want them.
-.It Ar distinguished_name
-This specifies the section containing the distinguished name fields to
-prompt for when generating a certificate or certificate request.
-The format is described in the next section.
 .El
 .Sh REQ DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
 There are two separate formats for the distinguished name and attribute
@@ -4796,7 +4795,7 @@ options in the configuration file.
 Any additional fields will be treated as though they were a
 .Em DirectoryString .
 .Sh REQ EXAMPLES
-Examine and verify certificate request:
+Examine and verify a certificate request:
 .Pp
 .Dl $ openssl req -in req.pem -text -verify -noout
 .Pp