jmc wrote a combination man page that covers all openssl(1) functionality,

based on the pod files from openssl.  This may need by-hand updating once
in a while, but at least now people can read a real man page instead of
the mess that the openssl team provides us with.

3 files changed, 7618 insertions, 3 deletions

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index 0ab8c2e360..930c5f56af 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2002/10/09 08:22:49 fgsch Exp $
+# $OpenBSD: Makefile,v 1.4 2003/03/05 20:59:15 deraadt Exp $
 
 .include <bsd.own.mk>           # for NOMAN
 
@@ -173,7 +173,6 @@ MANALL=	\
         dsa.cat3 \
         lh_stats.cat3 \
         lhash.cat3 \
-        openssl.cat1 \
         rsa.cat3 \
         ssl.cat3
 
diff --git a/src/usr.sbin/openssl/Makefile b/src/usr.sbin/openssl/Makefile
index ee8f5b8c5c..c1563892b3 100644
--- a/src/usr.sbin/openssl/Makefile
+++ b/src/usr.sbin/openssl/Makefile
@@ -6,7 +6,7 @@ BINGRP= bin
 BINMODE= 555
 BINDIR= /usr/sbin
 LDADD=  -lssl -lcrypto
-NOMAN= not yet kiddies
+MAN1=   openssl.1
 
 SSLEAYDIST= lib/libssl/src
 
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
new file mode 100644
index 0000000000..1d826d8b0f
--- /dev/null
+++ b/src/usr.sbin/openssl/openssl.1
@@ -0,0 +1,7616 @@
+.\" ====================================================================
+.\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer. 
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" ====================================================================
+.\"
+.\" This product includes cryptographic software written by Eric Young
+.\" (eay@cryptsoft.com).  This product includes software written by Tim
+.\" Hudson (tjh@cryptsoft.com).
+.\"
+.\" 
+.\" Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+.\" All rights reserved.
+.\"
+.\" This package is an SSL implementation written
+.\" by Eric Young (eay@cryptsoft.com).
+.\" The implementation was written so as to conform with Netscapes SSL.
+.\" 
+.\" This library is free for commercial and non-commercial use as long as
+.\" the following conditions are aheared to.  The following conditions
+.\" apply to all code found in this distribution, be it the RC4, RSA,
+.\" lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+.\" included with this distribution is covered by the same copyright terms
+.\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
+.\" 
+.\" Copyright remains Eric Young's, and as such any Copyright notices in
+.\" the code are not to be removed.
+.\" If this package is used in a product, Eric Young should be given attribution
+.\" as the author of the parts of the library used.
+.\" This can be in the form of a textual message at program startup or
+.\" in documentation (online or textual) provided with the package.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"    "This product includes cryptographic software written by
+.\"     Eric Young (eay@cryptsoft.com)"
+.\"    The word 'cryptographic' can be left out if the rouines from the library
+.\"    being used are not cryptographic related :-).
+.\" 4. If you include any Windows specific code (or a derivative thereof) from 
+.\"    the apps directory (application code) you must include an
+.\"    acknowledgement:
+.\"    "This product includes software written by Tim Hudson
+.\"     (tjh@cryptsoft.com)"
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" 
+.\" The licence and distribution terms for any publically available version or
+.\" derivative of this code cannot be changed.  i.e. this code cannot simply be
+.\" copied and put under another distribution licence
+.\" [including the GNU Public Licence.]
+.\"
+.\" ssl(1)
+.\"
+.Dd February, 28 2003
+.Dt OPENSSL 1
+.Os
+.Sh NAME
+.Nm openssl
+.Nd OpenSSL command line tool
+.Sh SYNOPSIS
+.Nm
+.Cm command
+.Op Ar command_opts
+.Op Ar command_args
+.Pp
+.Nm
+.Bk -words
+.Oo Cm list-standard-commands Li |\ \&
+.Cm list-message-digest-commands |
+.Cm \  \  \  \  list-cipher-commands
+.Oc
+.Ek
+.Pp
+.Nm
+.Cm no- Ns Ar XXX
+.Op Ar arbitrary options
+.Pp
+.Sh DESCRIPTION
+.Nm OpenSSL
+is a cryptography toolkit implementing the Secure Sockets Layer
+(SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
+related cryptography standards required by them.
+.Pp
+The
+.Nm
+program is a command line tool for using the various
+cryptography functions of
+.Nm OpenSSL Ns Li 's
+.Em crypto
+library from the shell. 
+It can be used for 
+.Pp
+.Bl -bullet -compact
+.It
+Creation of RSA, DH and DSA key parameters
+.It
+Creation of X.509 certificates, CSRs and CRLs 
+.It
+Calculation of Message Digests
+.It
+Encryption and Decryption with Ciphers
+.It
+SSL/TLS Client and Server Tests
+.It
+Handling of S/MIME signed or encrypted mail
+.El
+.Sh COMMAND SUMMARY
+The
+.Nm
+program provides a rich variety of commands
+.Po Cm command\ \&
+in the
+.Sx SYNOPSIS
+above
+.Pc ,
+each of which often has a wealth of options and arguments
+.Po Ar command_opts\ \&
+and
+.Ar command_args
+in the
+.Sx SYNOPSIS
+.Pc .
+.Pp
+The pseudo-commands
+.Cm list-standard-commands , list-message-digest-commands ,
+and
+.Cm list-cipher-commands
+output a list (one entry per line) of the names
+of all standard commands, message digest commands, or cipher commands,
+respectively, that are available in the present
+.Nm
+utility.
+.Pp
+The pseudo-command
+.Cm no- Ns Ar XXX
+tests whether a command of the
+specified name is available.
+If no command named
+.Ar XXX
+exists,
+it returns 0 (success) and prints
+.Cm no- Ns Ar XXX ;
+otherwise it returns 1 and prints
+.Ar XXX .
+In both cases, the output goes to
+.Em stdout
+and nothing is printed to
+.Em stderr .
+Additional command line arguments are always ignored.
+Since for each cipher there is a command of the same name,
+this provides an easy way for shell scripts to test for the
+availability of ciphers in the
+.Nm
+program.
+.Pp
+.Sy Note:
+.Cm no- Ns Ar XXX
+is not able to detect pseudo-commands such as
+.Cm quit ,
+.Cm list- Ns Ar ... Ns Cm -commands ,
+or
+.Cm no- Ns Ar XXX
+itself.
+.Sh STANDARD COMMANDS
+.Bl -tag -width "asn1parse"
+.It Cm asn1parse
+Parse an ASN.1 sequence.
+.It Cm ca
+Certificate Authority (CA) Management.
+.It Cm ciphers
+Cipher Suite Description Determination.
+.It Cm crl
+Certificate Revocation List (CRL) Management.
+.It Cm crl2pkcs7
+CRL to PKCS#7 Conversion.
+.It Cm dgst
+Message Digest Calculation.
+.It Cm dh
+Diffie-Hellman Parameter Management.
+Obsoleted by
+.Cm dhparam .
+.It Cm dhparam
+Generation and Management of Diffie-Hellman Parameters.
+.It Cm dsa
+DSA Data Management.
+.It Cm dsaparam
+DSA Parameter Generation.
+.It Cm enc
+Encoding with Ciphers.
+.It Cm errstr
+Error Number to Error String Conversion.
+.It Cm gendh
+Generation of Diffie-Hellman Parameters.
+Obsoleted by
+.Cm dhparam .
+.It Cm gendsa
+Generation of DSA Parameters.
+.It Cm genrsa
+Generation of RSA Parameters.
+.It Cm nseq
+Create or examine a netscape certificate sequence.
+.It Cm ocsp
+Online Certificate Status Protocol utility.
+.It Cm passwd
+Generation of hashed passwords.
+.It Cm pkcs7
+PKCS#7 Data Management.
+.It Cm pkcs8
+PKCS#8 Data Management.
+.It Cm pkcs12
+PKCS#12 Data Management.
+.It Cm rand
+Generate pseudo-random bytes.
+.It Cm req
+X.509 Certificate Signing Request (CSR) Management.
+.It Cm rsa
+RSA Data Management.
+.It Cm rsautl
+RSA utility for signing, verification, encryption, and decryption.
+.It Cm s_client
+This implements a generic SSL/TLS client which can establish a transparent
+connection to a remote server speaking SSL/TLS.
+It's intended for testing purposes only and provides only rudimentary
+interface functionality but internally uses mostly all functionality of the
+.Nm OpenSSL
+.Em ssl
+library.
+.It Cm s_server
+This implements a generic SSL/TLS server which accepts connections from remote
+clients speaking SSL/TLS.
+It's intended for testing purposes only and provides only rudimentary
+interface functionality but internally uses mostly all functionality of the
+.Nm OpenSSL
+.Em ssl
+library.
+It provides both an own command line oriented protocol for testing
+SSL functions and a simple HTTP response
+facility to emulate an SSL/TLS-aware webserver.
+.It Cm s_time
+SSL Connection Timer.
+.It Cm sess_id
+SSL Session Data Management.
+.It Cm smime
+S/MIME mail processing.
+.It Cm speed
+Algorithm Speed Measurement.
+.It Cm spkac
+SPKAC printing and generating utility.
+.It Cm verify
+X.509 Certificate Verification.
+.It Cm version
+.Nm OpenSSL
+Version Information.
+.It Cm x509
+X.509 Certificate Data Management.
+.El
+.Sh MESSAGE DIGEST COMMANDS
+.Bl -tag -width "asn1parse"
+.It Cm md2
+MD2 Digest.
+.It Cm md5
+MD5 Digest.
+.It Cm mdc2
+MDC2 Digest.
+.It Cm rmd160
+RMD-160 Digest.
+.It Cm sha
+SHA Digest.
+.It Cm sha1
+SHA-1 Digest.
+.El
+.Sh ENCODING AND CIPHER COMMANDS
+.Bl -tag -width "asn1parse"
+.It Cm base64
+Base64 Encoding.
+.It Cm bf bf-cbc bf-cfb bf-ecb bf-ofb
+Blowfish Cipher.
+.It Cm cast cast-cbc
+CAST Cipher.
+.It Cm cast5-cbc cast5-cfb cast5-ecb cast5-ofb
+CAST5 Cipher.
+.It Cm des des-cbc des-cfb des-ecb des-ede des-ede-cbc
+.It Cm des-ede-cfb des-ede-ofb des-ofb
+DES Cipher.
+.It Cm des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
+Triple-DES Cipher.
+.It Cm idea idea-cbc idea-cfb idea-ecb idea-ofb
+IDEA Cipher.
+.It Cm rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
+RC2 Cipher.
+.It Cm rc4
+RC4 Cipher.
+.It Cm rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
+RC5 Cipher.
+.El
+.Sh PASS PHRASE ARGUMENTS
+Several commands accept password arguments, typically using
+.Fl passin
+and
+.Fl passout
+for input and output passwords, respectively.
+These allow the password to be obtained from a variety of sources.
+Both of these options take a single argument whose format is described below.
+If no password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+.Bl -tag -width "fd:number"
+.It Ar pass:password
+The actual password is
+.Ar password .
+Since the password is visible to utilities
+(like
+.Xr ps 1
+under Unix) this form should only be used where security is not important.
+.It Ar env:var
+Obtain the password from the environment variable
+.Ar var .
+Since the environment of other processes is visible on certain platforms
+(e.g.
+.Xr ps 1
+under certain Unix OSes) this option should be used with caution.
+.It Ar file:pathname
+The first line of
+.Ar pathname
+is the password.
+If the same
+.Ar pathname
+argument is supplied to
+.Fl passin
+and
+.Fl passout
+then the first line will be used for the input password and the next line
+for the output password.
+.Ar pathname
+need not refer to a regular file:
+it could, for example, refer to a device or named pipe.
+.It Ar fd:number
+Read the password from the file descriptor
+.Ar number .
+This can be used to send the data via a pipe for example.
+.It Ar stdin
+Read the password from standard input.
+.\"
+.\" ASN1PARSE
+.\"
+.Sh ASN1PARSE
+.Pp
+.Nm "openssl asn1parse"
+.Op Fl inform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl noout
+.Op Fl offset Ar number
+.Op Fl length Ar number
+.Op Fl i
+.Op Fl oid Ar filename
+.Op Fl strparse Ar offset
+.Pp
+The
+.Nm asn1parse
+command is a diagnostic utility that can parse ASN.1 structures.
+It can also be used to extract data from ASN.1 formatted data.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+The input format.
+.Ar DER
+is binary format and
+.Ar PEM
+(the default) is base64 encoded.
+.It Fl in Ar filename
+The input file; default is standard input.
+.It Fl out Ar filename
+Output file to place the
+.Em DER
+encoded data into.
+If this option is not present then no data will be output.
+This is most useful when combined with the
+.Fl strparse
+option.
+.It Fl noout
+Don't output the parsed version of the input file.
+.It Fl offset Ar number
+Starting offset to begin parsing; default is start of file.
+.It Fl length Ar number
+Number of bytes to parse; default is until end of file.
+.It Fl i
+Indents the output according to the "depth" of the structures.
+.It Fl oid Ar filename
+A file containing additional OBJECT IDENTIFIERs (OIDs).
+The format of this file is described in the
+.Sx ASN1PARSE NOTES
+section below.
+.It Fl strparse Ar offset
+Parse the contents octets of the ASN.1 object starting at
+.Ar offset .
+This option can be used multiple times to "drill down" into a nested structure.
+.Sh ASN1PARSE OUTPUT
+The output will typically contain lines like this:
+.Pp
+.Bd -literal
+  0:d=0  hl=4 l= 681 cons: SEQUENCE
+.Pp
+\&.....
+.Pp
+  229:d=3  hl=3 l= 141 prim: BIT STRING        
+  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
+  376:d=3  hl=3 l= 159 cons: SEQUENCE          
+  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
+  386:d=5  hl=2 l=  22 prim: OCTET STRING      
+  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
+  417:d=5  hl=2 l= 105 prim: OCTET STRING      
+  524:d=4  hl=2 l=  12 cons: SEQUENCE
+.Pp
+\&.....
+.Ed
+.Pp
+This example is part of a self-signed certificate.
+Each line starts with the offset in decimal.
+.Cm d=XX
+specifies the current depth.
+The depth is increased within the scope of any SET or SEQUENCE.
+.Cm hl=XX
+gives the header length (tag and length octets) of the current type.
+.Cm l=XX
+gives the length of the contents octets.
+.Pp
+The
+.Fl i
+option can be used to make the output more readable.
+.Pp
+Some knowledge of the ASN.1 structure is needed to interpret the output. 
+.Pp
+In this example the BIT STRING at offset 229 is the certificate public key.
+The contents octets of this will contain the public key information.
+This can be examined using the option
+.Fl strparse Cm 229
+to yield:
+.Pp
+.Bd -literal
+\&    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+\&    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
+\&  135:d=1  hl=2 l=   3 prim: INTEGER           :010001
+.Sh ASN1PARSE NOTES
+If an OID is not part of
+.Nm OpenSSL Ns Li 's
+internal table it will be represented in
+numerical form (for example 1.2.3.4).
+The file passed to the
+.Fl oid
+option allows additional OIDs to be included.
+Each line consists of three columns,
+the first column is the OID in numerical format and should be followed by
+whitespace.
+The second column is the "short name" which is a single word followed
+by whitespace.
+The final column is the rest of the line and is the "long name".
+.Nm asn1parse
+displays the long name.
+Example:
+.Pp
+"1.2.3.4        shortName       A long name"
+.Sh ASN1PARSE BUGS
+There should be options to change the format of input lines.
+The output of some ASN.1 types is not well handled (if at all).
+.\"
+.\" ca
+.\"
+.Sh CA
+.Nm openssl ca
+.Bk -words
+.Op Fl verbose
+.Op Fl config Ar filename
+.Op Fl name Ar section
+.Op Fl gencrl
+.Op Fl revoke Ar file
+.Op Fl subj Ar arg
+.Op Fl crldays Ar days
+.Op Fl crlhours Ar hours
+.Op Fl crlexts Ar section
+.Op Fl startdate Ar date
+.Op Fl enddate Ar date
+.Op Fl days Ar arg
+.Op Fl md Ar arg
+.Op Fl policy Ar arg
+.Op Fl keyfile Ar arg
+.Op Fl key Ar arg
+.Op Fl passin Ar arg
+.Op Fl cert Ar file
+.Op Fl in Ar file
+.Op Fl out Ar file
+.Op Fl notext
+.Op Fl outdir Ar dir
+.Op Fl infiles
+.Op Fl spkac Ar file
+.Op Fl ss_cert Ar file
+.Op Fl preserveDN
+.Op Fl noemailDN
+.Op Fl batch
+.Op Fl msie_hack
+.Op Fl extensions Ar section
+.Op Fl extfile Ar section
+.Ek
+.Pp
+The
+.Nm ca
+command is a minimal CA application.
+It can be used to sign certificate requests in a variety of forms
+and generate CRLs.
+It also maintains a text database of issued certificates and their status.
+.Pp
+The options descriptions will be divided into each purpose.
+.Sh CA OPTIONS
+.Bl -tag -width Ds
+.It Fl config Ar filename
+Specifies the configuration file to use.
+.It Fl name Ar section
+Specifies the configuration file
+.Ar section
+to use (overrides
+.Cm default_ca
+in the
+.Cm ca
+section).
+.It Fl in Ar filename
+An input
+.Ar filename
+containing a single certificate request to be signed by the CA.
+.It Fl ss_cert Ar filename
+A single self-signed certificate to be signed by the CA.
+.It Fl spkac Ar filename
+A file containing a single Netscape signed public key and challenge,
+and additional field values to be signed by the CA.
+See the
+.Sx CA NOTES
+section for information on the required format.
+.It Fl infiles
+If present, this should be the last option; all subsequent arguments
+are assumed to be the names of files containing certificate requests. 
+.It Fl out Ar filename
+The output file to output certificates to.
+The default is standard output.
+The certificate details will also be printed out to this file.
+.It Fl outdir Ar directory
+The
+.Ar directory
+to output certificates to.
+The certificate will be written to a filename consisting of the
+serial number in hex with ".pem" appended.
+.It Fl cert
+The CA certificate file.
+.It Fl keyfile Ar filename
+The private key to sign requests with.
+.It Fl key Ar password
+The password used to encrypt the private key.
+Since on some systems the command line arguments are visible
+(e.g. Unix with the
+.Xr ps 1
+utility) this option should be used with caution.
+.It Fl passin Ar arg
+The key password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl verbose
+This prints extra details about the operations being performed.
+.It Fl notext
+Don't output the text form of a certificate to the output file.
+.It Fl startdate Ar date
+This allows the start date to be explicitly set.
+The format of the date is YYMMDDHHMMSSZ
+(the same as an ASN1 UTCTime structure).
+.It Fl enddate Ar date
+This allows the expiry date to be explicitly set.
+The format of the date is YYMMDDHHMMSSZ
+(the same as an ASN1 UTCTime structure).
+.It Fl days Ar arg
+The number of days to certify the certificate for.
+.It Fl md Ar alg
+The message digest to use.
+Possible values include
+.Ar md5 , sha1
+and
+.Ar mdc2 .
+This option also applies to CRLs.
+.It Fl policy Ar arg
+This option defines the CA "policy" to use.
+This is a section in the configuration file which decides which fields
+should be mandatory or match the CA certificate.
+Check out the
+.Sx CA POLICY FORMAT
+section for more information.
+.It Fl msie_hack
+This is a legacy option to make
+.Nm ca
+work with very old versions of the IE certificate enrollment control
+"certenr3".
+It used UniversalStrings for almost everything.
+Since the old control has various security bugs,
+its use is strongly discouraged.
+The newer control "Xenroll" does not need this option.
+.It Fl preserveDN
+Normally the DN order of a certificate is the same as the order of the
+fields in the relevant policy section.
+When this option is set, the order is the same as the request.
+This is largely for compatibility with the older IE enrollment control
+which would only accept certificates if their DNs matched the order of the
+request.
+This is not needed for Xenroll.
+.It Fl noemailDN
+The DN of a certificate can contain the EMAIL field if present in the
+request DN, however it is good policy just having the e-mail set into
+the
+.Em altName
+extension of the certificate.
+When this option is set the EMAIL field is removed from the certificate's
+subject and set only in the, eventually present, extensions.
+The
+.Ar email_in_dn
+keyword can be used in the configuration file to enable this behaviour.
+.It Fl batch
+This sets the batch mode.
+In this mode no questions will be asked
+and all certificates will be certified automatically.
+.It Fl extensions Ar section
+The section of the configuration file containing certificate extensions
+to be added when a certificate is issued (defaults to
+.Em x509_extensions
+unless the
+.Fl extfile
+option is used).
+If no extension section is present, then a V1 certificate is created.
+If the extension section is present (even if it is empty),
+then a V3 certificate is created.
+.It Fl extfile Ar file
+An additional configuration
+.Ar file
+to read certificate extensions from
+(using the default section unless the
+.Fl extensions
+option is also used).
+.El
+.Sh CRL OPTIONS
+.Bl -tag -width Ds
+.It Fl gencrl
+This option generates a CRL based on information in the index file.
+.It Fl crldays Ar num
+The number of days before the next CRL is due.
+This is the days from now to place in the CRL
+.Em nextUpdate
+field.
+.It Fl crlhours Ar num
+The number of hours before the next CRL is due.
+.It Fl revoke Ar filename
+A
+.Ar filename
+containing a certificate to revoke.
+.It Fl subj Ar arg
+Supersedes the subject name given in the request.
+The
+.Ar arg
+must be formatted as
+.Ar /type0=value0/type1=value1/type2=... ;
+characters may be escaped by \e (backslash), no spaces are skipped.
+.It Fl crlexts Ar section
+The
+.Ar section
+of the configuration file containing CRL extensions to include.
+If no CRL extension section is present then a V1 CRL is created;
+if the CRL extension section is present (even if it is empty)
+then a V2 CRL is created.
+The CRL extensions specified are CRL extensions and
+.Em not
+CRL entry extensions.
+It should be noted that some software (for example Netscape)
+can't handle V2 CRLs. 
+.El
+.Sh CA CONFIGURATION FILE OPTIONS
+The section of the configuration file containing options for
+.Nm ca
+is found as follows:
+If the
+.Fl name
+command line option is used, then it names the section to be used.
+Otherwise the section to be used must be named in the
+.Em default_ca
+option of the
+.Em ca
+section of the configuration file (or in the default section of the
+configuration file).
+Besides
+.Em default_ca ,
+the following options are read directly from the
+.Em ca
+section:
+.Pp
+  RANDFILE
+  preserve
+  msie_hack
+.Pp
+With the exception of RANDFILE, this is probably a bug and may
+change in future releases.
+.Pp
+Many of the configuration file options are identical to command line
+options.
+Where the option is present in the configuration file and the command line,
+the command line value is used.
+Where an option is described as mandatory, then it must be present in
+the configuration file or the command line equivalent (if any) used.
+.Pp
+.Bl -tag -width Ds
+.It Ar oid_file
+This specifies a file containing additional OBJECT IDENTIFIERS.
+Each line of the file should consist of the numerical form of the
+object identifier followed by whitespace, then the short name followed
+by whitespace and finally the long name. 
+.It Ar oid_section
+This specifies a section in the configuration file containing extra
+object identifiers.
+Each line should consist of the short name of the object identifier
+followed by
+.Cm =
+and the numerical form.
+The short and long names are the same when this option is used.
+.It Ar new_certs_dir
+The same as the
+.Fl outdir
+command line option.
+It specifies the directory where new certificates will be placed.
+Mandatory.
+.It Ar certificate
+The same as
+.Fl cert.
+It gives the file containing the CA certificate.
+Mandatory.
+.It Ar private_key
+Same as the
+.Fl keyfile
+option.
+The file containing the CA private key.
+Mandatory.
+.It Ar RANDFILE
+A file used to read and write random number seed information,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+.It Ar default_days
+The same as the
+.Fl days
+option.
+The number of days to certify a certificate for. 
+.It Ar default_startdate
+The same as the
+.Fl startdate
+option.
+The start date to certify a certificate for.
+If not set, the current time is used.
+.It Ar default_enddate
+The same as the
+.Fl enddate
+option.
+Either this option or
+.Ar default_days
+(or the command line equivalents) must be present.
+.It Ar default_crl_hours default_crl_days
+The same as the
+.Fl crlhours
+and the
+.Fl crldays
+options.
+These will only be used if neither command line option is present.
+At least one of these must be present to generate a CRL.
+.It Ar default_md
+The same as the
+.Fl md
+option.
+The message digest to use.
+Mandatory.
+.It Ar database
+The text database file to use.
+Mandatory.
+This file must be present, though initially it will be empty.
+.It Ar serialfile
+A text file containing the next serial number to use in hex.
+Mandatory.
+This file must be present and contain a valid serial number.
+.It Ar x509_extensions
+The same as
+.Fl extensions .
+.It Ar crl_extensions
+the same as
+.Fl crlexts .
+.It Ar preserve
+The same as
+.Fl preserveDN .
+.It Ar email_in_dn
+The same as
+.Fl noemailDN .
+If the EMAIL field is to be removed from the DN of the certificate,
+simply set this to 'no'.
+If not present the default is to allow for the EMAIL field in the
+certificate's DN.
+.It Ar msie_hack
+The same as
+.Fl msie_hack .
+.It Ar policy
+The same as
+.Fl policy .
+Mandatory.
+See the
+.Sx CA POLICY FORMAT
+section for more information.
+.It Ar nameopt , certopt
+These options allow the format used to display the certificate details
+when asking the user to confirm signing.
+All the options supported by the
+.Nm x509
+utilities'
+.Fl nameopt
+and
+.Fl certopt
+switches can be used here, except that
+.Ar no_signame
+and
+.Ar no_sigdump
+are permanently set and cannot be disabled
+(this is because the certificate signature cannot be displayed because
+the certificate has not been signed at this point).
+.Pp
+For convenience the values
+.Em default_ca
+are accepted by both to produce a reasonable output.
+.Pp
+If neither option is present the format used in earlier versions of
+.Nm OpenSSL
+is used.
+Use of the old format is
+.Em strongly
+discouraged because it only displays fields mentioned in the
+.Ar policy
+section,
+mishandles multicharacter string types and does not display extensions.
+.It Ar copy_extensions
+Determines how extensions in certificate requests should be handled.
+If set to
+.Ar none
+or this option is not present, then extensions are
+ignored and not copied to the certificate.
+If set to
+.Ar copy
+then any extensions present in the request that are not already present
+are copied to the certificate.
+If set to
+.Ar copyall
+then all extensions in the request are copied to the certificate:
+if the extension is already present in the certificate it is deleted first.
+See the
+.Sx CA WARNINGS
+section before using this option.
+.Pp
+The main use of this option is to allow a certificate request to supply
+values for certain extensions such as
+.Em subjectAltName .
+.El
+.Sh CA POLICY FORMAT
+The policy section consists of a set of variables corresponding to
+certificate DN fields.
+If the value is "match" then the field value
+must match the same field in the CA certificate.
+If the value is "supplied" then it must be present.
+If the value is "optional" then it may be present.
+Any fields not mentioned in the policy section
+are silently deleted, unless the
+.Fl preserveDN
+option is set,
+but this can be regarded more of a quirk than intended behaviour.
+.Sh SPKAC FORMAT
+The input to the
+.Fl spkac
+command line option is a Netscape signed public key and challenge.
+This will usually come from the
+.Em KEYGEN
+tag in an HTML form to create a new private key. 
+It is, however, possible to create SPKACs using the
+.Nm spkac
+utility.
+.Pp
+The file should contain the variable SPKAC set to the value of
+the SPKAC and also the required DN components as name value pairs.
+If it's necessary to include the same component twice then it can be
+preceded by a number and a '.'.
+.Sh CA EXAMPLES
+.Sy Note:
+these examples assume that the
+.Nm ca
+directory structure is already set up and the relevant files already exist.
+This usually involves creating a CA certificate and private key with
+.Cm req ,
+a serial number file and an empty index file and placing them in
+the relevant directories.
+.Pp
+To use the sample configuration file below, the directories
+.Pa demoCA ,
+.Pa demoCA/private
+and
+.Pa demoCA/newcerts
+would be created.
+The CA certificate would be copied to
+.Pa demoCA/cacert.pem
+and its private key to
+.Pa demoCA/private/cakey.pem .
+A file
+.Pa demoCA/serial
+would be created containing, for example, "01" and the empty index file
+.Pa demoCA/index.txt .
+.Pp
+Sign a certificate request:
+.Pp
+\& $ openssl ca -in req.pem -out newcert.pem
+.Pp
+Sign a certificate request, using CA extensions:
+.Pp
+\& $ openssl ca -in req.pem -extensions v3_ca -out newcert.pem
+.Pp
+Generate a CRL:
+.Pp
+\& $ openssl ca -gencrl -out crl.pem
+.Pp
+Sign several requests:
+.Pp
+\& $ openssl ca -infiles req1.pem req2.pem req3.pem
+.Pp
+Certify a Netscape SPKAC:
+.Pp
+\& $ openssl ca -spkac spkac.txt
+.Pp
+A sample SPKAC file (the SPKAC line has been truncated for clarity):
+.Pp
+.Bd -literal
+\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
+\& CN=Steve Test
+\& emailAddress=steve@openssl.org
+\& 0.OU=OpenSSL Group
+\& 1.OU=Another Group
+.Ed
+.Pp
+A sample configuration file with the relevant sections for
+.Nm ca :
+.Pp
+.Bd -literal
+\& [ ca ]
+\& default_ca      = CA_default            # The default ca section
+.Pp
+\& [ CA_default ]
+.Pp
+\& dir            = ./demoCA              # top dir
+\& database       = $dir/index.txt        # index file
+\& new_certs_dir  = $dir/newcerts         # new certs dir
+.Pp
+\& certificate    = $dir/cacert.pem       # The CA cert
+\& serial         = $dir/serial           # serial no file
+\& private_key    = $dir/private/cakey.pem# CA private key
+\& RANDFILE       = $dir/private/.rand    # random number file
+.Pp
+\& default_days   = 365                   # how long to certify for
+\& default_crl_days= 30                   # how long before next CRL
+\& default_md     = md5                   # md to use
+.Pp
+\& policy         = policy_any            # default policy
+\& email_in_dn    = no                    # Don't add the email into cert DN
+.Pp
+\& nameopt        = default_ca            # Subject name display option
+\& certopt        = default_ca            # Certificate display option
+\& copy_extensions = none                 # Don't copy extensions from request
+.Pp
+\& [ policy_any ]
+\& countryName            = supplied
+\& stateOrProvinceName    = optional
+\& organizationName       = optional
+\& organizationalUnitName = optional
+\& commonName             = supplied
+\& emailAddress           = optional
+.Ed
+.Sh CA WARNINGS
+The
+.Nm ca
+command is quirky and at times downright unfriendly.
+.Pp
+The
+.Nm ca
+utility was originally meant as an example of how to do things in a CA.
+It was not supposed to be used as a full blown CA itself;
+nevertheless some people are using it for this purpose.
+.Pp
+The
+.Nm ca
+command is effectively a single user command: no locking is
+done on the various files and attempts to run more than one
+.Nm ca
+command on the same database can have unpredictable results.
+.Sh CA FILES
+.Sy Note:
+the location of all files can change either by compile time options,
+configuration file entries, environment variables or command line options.
+The values below reflect the default values.
+.Pp
+.Bd -literal
+/usr/local/ssl/lib/openssl.cnf - master configuration file
+\&./demoCA                       - main CA directory
+\&./demoCA/cacert.pem            - CA certificate
+\&./demoCA/private/cakey.pem     - CA private key
+\&./demoCA/serial                - CA serial number file
+\&./demoCA/serial.old            - CA serial number backup file
+\&./demoCA/index.txt             - CA text database file
+\&./demoCA/index.txt.old         - CA text database backup file
+\&./demoCA/certs                 - certificate output file
+\&./demoCA/.rnd                  - CA random seed information
+.Ed
+.Sh CA ENVIRONMENT VARIABLES
+.Em OPENSSL_CONF
+reflects the location of the master configuration file;
+it can be overridden by the
+.Fl config
+command line option.
+.Sh CA RESTRICTIONS
+The text database index file is a critical part of the process,
+and if corrupted it can be difficult to fix.
+It is theoretically possible to rebuild the index file from all the
+issued certificates and a current CRL; however there is no option to do this.
+.Pp
+CRL entry extensions cannot currently be created; only CRL extensions
+can be added.
+.Pp
+V2 CRL features like delta CRL support and CRL numbers are not currently
+supported.
+.Pp
+Although several requests can be input and handled at once, it is only
+possible to include one SPKAC or self-signed certificate.
+.Sh CA BUGS
+The use of an in-memory text database can cause problems when large
+numbers of certificates are present because, as the name implies,
+the database has to be kept in memory.
+.Pp
+It is not possible to certify two certificates with the same DN; this
+is a side effect of how the text database is indexed and it cannot easily
+be fixed without introducing other problems.
+Some S/MIME clients can use two certificates with the same DN for separate
+signing and encryption keys.
+.Pp
+The
+.Nm ca
+command really needs rewriting or the required functionality
+exposed at either a command or interface level so a more friendly utility
+(perl script or GUI) can handle things properly.
+The scripts
+.Nm CA.sh
+and
+.Nm CA.pl
+help a little but not very much.
+.Pp
+Any fields in a request that are not present in a policy are silently
+deleted.
+This does not happen if the
+.Fl preserveDN
+option is used.
+To enforce the absence of the EMAIL field within the DN, as suggested
+by RFCs, regardless of the contents of the request's subject the
+.Fl noemailDN
+option can be used.
+The behaviour should be more friendly and configurable.
+.Pp
+Cancelling some commands by refusing to certify a certificate can
+create an empty file.
+.Sh CA WARNINGS
+The
+.Ar copy_extensions
+option should be used with caution.
+If care is not taken then it can be a security risk.
+For example, if a certificate request contains a
+.Em basicConstraints
+extension with CA:TRUE and the
+.Ar copy_extensions
+value is set to
+.Ar copyall
+and the user does not spot
+this when the certificate is displayed, then this will hand the requestor
+a valid CA certificate.
+.Pp
+This situation can be avoided by setting
+.Ar copy_extensions
+to
+.Ar copy
+and including
+.Em basicConstraints
+with CA:FALSE in the configuration file.
+Then if the request contains a
+.Em basicConstraints
+extension, it will be ignored.
+.Pp
+It is advisable to also include values for other extensions such
+as
+.Ar keyUsage
+to prevent a request supplying its own values.
+.Pp
+Additional restrictions can be placed on the CA certificate itself.
+For example if the CA certificate has:
+.Pp
+\& basicConstraints = CA:TRUE, pathlen:0
+.Pp
+then even if a certificate is issued with CA:TRUE it will not be valid.
+.\"
+.\" CIPHERS
+.\"
+.Sh CIPHERS
+.Nm openssl ciphers
+.Op Fl v
+.Op Fl ssl2
+.Op Fl ssl3
+.Op Fl tls1
+.Op Cm cipherlist
+.Pp
+The
+.Nm cipherlist
+command converts
+.Nm OpenSSL
+cipher lists into ordered SSL cipher preference lists.
+It can be used as a test tool to determine the appropriate cipherlist.
+.Pp
+The options are as follows:
+.Bl -tag -width -Ds
+.It Fl v
+Verbose option.
+List ciphers with a complete description of protocol version
+(SSLv2 or SSLv3; the latter includes TLS), key exchange,
+authentication, encryption and mac algorithms used along with any key size
+restrictions and whether the algorithm is classed as an
+.Em export
+cipher.
+Note that without the
+.Fl v
+option, ciphers may seem to appear twice in a cipher list;
+this is when similar ciphers are available for
+SSL v2 and for SSL v3/TLS v1.
+.It Fl ssl3
+Only include SSL v3 ciphers.
+.It Fl ssl2
+Only include SSL v2 ciphers.
+.It Fl tls1
+Only include TLS v1 ciphers.
+.It Fl h , ?
+Print a brief usage message.
+.It Fl cipherlist
+A cipher list to convert to a cipher preference list.
+If it is not included, then the default cipher list will be used.
+The format is described below.
+.El
+.Sh CIPHERS LIST FORMAT
+The cipher list consists of one or more
+.Em cipher strings
+separated by colons.
+Commas or spaces are also acceptable separators, but colons are normally used.
+.Pp
+The actual
+.Em cipher string
+can take several different forms:
+.Pp
+It can consist of a single cipher suite such as
+.Em RC4-SHA .
+.Pp
+It can represent a list of cipher suites containing a certain algorithm,
+or cipher suites of a certain type.
+For example
+.Em SHA1
+represents all cipher suites using the digest algorithm SHA1, and
+.Em SSLv3
+represents all SSL v3 algorithms.
+.Pp
+Lists of cipher suites can be combined in a single
+.Em cipher string
+using the
+.Cm +
+character.
+This is used as a logical
+.Em and
+operation.
+For example,
+.Em SHA1+DES
+represents all cipher suites containing the SHA1 and the DES algorithms.
+.Pp
+Each cipher string can be optionally preceded by the characters
+.Cm ! , -
+or
+.Cm + .
+.Pp
+If
+.Cm !
+is used, then the ciphers are permanently deleted from the list.
+The ciphers deleted can never reappear in the list even if they are
+explicitly stated.
+.Pp
+If
+.Cm -
+is used, then the ciphers are deleted from the list, but some or
+all of the ciphers can be added again by later options.
+.br
+.Pp
+If
+.Cm +
+is used, then the ciphers are moved to the end of the list.
+This option doesn't add any new ciphers, it just moves matching existing ones.
+.Pp
+If none of these characters is present, then the string is just interpreted
+as a list of ciphers to be appended to the current preference list.
+If the list includes any ciphers already present they will be ignored;
+that is, they will not be moved to the end of the list.
+.Pp
+Additionally the cipher string
+.Em @STRENGTH
+can be used at any point to sort the current cipher list in order of
+encryption algorithm key length.
+.Sh CIPHERS STRINGS
+The following is a list of all permitted cipher strings and their meanings.
+.Bl -tag -width Ds
+.It Ar DEFAULT
+The default cipher list.
+This is determined at compile time and is normally
+.Ar ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH .
+This must be the first
+.Ar cipher string
+specified.
+.It Ar COMPLEMENTOFDEFAULT
+The ciphers included in
+.Ar ALL ,
+but not enabled by default.
+Currently this is
+.Ar ADH .
+Note that this rule does not cover
+.Ar eNULL ,
+which is not included by
+.Ar ALL
+(use
+.Ar COMPLEMENTOFALL
+if necessary).
+.It Ar ALL
+All ciphers suites except the
+.Ar eNULL
+ciphers which must be explicitly enabled.
+.It Ar COMPLEMENTOFALL
+The cipher suites not enabled by
+.Ar ALL ,
+currently being
+.Ar eNULL .
+.It Ar HIGH
+"High" encryption cipher suites.
+This currently means those with key lengths larger than 128 bits.
+.It Ar MEDIUM
+"Medium" encryption cipher suites, currently those using 128 bit encryption.
+.It Ar LOW
+"Low" encryption cipher suites, currently those using 64 or 56 bit encryption
+algorithms, but excluding export cipher suites.
+.It Ar EXP , EXPORT
+Export encryption algorithms.
+Including 40 and 56 bits algorithms.
+.It Ar EXPORT40
+40 bit export encryption algorithms
+.It Ar EXPORT56
+56 bit export encryption algorithms.
+.It Ar eNULL, NULL
+The "NULL" ciphers; that is those offering no encryption.
+Because these offer no encryption at all and are a security risk
+they are disabled unless explicitly included.
+.It Ar aNULL
+The cipher suites offering no authentication.
+This is currently the anonymous DH algorithms.
+These cipher suites are vulnerable to a "man in the middle"
+attack and so their use is normally discouraged.
+.It Ar kRSA , RSA
+Cipher suites using RSA key exchange.
+.It Ar kEDH
+Cipher suites using ephemeral DH key agreement.
+.It Ar kDHr , kDHd
+Cipher suites using DH key agreement and DH certificates signed by
+CAs with RSA and DSS keys respectively.
+Not implemented.
+.It Ar aRSA
+Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
+.It Ar aDSS , DSS
+Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+.It Ar aDH
+Cipher suites effectively using DH authentication, i.e. the certificates carry
+DH keys.
+Not implemented.
+.It Ar kFZA , aFZA , eFZA , FZA
+Ciphers suites using FORTEZZA key exchange, authentication, encryption
+or all FORTEZZA algorithms.
+Not implemented.
+.It Ar TLSv1 , SSLv3 , SSLv2
+TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively.
+.It Ar DH
+Cipher suites using DH, including anonymous DH.
+.It Ar ADH
+Anonymous DH cipher suites.
+.It Ar 3DES
+Cipher suites using triple DES.
+.It Ar DES
+Cipher suites using DES (not triple DES).
+.It Ar RC4
+Cipher suites using RC4.
+.It Ar RC2
+Cipher suites using RC2.
+.It Ar IDEA
+Cipher suites using IDEA.
+.It Ar MD5
+Cipher suites using MD5.
+.It Ar SHA1 , SHA
+Cipher suites using SHA1.
+.El
+.Sh CIPHERS SUITE NAMES
+The following lists give the SSL or TLS cipher suites names from the
+relevant specification and their
+.Nm OpenSSL
+equivalents.
+.Pp
+.Cm SSL v3.0 cipher suites
+.Pp
+.Bd -literal
+\& SSL_RSA_WITH_NULL_MD5                   NULL-MD5
+\& SSL_RSA_WITH_NULL_SHA                   NULL-SHA
+\& SSL_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+\& SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
+\& SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
+\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+\& SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+\& SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+\& SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+.Ed
+.Pp
+.Bd -literal
+\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& SSL_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& SSL_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+\& SSL_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+\& SSL_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+.Ed
+.Pp
+.Bd -literal
+\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+\& SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+\& SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+.Ed
+.Pp
+.Bd -literal
+\& SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
+\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
+\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.
+.Ed
+.Pp
+.Cm TLS v1.0 cipher suites
+.Pp
+.Bd -literal
+\& TLS_RSA_WITH_NULL_MD5                   NULL-MD5
+\& TLS_RSA_WITH_NULL_SHA                   NULL-SHA
+\& TLS_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+\& TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
+\& TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+\& TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+\& TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+\& TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+.Ed
+.Pp
+.Bd -literal
+\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+\& TLS_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+\& TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+.Ed
+.Pp
+.Bd -literal
+\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+\& TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+\& TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+.Ed
+.Pp
+.Cm Additional Export 1024 and other cipher suites
+.Pp
+.Sy Note:
+These ciphers can also be used in SSL v3.
+.Pp
+.Bd -literal
+\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     EXP1024-DES-CBC-SHA
+\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      EXP1024-RC4-SHA
+\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
+\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
+\& TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+.Ed
+.Pp
+.Cm SSL v2.0 cipher suites
+.Bd -literal
+.Pp
+\& SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
+\& SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+\& SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
+\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+\& SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
+\& SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
+.Ed
+.Pp
+.Sh CIPHERS NOTES
+The non-ephemeral DH modes are currently unimplemented in
+.Nm OpenSSL
+because there is no support for DH certificates.
+.Pp
+Some compiled versions of
+.Nm OpenSSL
+may not include all the ciphers
+listed here because some ciphers were excluded at compile time.
+.Sh CIPHERS EXAMPLES
+Verbose listing of all
+.Nm OpenSSL
+ciphers including NULL ciphers:
+.Pp
+\& $ openssl ciphers -v 'ALL:eNULL'
+.Pp
+Include all ciphers except NULL and anonymous DH then sort by
+strength:
+.Pp
+\& $ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+.Pp
+Include only 3DES ciphers and then place RSA ciphers last:
+.Pp
+\& $ openssl ciphers -v '3DES:+RSA'
+.Pp
+Include all RC4 ciphers but leave out those without authentication:
+.Pp
+\& $ openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
+.Pp
+Include all ciphers with RSA authentication but leave out ciphers without
+encryption:
+.Pp
+\& $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
+.Sh CIPHERS HISTORY
+The
+.Ar COMPLENTOFALL
+and
+.Ar COMPLEMENTOFDEFAULT
+selection options were added in version 0.9.7.
+.\"
+.\" crl
+.\"
+.Sh CRL
+.Nm openssl crl
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl text
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl noout
+.Op Fl hash
+.Op Fl issuer
+.Op Fl lastupdate
+.Op Fl nextupdate
+.Op Cm CAfile Ar file
+.Op Cm CApath Ar dir
+.Pp
+The
+.Nm crl
+command processes CRL files in
+.Ar DER
+or
+.Ar PEM
+format.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+.Ar DER
+format is DER encoded CRL structure.
+.Ar PEM
+(the default) is a base64 encoded version of the DER form with header
+and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format; the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input filename to read from or standard input if this
+option is not specified.
+.It Fl out Ar filename
+Specifies the output filename to write to, or standard output by
+default.
+.It Fl text
+Print out the CRL in text form.
+.It Fl noout
+Don't output the encoded version of the CRL.
+.It Fl hash
+Output a hash of the issuer name.
+This can be used to lookup CRLs in a directory by issuer name.
+.It Fl issuer
+Output the issuer name.
+.It Fl lastupdate
+Output the
+.Ar lastUpdate
+field.
+.It Fl nextupdate
+Output the
+.Ar nextUpdate
+field.
+.It Fl CAfile Ar file
+Verify the signature on a CRL by looking up the issuing certificate in
+.Ar file .
+.It Fl CApath Ar dir
+Verify the signature on a CRL by looking up the issuing certificate in
+.Ar dir .
+This directory must be a standard certificate directory,
+i.e. a hash of each subject name (using
+.Cm x509 Fl hash )
+should be linked to each certificate.
+.El
+.Sh CRL NOTES
+The PEM CRL format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN X509 CRL-----
+\& -----END X509 CRL-----
+.Ed
+.Sh CRL EXAMPLES
+Convert a CRL file from
+.Ar PEM
+to
+.Ar DER :
+.Pp
+\& $ openssl crl -in crl.pem -outform DER -out crl.der
+.Pp
+Output the text form of a
+.Ar DER
+encoded certificate:
+.Pp
+\& $ openssl crl -in crl.der -text -noout
+.Sh CRL BUGS
+Ideally it should be possible to create a CRL using appropriate options
+and files too.
+.\"
+.\" CRL2PKCS7
+.\"
+.Sh CRL2PKCS7
+.Nm openssl crl2pkcs7
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl certfile Ar filename
+.Op Fl nocrl
+.Pp
+The
+.Nm crl2pkcs7
+command takes an optional CRL and one or more
+certificates and converts them into a PKCS#7 degenerate
+"certificates only" structure.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the CRL input format.
+.Ar DER
+format is DER encoded CRL structure.
+.Ar PEM
+(the default) is a base64 encoded version of the DER form with header
+and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the PKCS#7 structure output format.
+.Ar DER
+format is DER encoded PKCS#7 structure.
+.Ar PEM
+(the default) is a base64 encoded version of the DER form with header
+and footer lines.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a CRL from or standard input if this option is not specified.
+.It Fl out Ar filename
+Specifies the output
+.Ar filename
+to write the PKCS#7 structure to or standard output by default.
+.It Fl certfile Ar filename
+Specifies a
+.Ar filename
+containing one or more certificates in
+.Ar PEM
+format.
+All certificates in the file will be added to the PKCS#7 structure.
+This option can be used more than once to read certificates form multiple
+files.
+.It Fl nocrl
+Normally a CRL is included in the output file.
+With this option, no CRL is
+included in the output file and a CRL is not read from the input file.
+.El
+.Sh CRL2PKCS7 EXAMPLES
+Create a PKCS#7 structure from a certificate and CRL:
+.Pp
+\& $ openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
+.Pp
+Creates a PKCS#7 structure in
+.Ar DER
+format with no CRL from several
+different certificates:
+.Pp
+.Bd -literal
+\& $ openssl crl2pkcs7 -nocrl -certfile newcert.pem 
+\&         -certfile demoCA/cacert.pem -outform DER -out p7.der
+.Ed
+.Sh CRL2PKCS7 NOTES
+The output file is a PKCS#7 signed data structure containing no signers and
+just certificates and an optional CRL.
+.Pp
+This utility can be used to send certificates and CAs to Netscape as part of
+the certificate enrollment process.
+This involves sending the DER encoded output
+as MIME type
+.Em application/x-x509-user-cert .
+.Pp
+The
+.Ar PEM
+encoded form with the header and footer lines removed can be used to
+install user certificates and CAs in MSIE using the Xenroll control.
+.\"
+.\" DGST
+.\"
+.Sh DGST
+.Nm openssl dgst
+.Op Cm -md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1
+.Op Fl c
+.Op Fl d
+.Op Fl hex
+.Op Fl binary
+.Op Fl out Ar filename
+.Op Fl sign Ar filename
+.Op Fl verify Ar filename
+.Op Fl prverify Ar filename
+.Op Fl rand Ar file ...
+.Op Fl signature Ar filename
+.Op Ar file ...
+.Pp
+.Cm md5|md4|md2|sha1|sha|mdc2|ripemd160
+.Op Fl c
+.Op Fl d
+.Op Ar file ...
+.Pp
+The digest functions output the message digest of a supplied
+.Ar file
+or
+.Ar files
+in hexadecimal form.
+They can also be used for digital signing and verification.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl c
+Print out the digest in two digit groups separated by colons, only relevant if
+.Em hex
+format output is used.
+.It Fl d
+Print out BIO debugging information.
+.It Fl hex
+Digest is to be output as a hex dump.
+This is the default case for a "normal"
+digest as opposed to a digital signature.
+.It Fl binary
+Output the digest or signature in binary form.
+.It Fl out Ar filename
+Filename to output to, or standard output by default.
+.It Fl sign Ar filename
+Digitally sign the digest using the private key in
+.Ar filename .
+.It Fl verify Ar filename
+Verify the signature using the the public key in
+.Ar filename.
+The output is either "Verification OK" or "Verification Failure".
+.It Fl prverify Ar filename
+Verify the signature using the private key in
+.Ar filename .
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number
+generator, or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others. 
+.It Fl signature Ar filename
+The actual signature to verify.
+.It Ar file ...
+File or files to digest.
+If no files are specified then standard input is used.
+.El
+.Sh DGST NOTES
+The digest of choice for all new applications is SHA1.
+Other digests are, however, still widely used.
+.Pp
+If you wish to sign or verify data using the DSA algorithm then the dss1
+digest must be used.
+.Pp
+A source of random numbers is required for certain signing algorithms, in
+particular DSA.
+.Pp
+The signing and verify options should only be used if a single file is
+being signed or verified.
+.\"
+.\" DH
+.\"
+.Sh DH
+Diffie-Hellman Parameter Management. The
+.Nm dh
+command has been replaced by
+.Nm dhparam.
+See
+.Sx DHPARAM
+below.
+.\"
+.\" DHPARAM
+.\"
+.Sh DHPARAM
+.Nm openssl dhparam
+.Bk -words
+.Op Fl inform Ar DER|PEM
+.Op Fl outform Ar DER|PEM
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl dsaparam
+.Op Fl noout
+.Op Fl text
+.Op Fl C
+.Op Fl 2
+.Op Fl 5
+.Op Fl rand Ar file ...
+.Op Ar numbits
+.Ek
+.Pp
+The
+.Nm dhparam
+command is used to manipulate DH parameter files.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+The argument
+.Ar DER
+uses an ASN1 DER encoded form compatible with the PKCS#3 DHparameter
+structure.
+The
+.Ar PEM
+form is the default format:
+it consists of the DER format base64 encoded with
+additional header and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read parameters from or standard input if this option is not specified.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write parameters to.
+Standard output is used if this option is not present.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl dsaparam
+If this option is used, DSA rather than DH parameters are read or created;
+they are converted to DH format.
+Otherwise, "strong" primes (such that (p-1)/2 is also prime)
+will be used for DH parameter generation.
+.Pp
+DH parameter generation with the
+.Fl dsaparam
+option is much faster,
+and the recommended exponent length is shorter,
+which makes DH key exchange more efficient.
+Beware that with such DSA-style DH parameters,
+a fresh DH key should be created for each use to
+avoid small-subgroup attacks that may be possible otherwise.
+.It Fl 2 , 5
+The generator to use, either 2 or 5.
+2 is the default.
+If present then the input file is ignored and parameters are generated instead.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified, separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Ar numbits
+This argument specifies that a parameter set should be generated of size
+.Ar numbits .
+It must be the last option.
+If not present, then a value of 512 is used.
+If this value is present then the input file is ignored and 
+parameters are generated instead.
+.It Fl noout
+This option inhibits the output of the encoded version of the parameters.
+.It Fl text
+This option prints out the DH parameters in human readable form.
+.It Fl C
+This option converts the parameters into C code.
+The parameters can then be loaded by calling the
+.Cm get_dh Ns Ar numbits Ns Li ()
+function.
+.Sh DHPARAM WARNINGS
+The program
+.Nm dhparam
+combines the functionality of the programs
+.Nm dh
+and
+.Nm gendh
+in previous versions of
+.Nm OpenSSL
+and
+.Nm SSLeay .
+The
+.Nm dh
+and
+.Nm gendh
+programs are retained for now, but may have different purposes in future 
+versions of
+.Nm OpenSSL .
+.Sh DHPARAM NOTES
+.Ar PEM
+format DH parameters use the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN DH PARAMETERS-----
+\& -----END DH PARAMETERS-----
+.Ed
+.Pp
+.Nm OpenSSL
+currently only supports the older PKCS#3 DH,
+not the newer X9.42 DH.
+.Pp
+This program manipulates DH parameters not keys.
+.Sh DHPARAM BUGS
+There should be a way to generate and manipulate DH keys.
+.Sh DHPARAM HISTORY
+The
+.Nm dhparam
+command was added in
+.Nm OpenSSL
+0.9.5.
+The
+.Fl dsaparam
+option was added in
+.Nm OpenSSL
+0.9.6.
+.\"
+.\" DSA
+.\"
+.Sh DSA
+.Nm openssl dsa
+.Bk -words
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl passin Ar arg
+.Op Fl out Ar filename
+.Op Fl passout Ar arg
+.Op Fl des
+.Op Fl des3
+.Op Fl idea
+.Op Fl text
+.Op Fl noout
+.Op Fl modulus
+.Op Fl pubin
+.Op Fl pubout
+.Ek
+.Pp
+The
+.Nm dsa
+command processes DSA keys.
+They can be converted between various forms and their components printed out.
+.Pp
+.Sy Note:
+This command uses the traditional
+.Nm SSLeay
+compatible format for private key encryption:
+newer applications should use the more secure PKCS#8 format using the
+.Nm pkcs8
+command.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+The
+.Ar DER
+argument with a private key uses an ASN1 DER encoded form of an ASN.1
+SEQUENCE consisting of the values of version (currently zero), p, q, g,
+the public and private key components respectively as ASN.1 INTEGERs.
+When used with a public key it uses a
+.Em SubjectPublicKeyInfo
+structure:
+It is an error if the key is not DSA.
+.Pp
+The
+.Ar PEM
+form is the default format:
+It consists of the DER format base64
+encoded with additional header and footer lines.
+In the case of a private key, PKCS#8 format is also accepted.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a key from or standard input if this option is not specified.
+If the key is encrypted a pass phrase will be prompted for.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write a key to, or standard output if not specified.
+If any encryption options are set then a pass phrase will be
+prompted for.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Cm -des|-des3|-idea
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers, respectively, before outputting it.
+A pass phrase is prompted for.
+If none of these options is specified, the key is written in plain text.
+This means that using the
+.Nm dsa
+utility to read in an encrypted key with no encryption option can be used to
+remove the pass phrase from a key,
+or by setting the encryption options it can be use to add or change
+the pass phrase.
+These options can only be used with
+.Ar PEM
+format output files.
+.It Fl text
+Prints out the public, private key components and parameters.
+.It Fl noout
+This option prevents output of the encoded version of the key.
+.It Fl modulus
+This option prints out the value of the public key component of the key.
+.It Fl pubin
+By default a private key is read from the input file.
+With this option a public key is read instead.
+.It Fl pubout
+By default a private key is output.
+With this option a public key will be output instead.
+This option is automatically set if the input is a public key.
+.Sh DSA NOTES
+The
+.Ar PEM
+private key format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN DSA PRIVATE KEY-----
+\& -----END DSA PRIVATE KEY-----
+.Ed
+.Pp
+The
+.Ar PEM
+public key format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN PUBLIC KEY-----
+\& -----END PUBLIC KEY-----
+.Ed
+.Sh DSA EXAMPLES
+To remove the pass phrase on a DSA private key:
+.Pp
+\& $ openssl dsa -in key.pem -out keyout.pem
+.Pp
+To encrypt a private key using triple DES:
+.Pp
+\& $ openssl dsa -in key.pem -des3 -out keyout.pem
+.Pp
+To convert a private key from PEM to DER format: 
+.Pp
+\& $ openssl dsa -in key.pem -outform DER -out keyout.der
+.Pp
+To print out the components of a private key to standard output:
+.Pp
+\& $ openssl dsa -in key.pem -text -noout
+.Pp
+To just output the public part of a private key:
+.Pp
+\& $ openssl dsa -in key.pem -pubout -out pubkey.pem
+.\"
+.\" DSAPARAM
+.\"
+.Sh DSAPARAM
+.Nm openssl dsaparam
+.Op Fl inform Ar DER|PEM
+.Op Fl outform Ar DER|PEM
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl noout
+.Op Fl text
+.Op Fl C
+.Op Fl rand Ar file ...
+.Op Fl genkey
+.Op Ar numbits
+.Pp
+The
+.Nm dsaparam
+command is used to manipulate or generate \s-1DSA\s0 parameter files.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+The
+.Ar DER
+argument uses an ASN1 DER encoded form compatible with RFC2459 (PKIX)
+DSS-Parms that is a SEQUENCE consisting of p, q and g, respectively.
+The
+.Ar PEM
+form is the default format:
+it consists of the DER format base64 encoded with additional header
+and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format; the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read parameters from, or standard input if this option is not specified.
+If the
+.Ar numbits
+parameter is included then this option will be ignored.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write parameters to.
+Standard output is used if this option is not present.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl noout
+This option inhibits the output of the encoded version of the parameters.
+.It Fl text
+This option prints out the DSA parameters in human readable form.
+.It Fl C
+This option converts the parameters into C code.
+The parameters can then be loaded by calling the
+.Cm get_dsa Ns Ar XXX Ns Li ()
+function.
+.It Fl genkey
+This option will generate a DSA either using the specified or generated
+parameters.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number
+generator, or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified, separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Ar numbits
+This option specifies that a parameter set should be generated of size
+.Ar numbits .
+It must be the last option.
+If this option is included, then the input file (if any) is ignored.
+.El
+.Sh DSAPARAM NOTES
+.Ar PEM
+format DSA parameters use the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN DSA PARAMETERS-----
+\& -----END DSA PARAMETERS-----
+.Ed
+.Pp
+DSA parameter generation is a slow process and as a result the same set of
+DSA parameters is often used to generate several distinct keys.
+.\"
+.\" ENC
+.\"
+.Sh ENC
+.Nm openssl enc
+.Fl ciphername
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl pass Ar arg
+.Op Fl e
+.Op Fl d
+.Op Fl a
+.Op Fl A
+.Op Fl k Ar password
+.Op Fl kfile Ar filename
+.Op Fl K Ar key
+.Op Fl iv Ar IV
+.Op Fl p
+.Op Fl P
+.Op Fl bufsize Ar number
+.Op Fl nopad
+.Op Fl debug
+.Pp
+The symmetric cipher commands allow data to be encrypted or decrypted
+using various block and stream ciphers using keys based on passwords
+or explicitly provided. Base64 encoding or decoding can also be performed
+either by itself or in addition to the encryption or decryption.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl in Ar filename
+The input
+.Ar filename ,
+standard input by default.
+.It Fl out Ar filename
+The output
+.Ar filename ,
+standard output by default.
+.It Fl pass Ar arg
+The password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl salt
+Use a
+.Ar salt
+in the key derivation routines.
+This option should
+.Em ALWAYS
+be used unless compatibility with previous versions of
+.Nm OpenSSL
+or
+.Nm SSLeay
+is required.
+This option is only present on
+.Nm OpenSSL
+versions 0.9.5 or above.
+.It Fl nosalt
+Don't use a
+.Ar salt
+in the key derivation routines.
+This is the default for compatibility with previous versions of
+.Nm OpenSSL
+and
+.Nm SSLeay .
+.It Fl e
+Encrypt the input data: this is the default.
+.It Fl d
+Decrypt the input data.
+.It Fl a
+Base64 process the data.
+This means that if encryption is taking place, the data is base64 encoded
+after encryption.
+If decryption is set, then the input data is base64 decoded before
+being decrypted.
+.It Fl A
+If the
+.Fl a
+option is set, then base64 process the data on one line.
+.It Fl k Ar password
+The
+.Ar password
+to derive the key from.
+This is for compatibility with previous versions of
+.Nm OpenSSL .
+Superseded by the
+.Fl pass
+option.
+.It Fl kfile Ar filename
+Read the password to derive the key from the first line of
+.Ar filename .
+This is for compatibility with previous versions of
+.Nm OpenSSL .
+Superseded by the
+.Fl pass
+option.
+.It Fl S Ar salt
+The actual
+.Ar salt
+to use:
+this must be represented as a string comprised only of hex digits.
+.It Fl K Ar key
+The actual
+.Ar key
+to use:
+this must be represented as a string comprised only of hex digits.
+If only the key is specified, the
+.Ar IV
+must additionally specified using the
+.Fl iv
+option.
+When both a
+.Ar key
+and a
+.Ar password
+are specified, the
+.Ar key
+given with the
+.Fl K
+option will be used and the
+.Ar IV
+generated from the password will be taken.
+It probably does not make much sense to specify both
+.Ar key
+and
+.Ar password .
+.It Fl iv Ar IV
+The actual
+.Ar IV
+to use:
+this must be represented as a string comprised only of hex digits.
+When only the
+.Ar key
+is specified using the
+.Fl K
+option, the
+.Ar IV
+must explicitly be defined.
+When a password is being specified using one of the other options,
+the
+.Ar IV
+is generated from this password.
+.It Fl p
+Print out the key and
+.Ar IV
+used.
+.It Fl P
+Print out the
+.Ar key
+and
+.Ar IV
+used then immediately exit:
+don't do any encryption or decryption.
+.It Fl bufsize Ar number
+Set the buffer size for I/O.
+.It Fl nopad
+Disable standard block padding.
+.It Fl debug
+Debug the BIOs used for I/O.
+.El
+.Sh ENC NOTES
+The program can be called either as
+.Nm openssl ciphername
+or
+.Nm openssl enc -ciphername .
+.Pp
+A password will be prompted for to derive the
+.Ar key
+and
+.Ar IV
+if necessary.
+.Pp
+The
+.Fl salt
+option should
+.Em ALWAYS
+be used if the key is being derived from a password unless compatibility
+with previous versions of
+.Nm OpenSSL
+and
+.Nm SSLeay
+is necessary.
+.Pp
+Without the
+.Fl salt
+option it is possible to perform efficient dictionary
+attacks on the password and to attack stream cipher encrypted data.
+The reason for this is that without the
+.Ar salt
+the same password always generates the same encryption key.
+When the
+.Ar salt
+is being used the first eight bytes of the encrypted data are reserved
+for the
+.Ar salt :
+it is generated at random when encrypting a file and read from the
+encrypted file when it is decrypted.
+.Pp
+Some of the ciphers do not have large keys and others have security
+implications if not used correctly.
+A beginner is advised to just use a strong block cipher in CBC mode
+such as bf or des3.
+.Pp
+All the block ciphers normally use PKCS#5 padding also known as standard block
+padding:
+this allows a rudimentary integrity or password check to be performed.
+However, since the chance of random data passing the test is
+better than 1 in 256, it isn't a very good test.
+.Pp
+If padding is disabled then the input data must be a multiple of the cipher
+block length.
+.Pp
+All RC2 ciphers have the same key and effective key length.
+.Pp
+Blowfish and RC5 algorithms use a 128 bit key.
+.Sh ENC SUPPORTED CIPHERS
+.Bd -literal
+\& base64             Base 64
+.Ed
+.Pp
+.Bd -literal
+\& bf-cbc             Blowfish in CBC mode
+\& bf                 Alias for bf-cbc
+\& bf-cfb             Blowfish in CFB mode
+\& bf-ecb             Blowfish in ECB mode
+\& bf-ofb             Blowfish in OFB mode
+.Ed
+.Pp
+.Bd -literal
+\& cast-cbc           CAST in CBC mode
+\& cast               Alias for cast-cbc
+\& cast5-cbc          CAST5 in CBC mode
+\& cast5-cfb          CAST5 in CFB mode
+\& cast5-ecb          CAST5 in ECB mode
+\& cast5-ofb          CAST5 in OFB mode
+.Ed
+.Pp
+.Bd -literal
+\& des-cbc            DES in CBC mode
+\& des                Alias for des-cbc
+\& des-cfb            DES in CBC mode
+\& des-ofb            DES in OFB mode
+\& des-ecb            DES in ECB mode
+.Ed
+.Pp
+.Bd -literal
+\& des-ede-cbc        Two key triple DES EDE in CBC mode
+\& des-ede            Alias for des-ede
+\& des-ede-cfb        Two key triple DES EDE in CFB mode
+\& des-ede-ofb        Two key triple DES EDE in OFB mode
+.Ed
+.Pp
+.Bd -literal
+\& des-ede3-cbc       Three key triple DES EDE in CBC mode
+\& des-ede3           Alias for des-ede3-cbc
+\& des3               Alias for des-ede3-cbc
+\& des-ede3-cfb       Three key triple DES EDE CFB mode
+\& des-ede3-ofb       Three key triple DES EDE in OFB mode
+.Ed
+.Pp
+.Bd -literal
+\& desx               DESX algorithm.
+.Ed
+.Pp
+.Bd -literal
+\& idea-cbc           IDEA algorithm in CBC mode
+\& idea               same as idea-cbc
+\& idea-cfb           IDEA in CFB mode
+\& idea-ecb           IDEA in ECB mode
+\& idea-ofb           IDEA in OFB mode
+.Ed
+.Pp
+.Bd -literal
+\& rc2-cbc            128 bit RC2 in CBC mode
+\& rc2                Alias for rc2-cbc
+\& rc2-cfb            128 bit RC2 in CBC mode
+\& rc2-ecb            128 bit RC2 in CBC mode
+\& rc2-ofb            128 bit RC2 in CBC mode
+\& rc2-64-cbc         64 bit RC2 in CBC mode
+\& rc2-40-cbc         40 bit RC2 in CBC mode
+.Ed
+.Pp
+.Bd -literal
+\& rc4                128 bit RC4
+\& rc4-64             64 bit RC4
+\& rc4-40             40 bit RC4
+.Ed
+.Pp
+.Bd -literal
+\& rc5-cbc            RC5 cipher in CBC mode
+\& rc5                Alias for rc5-cbc
+\& rc5-cfb            RC5 cipher in CBC mode
+\& rc5-ecb            RC5 cipher in CBC mode
+\& rc5-ofb            RC5 cipher in CBC mode
+.Ed
+.Sh ENC EXAMPLES
+Just base64 encode a binary file:
+.Pp
+\& $ openssl base64 -in file.bin -out file.b64
+.Pp
+Decode the same file:
+.Pp
+\& $ openssl base64 -d -in file.b64 -out file.bin
+.Pp
+Encrypt a file using triple DES in CBC mode using a prompted password:
+.Pp
+\& $ openssl des3 -salt -in file.txt -out file.des3
+.Pp
+Decrypt a file using a supplied password:
+.Pp
+\& $ openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
+.Pp
+Encrypt a file then base64 encode it (so it can be sent via mail for example)
+using Blowfish in CBC mode:
+.Pp
+\& $ openssl bf -a -salt -in file.txt -out file.bf
+.Pp
+Base64 decode a file then decrypt it:
+.Pp
+\& $ openssl bf -d -salt -a -in file.bf -out file.txt
+.Pp
+Decrypt some data using a supplied 40 bit RC4 key:
+.Pp
+\& $ openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
+.Sh ENC BUGS
+The
+.Fl A
+option when used with large files doesn't work properly.
+.Pp
+There should be an option to allow an iteration count to be included.
+.Pp
+The
+.Nm enc
+program only supports a fixed number of algorithms with certain parameters.
+Therefore it is not possible to use RC2 with a 76-bit key
+or RC4 with an 84-bit key with this program.
+.\"
+.\" ERRSTR
+.\"
+.Sh ERRSTR
+The
+.Nm errstr
+utility is undocumented.
+.\"
+.\" GENDH
+.\"
+.Sh GENDH
+Generation of Diffie-Hellman Parameters. Replaced by
+.Nm dhparam.
+See
+.Sx DHPARAM
+above.
+.\"
+.\" GENDSA
+.\"
+.Sh GENDSA
+.Nm openssl gendsa
+.Op Fl out Ar filename
+.Op Fl des
+.Op Fl des3
+.Op Fl idea
+.Op Fl rand Ar file ...
+.Op Ar paramfile
+.Pp
+The
+.Nm gendsa
+command generates a DSA private key from a DSA parameter file
+(which will be typically generated by the
+.Nm openssl dsaparam
+command).
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Cm -des|-des3|-idea
+These options encrypt the private key with the DES, triple DES,
+or the IDEA ciphers, respectively, before outputting it.
+A pass phrase is prompted for.
+If none of these options is specified, no encryption is used.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number
+generator, or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Ar paramfile
+This option specifies the DSA parameter file to use.
+The parameters in this file determine the size of the private key.
+DSA parameters can be generated and examined using the
+.Nm openssl dsaparam
+command.
+.Sh GENDSA NOTES
+DSA key generation is little more than random number generation so it is
+much quicker that RSA key generation for example.
+.\"
+.\" GENRSA
+.\"
+.Sh GENRSA
+.Nm openssl genrsa
+.Op Fl out Ar filename
+.Op Fl passout Ar arg
+.Op Fl des
+.Op Fl des3
+.Op Fl idea
+.Op Fl f4
+.Op Fl 3
+.Op Fl rand Ar file ...
+.Op Ar numbits
+.Pp
+The
+.Nm genrsa
+command generates an RSA private key.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl out Ar filename
+The output
+.Ar filename .
+If this argument is not specified then standard output is used.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Cm -des|-des3|-idea
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers, respectively, before outputting it.
+If none of these options is specified, no encryption is used.
+If encryption is used a pass phrase is prompted for,
+if it is not supplied via the
+.Fl passout
+option.
+.It Cm -F4|-3
+The public exponent to use, either 65537 or 3.
+The default is 65537.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number
+generator, or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Ar numbits
+The size of the private key to generate in bits.
+This must be the last option specified.
+The default is 512.
+.Sh GENRSA NOTES
+RSA private key generation essentially involves the generation of two prime
+numbers.
+When generating a private key, various symbols will be output to
+indicate the progress of the generation.
+A
+.Em \&.
+represents each number which has passed an initial sieve test,
+.Em \&+
+means a number has passed a single round of the Miller-Rabin primality test.
+A newline means that the number has passed all the prime tests
+(the actual number depends on the key size).
+.Pp
+Because key generation is a random process the time taken to generate a key
+may vary somewhat.
+.Sh GENRSA BUGS
+A quirk of the prime generation algorithm is that it cannot generate small
+primes.
+Therefore the number of bits should not be less that 64.
+For typical private keys this will not matter because for security reasons
+they will be much larger (typically 1024 bits).
+.\"
+.\" NSEQ
+.\"
+.Sh NSEQ
+.Nm openssl nseq
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl toseq
+.Pp
+The
+.Nm nseq
+command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read or standard input if this option is not specified.
+.It Fl out Ar filename
+Specifies the output
+.Ar filename
+or standard output by default.
+.It Fl toseq
+Normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it.
+With the
+.Fl toseq
+option the situation is reversed:
+a Netscape certificate sequence is created from a file of certificates.
+.El
+.Sh NSEQ EXAMPLES
+Output the certificates in a Netscape certificate sequence:
+.Bd -literal
+\& $ openssl nseq -in nseq.pem -out certs.pem
+.Ed
+.Pp
+Create a Netscape certificate sequence:
+.Pp
+.Bd -literal
+\& $ openssl nseq -in certs.pem -toseq -out nseq.pem
+.Ed
+.Sh NSEQ NOTES
+The
+.Em PEM
+encoded form uses the same headers and footers as a certificate:
+.Pp
+.Bd -literal
+\& -----BEGIN CERTIFICATE-----
+\& -----END CERTIFICATE-----
+.Ed
+.Pp
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser:
+for example during certificate enrollment.
+It is used by Netscape certificate server for example.
+.Sh NSEQ BUGS
+This program needs a few more options:
+like allowing
+.Em DER
+or
+.Em PEM
+input and output files and allowing multiple certificate files to be used.
+.\"
+.\" OCSP
+.\"
+.Sh OCSP
+.Nm openssl ocsp
+.Bk -words
+.Op Fl out Ar file
+.Op Fl issuer Ar file
+.Op Fl cert Ar file
+.Op Fl serial Ar n
+.Op Fl req_text
+.Op Fl resp_text
+.Op Fl text
+.Op Fl reqout Ar file
+.Op Fl respout Ar file
+.Op Fl reqin Ar file
+.Op Fl respin Ar file
+.Op Fl nonce
+.Op Fl no_nonce
+.Op Fl url Ar responder_url
+.Op Fl host Ar host:n
+.Op Fl path
+.Op Fl CApath Ar file
+.Op Fl CAfile Ar file
+.Op Fl VAfile Ar file
+.Op Fl verify_certs Ar file
+.Op Fl noverify
+.Op Fl trust_other
+.Op Fl no_intern
+.Op Fl no_sig_verify
+.Op Fl no_cert_verify
+.Op Fl no_chain
+.Op Fl no_cert_checks
+.Op Fl validity_period Ar nsec
+.Op Fl status_age Ar nsec
+.Ek
+.br
+.Pp
+.Sy WARNING:
+this documentation is preliminary and subject to change.
+.Pp
+The Online Certificate Status Protocol (OCSP) enables applications to
+determine the (revocation) state of an identified certificate (RFC 2560).
+.Pp
+The
+.Nm ocsp
+command performs many common OCSP tasks.
+It can be used to print out requests and responses,
+create requests and send queries to an OCSP responder and behave like
+a mini OCSP server itself.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl out Ar filename
+Specify output
+.Ar filename ,
+default is standard output.
+.It Fl issuer Ar filename
+This specifies the current issuer certificate.
+This option can be used multiple times.
+The certificate specified in
+.Ar filename
+must be in
+.Ar PEM
+format.
+.It Fl cert Ar filename
+Add the certificate
+.Ar filename
+to the request.
+The issuer certificate is taken from the previous
+.Fl issuer
+option, or an error occurs if no issuer certificate is specified.
+.It Fl serial Ar num
+Same as the
+.Fl cert
+option except the certificate with serial number
+.Ar num
+is added to the request.
+The serial number is interpreted as a decimal integer unless preceded by
+.Em 0x .
+Negative integers can also be specified by preceding the value by a `-' sign.
+.It Fl signer Ar filename , Fl signkey Ar filename
+Sign the OCSP request using the certificate specified in the
+.Fl signer
+option and the private key specified by the
+.Fl signkey
+option.
+If the
+.Fl signkey
+option is not present then the private key is read from the same file
+as the certificate.
+If neither option is specified then the OCSP request is not signed.
+.It Fl nonce , no_nonce
+Add an OCSP
+.Em nonce
+extension to a request or disable an OCSP
+.Em nonce
+addition.
+Normally, if an OCSP request is input using the
+.Fl respin
+option no
+.Em nonce
+is added:
+using the
+.Fl nonce
+option will force addition of a
+.Em nonce .
+If an OCSP request is being created (using the
+.Fl cert
+and
+.Fl serial
+options)
+a
+.Em nonce
+is automatically added; specifying
+.Fl no_nonce
+overrides this.
+.It Fl req_text , resp_text , text
+Print out the text form of the OCSP request, response or both, respectively.
+.It Fl reqout Ar file , Fl respout Ar file
+Write out the DER encoded certificate request or response to
+.Ar file .
+.It Fl reqin Ar file , Fl respin Ar file
+Read an OCSP request or response file from
+.Ar file .
+These option are ignored
+if an OCSP request or response creation is implied by other options
+(for example with the
+.Fl serial , cert
+and
+.Fl host
+options).
+.It Fl url Ar responder_url
+Specify the responder URL.
+Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+.It Fl host Ar hostname:port , Fl path Ar pathname
+If the
+.Fl host
+option is present, then the OCSP request is sent to the host
+.Ar hostname
+on port
+.Ar port .
+.Fl path
+specifies the HTTP path name to use, or "/" by default.
+.It Fl CAfile Ar file , Fl CApath Ar pathname
+.Ar file
+or
+.Ar pathname
+containing trusted CA certificates.
+These are used to verify the signature on the OCSP response.
+.It Fl verify_certs Ar file
+.Ar file
+containing additional certificates to search when attempting to locate
+the OCSP response signing certificate.
+Some responders omit the actual signer's certificate from the response:
+this option can be used to supply the necessary certificate in such cases.
+.It Fl trust_other
+The certificates specified by the
+.Fl verify_certs
+option should be explicitly trusted and no additional checks will be
+performed on them.
+This is useful when the complete responder certificate chain is not available
+or trusting a root CA is not appropriate.
+.It Fl VAfile Ar file
+.Ar file
+containing explicitly trusted responder certificates.
+Equivalent to the
+.Fl verify_certs
+and
+.Fl trust_other
+options.
+.It Fl noverify
+Don't attempt to verify the OCSP response signature or the
+.Em nonce
+values.
+This option will normally only be used for debugging
+since it disables all verification of the responders certificate.
+.It Fl no_intern
+Ignore certificates contained in the OCSP response
+when searching for the signer's certificate.
+With this option the signer's certificate must be specified with either the
+.Fl verify_certs
+or
+.Fl VAfile
+options.
+.It Fl no_sig_verify
+Don't check the signature on the OCSP response.
+Since this option tolerates invalid signatures on OCSP responses,
+it will normally only be used for testing purposes.
+.It Fl no_cert_verify
+Don't verify the OCSP response signers certificate at all.
+Since this option allows the OCSP response to be signed by any certificate,
+it should only be used for testing purposes.
+.It Fl no_chain
+Do not use certificates in the response as additional untrusted CA
+certificates.
+.It Fl no_cert_checks
+Don't perform any additional checks on the OCSP response signers certificate.
+That is, do not make any checks to see if the signers certificate is authorised
+to provide the necessary status information:
+as a result this option should only be used for testing purposes.
+.It Fl validity_period Ar nsec , Fl status_age Ar age
+These options specify the range of times, in seconds, which will be tolerated
+in an OCSP response.
+Each certificate status response includes a
+.Em notBefore
+time and an optional
+.Em notAfter
+time.
+The current time should fall between these two values,
+but the interval between the two times may be only a few seconds.
+In practice the OCSP responder and clients' clocks may not be precisely
+synchronised and so such a check may fail.
+To avoid this the
+.Fl validity_period
+option can be used to specify an acceptable error range in seconds,
+the default value is 5 minutes.
+.Pp
+If the
+.Em notAfter
+time is omitted from a response then this means that new status
+information is immediately available.
+In this case the age of the
+.Em notBefore
+field is checked to see it is not older than
+.Ar age
+seconds old.
+By default this additional check is not performed.
+.El
+.Sh OCSP SERVER OPTIONS
+.Pp
+.Bl -tag -with DS
+.It Fl index Ar indexfile
+.Ar indexfile
+is a text index file in
+.Nm ca
+format containing certificate revocation information.
+.Pp
+If the
+.Fl index
+option is specified, the
+.Nm ocsp
+utility is in
+.Em responder
+mode, otherwise it is in
+.Em client
+mode.
+The request(s) the responder processes can be either specified on
+the command line (using the
+.Fl issuer
+and
+.Fl serial
+options), supplied in a file (using the
+.Fl respin
+option) or via external OCSP clients (if
+.Ar port
+or
+.Ar url
+is specified).
+.Pp
+If the
+.Fl index
+option is present, then the
+.Fl CA
+and
+.Fl rsigner
+options must also be present.
+.It Fl CA Ar file
+CA certificate corresponding to the revocation information in
+.Ar indexfile .
+.It Fl rsigner Ar file
+The certificate to sign OCSP responses with.
+.It Fl rother Ar file
+Additional certificates to include in the OCSP response.
+.It Fl resp_no_certs
+Don't include any certificates in the OCSP response.
+.It Fl resp_key_id
+Identify the signer certificate using the key ID,
+default is to use the subject name.
+.It Fl rkey Ar file
+The private key to sign OCSP responses with;
+if not present the file specified in the
+.Fl rsigner
+option is used.
+.It Fl port Ar portnum
+Port to listen for OCSP requests on.
+The port may also be specified using the
+.Fl url
+option.
+.It Fl nrequest Ar number
+The OCSP server will exit after receiving
+.Ar number
+requests, default unlimited. 
+.It Fl nmin Ar minutes , Fl ndays Ar days
+Number of
+.Ar minutes
+or
+.Ar days
+when fresh revocation information is available: used in the
+.Ar nextUpdate
+field.
+If neither option is present then the
+.Em nextUpdate
+field is omitted meaning fresh revocation information is immediately available.
+.El
+.Sh OCSP RESPONSE VERIFICATION
+OCSP Response follows the rules specified in RFC2560.
+.Pp
+Initially the OCSP responder certificate is located and the signature on
+the OCSP request checked using the responder certificate's public key.
+.Pp
+Then a normal certificate verify is performed on the OCSP responder certificate
+building up a certificate chain in the process.
+The locations of the trusted certificates used to build the chain can be
+specified by the
+.Fl CAfile
+and
+.Fl CApath
+options or they will be looked for in the standard
+.Nm OpenSSL
+certificates
+directory.
+.Pp
+If the initial verify fails then the OCSP verify process halts with an
+error.
+.Pp
+Otherwise the issuing CA certificate in the request is compared to the OCSP
+responder certificate: if there is a match then the OCSP verify succeeds.
+.Pp
+Otherwise the OCSP responder certificate's CA is checked against the issuing
+CA certificate in the request.
+If there is a match and the OCSPSigning extended key usage is present
+in the OCSP responder certificate, then the OCSP verify succeeds.
+.Pp
+Otherwise the root CA of the OCSP responders CA is checked to see if it
+is trusted for OCSP signing.
+If it is, the OCSP verify succeeds.
+.Pp
+If none of these checks is successful then the OCSP verify fails.
+.Pp
+What this effectively means is that if the OCSP responder certificate is
+authorised directly by the CA it is issuing revocation information about
+(and it is correctly configured) then verification will succeed.
+.Pp
+If the OCSP responder is a
+.Em global responder
+which can give details about multiple CAs and has its own separate
+certificate chain, then its root CA can be trusted for OCSP signing.
+For example:
+.Pp
+.Bd -literal
+\& $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
+.Ed
+.Pp
+Alternatively the responder certificate itself can be explicitly trusted
+with the
+.Fl VAfile
+option.
+.Sh OCSP NOTES
+As noted, most of the verify options are for testing or debugging purposes.
+Normally only the
+.Fl CApath , CAfile
+and (if the responder is a 'global VA')
+.Fl VAfile
+options need to be used.
+.Pp
+The OCSP server is only useful for test and demonstration purposes:
+it is not really usable as a full OCSP responder.
+It contains only a very simple HTTP request handling and can only handle
+the POST form of OCSP queries.
+It also handles requests serially, meaning it cannot respond to
+new requests until it has processed the current one.
+The text index file format of revocation is also inefficient for large
+quantities of revocation data.
+.Pp
+It is possible to run the
+.Nm ocsp
+application in
+.Em responder
+mode via a CGI script using the
+.Fl respin
+and
+.Fl respout
+options.
+.Sh OCSP EXAMPLES
+Create an OCSP request and write it to a file:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout \e
+        req.der
+.Ed
+.Pp
+Send a query to an OCSP responder with URL
+.Pa http://ocsp.myhost.com/ ,
+save the response to a file and print it out in text form:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
+\&       -url http://ocsp.myhost.com/ -resp_text -respout resp.der
+.Ed
+.Pp
+Read in an OCSP response and print out text form:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -respin resp.der -text
+.Ed
+.Pp
+OCSP server on port 8888 using a standard
+.Nm ca
+configuration, and a separate responder certificate.
+All requests and responses are printed to a file:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \e
+        -CA demoCA/cacert.pem -text -out log.txt
+.Ed
+.Pp
+As above, but exit after processing one request:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \e
+        -CA demoCA/cacert.pem -nrequest 1
+.Ed
+.Pp
+Query status information using internally generated request:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e
+        demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1
+.Ed
+.Pp
+Query status information using request read from a file, write response to a
+second file:
+.Pp
+.Bd -literal
+\& $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e
+        demoCA/cacert.pem -reqin req.der -respout resp.der
+.Ed
+.\"
+.\" PASSWD
+.\"
+.Sh PASSWD
+.Nm openssl passwd
+.Op Fl crypt
+.Op Fl 1
+.Op Fl apr1
+.Op Fl salt Ar string
+.Op Fl in Ar file
+.Op Fl stdin
+.Op Fl noverify
+.Op Fl quiet
+.Op Fl table
+.Op Ar password
+.Pp
+The
+.Nm passwd
+command computes the hash of a password typed at run-time
+or the hash of each password in a list.
+The password list is taken from the named
+.Ar file
+for option
+.Fl in ,
+from stdin for option
+.Fl stdin,
+or from the command line, or from the terminal otherwise.
+The Unix standard algorithm
+.Em crypt
+and the MD5-based BSD password algorithm
+.Em 1
+and its Apache variant
+.Em apr1
+are available.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl crypt
+Use the
+.Em crypt
+algorithm (default).
+.It Fl 1
+Use the MD5 based BSD password algorithm
+.Em 1 .
+.It Fl apr1
+Use the
+.Em apr1
+algorithm (Apache variant of the BSD algorithm).
+.It Fl salt Ar string
+Use the specified
+.Ar salt .
+When reading a password from the terminal, this implies
+.Fl noverify .
+.It Fl in Ar file
+Read passwords from
+.Ar file .
+.It Fl stdin
+Read passwords from
+.Em stdin .
+.It Fl noverify
+Don't verify when reading a password from the terminal.
+.It Fl quiet
+Don't output warnings when passwords given at the command line are truncated.
+.It Fl table
+In the output list, prepend the cleartext password and a TAB character
+to each password hash.
+.El
+.Sh PASSWD EXAMPLES
+.Pp
+.Bl -tag -width Ds
+.It $ openssl passwd -crypt -salt xx password
+prints
+.Em xxj31ZMTZzkVA .
+.It $ openssl passwd -1 -salt xxxxxxxx password
+prints
+.Em $1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1 .
+.It $ openssl passwd -apr1 -salt xxxxxxxx password
+prints
+.Em $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 .
+.\"
+.\" PKCS7
+.\"
+.Sh PKCS7
+.Nm openssl pkcs7
+.Bk -words
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl print_certs
+.Op Fl text
+.Op Fl noout
+.Ek
+.br
+.Pp
+The
+.Nm pkcs7
+command processes PKCS#7 files in
+.Em DER
+or
+.Em PEM
+format.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+.Ar DER
+format is DER encoded PKCS#7 v1.5 structure.
+.Ar PEM
+(the default) is a base64 encoded version of the DER form with header
+and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read from or standard input if this option is not specified.
+.It Fl out Ar filename
+Specifies the output
+.Ar filename
+to write to or standard output by default.
+.It Fl print_certs
+Prints out any certificates or CRLs contained in the file.
+They are preceded by their subject and issuer names in one line format.
+.It Fl text
+Prints out certificate details in full rather than just subject and
+issuer names.
+.It Fl noout
+Don't output the encoded version of the PKCS#7 structure
+(or certificates if
+.Fl print_certs
+is set).
+.Sh PKCS7 EXAMPLES
+Convert a PKCS#7 file from
+.Em PEM
+to
+.Em DER :
+.Pp
+\& $ openssl pkcs7 -in file.pem -outform DER -out file.der
+.Pp
+Output all certificates in a file:
+.Pp
+\& $ openssl pkcs7 -in file.pem -print_certs -out certs.pem
+.Sh PKCS7 NOTES
+The
+.Em PEM
+PKCS#7 format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN PKCS7-----
+\& -----END PKCS7-----
+.Ed
+.Pp
+For compatibility with some CAs it will also accept:
+.Pp
+.Bd -literal
+\& -----BEGIN CERTIFICATE-----
+\& -----END CERTIFICATE-----
+.Ed
+.Sh PKCS7 RESTRICTIONS
+There is no option to print out all the fields of a PKCS#7 file.
+.Pp
+The PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315.
+They cannot currently parse, for example, the new CMS as described in RFC2630.
+.\"
+.\" PKCS8
+.\"
+.Sh PKCS8
+.Nm openssl pkcs8
+.Bk -words
+.Op Fl topk8
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl passin Ar arg
+.Op Fl out Ar filename
+.Op Fl passout Ar arg
+.Op Fl noiter
+.Op Fl nocrypt
+.Op Fl nooct
+.Op Fl embed
+.Op Fl nsdb
+.Op Fl v2 Ar alg
+.Op Fl v1 Ar alg
+.Ek
+.Pp
+The
+.Nm pkcs8
+command processes private keys in PKCS#8 format.
+It can handle both unencrypted PKCS#8 PrivateKeyInfo format
+and EncryptedPrivateKeyInfo format with a variety of PKCS#5
+(v1.5 and v2.0) and PKCS#12 algorithms.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl topk8
+Normally a PKCS#8 private key is expected on input and a traditional format
+private key will be written.
+With the
+.Fl topk8
+option the situation is reversed:
+it reads a traditional format private key and writes a PKCS#8 format key.
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+If a PKCS#8 format key is expected on input,
+then either a
+.Em DER
+or
+.Em PEM
+encoded version of a PKCS#8 key will be expected.
+Otherwise the
+.Em DER
+or
+.Em PEM
+format of the traditional format private key is used.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a key from or standard input if this option is not specified.
+If the key is encrypted a pass phrase will be prompted for.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write a key to or standard output by default.
+If any encryption options are set then a pass phrase will be prompted for.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl nocrypt
+PKCS#8 keys generated or input are normally PKCS#8
+.Em EncryptedPrivateKeyInfo
+structures using an appropriate password based encryption algorithm.
+With this option an unencrypted
+.Em PrivateKeyInfo
+structure is expected or output.
+This option does not encrypt private keys at all and should only be used
+when absolutely necessary.
+Certain software such as some versions of Java code signing software used
+unencrypted private keys.
+.It Fl nooct
+This option generates RSA private keys in a broken format that some software
+uses.
+Specifically the private key should be enclosed in a OCTET STRING,
+but some software just includes the structure itself without the
+surrounding OCTET STRING.
+.It Fl embed
+This option generates DSA keys in a broken format.
+The DSA parameters are embedded inside the
+.Em PrivateKey
+structure.
+In this form the OCTET STRING contains an ASN1 SEQUENCE consisting of
+two structures:
+a SEQUENCE containing the parameters and an ASN1 INTEGER containing
+the private key.
+.It Fl nsdb
+This option generates DSA keys in a broken format compatible with Netscape
+private key databases.
+The
+.Em PrivateKey
+contains a SEQUENCE consisting of the public and private keys, respectively.
+.It Fl v2 Ar alg
+This option enables the use of PKCS#5 v2.0 algorithms.
+Normally PKCS#8 private keys are encrypted with the password based
+encryption algorithm called
+.Em pbeWithMD5AndDES-CBC ;
+this uses 56 bit DES encryption but it was the strongest encryption
+algorithm supported in PKCS#5 v1.5.
+Using the
+.Fl v2
+option PKCS#5 v2.0 algorithms are used which can use any
+encryption algorithm such as 168 bit triple DES or 128 bit RC2, however
+not many implementations support PKCS#5 v2.0 yet.
+If using private keys with
+.Nm OpenSSL
+then this doesn't matter.
+.Pp
+The
+.Ar alg
+argument is the encryption algorithm to use, valid values include
+.Ar des , des3
+and
+.Ar rc2 .
+It is recommended that
+.Ar des3
+is used.
+.It Fl v1 Ar alg
+This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use.
+A complete list of possible algorithms is included below.
+.Sh PKCS8 NOTES
+The encrypted form of a
+.Em PEM
+encoded PKCS#8 file uses the following
+headers and footers:
+.Pp
+.Bd -literal
+\& -----BEGIN ENCRYPTED PRIVATE KEY-----
+\& -----END ENCRYPTED PRIVATE KEY-----
+.Ed
+.Pp
+The unencrypted form uses:
+.Pp
+.Bd -literal
+\& -----BEGIN PRIVATE KEY-----
+\& -----END PRIVATE KEY-----
+.Ed
+.Pp
+Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
+counts are more secure that those encrypted using the traditional
+.Nm SSLeay
+compatible formats.
+So if additional security is considered, important the keys should be converted.
+.Pp
+The default encryption is only 56 bits because this is the encryption
+that most current implementations of PKCS#8 will support.
+.Pp
+Some software may use PKCS#12 password based encryption algorithms
+with PKCS#8 format private keys: these are handled automatically
+but there is no option to produce them.
+.Pp
+It is possible to write out
+.Em DER
+encoded encrypted private keys in PKCS#8 format because the encryption
+details are included at an ASN1
+level whereas the traditional format includes them at a
+.Em PEM
+level.
+.Sh PKCS#5 V1.5 AND PKCS#12 ALGORITHMS
+Various algorithms can be used with the
+.Fl v1
+command line option, including PKCS#5 v1.5 and PKCS#12.
+These are described in more detail below.
+.Pp
+.Bd -literal -offset indent
+.It Ar \  \  PBE-MD2-DES PBE-MD5-DES
+.br
+These algorithms were included in the original PKCS#5 v1.5 specification.
+They only offer 56 bits of protection since they both use DES.
+.It Ar \  \  PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES
+.br
+These algorithms are not mentioned in the original PKCS#5 v1.5 specification
+but they use the same key derivation algorithm and are supported by some
+software.
+They are mentioned in PKCS#5 v2.0.
+They use either 64 bit RC2 or 56 bit DES.
+.It Ar \  \  PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40
+.br
+These algorithms use the PKCS#12 password based encryption algorithm and
+allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
+.Ed
+.Sh PKCS8 EXAMPLES
+Convert a private from traditional to PKCS#5 v2.0 format using triple DES:
+.Pp
+\& $ openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
+.Pp
+Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES):
+.Pp
+\& $ openssl pkcs8 -in key.pem -topk8 -out enckey.pem
+.Pp
+Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm (3DES):
+.Pp
+\& $ openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
+.Pp
+Read a DER unencrypted PKCS#8 format private key:
+.Pp
+\& $ openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
+.Pp
+Convert a private key from any PKCS#8 format to traditional format:
+.Pp
+\& $ openssl pkcs8 -in pk8.pem -out key.pem
+.Sh PKCS8 STANDARDS
+Test vectors from this PKCS#5 v2.0 implementation were posted to the
+pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
+counts, several people confirmed that they could decrypt the private
+keys produced and therefore it can be assumed that the PKCS#5 v2.0
+implementation is reasonably accurate at least as far as these
+algorithms are concerned.
+.Pp
+The format of PKCS#8 DSA (and other) private keys is not well documented:
+it is hidden away in PKCS#11 v2.01, section 11.9.;
+.Nm OpenSSL Ns Li 's
+default DSA PKCS#8 private key format complies with this standard.
+.Sh PKCS8 BUGS
+There should be an option that prints out the encryption algorithm
+in use and other details such as the iteration count.
+.Pp
+PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
+key format; for
+.Nm OpenSSL
+compatibility, several of the utilities use the old format at present.
+.\"
+.\" PKCS12
+.\"
+.Sh PKCS12
+.Nm "openssl pkcs12"
+.Op Fl export
+.Op Fl chain
+.Op Fl inkey Ar filename
+.Op Fl certfile Ar filename
+.Op Fl name Ar name
+.Op Fl caname Ar name
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl noout
+.Op Fl nomacver
+.Op Fl nocerts
+.Op Fl clcerts
+.Op Fl cacerts
+.Op Fl nokeys
+.Op Fl info
+.Op Fl des
+.Op Fl des3
+.Op Fl idea
+.Op Fl nodes
+.Op Fl noiter
+.Op Fl maciter
+.Op Fl twopass
+.Op Fl descert
+.Op Fl certpbe
+.Op Fl keypbe
+.Op Fl keyex
+.Op Fl keysig
+.Op Fl password Ar arg
+.Op Fl passin Ar arg
+.Op Fl passout Ar arg
+.Op Fl rand Ar file ...
+.Pp
+The
+.Nm pkcs12
+command allows PKCS#12 files (sometimes referred to as PFX files)
+to be created and parsed.
+PKCS#12 files are used by several programs including Netscape, MSIE
+and MS Outlook.
+.Pp
+There are a lot of options; the meaning of some depends on whether a
+PKCS#12 file is being created or parsed.
+By default a PKCS#12 file is parsed;
+a PKCS#12 file can be created by using the
+.Fl export
+option (see below).
+.Sh PKCS12 PARSING OPTIONS
+.Bd -ragged -offset indent
+.It Fl in Ar filename
+This specifies the
+.Ar filename
+of the PKCS#12 file to be parsed.
+Standard input is used by default.
+.It Fl out Ar filename
+The
+.Ar filename
+to write certificates and private keys to, standard output by default.
+They are all written in
+.Em PEM
+format.
+.It Fl pass Ar arg , Fl passin Ar arg
+The PKCS#12 file (i.e. input file) password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl passout Ar arg
+Pass phrase source to encrypt any outputed private keys with.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl noout
+This option inhibits output of the keys and certificates to the output file
+version of the PKCS#12 file.
+.It Fl clcerts
+Only output client certificates (not CA certificates).
+.It Fl cacerts
+Only output CA certificates (not client certificates).
+.It Fl nocerts
+No certificates at all will be output.
+.It Fl nokeys
+No private keys will be output.
+.It Fl info
+Output additional information about the PKCS#12 file structure,
+algorithms used and iteration counts.
+.It Fl des
+Use DES to encrypt private keys before outputting.
+.It Fl des3
+Use triple DES to encrypt private keys before outputting, this is the default.
+.It Fl idea
+Use IDEA to encrypt private keys before outputting.
+.It Fl nodes
+Don't encrypt the private keys at all.
+.It Fl nomacver
+Don't attempt to verify the integrity MAC before reading the file.
+.It Fl twopass
+Prompt for separate integrity and encryption passwords: most software
+always assumes these are the same so this option will render such
+PKCS#12 files unreadable.
+.Ed
+.Sh PKCS12 FILE CREATION OPTIONS
+.Bd -ragged -offset indent
+.It Fl export
+This option specifies that a PKCS#12 file will be created rather than
+parsed.
+.It Fl out Ar filename
+This specifies
+.Ar filename
+to write the PKCS#12 file to.
+Standard output is used by default.
+.It Fl in Ar filename
+The
+.Ar filename
+to read certificates and private keys from, standard input by default.
+They must all be in
+.Em PEM
+format.
+The order doesn't matter but one private key and its corresponding
+certificate should be present.
+If additional certificates are present, they will also be included
+in the PKCS#12 file.
+.It Fl inkey Ar filename
+File to read private key from.
+If not present then a private key must be present in the input file.
+.It Fl name Ar friendlyname
+This specifies the "friendly name" for the certificate and private key.
+This name is typically displayed in list boxes by software importing the file.
+.It Fl certfile Ar filename
+A filename to read additional certificates from.
+.It Fl caname Ar friendlyname
+This specifies the "friendly name" for other certificates.
+This option may be used multiple times to specify names for all certificates
+in the order they appear.
+Netscape ignores friendly names on other certificates,
+whereas MSIE displays them.
+.It Fl pass Ar arg , Fl passout Ar arg
+The PKCS#12 file (i.e. output file) password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl passin Ar password
+Pass phrase source to decrypt any input private keys with.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl chain
+If this option is present then an attempt is made to include the entire
+certificate chain of the user certificate.
+The standard CA store is used for this search.
+If the search fails it is considered a fatal error.
+.It Fl descert
+Encrypt the certificate using triple DES; this may render the PKCS#12
+file unreadable by some "export grade" software.
+By default the private key is encrypted using triple DES and the
+certificate using 40 bit RC2.
+.It Fl keypbe Ar alg , Fl certpbe Ar alg
+These options allow the algorithm used to encrypt the private key and
+certificates to be selected.
+Although any PKCS#5 v1.5 or PKCS#12 algorithms can be selected,
+it is advisable only to use PKCS#12 algorithms.
+See the list in the
+.Sx PKCS12 NOTES
+section for more information.
+.It Fl keyex | keysig
+Specifies that the private key is to be used for key exchange or just signing.
+This option is only interpreted by MSIE and similar MS software.
+Normally "export grade" software will only allow 512 bit RSA keys to be
+used for encryption purposes, but arbitrary length keys for signing.
+The
+.Fl keysig
+option marks the key for signing only.
+Signing only keys can be used for S/MIME signing,
+authenticode (ActiveX control signing) and SSL client authentication;
+however, due to a bug only MSIE 5.0 and later support
+the use of signing only keys for SSL client authentication.
+.It Fl nomaciter , noiter
+These options affect the iteration counts on the MAC and key algorithms.
+Unless you wish to produce files compatible with MSIE 4.0 you should leave
+these options alone.
+.Pp
+To discourage attacks by using large dictionaries of common passwords the
+algorithm that derives keys from passwords can have an iteration count applied
+to it: this causes a certain part of the algorithm to be repeated and slows it
+down.
+The MAC is used to check the file integrity but since it will normally
+have the same password as the keys and certificates it could also be attacked.
+By default both MAC and encryption iteration counts are set to 2048;
+using these options the MAC and encryption iteration counts can be set to 1.
+Since this reduces the file security you should not use these options
+unless you really have to.
+Most software supports both MAC and key iteration counts.
+MSIE 4.0 doesn't support MAC iteration counts, so it needs the
+.Fl nomaciter
+option.
+.It Fl maciter
+This option is included for compatibility with previous versions, it used
+to be needed to use MAC iterations counts but they are now used by default.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.Ed
+.Sh PKCS12 NOTES
+Although there are a large number of options,
+most of them are very rarely used.
+For PKCS#12 file parsing only
+.Fl in
+and
+.Fl out
+need to be used for PKCS#12 file creation.
+.Fl export
+and
+.Fl name
+are also used.
+.Pp
+If none of the
+.Fl clcerts , cacerts
+or
+.Fl nocerts
+options are present then all certificates will be output in the order
+they appear in the input PKCS#12 files.
+There is no guarantee that the first certificate present is
+the one corresponding to the private key.
+Certain software which requires a private key and certificate and assumes
+the first certificate in the file is the one corresponding to the private key:
+this may not always be the case.
+Using the
+.Fl clcerts
+option will solve this problem by only outputting the certificate
+corresponding to the private key.
+If the CA certificates are required then they can be output to a separate
+file using the
+.Fl nokeys
+and
+.Fl cacerts
+options to just output CA certificates.
+.Pp
+The
+.Fl keypbe
+and
+.Fl certpbe
+algorithms allow the precise encryption algorithms for private keys
+and certificates to be specified.
+Normally the defaults are fine but occasionally software can't handle
+triple DES encrypted private keys;
+then the option
+.Fl keypbe Ar PBE-SHA1-RC2-40
+can be used to reduce the private key encryption to 40 bit RC2.
+A complete description of all algorithms is contained in the
+.Sx PKCS8
+section above.
+.Sh PKCS12 EXAMPLES
+Parse a PKCS#12 file and output it to a file:
+.Pp
+\& $ openssl pkcs12 -in file.p12 -out file.pem
+.Pp
+Output only client certificates to a file:
+.Pp
+\& $ openssl pkcs12 -in file.p12 -clcerts -out file.pem
+.Pp
+Don't encrypt the private key:
+.Pp
+\& $ openssl pkcs12 -in file.p12 -out file.pem -nodes
+.br
+.Pp
+Print some info about a PKCS#12 file:
+.Pp
+\& $ openssl pkcs12 -in file.p12 -info -noout
+.Pp
+Create a PKCS#12 file:
+.Pp
+.Bd -literal
+\& $ openssl pkcs12 -export -in file.pem -out file.p12 \e
+        -name "My Certificate"
+.Ed
+.Pp
+Include some extra certificates:
+.Pp
+.Bd -literal
+\& $ openssl pkcs12 -export -in file.pem -out file.p12 \e
+        -name "My Certificate" -certfile othercerts.pem
+.Ed
+.Sh PKCS12 BUGS
+Some would argue that the PKCS#12 standard is one big bug :\-)
+.Pp
+Versions of
+.Nm OpenSSL
+before 0.9.6a had a bug in the PKCS#12 key generation routines.
+Under rare circumstances this could produce a PKCS#12 file encrypted
+with an invalid key.
+As a result some PKCS#12 files which triggered this bug
+from other implementations (MSIE or Netscape) could not be decrypted
+by
+.Nm OpenSSL
+and similarly
+.Nm OpenSSL
+could produce PKCS#12 files which could not be decrypted by other
+implementations.
+The chances of producing such a file are relatively small: less than 1 in 256.
+.Pp
+A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
+files can no longer be parsed by the fixed version.
+Under such circumstances the
+.Nm pkcs12
+utility will report that the MAC is OK but fail with a decryption
+error when extracting private keys.
+.Pp
+This problem can be resolved by extracting the private keys and certificates
+from the PKCS#12 file using an older version of
+.Nm OpenSSL
+and recreating
+the PKCS#12 file from the keys and certificates using a newer version of
+.Nm OpenSSL .
+For example:
+.Pp
+.Bd -literal
+\& $ old-openssl -in bad.p12 -out keycerts.pem
+\& $ openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
+.Ed
+.\"
+.\" RAND
+.\"
+.Sh RAND
+.Cm openssl rand
+.Op Fl out Ar file
+.Op Fl rand Ar file
+.Op Fl base64
+.Ar num
+.Pp
+The
+.Nm rand
+command outputs
+.Ar num
+pseudo-random bytes after seeding
+the random number generator once.
+As in other
+.Nm openssl
+command line tools, PRNG seeding uses the file
+.Pa $HOME/.rnd
+or
+.Pa .rnd
+in addition to the files given in the
+.Fl rand
+option.
+A new
+.Pa $HOME/.rnd
+or
+.Pa .rnd
+file will be written back if enough
+seeding was obtained from these sources.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl out Ar file
+Write to
+.Ar file
+instead of standard output.
+.It Fl rand Ar file ...
+Use specified
+.Ar file
+or
+.Ar file Ns Li s
+or EGD socket (see
+.Xr RAND_egd 3 )
+for seeding the random number generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Fl base64
+Perform
+.Em base64
+encoding on the output.
+.El
+.\"
+.\" REQ
+.\"
+.Sh REQ
+.Nm openssl req
+.Bk -words
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl passin Ar arg
+.Op Fl out Ar filename
+.Op Fl passout Ar arg
+.Op Fl text
+.Op Fl pubkey
+.Op Fl noout
+.Op Fl verify
+.Op Fl modulus
+.Op Fl new
+.Op Fl rand Ar file ...
+.Op Fl newkey Ar rsa:bits
+.Op Fl newkey Ar dsa:file
+.Op Fl nodes
+.Op Fl key Ar filename
+.Op Fl keyform Ar PEM|DER
+.Op Fl keyout Ar filename
+.Op Fl Op Cm md5|sha1|md2|mdc2
+.Op Fl config Ar filename
+.Op Fl subj Ar arg
+.Op Fl x509
+.Op Fl days Ar n
+.Op Fl set_serial Ar n
+.Op Fl asn1-kludge
+.Op Fl newhdr
+.Op Fl extensions Ar section
+.Op Fl reqexts Ar section
+.Op Fl utf8
+.Op Fl nameopt
+.Op Fl batch
+.Op Fl verbose
+.Ek
+.Pp
+The
+.Nm req
+command primarily creates and processes certificate requests
+in PKCS#10 format.
+It can additionally create self-signed certificates,
+for use as root CAs, for example.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+The
+.Ar DER
+argument uses an ASN1 DER encoded
+form compatible with the PKCS#10.
+The
+.Ar PEM
+form is the default format:
+it consists of the DER format base64 encoded with additional header and
+footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a request from, or standard input
+if this option is not specified.
+A request is only read if the creation options
+.Fl new
+and
+.Fl newkey
+are not specified.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write to, or standard output by default.
+.It Fl passout Ar arg
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl text
+Prints out the certificate request in text form.
+.It Fl pubkey
+Outputs the public key.
+.It Fl noout
+This option prevents output of the encoded version of the request.
+.It Fl modulus
+This option prints out the value of the modulus of the public key
+contained in the request.
+.It Fl verify
+Verifies the signature on the request.
+.It Fl new
+This option generates a new certificate request.
+It will prompt the user for the relevant field values.
+The actual fields prompted for and their maximum and minimum sizes
+are specified in the configuration file and any requested extensions.
+.Pp
+If the
+.Fl key
+option is not used it will generate a new RSA private
+key using information specified in the configuration file.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Fl newkey Ar arg
+This option creates a new certificate request and a new private key.
+The argument takes one of two forms:
+.Ar rsa:nbits ,
+where
+.Ar nbits
+is the number of bits, generates an RSA key
+.Ar nbits
+in size.
+.Ar dsa:filename
+generates a DSA key using the parameters in the file
+.Ar filename.
+.It Fl key Ar filename
+This specifies the file to read the private key from.
+It also accepts PKCS#8 format private keys for
+.Em PEM
+format files.
+.It Fl keyform Ar PEM|DER
+The format of the private key file specified in the
+.Fl key
+argument.
+.AR PEM
+is the default.
+.It Fl keyout Ar filename
+This gives the
+.Ar filename
+to write the newly created private key to.
+If this option is not specified, then the filename present in the
+configuration file is used.
+.It Fl nodes
+If this option is specified then if a private key is created it
+will not be encrypted.
+.It Fl md5|sha1|md2|mdc2
+This specifies the message digest to sign the request with.
+This overrides the digest algorithm specified in the configuration file.
+This option is ignored for DSA requests: they always use SHA1.
+.It Fl config Ar filename
+This allows an alternative configuration file to be specified;
+this overrides the compile time filename or any specified in
+the
+.Em OPENSSL_CONF
+environment variable.
+.It Fl subj Ar arg
+Sets subject name for new request or supersedes the subject name
+when processing a request.
+The arg must be formatted as
+.Em /type0=value0/type1=value1/type2=... ,
+characters may be escaped by \e (backslash), no spaces are skipped.
+.It Fl x509
+This option outputs a self-signed certificate instead of a certificate
+request.
+This is typically used to generate a test certificate or
+a self-signed root CA.
+The extensions added to the certificate
+(if any) are specified in the configuration file.
+Unless specified using the
+.Fl set_serial
+option, 0 will be used for the serial number.
+.It Fl days Ar n
+When the
+.Fl x509
+option is being used this specifies the number of
+days to certify the certificate for.
+The default is 30 days.
+.It Fl set_serial Ar n
+Serial number to use when outputting a self-signed certificate.
+This may be specified as a decimal value or a hex value if preceded by
+.Em 0x .
+It is possible to use negative serial numbers but this is not recommended.
+.It Fl extensions Ar section , Fl reqexts Ar section
+These options specify alternative sections to include certificate
+extensions (if the
+.Fl x509
+option is present) or certificate request extensions.
+This allows several different sections to
+be used in the same configuration file to specify requests for
+a variety of purposes.
+.It Fl utf8
+This option causes field values to be interpreted as UTF8 strings, by 
+default they are interpreted as ASCII.
+This means that the field values, whether prompted from a terminal or
+obtained from a configuration file, must be valid UTF8 strings.
+.It Fl nameopt Ar option
+Option which determines how the subject or issuer names are displayed.
+The
+.Ar option
+argument can be a single option or multiple options separated by commas.
+Alternatively, the
+.Fl nameopt
+switch may be used more than once to set multiple options.
+See the
+.Sx X509
+section below for details.
+.It Fl asn1-kludge
+By default the
+.Nm req
+command outputs certificate requests containing
+no attributes in the correct PKCS#10 format.
+However certain CAs will only
+accept requests containing no attributes in an invalid form: this
+option produces this invalid format.
+.Pp
+More precisely the
+.Em Attributes
+in a PKCS#10 certificate request are defined as a SET OF Attribute.
+They are
+.Em not
+optional, so if no attributes are present then they should be encoded as an
+empty SET OF.
+The invalid form does not include the empty
+SET OF, whereas the correct form does.
+.Pp
+It should be noted that very few CAs still require the use of this option.
+.It Fl newhdr
+Adds the word NEW to the
+.Em PEM
+file header and footer lines on the outputed request.
+Some software (Netscape certificate server) and some CAs need this.
+.It Fl batch
+Non-interactive mode.
+.It Fl verbose
+Print extra details about the operations being performed.
+.Ed
+.Sh REQ CONFIGURATION FILE FORMAT
+The configuration options are specified in the
+.Em req
+section of the configuration file.
+As with all configuration files, if no value is specified in the specific
+section (i.e.
+.Em req )
+then the initial unnamed or
+.Em default
+section is searched too.
+.Pp
+The options available are described in detail below.
+.Bd -ragged -offset indent
+.It Ar input_password output_password
+The passwords for the input private key file (if present) and
+the output private key file (if one will be created).
+The command line options
+.Fl passin
+and
+.Fl passout
+override the configuration file values.
+.It Ar default_bits
+This specifies the default key size in bits.
+If not specified, then 512 is used.
+It is used if the
+.Fl new
+option is used.
+It can be overridden by using the
+.Fl newkey
+option.
+.It Ar default_keyfile
+This is the default filename to write a private key to.
+If not specified, the key is written to standard output.
+This can be overridden by the
+.Fl keyout
+option.
+.It Ar oid_file
+This specifies a file containing additional OBJECT IDENTIFIERS.
+Each line of the file should consist of the numerical form of the
+object identifier, followed by whitespace, then the short name followed
+by whitespace and finally the long name. 
+.It Ar oid_section
+This specifies a section in the configuration file containing extra
+object identifiers.
+Each line should consist of the short name of the
+object identifier followed by
+.Cm =
+and the numerical form.
+The short and long names are the same when this option is used.
+.It Ar RANDFILE
+This specifies a filename in which random number seed information is
+placed and read from, or an EGD socket (see
+.Xr RAND_egd 3 ) .
+It is used for private key generation.
+.It Ar encrypt_key
+If this is set to
+.Em no
+then if a private key is generated it is
+.Em not
+encrypted.
+This is equivalent to the
+.Fl nodes
+command line option.
+For compatibility,
+.Ar encrypt_rsa_key
+is an equivalent option.
+.It Ar default_md
+This option specifies the digest algorithm to use.
+Possible values include
+.Ar md5, sha1
+and
+.Ar mdc2 .
+If not present then MD5 is used.
+This option can be overridden on the command line.
+.It Ar string_mask
+This option masks out the use of certain string types in certain
+fields.
+Most users will not need to change this option.
+.Pp
+It can be set to several values:
+.Ar default ,
+which is also the default option, uses
+.Em PrintableStrings , T61Strings
+and
+.Em BMPStrings ;
+if the 
+.Ar pkix
+value is used then only
+.Em PrintableStrings
+and
+.Em BMPStrings
+will be used.
+This follows the PKIX recommendation in RFC2459.
+If the
+.Fl utf8only
+option is used then only
+.Em UTF8Strings
+will be used: this is the PKIX recommendation in RFC2459 after 2003.
+Finally, the
+.Ar nombstr
+option just uses
+.Em PrintableStrings
+and
+.Em T61Strings :
+certain software has problems with
+.Em BMPStrings
+and
+.Em UTF8Strings :
+in particular Netscape.
+.It Ar req_extensions
+This specifies the configuration file section containing a list of
+extensions to add to the certificate request.
+It can be overridden by the
+.Fl reqexts
+command line switch.
+.It Ar x509_extensions
+This specifies the configuration file section containing a list of
+extensions to add to a certificate generated when the
+.Fl x509
+switch is used.
+It can be overridden by the
+.Fl extensions
+command line switch.
+.It Ar prompt
+If set to the value
+.Em no ,
+this disables prompting of certificate fields
+and just takes values from the config file directly.
+It also changes the expected format of the
+.Em distinguished_name
+and
+.Em attributes
+sections.
+.It Ar utf8
+If set to the value
+.Em yes ,
+then field values are interpreted as UTF8 strings;
+by default they are interpreted as ASCII.
+This means that the field values, whether prompted from a terminal or
+obtained from a configuration file, must be valid UTF8 strings.
+.It Ar attributes
+This specifies the section containing any request attributes: its format
+is the same as
+.Ar distinguished_name .
+Typically these may contain the
+.Em challengePassword
+or
+.Em unstructuredName
+types.
+They are currently ignored by
+.Nm OpenSSL Ns Li 's
+request signing utilities, but some CAs might want them.
+.It Ar distinguished_name
+This specifies the section containing the distinguished name fields to
+prompt for when generating a certificate or certificate request.
+The format is described in the next section.
+.Ed
+.Sh REQ DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
+There are two separate formats for the distinguished name and attribute
+sections.
+If the
+.Fl prompt
+option is set to
+.Em no
+then these sections just consist of field names and values: for example,
+.Pp
+.Bd -literal
+\& CN=My Name
+\& OU=My Organization
+\& emailAddress=someone@somewhere.org
+.Ed
+.Pp
+This allows external programs (e.g. GUI based) to generate a template file
+with all the field names and values and just pass it to
+.Nm req .
+An example of this kind of configuration file is contained in the
+.Sx REQ EXAMPLES
+section.
+.Pp
+Alternatively if the
+.Fl prompt
+option is absent or not set to
+.Em no ,
+then the file contains field prompting information.
+It consists of lines of the form:
+.Pp
+.Bd -literal
+\& fieldName="prompt"
+\& fieldName_default="default field value"
+\& fieldName_min= 2
+\& fieldName_max= 4
+.Ed
+.Pp
+"fieldName" is the field name being used, for example
+.Em commonName
+(or CN).
+The "prompt" string is used to ask the user to enter the relevant details.
+If the user enters nothing, then the default value is used;
+if no default value is present then the field is omitted.
+A field can still be omitted if a default value is present,
+if the user just enters the '.' character.
+.Pp
+The number of characters entered must be between the
+.Em fieldName_min
+and
+.Em fieldName_max
+limits:
+there may be additional restrictions based on the field being used
+(for example
+.Em countryName
+can only ever be two characters long and must fit in a
+.Em PrintableString ) .
+.Pp
+Some fields (such as
+.Em organizationName )
+can be used more than once in a DN.
+This presents a problem because configuration files will
+not recognize the same name occurring twice.
+To avoid this problem if the
+.Em fieldName
+contains some characters followed by a full stop they will be ignored.
+So, for example, a second
+.Em organizationName
+can be input by calling it "1.organizationName".
+.Pp
+The actual permitted field names are any object identifier short or
+long names.
+These are compiled into
+.Nm OpenSSL
+and include the usual values such as
+.Em commonName , countryName , localityName , organizationName ,
+.Em organizationUnitName , stateOrPrivinceName .
+Additionally
+.Em emailAddress
+is included as well as
+.Em name , surname , givenName initials
+and
+.Em dnQualifier .
+.Pp
+Additional object identifiers can be defined with the
+.Ar oid_file
+or
+.Ar oid_section
+options in the configuration file.
+Any additional fields will be treated as though they were a
+.Em DirectoryString .
+.Sh REQ EXAMPLES
+Examine and verify certificate request:
+.Pp
+\& $ openssl req -in req.pem -text -verify -noout
+.Pp
+Create a private key and then generate a certificate request from it:
+.Pp
+.Bd -literal
+\& $ openssl genrsa -out key.pem 1024
+\& $ openssl req -new -key key.pem -out req.pem
+.Ed
+.Pp
+The same but just using req:
+.Pp
+\& $ openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+.Pp
+Generate a self-signed root certificate:
+.Pp
+\& $ openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+.br
+.Pp
+Example of a file pointed to by the
+.Ar oid_file
+option:
+.Pp
+.Bd -literal
+\& 1.2.3.4        shortName       A longer Name
+\& 1.2.3.6        otherName       Other longer Name
+.Ed
+.Pp
+Example of a section pointed to by
+.Ar oid_section
+making use of variable expansion:
+.Pp
+.Bd -literal
+\& testoid1=1.2.3.5
+\& testoid2=${testoid1}.6
+.Ed
+.Pp
+Sample configuration file prompting for field values:
+.Pp
+.Bd -literal
+\& [ req ]
+\& default_bits           = 1024
+\& default_keyfile        = privkey.pem
+\& distinguished_name     = req_distinguished_name
+\& attributes             = req_attributes
+\& x509_extensions        = v3_ca
+.Pp
+\& dirstring_type = nobmp
+.Pp
+\& [ req_distinguished_name ]
+\& countryName                    = Country Name (2 letter code)
+\& countryName_default            = AU
+\& countryName_min                = 2
+\& countryName_max                = 2
+.Pp
+\& localityName                   = Locality Name (eg, city)
+.Pp
+\& organizationalUnitName         = Organizational Unit Name (eg, section)
+.Pp
+\& commonName                     = Common Name (eg, YOUR name)
+\& commonName_max                 = 64
+.Pp
+\& emailAddress                   = Email Address
+\& emailAddress_max               = 40
+.Pp
+\& [ req_attributes ]
+\& challengePassword              = A challenge password
+\& challengePassword_min          = 4
+\& challengePassword_max          = 20
+.Pp
+\& [ v3_ca ]
+.Pp
+\& subjectKeyIdentifier=hash
+\& authorityKeyIdentifier=keyid:always,issuer:always
+\& basicConstraints = CA:true
+.Ed
+.Pp
+Sample configuration containing all field values:
+.Pp
+.Bd -literal
+\& RANDFILE               = $ENV::HOME/.rnd
+.Pp
+\& [ req ]
+\& default_bits           = 1024
+\& default_keyfile        = keyfile.pem
+\& distinguished_name     = req_distinguished_name
+\& attributes             = req_attributes
+\& prompt                 = no
+\& output_password        = mypass
+.Pp
+\& [ req_distinguished_name ]
+\& C                      = GB
+\& ST                     = Test State or Province
+\& L                      = Test Locality
+\& O                      = Organization Name
+\& OU                     = Organizational Unit Name
+\& CN                     = Common Name
+\& emailAddress           = test@email.address
+.Pp
+\& [ req_attributes ]
+\& challengePassword              = A challenge password
+.Ed
+.Sh REQ NOTES
+The header and footer lines in the
+.Ar PEM
+format are normally:
+.Pp
+.Bd -literal
+\& -----BEGIN CERTIFICATE REQUEST----
+\& -----END CERTIFICATE REQUEST----
+.Ed
+.Pp
+Some software (some versions of Netscape certificate server) instead needs:
+.Pp
+.Bd -literal
+\& -----BEGIN NEW CERTIFICATE REQUEST----
+\& -----END NEW CERTIFICATE REQUEST----
+.Ed
+.Pp
+which is produced with the
+.Fl newhdr
+option but is otherwise compatible.
+Either form is accepted transparently on input.
+.Pp
+The certificate requests generated by Xenroll with MSIE have extensions added.
+It includes the
+.Em keyUsage
+extension which determines the type of
+key (signature only or general purpose) and any additional OIDs entered
+by the script in an
+.Em extendedKeyUsage
+extension.
+.Sh REQ DIAGNOSTICS
+The following messages are frequently asked about:
+.Pp
+.Bd -literal
+\&        Using configuration from /some/path/openssl.cnf
+\&        Unable to load config info
+.Ed
+.Pp
+This is followed some time later by...
+.Pp
+.Bd -literal
+\&        unable to find 'distinguished_name' in config
+\&        problems making Certificate Request
+.Ed
+.Pp
+The first error message is the clue: it can't find the configuration
+file!
+Certain operations (like examining a certificate request) don't
+need a configuration file so its use isn't enforced.
+Generation of certificates or requests, however, do need a configuration file.
+This could be regarded as a bug.
+.Pp
+Another puzzling message is this:
+.Pp
+.Bd -literal
+\&        Attributes:
+\&            a0:00
+.Ed
+.Pp
+This is displayed when no attributes are present and the request includes
+the correct empty SET OF structure (the DER encoding of which is 0xa0 0x00).
+If you just see:
+.Pp
+\&        Attributes:
+.Pp
+then the SET OF is missing and the encoding is technically invalid (but
+it is tolerated).
+See the description of the command line option
+.Fl asn1-kludge
+for more information.
+.Sh REQ ENVIRONMENT VARIABLES
+The variable
+.Em OPENSSL_CONF ,
+if defined, allows an alternative configuration
+file location to be specified; it will be overridden by the
+.Fl config
+command line switch if it is present.
+For compatibility reasons the
+.Em SSLEAY_CONF
+environment variable serves the same purpose but its use is discouraged.
+.Sh REQ BUGS
+.Nm OpenSSL Ns Li 's
+handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as ISO-8859-1 (Latin 1);
+Netscape and MSIE have similar behaviour.
+This can cause problems if you need characters that aren't available in
+.Em PrintableStrings
+and you don't want to or can't use
+.Em BMPStrings .
+.Pp
+As a consequence of the T61String handling the only correct way to represent
+accented characters in
+.Nm OpenSSL
+is to use a
+.Em BMPString :
+unfortunately Netscape currently chokes on these.
+If you have to use accented characters with Netscape
+and MSIE then you currently need to use the invalid T61String form.
+.Pp
+The current prompting is not very friendly.
+It doesn't allow you to confirm what you've just entered.
+Other things like extensions in certificate requests are
+statically defined in the configuration file.
+Some of these, like an email address in
+.Em subjectAltName
+should be input by the user.
+.\"
+.\" RSA
+.\"
+.Sh RSA
+.Cm openssl rsa
+.Op Fl inform Ar PEM|NET|DER
+.Op Fl outform Ar PEM|NET|DER
+.Op Fl in Ar filename
+.Op Fl passin Ar arg
+.Op Fl out Ar filename
+.Op Fl passout Ar arg
+.Op Fl sgckey
+.Op Fl des
+.Op Fl des3
+.Op Fl idea
+.Op Fl text
+.Op Fl noout
+.Op Fl modulus
+.Op Fl check
+.Op Fl pubin
+.Op Fl pubout
+.Pp
+The
+.Nm rsa
+command processes RSA keys.
+They can be converted between various forms and their components printed out.
+.Pp
+.Sy Note :
+this command uses the traditional
+.Nm SSLeay
+compatible format for private key encryption:
+newer applications should use the more secure PKCS#8 format using the
+.Nm pkcs8
+utility.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl inform Ar DER|NET|PEM
+This specifies the input format.
+The
+.Ar DER
+argument
+uses an ASN1 DER encoded form compatible with the PKCS#1
+RSAPrivateKey or SubjectPublicKeyInfo format.
+The
+.Ar PEM
+form is the default format: it consists of the DER format base64
+encoded with additional header and footer lines.
+On input PKCS#8 format private keys are also accepted.
+The
+.Ar NET
+form is a format described in the
+.Sx RSA NOTES
+section.
+.It Fl outform Ar DER|NET|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a key from or standard input if this
+option is not specified.
+If the key is encrypted, a pass phrase will be prompted for.
+.It Fl passin Ar arg
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write a key to, or standard output if this option is not specified.
+If any encryption options are set then a pass phrase will be prompted for.
+The output filename should
+.Em not
+be the same as the input filename.
+.It Fl passout Ar password
+The output file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl sgckey
+Use the modified
+.Em NET
+algorithm used with some versions of Microsoft IIS and SGC keys.
+.It Cm -des|-des3|-idea
+These options encrypt the private key with the DES, triple DES, or the 
+IDEA ciphers, respectively, before outputting it.
+A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text.
+This means that using the
+.Nm rsa
+utility to read in an encrypted key with no encryption option can be used
+to remove the pass phrase from a key, or by setting the encryption options
+it can be used to add or change the pass phrase.
+These options can only be used with
+.Ar PEM
+format output files.
+.It Fl text
+Prints out the various public or private key components in
+plain text, in addition to the encoded version. 
+.It Fl noout
+This option prevents output of the encoded version of the key.
+.It Fl modulus
+This option prints out the value of the modulus of the key.
+.It Fl check
+This option checks the consistency of an RSA private key.
+.It Fl pubin
+By default a private key is read from the input file: with this
+option a public key is read instead.
+.It Fl pubout
+By default a private key is output:
+with this option a public key will be output instead.
+This option is automatically set if the input is a public key.
+.Ed
+.Sh RSA NOTES
+The
+.Em PEM
+private key format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN RSA PRIVATE KEY-----
+\& -----END RSA PRIVATE KEY-----
+.Ed
+.Pp
+The
+.Em PEM
+public key format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN PUBLIC KEY-----
+\& -----END PUBLIC KEY-----
+.Ed
+.Pp
+The
+.Em NET
+form is a format compatible with older Netscape servers
+and Microsoft IIS .key files; this uses unsalted RC4 for its encryption.
+It is not very secure and so should only be used when necessary.
+.Pp
+Some newer version of IIS have additional data in the exported .key files.
+To use these with the
+.Nm rsa
+utility, view the file with a binary editor
+and look for the string "private-key", then trace back to the byte
+sequence 0x30, 0x82 (this is an ASN1 SEQUENCE).
+Copy all the data from this point onwards to another file and use that as
+the input to the
+.Nm rsa
+utility with the
+.Fl inform Ar NET
+option.
+If there is an error after entering the password, try the
+.Fl sgckey
+option.
+.Sh RSA EXAMPLES
+To remove the pass phrase on an RSA private key:
+.Pp
+\& $ openssl rsa -in key.pem -out keyout.pem
+.Pp
+To encrypt a private key using triple DES:
+.Pp
+\& $ openssl rsa -in key.pem -des3 -out keyout.pem
+.Pp
+To convert a private key from
+.Em PEM
+to
+.Em DER
+format: 
+.Pp
+\& $ openssl rsa -in key.pem -outform DER -out keyout.der
+.br
+.Pp
+To print out the components of a private key to standard output:
+.Pp
+\& $ openssl rsa -in key.pem -text -noout
+.Pp
+To just output the public part of a private key:
+.Pp
+\& $ openssl rsa -in key.pem -pubout -out pubkey.pem
+.Sh RSA BUGS
+The command line password arguments don't currently work with
+.Em NET
+format.
+.Pp
+There should be an option that automatically handles .key files,
+without having to manually edit them.
+.\"
+.\" RSAUTL
+.\"
+.Sh RSAUTL
+.Nm openssl rsautl
+.Op Fl in Ar file
+.Op Fl out Ar file
+.Op Fl inkey Ar file
+.Op Fl pubin
+.Op Fl certin
+.Op Fl sign
+.Op Fl verify
+.Op Fl encrypt
+.Op Fl decrypt
+.Op Fl pkcs
+.Op Fl ssl
+.Op Fl raw
+.Op Fl hexdump
+.Op Fl asn1parse
+.Pp
+The
+.Nm rsautl
+command can be used to sign, verify, encrypt and decrypt
+data using the RSA algorithm.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read data from or standard input
+if this option is not specified.
+.It Fl out Ar filename
+Specifies the output
+.Ar filename
+to write to or standard output by
+default.
+.It Fl inkey Ar file
+The input key file, by default it should be an RSA private key.
+.It Fl pubin
+The input file is an RSA public key. 
+.It Fl certin
+The input is a certificate containing an RSA public key. 
+.It Fl sign
+Sign the input data and output the signed result.
+This requires an RSA private key.
+.It Fl verify
+Verify the input data and output the recovered data.
+.It Fl encrypt
+Encrypt the input data using an RSA public key.
+.It Fl decrypt
+Decrypt the input data using an RSA private key.
+.It Fl pkcs , oaep , ssl , raw
+The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+special padding used in SSL v2 backwards compatible handshakes,
+or no padding, respectively.
+For signatures, only
+.Fl pkcs
+and
+.Fl raw
+can be used.
+.It Fl hexdump
+Hex dump the output data.
+.It Fl asn1parse
+Asn1parse the output data, this is useful when combined with the
+.Fl verify
+option.
+.El
+.Sh RSAUTL NOTES
+.Nm rsautl ,
+because it uses the RSA algorithm directly, can only be
+used to sign or verify small pieces of data.
+.Sh RSAUTL EXAMPLES
+Sign some data using a private key:
+.Pp
+\& $ openssl rsautl -sign -in file -inkey key.pem -out sig
+.Pp
+Recover the signed data:
+.Pp
+\& $ openssl rsautl -verify -in sig -inkey key.pem
+.Pp
+Examine the raw signed data:
+.Pp
+\& $ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
+.Pp
+.Bd -literal
+\& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
+.Ed
+.Pp
+The PKCS#1 block formatting is evident from this. If this was done using
+encrypt and decrypt the block would have been of type 2 (the second byte)
+and random padding data visible instead of the 0xff bytes.
+.Pp
+It is possible to analyse the signature of certificates using this
+utility in conjunction with
+.Nm asn1parse .
+Consider the self-signed example in
+.Pa certs/pca-cert.pem :
+Running
+.Nm asn1parse
+as follows yields:
+.Pp
+\& $ openssl asn1parse -in pca-cert.pem
+.Pp
+.Bd -literal
+\&    0:d=0  hl=4 l= 742 cons: SEQUENCE          
+\&    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
+\&    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
+\&   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
+\&   13:d=2  hl=2 l=   1 prim:   INTEGER           :00
+\&   16:d=2  hl=2 l=  13 cons:   SEQUENCE          
+\&   18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
+\&   29:d=3  hl=2 l=   0 prim:    NULL              
+\&   31:d=2  hl=2 l=  92 cons:   SEQUENCE          
+\&   33:d=3  hl=2 l=  11 cons:    SET               
+\&   35:d=4  hl=2 l=   9 cons:     SEQUENCE          
+\&   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+\&   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
+\&  ....
+\&  599:d=1  hl=2 l=  13 cons:  SEQUENCE          
+\&  601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
+\&  612:d=2  hl=2 l=   0 prim:   NULL              
+\&  614:d=1  hl=3 l= 129 prim:  BIT STRING
+.Ed
+.Pp
+The final BIT STRING contains the actual signature.
+It can be extracted with:
+.Pp
+\& $ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
+.Pp
+The certificate public key can be extracted with:
+.Pp
+\& $ openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
+.Pp
+The signature can be analysed with:
+.Pp
+\& $ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
+.Pp
+.Bd -literal
+\&    0:d=0  hl=2 l=  32 cons: SEQUENCE          
+\&    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
+\&    4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
+\&   14:d=2  hl=2 l=   0 prim:   NULL              
+\&   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
+\&      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
+.Ed
+.Pp
+This is the parsed version of an ASN1
+.Em DigestInfo
+structure.
+It can be seen that the digest used was md5.
+The actual part of the certificate that was signed can be extracted with:
+.Pp
+\& $ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
+.Pp
+and its digest computed with:
+.Pp
+.Bd -literal
+\& $ openssl md5 -c tbs
+\&   MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
+.Ed
+.Pp
+which it can be seen agrees with the recovered value above.
+.\"
+.\" S_CLIENT
+.\"
+.Sh S_CLIENT
+.Nm openssl s_client
+.Op Fl connect Ar host:port>
+.Op Fl verify Ar depth
+.Op Fl cert Ar filename
+.Op Fl key Ar filename
+.Op Fl CApath Ar directory
+.Op Fl CAfile Ar filename
+.Op Fl reconnect
+.Op Fl pause
+.Op Fl showcerts
+.Op Fl debug
+.Op Fl msg
+.Op Fl nbio_test
+.Op Fl state
+.Op Fl nbio
+.Op Fl crlf
+.Op Fl ign_eof
+.Op Fl quiet
+.Op Fl ssl2
+.Op Fl ssl3
+.Op Fl tls1
+.Op Fl no_ssl2
+.Op Fl no_ssl3
+.Op Fl no_tls1
+.Op Fl bugs
+.Op Fl cipher Ar cipherlist
+.Op Fl engine Ar id
+.Op Fl rand Ar file ...
+.Pp
+The
+.Nm s_client
+command implements a generic SSL/TLS client which connects
+to a remote host using SSL/TLS.
+It is a
+.Em very
+useful diagnostic tool for SSL servers.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl connect Ar host:port
+This specifies the
+.Ar host
+and optional
+.Ar port
+to connect to.
+If not specified then an attempt is made to connect to the local host
+on port 4433.
+.It Fl cert Ar certname
+The certificate to use, if one is requested by the server.
+The default is not to use a certificate.
+.It Fl key Ar keyfile
+The private key to use.
+If not specified then the certificate file will be used.
+.It Fl verify Ar depth
+The verify
+.Ar depth
+to use.
+This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen.
+As a side effect the connection will never fail due to a server
+certificate verify failure.
+.It Fl CApath Ar directory
+The
+.Ar directory
+to use for server certificate verification.
+This directory must be in "hash format", see
+.Fl verify
+for more information.
+These are also used when building the client certificate chain.
+.It Fl CAfile Ar file
+A
+.Ar file
+containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+.It Fl reconnect
+Reconnects to the same server 5 times using the same session ID; this can
+be used as a test that session caching is working.
+.It Fl pause
+Pauses 1 second between each read and write call.
+.It Fl showcerts
+Display the whole server certificate chain: normally only the server
+certificate itself is displayed.
+.It Fl prexit
+Print session information when the program exits.
+This will always attempt
+to print out information even if the connection fails.
+Normally information will only be printed out once if the connection succeeds.
+This option is useful because the cipher in use may be renegotiated
+or the connection may fail because a client certificate is required or is
+requested only after an attempt is made to access a certain URL.
+.Sy Note :
+the output produced by this option is not always accurate because a
+connection might never have been established.
+.It Fl state
+Prints out the SSL session states.
+.It Fl debug
+Print extensive debugging information including a hex dump of all traffic.
+.It Fl msg
+Show all protocol messages with hex dump.
+.It Fl nbio_test
+Tests non-blocking I/O.
+.It Fl nbio
+Turns on non-blocking I/O.
+.It Fl crlf
+This option translates a line feed from the terminal into CR+LF as required
+by some servers.
+.It Fl ign_eof
+Inhibit shutting down the connection when end of file is reached in the
+input.
+.It Fl quiet
+Inhibit printing of session and certificate information.
+This implicitly turns on
+.Fl ign_eof
+as well.
+.It Fl ssl2 , ssl3 , tls1 , no_ssl2 ,
+.It Fl no_ssl3 , no_tls1
+These options disable the use of certain SSL or TLS protocols.
+By default the initial handshake uses a method which should be compatible
+with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+.Pp
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect.
+Some servers only work if TLS is turned off with the
+.Fl no_tls
+option, others will only support SSL v2 and may need the
+.Fl ssl2
+option.
+.It Fl bugs
+There are several known bugs in SSL and TLS implementations.
+Adding this option enables various workarounds.
+.It Fl cipher Ar cipherlist
+This allows the cipher list sent by the client to be modified.
+Although the server determines which cipher suite is used it should take
+the first supported cipher in the list sent by the client.
+See the
+.Sx CIPHERS
+section above for more information.
+.It Fl engine Ar id
+Specifying an engine (by it's unique
+.Ar id
+string) will cause
+.Nm s_client
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default for all available algorithms.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for
+all others.
+.Ed
+.Sh S_CLIENT CONNECTED COMMANDS
+If a connection is established with an SSL server then any data received
+from the server is displayed and any key presses will be sent to the
+server.
+When used interactively (which means neither
+.Fl quiet
+nor
+.Fl ign_eof
+have been given), the session will be renegotiated if the line begins with an
+.Em R ,
+and if the line begins with a
+.Em Q
+or if end of file is reached, the connection will be closed down.
+.Sh S_CLIENT NOTES
+.Nm s_client
+can be used to debug SSL servers.
+To connect to an SSL HTTP server the command:
+.Pp
+\& $ openssl s_client -connect servername:443
+.Pp
+would typically be used (https uses port 443).
+If the connection succeeds then an HTTP command can be given such as
+"GET" to retrieve a web page.
+.Pp
+If the handshake fails then there are several possible causes; if it is
+nothing obvious like no client certificate then the
+.Fl bugs , ssl2 , ssl3 , tls1 ,
+.Fl no_ssl2 , no_ssl3
+and
+.Fl no_tls1
+options can be tried in case it is a buggy server.
+In particular these options should be tried
+.Em before
+submitting a bug report to an
+.Nm OpenSSL
+mailing list.
+.Pp
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from.
+This is normally because the server is not sending the clients certificate
+authority in its "acceptable CA list" when it
+requests a certificate.
+By using
+.Nm s_client
+the CA list can be viewed and checked.
+However some servers only request client authentication
+after a specific URL is requested.
+To obtain the list in this case it is necessary to use the
+.Fl prexit
+command and send an HTTP request for an appropriate page.
+.Pp
+If a certificate is specified on the command line using the
+.Fl cert
+option it will not be used unless the server specifically requests
+a client certificate.
+Therefore merely including a client certificate
+on the command line is no guarantee that the certificate works.
+.Pp
+If there are problems verifying a server certificate then the
+.Fl showcerts
+option can be used to show the whole chain.
+.Sh S_CLIENT BUGS
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of
+.Nm s_client
+is rather hard to read and not a model of how things should be done.
+A typical SSL client program would be much simpler.
+.Pp
+The
+.Fl verify
+option should really exit if the server verification fails.
+.Pp
+The
+.Fl prexit
+option is a bit of a hack.
+We should really report information whenever a session is renegotiated.
+.\"
+.\" S_SERVER
+.\"
+.Sh S_SERVER
+.Nm openssl s_server
+.Bk -words
+.Op Fl accept Ar port
+.Op Fl context Ar id
+.Op Fl verify Ar depth
+.Op Fl Verify Ar depth
+.Op Fl cert Ar filename
+.Op Fl key Ar keyfile
+.Op Fl dcert Ar filename
+.Op Fl dkey Ar keyfile
+.Op Fl dhparam Ar filename
+.Op Fl nbio
+.Op Fl nbio_test
+.Op Fl crlf
+.Op Fl debug
+.Op Fl msg
+.Op Fl state
+.Op Fl CApath Ar directory
+.Op Fl CAfile Ar filename
+.Op Fl nocert
+.Op Fl cipher Ar cipherlist
+.Op Fl quiet
+.Op Fl no_tmp_rsa
+.Op Fl ssl2
+.Op Fl ssl3
+.Op Fl tls1
+.Op Fl no_ssl2
+.Op Fl no_ssl3
+.Op Fl no_tls1
+.Op Fl no_dhe
+.Op Fl bugs
+.Op Fl hack
+.Op Fl www
+.Op Fl WWW
+.Op Fl HTTP
+.Op Fl engine Ar id
+.Op Fl rand Ar file ...
+.Ek
+.Pp
+The
+.Nm s_server
+command implements a generic SSL/TLS server which listens
+for connections on a given port using SSL/TLS.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl accept Ar port
+The TCP
+.Ar port
+to listen on for connections.
+If not specified, 4433 is used.
+.It Fl context Ar id
+Sets the SSL context id.
+It can be given any string value.
+If this option is not present, a default value will be used.
+.It Fl cert Ar certname
+The certificate to use; most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the DSS cipher suites require a certificate containing a DSS
+(DSA) key.
+If not specified then the filename
+.Pa server.pem
+will be used.
+.It Fl key Ar keyfile
+The private key to use.
+If not specified then the certificate file will be used.
+.It Fl dcert Ar filename , Fl dkey Ar keyname
+Specify an additional certificate and private key; these behave in the
+same manner as the
+.Fl cert
+and
+.Fl key
+options except there is no default if they are not specified
+(no additional certificate and key is used).
+As noted above some cipher suites require a certificate containing a key of
+a certain type.
+Some cipher suites need a certificate carrying an RSA key
+and some a DSS (DSA) key.
+By using RSA and DSS certificates and keys
+a server can support clients which only support RSA or DSS cipher suites
+by using an appropriate certificate.
+.It Fl nocert
+If this option is set then no certificate is used.
+This restricts the cipher suites available to the anonymous ones
+(currently just anonymous DH).
+.It Fl dhparam Ar filename
+The DH parameter file to use.
+The ephemeral DH cipher suites generate keys
+using a set of DH parameters.
+If not specified, then an attempt is made to
+load the parameters from the server certificate file.
+If this fails then a static set of parameters hard coded into the
+.Nm s_server
+program will be used.
+.It Fl no_dhe
+If this option is set, then no DH parameters will be loaded, effectively
+disabling the ephemeral DH cipher suites.
+.It Fl no_tmp_rsa
+Certain export cipher suites sometimes use a temporary RSA key; this option
+disables temporary RSA key generation.
+.It Fl verify Ar depth , Fl Verify Ar depth
+The verify
+.Ar depth
+to use.
+This specifies the maximum length of the client certificate chain
+and makes the server request a certificate from the client.
+With the
+.Fl verify
+option a certificate is requested but the client does not have to send one.
+With the
+.Fl Verify
+option the client must supply a certificate or an error occurs.
+.It Fl CApath Ar directory
+The
+.Ar directory
+to use for client certificate verification.
+This directory must be in "hash format", see
+.Fl verify
+for more information.
+These are also used when building the server certificate chain.
+.It Fl CAfile Ar file
+A file containing trusted certificates to use during client authentication
+and to use when attempting to build the server certificate chain.
+The list is also used in the list of acceptable client CAs passed to the
+client when a certificate is requested.
+.It Fl state
+Prints out the SSL session states.
+.It Fl debug
+Print extensive debugging information including a hex dump of all traffic.
+.It Fl msg
+Show all protocol messages with hex dump.
+.It Fl nbio_test
+Tests non blocking I/O.
+.It Fl nbio
+Turns on non blocking I/O.
+.It Fl crlf
+This option translates a line feed from the terminal into CR+LF.
+.It Fl quiet
+Inhibit printing of session and certificate information.
+.It Fl ssl2 , ssl3 , tls1 , no_ssl2 ,
+.It Fl no_ssl3 , no_tls1
+These options disable the use of certain SSL or TLS protocols.
+By default, the initial handshake uses a method which should be compatible
+with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+.It Fl bugs
+There are several known bugs in SSL and TLS implementations.
+Adding this option enables various workarounds.
+.It Fl hack
+This option enables a further workaround for some some early Netscape
+SSL code (?).
+.It Fl cipher Ar cipherlist
+This allows the cipher list used by the server to be modified.
+When the client sends a list of supported ciphers, the first client cipher
+also included in the server list is used.
+Because the client specifies the preference order, the order of the server
+cipherlist irrelevant.
+See the
+.Sx CIPHERS
+section for more information.
+.It Fl www
+Sends a status message back to the client when it connects.
+This includes lots of information about the ciphers used and various
+session parameters.
+The output is in HTML format so this option will normally be used with a
+web browser.
+.It Fl WWW
+Emulates a simple web server.
+Pages will be resolved relative to the current directory;
+for example if the URL
+.Pa https://myhost/page.html
+is requested, the file
+.Pa ./page.html
+will be loaded.
+.It Fl HTTP
+Emulates a simple web server.
+Pages will be resolved relative to the current directory;
+for example if the URL
+.Pa https://myhost/page.html
+is requested the file
+.Pa ./page.html
+will be loaded.
+The files loaded are assumed to contain a complete and correct HTTP
+response (lines that are part of the HTTP response line and headers
+must end with CRLF).
+.It Fl engine Ar id
+Specifying an engine (by it's unique
+.Ar id
+string) will cause
+.Nm s_server
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default for all available algorithms.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.Ed
+.Sh S_SERVER CONNECTED COMMANDS
+If a connection request is established with an SSL client and neither the
+.Fl www
+nor the
+.Fl WWW
+option has been used, then normally any data received
+from the client is displayed and any key presses will be sent to the client. 
+.Pp
+Certain single letter commands are also recognized which perform special
+operations: these are listed below.
+.Pp
+.Bd -ragged -offset indent
+.It Ar q
+End the current SSL connection, but still accept new connections.
+.It Ar Q
+End the current SSL connection and exit.
+.It Ar r
+Renegotiate the SSL session.
+.It Ar R
+Renegotiate the SSL session and request a client certificate.
+.It Ar P
+Send some plain text down the underlying TCP connection: this should
+cause the client to disconnect due to a protocol violation.
+.It Ar S
+Print out some session cache status information.
+.Ed
+.Sh S_SERVER NOTES
+.Nm s_server
+can be used to debug SSL clients.
+To accept connections from a web browser the command:
+.Pp
+\& $ openssl s_server -accept 443 -www
+.Pp
+can be used for example.
+.Pp
+Most web browsers (in particular Netscape and MSIE) only support RSA cipher
+suites, so they cannot connect to servers which don't use a certificate
+carrying an RSA key or a version of
+.Nm OpenSSL
+with RSA disabled.
+.Pp
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some SSL
+clients interpret this to mean any CA is acceptable.
+This is useful for debugging purposes.
+.Pp
+The session parameters can printed out using the
+.Nm sess_id
+program.
+.Sh S_SERVER BUGS
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of
+.Nm s_server
+is rather hard to read and not a model of how things should be done.
+A typical SSL server program would be much simpler.
+.Pp
+The output of common ciphers is wrong: it just gives the list of ciphers that
+.Nm OpenSSL
+recognizes and the client supports.
+.Pp
+There should be a way for the
+.Nm s_server
+program to print out details of any
+unknown cipher suites a client says it supports.
+.\"
+.\" S_TIME
+.\"
+.Sh S_TIME
+The
+.Nm s_time
+utility is undocumented.
+.\"
+.\" SESS_ID
+.\"
+.Sh SESS_ID
+.Nm openssl sess_id
+.Bk -words
+.Op Fl inform Ar PEM|DER
+.Op Fl outform Ar PEM|DER
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl text
+.Op Fl noout
+.Op Fl context Ar ID
+.Ek
+.Pp
+The
+.Nm sess_id
+program processes the encoded version of the SSL
+session structure and optionally prints out SSL
+session details (for example the SSL
+session master key) in human readable format.
+Since this is a diagnostic tool that needs some knowledge of the SSL
+protocol to use properly, most users will not need to use it.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl inform Ar DER|PEM
+This specifies the input format.
+The
+.Ar DER
+argument uses an ASN1 DER encoded
+format containing session details.
+The precise format can vary from one version to the next.
+The
+.Ar PEM
+form is the default format: it consists of the DER
+format base64 encoded with additional header and footer lines.
+.It Fl outform Ar DER|PEM
+This specifies the output format, the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read session information from, or standard input by default.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write session information to, or standard
+output if this option is not specified.
+.It Fl text
+Prints out the various public or private key components in
+plain text in addition to the encoded version. 
+.It Fl cert
+If a certificate is present in the session it will be output using this option,
+if the
+.Fl text
+option is also present then it will be printed out in text form.
+.It Fl noout
+This option prevents output of the encoded version of the session.
+.It Fl context Ar ID
+This option can set the session id so the output session information uses the
+supplied
+.Ar ID .
+The
+.Ar ID
+can be any string of characters.
+This option won't normally be used.
+.Ed
+.Sh SESS_ID OUTPUT
+Typical output:
+.Pp
+.Bd -literal
+\& SSL-Session:
+\&     Protocol  : TLSv1
+\&     Cipher    : 0016
+\&     Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
+\&     Session-ID-ctx: 01000000
+\&     Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
+\&     Key-Arg   : None
+\&     Start Time: 948459261
+\&     Timeout   : 300 (sec)
+\&     Verify return code 0 (ok)
+.Ed
+.Pp
+These are described below in more detail.
+.Bd -ragged -offset indent
+.It Ar Protocol
+This is the protocol in use: TLSv1, SSLv3 or SSLv2.
+.It Ar Cipher
+The cipher used is the actual raw SSL or TLS cipher code;
+see the SSL or TLS specifications for more information.
+.It Ar Session-ID
+The SSL session ID in hex format.
+.It Ar Session-ID-ctx
+The session ID context in hex format.
+.It Ar Master-Key
+This is the SSL session master key.
+.It Ar Key-Arg
+The key argument, this is only used in SSL v2.
+.It Ar Start Time
+This is the session start time, represented as an integer
+in standard Unix format.
+.It Ar Timeout
+The timeout in seconds.
+.It Ar Verify return code
+This is the return code when an SSL client certificate is verified.
+.Ed
+.Sh SESS_ID NOTES
+The
+.Em PEM
+encoded session format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN SSL SESSION PARAMETERS-----
+\& -----END SSL SESSION PARAMETERS-----
+.Ed
+.Pp
+Since the SSL session output contains the master key, it is possible to read
+the contents of an encrypted session using this information.
+Therefore appropriate security precautions
+should be taken if the information is being output by a "real" application.
+This is, however, strongly discouraged and should only be used for
+debugging purposes.
+.Sh SESS_ID BUGS
+The cipher and start time should be printed out in human readable form.
+.\"
+.\" SMIME
+.\"
+.Sh SMIME
+.Nm openssl smime
+.Bk -words
+.Op Fl encrypt
+.Op Fl decrypt
+.Op Fl sign
+.Op Fl verify
+.Op Fl pk7out
+.Op Fl des
+.Op Fl des3
+.Op Fl rc2-40
+.Op Fl rc2-64
+.Op Fl rc2-128
+.Op Fl in Ar file
+.Op Fl certfile Ar file
+.Op Fl signer Ar file
+.Op Fl recip Ar file
+.Op Fl inform Ar SMIME|PEM|DER
+.Op Fl passin Ar arg
+.Op Fl inkey Ar file
+.Op Fl out Ar file
+.Op Fl outform Ar SMIME|PEM|DER
+.Op Fl content Ar file
+.Op Fl to Ar addr
+.Op Fl from Ar addr
+.Op Fl subject Ar s
+.Op Fl text
+.Op Fl rand Ar file ...
+.Op Ar cert.pem ...
+.Ek
+.Pp
+The
+.Nm smime
+command handles
+.Em S/MIME
+mail.
+It can encrypt, decrypt, sign and verify
+.Em S/MIME
+messages.
+.Pp
+There are five operation options that set the type of operation to be performed.
+The meaning of the other options varies according to the operation type.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl encrypt
+Encrypt mail for the given recipient certificates.
+Input file is the message to be encrypted.
+The output file is the encrypted mail in
+.Em MIME
+format.
+.It Fl decrypt
+Decrypt mail using the supplied certificate and private key.
+Expects an encrypted mail message in
+.Em MIME
+format for the input file.
+The decrypted mail is written to the output file.
+.It Fl sign
+Sign mail using the supplied certificate and private key.
+Input file is the message to be signed.
+The signed message in
+.Em MIME
+format is written to the output file.
+.It Fl verify
+Verify signed mail.
+Expects a signed mail message on input and outputs the signed data.
+Both clear text and opaque signing is supported.
+.It Fl pk7out
+Takes an input message and writes out a
+.Em PEM
+encoded PKCS#7 structure.
+.It Fl in Ar filename
+The input message to be encrypted or signed or the
+.Em MIME
+message to
+be decrypted or verified.
+.It Fl inform Ar SMIME|PEM|DER
+This specifies the input format for the PKCS#7 structure.
+The default is
+.Em SMIME
+which reads an
+.Em S/MIME
+format message.
+.Em PEM
+and
+.Em DER
+format change this to expect PEM and DER format PKCS#7 structures
+instead.
+This currently only affects the input format of the PKCS#7
+structure, if no PKCS#7 structure is being input (for example with
+.Fl encrypt
+or
+.Fl sign )
+this option has no effect.
+.It Fl out Ar filename
+The message text that has been decrypted or verified, or the output
+.Em MIME
+format message that has been signed or verified.
+.It Fl outform Ar SMIME|PEM|DER
+This specifies the output format for the PKCS#7 structure.
+The default is
+.Em SMIME
+which writes an
+.Em S/MIME
+format message.
+.Em PEM
+and
+.Em DER
+format change this to write PEM and DER format PKCS#7 structures
+instead.
+This currently only affects the output format of the PKCS#7
+structure; if no PKCS#7 structure is being output (for example with
+.Fl verify
+or
+.Fl decrypt )
+this option has no effect.
+.It Fl content Ar filename
+This specifies a file containing the detached content.
+This is only useful with the
+.Fl verify
+command.
+This is only usable if the PKCS#7 structure is using the detached
+signature form where the content is not included.
+This option will override any content if the input format is
+.Em S/MIME
+and it uses the multipart/signed
+.Em MIME
+content type.
+.It Fl text
+This option adds plain text (text/plain)
+.Em MIME
+headers to the supplied message if encrypting or signing.
+If decrypting or verifying it strips off text headers:
+if the decrypted or verified message is not of
+.Em MIME 
+type text/plain then an error occurs.
+.It Fl CAfile Ar file
+A
+.Ar file
+containing trusted CA certificates, only used with
+.Fl verify .
+.It Fl CApath Ar dir
+A
+.Ar directory
+containing trusted CA certificates, only used with
+.Fl verify .
+This directory must be a standard certificate directory;
+that is, a hash of each subject name (using
+.Nm x509 -hash )
+should be linked to each certificate.
+.It Fl des des3 rc2-40 rc2-64 rc2-128
+The encryption algorithm to use.
+DES (56 bits), triple DES\s0 (168 bits)
+or 40, 64 or 128 bit RC2, respectively; if not specified 40 bit RC2 is
+used.
+Only used with
+.Fl encrypt .
+.It Fl nointern
+When verifying a message, normally certificates (if any) included in
+the message are searched for the signing certificate.
+With this option only the certificates specified in the
+.Fl certfile
+option are used.
+The supplied certificates can still be used as untrusted CAs however.
+.It Fl noverify
+Do not verify the signer's certificate of a signed message.
+.It Fl nochain
+Do not do chain verification of signers' certificates: that is don't
+use the certificates in the signed message as untrusted CAs.
+.It Fl nosigs
+Don't try to verify the signatures on the message.
+.It Fl nocerts
+When signing a message, the signer's certificate is normally included;
+with this option it is excluded.
+This will reduce the size of the signed message but the verifier must
+have a copy of the signer's certificate available locally (passed using the
+.Fl certfile
+option, for example).
+.It Fl noattr
+Normally, when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms.
+With this option they are not included.
+.It Fl binary
+Normally the input message is converted to "canonical" format which is
+effectively using CR and LF as end of line: as required by the
+.Em S/MIME
+specification.
+When this option is present no translation occurs.
+This is useful when handling binary data which may not be in
+.Em MIME
+format.
+.It Fl nodetach
+When signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support
+.Em S/MIME .
+Without this option cleartext signing with the
+.Em MIME
+type multipart/signed is used.
+.It Fl certfile Ar file
+Allows additional certificates to be specified.
+When signing these will be included with the message.
+When verifying these will be searched for the signers' certificates.
+The certificates should be in
+.Em PEM
+format.
+.It Fl signer Ar file
+The signer's certificate when signing a message.
+If a message is being verified, then the signer's certificates will be
+written to this file if the verification was successful.
+.It Fl recip Ar file
+The recipients certificate when decrypting a message.
+This certificate
+must match one of the recipients of the message or an error occurs.
+.It Fl inkey Ar file
+The private key to use when signing or decrypting.
+This must match the corresponding certificate.
+If this option is not specified then the private key must be included
+in the certificate file specified with
+the
+.Fl recip
+or
+.Fl signer
+file.
+.It Fl passin Ar arg
+The private key password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl rand Ar file ...
+A
+.Ar file
+or
+.Ar file Ns Li s
+containing random data used to seed the random number generator,
+or an EGD socket (see
+.Xr RAND_egd 3 ) .
+Multiple files can be specified separated by an OS-dependent character.
+The separator is
+.Cm \&;
+for MS-Windows,
+.Cm \&,
+for OpenVMS, and
+.Cm \&:
+for all others.
+.It Ar cert.pem ...
+One or more certificates of message recipients: used when encrypting
+a message. 
+.It Fl to , from , subject
+The relevant mail headers.
+These are included outside the signed
+portion of a message so they may be included manually.
+If signing, then many
+.Em S/MIME
+mail clients check the signer's certificate email
+address matches that specified in the From: address.
+.Ed
+.Sh SMIME NOTES
+The
+.Em MIME
+message must be sent without any blank lines between the
+headers and the output.
+Some mail programs will automatically add a blank line.
+Piping the mail directly to sendmail is one way to
+achieve the correct format.
+.Pp
+The supplied message to be signed or encrypted must include the
+necessary
+.Em MIME
+headers or many
+.Em S/MIME
+clients won't display it properly (if at all).
+You can use the
+.Fl text
+option to automatically add plain text headers.
+.Pp
+A "signed and encrypted" message is one where a signed message is
+then encrypted.
+This can be produced by encrypting an already signed message:
+see the
+.Sx SMIME EXAMPLES
+section.
+.Pp
+This version of the program only allows one signer per message, but it
+will verify multiple signers on received messages.
+Some
+.Em S/MIME
+clients choke if a message contains multiple signers.
+It is possible to sign messages "in parallel" by signing an already
+signed message.
+.Pp
+The options
+.Fl encrypt
+and
+.Fl decrypt
+reflect common usage in
+.Em S/MIME
+clients.
+Strictly speaking these process PKCS#7 enveloped data: PKCS#7
+encrypted data is used for other purposes.
+.Sh SMIME EXIT CODES
+.Bd -ragged -offset indent
+.It Ar 0
+The operation was completely successful.
+.It Ar 1
+An error occurred parsing the command options.
+.It Ar 2
+One of the input files could not be read.
+.It Ar 3
+An error occurred creating the PKCS#7 file or when reading the
+.Em MIME
+message.
+.It Ar 4
+An error occurred decrypting or verifying the message.
+.It Ar 5
+The message was verified correctly, but an error occurred writing out
+the signers certificates.
+.Ed
+.Sh SMIME EXAMPLES
+Create a cleartext signed message:
+.Pp
+.Bd -literal
+\& $ openssl smime -sign -in message.txt -text -out mail.msg \e
+\&        -signer mycert.pem
+.Ed
+.Pp
+Create an opaque signed message:
+.Pp
+.Bd -literal
+\& $ openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
+\&        -signer mycert.pem
+.Ed
+.Pp
+Create a signed message, include some additional certificates and
+read the private key from another file:
+.Pp
+.Bd -literal
+\& $ openssl smime -sign -in in.txt -text -out mail.msg \e
+\&        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+.Ed
+.Pp
+Send a signed message under Unix directly to
+.Xr sendmail 8 ,
+including headers:
+.Pp
+.Bd -literal
+\& $ openssl smime -sign -in in.txt -text -signer mycert.pem \e
+\&        -from steve@openssl.org -to someone@somewhere \e
+\&        -subject "Signed message" | sendmail someone@somewhere
+.Ed
+.Pp
+Verify a message and extract the signer's certificate if successful:
+.Pp
+.Bd -literal
+\& $ openssl smime -verify -in mail.msg -signer user.pem \e
+\&      -out signedtext.txt
+.Ed
+.Pp
+Send encrypted mail using triple DES:
+.Pp
+.Bd -literal
+\& $ openssl smime -encrypt -in in.txt -from steve@openssl.org \e
+\&        -to someone@somewhere -subject "Encrypted message" \e
+\&        -des3 user.pem -out mail.msg
+.Ed
+.Pp
+Sign and encrypt mail:
+.Pp
+.Bd -literal
+\& $ openssl smime -sign -in ml.txt -signer my.pem -text \e
+\&        | openssl smime -encrypt -out mail.msg \e
+\&        -from steve@openssl.org -to someone@somewhere \e
+\&        -subject "Signed and Encrypted message" -des3 user.pem
+.Ed
+.Pp
+.Sy Note :
+The encryption command does not include the
+.Fl text
+option because the message being encrypted already has
+.Em MIME
+headers.
+.Pp
+Decrypt mail:
+.Pp
+\& $ openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
+.Pp
+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format.
+You can use this program to verify the signature by line wrapping the
+base64 encoded structure and surrounding it with:
+.Pp
+.Bd -literal
+\& -----BEGIN PKCS7----
+\& -----END PKCS7----
+.Ed
+.Pp
+and using the command:
+.br
+.Pp
+.Bd -literal
+\& $ openssl smime -verify -inform PEM -in signature.pem
+\&      -content content.txt
+.Ed
+.Pp
+Alternatively, you can base64 decode the signature and use:
+.Pp
+.Bd -literal
+\& $ openssl smime -verify -inform DER -in signature.der
+\&      -content content.txt
+.Ed
+.Sh SMIME BUGS
+The
+.Em MIME
+parser isn't very clever: it seems to handle most messages that I've thrown
+at it, but it may choke on others.
+.Pp
+The code currently will only write out the signer's certificate to a file:
+if the signer has a separate encryption certificate this must be manually
+extracted.
+There should be some heuristic that determines the correct encryption
+certificate.
+.Pp
+Ideally a database should be maintained of a certificate for each email
+address.
+.Pp
+The code doesn't currently take note of the permitted symmetric encryption
+algorithms as supplied in the
+.Em SMIMECapabilities
+signed attribute.
+This means the user has to manually include the correct encryption algorithm.
+It should store the list of permitted ciphers in a database and only use those.
+.Pp
+No revocation checking is done on the signer's certificate.
+.Pp
+The current code can only handle
+.Em S/MIME
+v2 messages, the more complex
+.Em S/MIME
+v3 structures may cause parsing errors.
+.\"
+.\" SPEED
+.\"
+.Sh SPEED
+.Nm openssl speed
+.Op Fl engine Ar id
+.Op Cm md2
+.Op Cm mdc2
+.Op Cm md5
+.Op Cm hmac
+.Op Cm sha1
+.Op Cm rmd160
+.Op Cm idea-cbc
+.Op Cm rc2-cbc
+.Op Cm rc5-cbc
+.Op Cm bf-cbc
+.Op Cm des-cbc
+.Op Cm des-ede3
+.Op Cm rc4
+.Op Cm rsa512
+.Op Cm rsa1024
+.Op Cm rsa2048
+.Op Cm rsa4096
+.Op Cm dsa512
+.Op Cm dsa1024
+.Op Cm dsa2048
+.Op Cm idea
+.Op Cm rc2
+.Op Cm des
+.Op Cm rsa
+.Op Cm blowfish
+.Pp
+The
+.Nm speed
+command is used to test the performance of cryptographic algorithms.
+.Pp
+.Bd -ragged -offset indent
+.It Fl engine Ar id
+Specifying an engine (by it's unique
+.Ar id
+string) will cause
+.Nm speed
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed.
+The engine will then be set as the default
+for all available algorithms.
+.It Cm [zero or more test algorithms]
+If any options are given,
+.Nm speed
+tests those algorithms, otherwise all of the above are tested.
+.Ed
+.\"
+.\" SPKAC
+.\"
+.Sh SPKAC
+.Nm openssl spkac
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl key Ar keyfile
+.Op Fl passin Ar arg
+.Op Fl challenge Ar string
+.Op Fl pubkey
+.Op Fl spkac Ar spkacname
+.Op Fl spksect Ar section
+.Op Fl noout
+.Op Fl verify
+.Pp
+The
+.Nm spkac
+command processes Netscape signed public key and challenge
+(SPKAC) files.
+It can print out their contents, verify the signature and
+produce its own SPKACs from a supplied private key.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read from or standard input if this option is not specified.
+Ignored if the
+.Fl key
+option is used.
+.It Fl out Ar filename
+Specifies the output
+.Ar filename
+to write to or standard output by default.
+.It Fl key Ar keyfile
+Create an SPKAC file using the private key in
+.Ar keyfile .
+The
+.Fl in , noout , spksect
+and
+.Fl verify
+options are ignored if present.
+.It Fl passin Ar password
+The input file password source.
+For more information about the format of
+.Ar arg
+see the
+.Sx PASS PHRASE ARGUMENTS
+section above.
+.It Fl challenge Ar string
+Specifies the challenge string if an SPKAC is being created.
+.It Fl spkac Ar spkacname
+Allows an alternative name for the variable containing the SPKAC.
+The default is "SPKAC".
+This option affects both generated and input SPKAC files.
+.It Fl spksect Ar section
+Allows an alternative name for the
+.Ar section
+containing the SPKAC.
+The default is the default section.
+.It Fl noout
+Don't output the text version of the SPKAC (not used if an
+SPKAC is being created).
+.It Fl pubkey
+Output the public key of an SPKAC (not used if an SPKAC is
+being created).
+.It Fl verify
+Verifies the digital signature on the supplied SPKAC.
+.Ed
+.Sh SPKAC EXAMPLES
+Print out the contents of an SPKAC:
+.Pp
+\& $ openssl spkac -in spkac.cnf
+.Pp
+Verify the signature of an SPKAC:
+.Pp
+\& $ openssl spkac -in spkac.cnf -noout -verify
+.Pp
+Create an SPKAC using the challenge string "hello":
+.Pp
+\& $ openssl spkac -key key.pem -challenge hello -out spkac.cnf
+.Pp
+Example of an SPKAC, (long lines split up for clarity):
+.Pp
+.Bd -literal
+\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
+\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
+\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
+\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
+\& 4=
+.Ed
+.Sh SPKAC NOTES
+A created SPKAC with suitable DN components appended can be fed into
+the
+.Nm ca
+utility.
+.Pp
+SPKACs are typically generated by Netscape when a form is submitted
+containing the
+.Em KEYGEN
+tag as part of the certificate enrollment process.
+.Pp
+The challenge string permits a primitive form of proof of possession
+of private key.
+By checking the SPKAC signature and a random challenge
+string, some guarantee is given that the user knows the private key
+corresponding to the public key being certified.
+This is important in some applications.
+Without this it is possible for a previous SPKAC
+to be used in a "replay attack".
+.\"
+.\" VERIFY
+.\"
+.Sh VERIFY
+.Nm openssl verify
+.Op Fl CApath Ar directory
+.Op Fl CAfile Ar file
+.Op Fl purpose Ar purpose
+.Op Fl untrusted Ar file
+.Op Fl help
+.Op Fl issuer_checks
+.Op Fl verbose
+.Op Fl 
+.Op Ar certificates
+.Pp
+The
+.Nm verify
+command verifies certificate chains.
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl CApath directory
+A
+.Ar directory
+of trusted certificates.
+The certificates should have names of the form
+.Em hash.0 ,
+or have symbolic links to them of this form.
+("hash" is the hashed certificate subject name: see the
+.Fl hash
+option of the
+.Nm x509
+utility).
+Under Unix the
+.Nm c_rehash
+script will automatically create symbolic links to a directory of certificates.
+.It Fl CAfile Ar file
+A
+.Ar file
+of trusted certificates.
+The
+.Ar file
+should contain multiple certificates in
+.Em PEM
+format concatenated together.
+.It Fl untrusted Ar file
+A
+.Ar file
+of untrusted certificates.
+The
+.Ar file
+should contain multiple certificates.
+.It Fl purpose Ar purpose
+The intended use for the certificate.
+Without this option no chain verification will be done.
+Currently accepted uses are
+.Ar sslclient , sslserver ,
+.Ar nssslserver , smimesign ,
+and
+.Ar smimeencrypt .
+See the
+.Sx VERIFY OPERATION
+section for more information.
+.It Fl help
+Prints out a usage message.
+.It Fl verbose
+Print extra information about the operations being performed.
+.It Fl issuer_checks
+Print out diagnostics relating to searches for the issuer certificate
+of the current certificate.
+This shows why each candidate issuer certificate was rejected.
+However the presence of rejection messages
+does not itself imply that anything is wrong: during the normal
+verify process several rejections may take place.
+.It Fl 
+Marks the last option.
+All arguments following this are assumed to be certificate files.
+This is useful if the first certificate filename begins with a
+.Cm \&- .
+.It Ar certificates
+One or more
+.Ar certificates
+to verify.
+If no certificate filenames are included then an attempt is made to read
+a certificate from standard input.
+They should all be in
+.Em PEM
+format.
+.Ed
+.Sh VERIFY OPERATION
+The
+.Nm verify
+program uses the same functions as the internal SSL and S/MIME verification,
+therefore this description applies to these verify operations too.
+.Pp
+There is one crucial difference between the verify operations performed
+by the
+.Nm verify
+program: wherever possible an attempt is made to continue
+after an error, whereas normally the verify operation would halt on the
+first error.
+This allows all the problems with a certificate chain to be determined.
+.Pp
+The verify operation consists of a number of separate steps.
+.Pp
+Firstly a certificate chain is built up starting from the supplied certificate
+and ending in the root CA.
+It is an error if the whole chain cannot be built up.
+The chain is built up by looking up the issuers certificate of the current
+certificate.
+If a certificate is found which is its own issuer it is assumed 
+to be the root CA.
+.Pp
+The process of 'looking up the issuers certificate' itself involves a number
+of steps.
+In versions of
+.Nm OpenSSL
+before 0.9.5a the first certificate whose subject name matched the issuer
+of the current certificate was assumed to be the issuers certificate.
+In
+.Nm OpenSSL
+0.9.6 and later all certificates whose subject name matches the issuer name
+of the current certificate are subject to further tests.
+The relevant authority key identifier components of the current certificate
+(if present) must match the subject key identifier (if present)
+and issuer and serial number of the candidate issuer; in addition the
+.Em keyUsage
+extension of the candidate issuer (if present) must permit certificate signing.
+.Pp
+The lookup first looks in the list of untrusted certificates and if no match
+is found the remaining lookups are from the trusted certificates.
+The root CA is always looked up in the trusted certificate list: if the
+certificate to verify is a root certificate, then an exact match must be
+found in the trusted list.
+.Pp
+The second operation is to check every untrusted certificate's extensions for
+consistency with the supplied purpose.
+If the
+.Fl purpose
+option is not included, then no checks are done.
+The supplied or "leaf" certificate must have extensions compatible with the
+supplied purpose and all other certificates must also be valid
+CA certificates.
+The precise extensions required are described in more detail in
+the
+.Sx X509 CERTIFICATE EXTENSIONS
+section below.
+.Pp
+The third operation is to check the trust settings on the root CA.
+The root CA should be trusted for the supplied purpose.
+For compatibility with previous versions of
+.Nm SSLeay
+and
+.Nm OpenSSL ,
+a certificate with no trust settings is considered to be valid for
+all purposes. 
+.Pp
+The final operation is to check the validity of the certificate chain.
+The validity period is checked against the current system time and the
+.Em notBefore
+and
+.Em notAfter
+dates in the certificate.
+The certificate signatures are also checked at this point.
+.Pp
+If all operations complete successfully, then the certificate is considered
+valid.
+If any operation fails then the certificate is not valid.
+.Sh VERIFY DIAGNOSTICS
+When a verify operation fails, the output messages can be somewhat cryptic.
+The general form of the error message is:
+.Pp
+.Bd -literal
+\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+\& error 24 at 1 depth lookup:invalid CA certificate
+.Ed
+.Pp
+The first line contains the name of the certificate being verified followed by
+the subject name of the certificate.
+The second line contains the error number and the depth.
+The depth is number of the certificate being verified when a
+problem was detected starting with zero for the certificate being verified
+itself, then 1 for the CA that signed the certificate and so on.
+Finally a text version of the error number is presented.
+.Pp
+An exhaustive list of the error codes and messages is shown below; this also
+includes the name of the error code as defined in the header file
+.Aq Pa x509_vfy.h .
+Some of the error codes are defined but never returned: these are described
+as "unused".
+.Pp
+.Bd -ragged -offset indent
+.It Ar "0 X509_V_OK: ok"
+The operation was successful.
+.It Ar 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
+The issuer certificate could not be found: this occurs if the issuer certificate
+of an untrusted certificate cannot be found.
+.It Ar 3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
+The CRL of a certificate could not be found.
+Unused.
+.It Ar 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
+The certificate signature could not be decrypted.
+This means that the actual signature value could not be determined rather
+than it not matching the expected value.
+This is only meaningful for RSA keys.
+.It Ar 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
+The CRL signature could not be decrypted: this means that the actual
+signature value could not be determined rather than it not matching the
+expected value.
+Unused.
+.It Ar 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
+The public key in the certificate
+.Em SubjectPublicKeyInfo
+could not be read.
+.It Ar 7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
+The signature of the certificate is invalid.
+.It Ar 8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
+The signature of the certificate is invalid.
+Unused.
+.It Ar 9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
+The certificate is not yet valid: the
+.Em notBefore
+date is after the current time.
+.It Ar 10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
+The certificate has expired; that is, the
+.Em notAfter
+date is before the current time.
+.It Ar 11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
+The CRL is not yet valid.
+Unused.
+.It Ar 12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
+The CRL has expired.
+Unused.
+.It Ar 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
+The certificate
+.Em notBefore
+field contains an invalid time.
+.It Ar 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
+The certificate
+.Em notAfter
+field contains an invalid time.
+.It Ar 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
+The CRL
+.Em lastUpdate
+field contains an invalid time.
+Unused.
+.It Ar 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
+The CRL
+.Em nextUpdate
+field contains an invalid time.
+Unused.
+.It Ar 17 X509_V_ERR_OUT_OF_MEM: out of memory
+An error occurred trying to allocate memory.
+This should never happen.
+.It Ar 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
+The passed certificate is self-signed and the same certificate cannot be
+found in the list of trusted certificates.
+.It Ar 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
+The certificate chain could be built up using the untrusted certificates but
+the root could not be found locally.
+.It Ar 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
+The issuer certificate of a locally looked up certificate could not be found.
+This normally means the list of trusted certificates is not complete.
+.It Ar 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
+No signatures could be verified because the chain contains only one
+certificate and it is not self-signed.
+.It Ar 22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
+The certificate chain length is greater than the supplied maximum depth.
+Unused.
+.It Ar 23 X509_V_ERR_CERT_REVOKED: certificate revoked
+The certificate has been revoked.
+Unused.
+.It Ar 24 X509_V_ERR_INVALID_CA: invalid CA certificate
+A CA certificate is invalid.
+Either it is not a CA or its extensions are not consistent
+with the supplied purpose.
+.It Ar 25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
+The
+.Em basicConstraints
+pathlength parameter has been exceeded.
+.It Ar 26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
+The supplied certificate cannot be used for the specified purpose.
+.It Ar 27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
+The root CA is not marked as trusted for the specified purpose.
+.It Ar 28 X509_V_ERR_CERT_REJECTED: certificate rejected
+The root CA is marked to reject the specified purpose.
+.It Ar 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
+The current candidate issuer certificate was rejected because its subject name
+did not match the issuer name of the current certificate.
+Only displayed when the
+.Fl issuer_checks
+option is set.
+.It Ar 30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
+The current candidate issuer certificate was rejected because its subject key
+identifier was present and did not match the authority key identifier current
+certificate.
+Only displayed when the
+.Fl issuer_checks
+option is set.
+.It Ar 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
+The current candidate issuer certificate was rejected because its issuer name
+and serial number were present and did not match the authority key identifier
+of the current certificate.
+Only displayed when the
+.Fl issuer_checks
+option is set.
+.It Ar 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
+The current candidate issuer certificate was rejected because its
+.Em keyUsage
+extension does not permit certificate signing.
+.It Ar 50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
+An application specific error.
+Unused.
+.Ed
+.Sh VERIFY BUGS
+Although the issuer checks are a considerable improvement over the old
+technique, they still suffer from limitations in the underlying
+X509_LOOKUP API.
+One consequence of this is that trusted certificates with matching subject
+name must either appear in a file (as specified by the
+.Fl CAfile
+option) or a directory (as specified by
+.Fl CApath ) .
+If they occur in both, then only the certificates in the file will
+be recognised.
+.Pp
+Previous versions of
+.Nm OpenSSL
+assume certificates with matching subject name are identical and
+mishandled them.
+.\"
+.\" VERSION
+.\"
+.Sh VERSION
+.Nm openssl version
+.Op Fl a
+.Op Fl v
+.Op Fl b
+.Op Fl o
+.Op Fl f
+.Op Fl p
+.Pp
+The
+.Nm version
+command is used to print out version information about
+.Nm OpenSSL .
+.Pp
+The options are as follows:
+.Bd -ragged -offset indent
+.It Fl a
+All information: this is the same as setting all the other flags.
+.It Fl v
+The current
+.Nm OpenSSL
+version.
+.It Fl b
+The date the current version of
+.Nm OpenSSL
+was built.
+.It Fl o
+Option information: various options set when the library was built.
+.It Fl c
+Compilation flags.
+.It Fl p
+Platform setting.
+.It Fl d
+.Em OPENSSLDIR
+setting.
+.Ed
+.Sh VERSION NOTES
+The output of
+.Nm openssl version -a
+would typically be used when sending in a bug report.
+.Sh VERSION HISTORY
+The
+.Fl d
+option was added in
+.Nm OpenSSL
+0.9.7.
+.\"
+.\" X509
+.\"
+.Sh X509
+.Nm openssl x509
+.Bk -words
+.Op Fl inform Ar DER|PEM|NET
+.Op Fl outform Ar DER|PEM|NET
+.Op Fl keyform Ar DER|PEM
+.Op Fl CAform Ar DER|PEM
+.Op Fl CAkeyform Ar DER|PEM
+.Op Fl in Ar filename
+.Op Fl out Ar filename
+.Op Fl serial
+.Op Fl hash
+.Op Fl subject
+.Op Fl issuer
+.Op Fl nameopt Ar option
+.Op Fl email
+.Op Fl startdate
+.Op Fl enddate
+.Op Fl purpose
+.Op Fl dates
+.Op Fl modulus
+.Op Fl fingerprint
+.Op Fl alias
+.Op Fl noout
+.Op Fl trustout
+.Op Fl clrtrust
+.Op Fl clrreject
+.Op Fl addtrust Ar arg
+.Op Fl addreject Ar arg
+.Op Fl setalias Ar arg
+.Op Fl days Ar arg
+.Op Fl set_serial Ar n
+.Op Fl signkey Ar filename
+.Op Fl x509toreq
+.Op Fl req
+.Op Fl CA Ar filename
+.Op Fl CAkey Ar filename
+.Op Fl CAcreateserial
+.Op Fl CAserial Ar filename
+.Op Fl text
+.Op Fl C
+.Op Cm -md2|-md5|-sha1|-mdc2
+.Op Fl clrext
+.Op Fl extfile Ar filename
+.Op Fl extensions Ar section
+.Ek
+.Pp
+The
+.Nm x509
+command is a multi-purpose certificate utility.
+It can be used to display certificate information, convert certificates to
+various forms, sign certificate requests like a "mini CA" or edit
+certificate trust settings.
+.Pp
+Since there are a large number of options, they are split up into
+various sections.
+.Sh X509 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+.Bd -ragged -offset indent
+.It Fl inform Ar DER|PEM|NET
+This specifies the input format.
+Normally the command will expect an X509 certificate,
+but this can change if other options such as
+.Fl req
+are present.
+The
+.Ar DER
+format is the DER encoding of the certificate and
+.Ar PEM
+is the base64 encoding of the DER encoding with header and footer lines added.
+The
+.Ar NET
+option is an obscure Netscape server format that is now
+obsolete.
+.It Fl outform Ar DER|PEM|NET
+This specifies the output format;
+the options have the same meaning as the 
+.Fl inform
+option.
+.It Fl in Ar filename
+This specifies the input
+.Ar filename
+to read a certificate from or standard input if this option is not specified.
+.It Fl out Ar filename
+This specifies the output
+.Ar filename
+to write to or standard output by default.
+.It Fl md2|-md5|-sha1|-mdc2
+The digest to use.
+This affects any signing or display option that uses a message digest,
+such as the
+.Fl fingerprint , signkey
+and
+.Fl CA
+options.
+If not specified then MD5 is used.
+If the key being used to sign with is a DSA key then
+this option has no effect: SHA1 is always used with DSA keys.
+.Ed
+.Sh X509 DISPLAY OPTIONS
+.Sy Note :
+The
+.Fl alias
+and
+.Fl purpose
+options are also display options but are described in the
+.Sx X509 TRUST OPTIONS
+section.
+.Bd -ragged -offset indent
+.It Fl text
+Prints out the certificate in text form.
+Full details are output including the public key, signature algorithms,
+issuer and subject names, serial number, any extensions present and any
+trust settings.
+.It Fl certopt Ar option
+Customise the output format used with
+.Fl text .
+The
+.Ar option
+argument can be a single option or multiple options separated by commas.
+The
+.Fl certopt
+switch may be also be used more than once to set multiple options.
+See the
+.Sx X509 TEXT OPTIONS
+section for more information.
+.It Fl noout
+This option prevents output of the encoded version of the request.
+.It Fl modulus
+This option prints out the value of the modulus of the public key
+contained in the certificate.
+.It Fl serial
+Outputs the certificate serial number.
+.It Fl hash
+Outputs the "hash" of the certificate subject name.
+This is used in
+.Nm OpenSSL
+to form an index to allow certificates in a directory to be looked up
+by subject name.
+.It Fl subject
+Outputs the subject name.
+.It Fl issuer
+Outputs the issuer name.
+.It Fl nameopt Ar option
+Option which determines how the subject or issuer names are displayed.
+The
+.Ar option
+argument can be a single option or multiple options separated by commas.
+Alternatively, the
+.Fl nameopt
+switch may be used more than once to set multiple options.
+See the
+.Sx X509 NAME OPTIONS
+section for more information.
+.It Fl email
+Outputs the email address(es) if any.
+.It Fl startdate
+Prints out the start date of the certificate; that is, the
+.Em notBefore
+date.
+.It Fl enddate
+Prints out the expiry date of the certificate; that is, the
+.Em notAfter
+date.
+.It Fl dates
+Prints out the start and expiry dates of a certificate.
+.It Fl fingerprint
+Prints out the digest of the DER encoded version of the whole certificate
+(see
+.Sx DIGEST OPTIONS ) .
+.It Fl C
+This outputs the certificate in the form of a C source file.
+.Ed
+.Sh X509 TRUST SETTINGS
+Please note these options are currently experimental and may well change.
+.Pp
+A
+.Em trusted certificate
+is an ordinary certificate which has several
+additional pieces of information attached to it such as the permitted
+and prohibited uses of the certificate and an "alias".
+.Pp
+Normally when a certificate is being verified at least one certificate
+must be "trusted".
+By default a trusted certificate must be stored
+locally and must be a root CA: any certificate chain ending in this CA
+is then usable for any purpose.
+.Pp
+Trust settings currently are only used with a root CA.
+They allow a finer control over the purposes the root CA can be used for.
+For example, a CA may be trusted for an SSL client but not for
+SSL server use.
+.Pp
+See the description of the
+.Nm verify
+utility for more information on the meaning of trust settings.
+.Pp
+Future versions of
+.Nm OpenSSL
+will recognize trust settings on any certificate: not just root CAs.
+.Bd -ragged -offset indent
+.It Fl trustout
+This causes
+.Nm x509
+to output a
+.Em trusted certificate .
+An ordinary or trusted certificate can be input, but by default an ordinary
+certificate is output and any trust settings are discarded.
+With the
+.Fl trustout
+option a trusted certificate is output.
+A trusted certificate is automatically output if any trust settings
+are modified.
+.It Fl setalias Ar arg
+Sets the alias of the certificate.
+This will allow the certificate to be referred to using a nickname,
+for example "Steve's Certificate".
+.It Fl alias
+Outputs the certificate alias, if any.
+.It Fl clrtrust
+Clears all the permitted or trusted uses of the certificate.
+.It Fl clrreject
+Clears all the prohibited or rejected uses of the certificate.
+.It Fl addtrust Ar arg
+Adds a trusted certificate use.
+Any object name can be used here, but currently only
+.Ar clientAuth
+.Po Em SSL
+ client use
+.Pc ,
+.Ar serverAuth
+.Po Em SSL
+ server use
+.Pc
+and
+.Ar emailProtection
+.Po Em S/MIME
+ email
+.Pc
+are used.
+Other
+.Nm OpenSSL
+applications may define additional uses.
+.It Fl addreject Ar arg
+Adds a prohibited use.
+It accepts the same values as the
+.Fl addtrust
+option.
+.It Fl purpose
+This option performs tests on the certificate extensions and outputs
+the results.
+For a more complete description see the
+.Sx X509 CERTIFICATE EXTENSIONS
+section.
+.Ed
+.Sh X509 SIGNING OPTIONS
+The
+.Nm x509
+utility can be used to sign certificates and requests: it
+can thus behave like a "mini CA".
+.Pp
+.Bd -ragged -offset indent
+.It Fl signkey Ar filename
+This option causes the input file to be self-signed using the supplied
+private key. 
+.Pp
+If the input file is a certificate, it sets the issuer name to the
+subject name (i.e. makes it self-signed), changes the public key to the
+supplied value and changes the start and end dates.
+The start date is set to the current time and the end date is set to
+a value determined by the
+.Fl days
+option.
+Any certificate extensions are retained unless the
+.Fl clrext
+option is supplied.
+.Pp
+If the input is a certificate request, then a self-signed certificate
+is created using the supplied private key using the subject name in
+the request.
+.It Fl clrext
+Delete any extensions from a certificate.
+This option is used when a certificate is being created from another
+certificate (for example with the
+.Fl signkey
+or the
+.Fl CA
+options).
+Normally all extensions are retained.
+.It Fl keyform Ar PEM|DER
+Specifies the format
+.Po Em DER
+ or
+.Em PEM
+.Pc
+of the private key file used in the
+.Fl signkey
+option.
+.It Fl days Ar arg
+Specifies the number of days to make a certificate valid for.
+The default is 30 days.
+.It Fl x509toreq
+Converts a certificate into a certificate request.
+The
+.Fl signkey
+option is used to pass the required private key.
+.It Fl req
+By default a certificate is expected on input.
+With this option a certificate request is expected instead.
+.It Fl set_serial Ar n
+Specifies the serial number to use.
+This option can be used with either the
+.Fl signkey
+or
+.Fl CA
+options.
+If used in conjunction with the
+.Fl CA
+option, the serial number file (as specified by the
+.Fl CAserial
+or
+.Fl CAcreateserial
+options) is not used.
+.Pp
+The serial number can be decimal or hex (if preceded by
+.Em 0x ) .
+Negative serial numbers can also be specified but their use is not recommended.
+.It Fl CA Ar filename
+Specifies the CA certificate to be used for signing.
+When this option is present
+.Nm x509
+behaves like a "mini CA".
+The input file is signed by the CA using this option;
+that is, its issuer name is set to the subject name of the CA and it is
+digitally signed using the CAs private key.
+.Pp
+This option is normally combined with the
+.Fl req
+option.
+Without the
+.Fl req
+option, the input is a certificate which must be self-signed.
+.It Fl CAkey Ar filename
+Sets the CA private key to sign a certificate with.
+If this option is not specified then it is assumed that the CA private key
+is present in the CA certificate file.
+.It Fl CAserial Ar filename
+Sets the CA serial number file to use.
+.Pp
+When the
+.Fl CA
+option is used to sign a certificate it uses a serial
+number specified in a file.
+This file consist of one line containing an even number of hex digits
+with the serial number to use.
+After each use the serial number is incremented and written out
+to the file again.
+.Pp
+The default filename consists of the CA certificate file base name with
+.Pa .srl
+appended.
+For example if the CA certificate file is called 
+.Pa mycacert.pem ,
+it expects to find a serial number file called
+.Pa mycacert.srl .
+.It Fl CAcreateserial Ar filename
+With this option the CA serial number file is created if it does not exist:
+it will contain the serial number "02" and the certificate being signed will
+have 1 as its serial number.
+Normally if the
+.Fl CA
+option is specified and the serial number file does not exist it is an error.
+.It Fl extfile Ar filename
+File containing certificate extensions to use.
+If not specified, then no extensions are added to the certificate.
+.It Fl extensions Ar section
+The section to add certificate extensions from.
+If this option is not specified then the extensions should either be
+contained in the unnamed (default) section or the default section should
+contain a variable called "extensions" which contains the section to use.
+.Ed
+.Sh X509 NAME OPTIONS
+The
+.Fl nameopt
+command line switch determines how the subject and issuer
+names are displayed.
+If no
+.Fl nameopt
+switch is present, the default "oneline"
+format is used which is compatible with previous versions of
+.Nm OpenSSL .
+Each option is described in detail below, all options can be preceded by
+a
+.Cm \&-
+to turn the option off.
+Only the first four will normally be used.
+.Bd -ragged -offset indent
+.It Ar compat
+Use the old format.
+This is equivalent to specifying no name options at all.
+.It Ar RFC2253
+Displays names compatible with RFC2253; equivalent to
+.Ar esc_2253 , esc_ctrl ,
+.Ar esc_msb , utf8 , dump_nostr , dump_unknown ,
+.Ar dump_der , sep_comma_plus , dn_rev and sname .
+.It Ar oneline
+A oneline format which is more readable than RFC2253.
+It is equivalent to specifying the
+.Ar esc_2253 , esc_ctrl , esc_msb , utf8 ,
+.Ar dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
+.Ar spc_eq
+and
+.Ar sname
+options.
+.It Ar multiline
+A multiline format.
+It is equivalent to
+.Ar esc_ctrl , esc_msb , sep_multiline ,
+.Ar spc_eq , lname
+and
+.Ar align .
+.It Ar esc_2253
+Escape the "special" characters required by RFC2253 in a field that is
+.Cm \& ,+"<>; .
+Additionally,
+.Cm \&#
+is escaped at the beginning of a string
+and a space character at the beginning or end of a string.
+.It Ar esc_ctrl
+Escape control characters.
+That is, those with ASCII values less than
+0x20 (space) and the delete (0x7f) character.
+They are escaped using the RFC2253 \eXX notation (where XX are two hex
+digits representing the character value).
+.It Ar esc_msb
+Escape characters with the MSB set; that is, with ASCII values larger than
+127.
+.It Ar use_quote
+Escapes some characters by surrounding the whole string with
+.Cm \&"
+characters.
+Without the option, all escaping is done with the
+.Cm \&\e
+character.
+.It Ar utf8
+Convert all strings to UTF8 format first.
+This is required by RFC2253.
+If you are lucky enough to have a UTF8 compatible terminal then the use
+of this option (and
+.Em not
+setting
+.Ar esc_msb )
+may result in the correct display of multibyte (international) characters.
+If this option is not present, then multibyte characters larger than 0xff
+will be represented using the format \eUXXXX for 16 bits and \eWXXXXXXXX
+for 32 bits.
+Also, if this option is off, any UTF8Strings will be converted to their
+character form first.
+.It Ar no_type
+This option does not attempt to interpret multibyte characters in any
+way.
+That is, their content octets are merely dumped as though one octet
+represents each character.
+This is useful for diagnostic purposes but will result in rather odd
+looking output.
+.It Ar show_type
+Show the type of the ASN1 character string.
+The type precedes the field contents.
+For example "BMPSTRING: Hello World".
+.It Ar dump_der
+When this option is set, any fields that need to be hexdumped will
+be dumped using the DER encoding of the field.
+Otherwise just the content octets will be displayed.
+Both options use the RFC2253 #XXXX... format.
+.It Ar dump_nostr
+Dump non-character string types (for example OCTET STRING); if this
+option is not set then non-character string types will be displayed
+as though each content octet represents a single character.
+.It Ar dump_all
+Dump all fields.
+This option, when used with
+.Ar dump_der ,
+allows the DER encoding of the structure to be unambiguously determined.
+.It Ar dump_unknown
+Dump any field whose OID is not recognised by
+.Nm OpenSSL .
+.It Ar sep_comma_plus , sep_comma_plus_space , sep_semi_plus_space , sep_multiline
+These options determine the field separators.
+The first character is between RDNs and the second between multiple AVAs
+(multiple AVAs are very rare and their use is discouraged).
+The options ending in "space" additionally place a space after the
+separator to make it more readable.
+The
+.Ar sep_multiline
+uses a linefeed character for the RDN separator and a spaced
+.Cm \&+
+for the AVA separator.
+It also indents the fields by four characters.
+.It Ar dn_rev
+Reverse the fields of the DN.
+This is required by RFC2253.
+As a side effect, this also reverses the order of multiple AVAs but this is
+permissible.
+.It Ar nofname , sname , lname , oid
+These options alter how the field name is displayed.
+.Ar nofname
+does not display the field at all.
+.Ar sname
+uses the "short name" form (CN for
+.Ar commonName ,
+for example).
+.Ar lname
+uses the long form.
+.Ar oid
+represents the OID in numerical form and is useful for diagnostic purpose.
+.It Ar align
+Align field values for a more readable output.
+Only usable with
+.Ar sep_multiline .
+.It Ar spc_eq
+Places spaces round the
+.Cm \&=
+character which follows the field name.
+.Ed
+.Sh X509 TEXT OPTIONS
+As well as customising the name output format, it is also possible to
+customise the actual fields printed using the
+.Fl certopt
+options when the
+.Fl text
+option is present.
+The default behaviour is to print all fields.
+.Bd -ragged -offset indent
+.It Ar compatible
+Use the old format.
+This is equivalent to specifying no output options at all.
+.It Ar no_header
+Don't print header information: that is, the lines saying "Certificate"
+and "Data".
+.It Ar no_version
+Don't print out the version number.
+.It Ar no_serial
+Don't print out the serial number.
+.It Ar no_signame
+Don't print out the signature algorithm used.
+.It Ar no_validity
+Don't print the validity; that is, the
+.Em notBefore
+and
+.Em notAfter
+fields.
+.It Ar no_subject
+Don't print out the subject name.
+.It Ar no_issuer
+Don't print out the issuer name.
+.It Ar no_pubkey
+Don't print out the public key.
+.It Ar no_sigdump
+Don't give a hexadecimal dump of the certificate signature.
+.It Ar no_aux
+Don't print out certificate trust information.
+.It Ar no_extensions
+Don't print out any X509V3 extensions.
+.It Ar ext_default
+Retain default extension behaviour: attempt to print out unsupported
+certificate extensions.
+.It Ar ext_error
+Print an error message for unsupported certificate extensions.
+.It Ar ext_parse
+ASN1 parse unsupported extensions.
+.It Ar ext_dump
+Hex dump unsupported extensions.
+.It Ar ca_default
+The value used by the
+.Nm ca
+utility, equivalent to
+.Ar no_issuer , no_pubkey , no_header ,
+.Ar no_version , no_sigdump
+and
+.Ar no_signame .
+.Ed
+.Sh X509 EXAMPLES
+.Sy Note :
+In these examples the '\e' means the example should be all on one
+line.
+.Pp
+Display the contents of a certificate:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -text
+.Pp
+Display the certificate serial number:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -serial
+.Pp
+Display the certificate subject name:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -subject
+.Pp
+Display the certificate subject name in RFC2253 form:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
+.Pp
+Display the certificate subject name in oneline form on a terminal
+supporting UTF8:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
+.Pp
+Display the certificate MD5 fingerprint:
+.Pp
+\& $ openssl x509 -in cert.pem -noout -fingerprint
+.Pp
+Display the certificate SHA1 fingerprint:
+.Pp
+\& $ openssl x509 -sha1 -in cert.pem -noout -fingerprint
+.Pp
+Convert a certificate from
+.Em PEM
+to
+.Em DER
+format:
+.Pp
+\& $ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
+.Pp
+Convert a certificate to a certificate request:
+.Pp
+\& $ openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+.Pp
+Convert a certificate request into a self-signed certificate using
+extensions for a CA:
+.Pp
+.Bd -literal
+\& $ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions \e
+\&        v3_ca -signkey key.pem -out cacert.pem
+.Ed
+.Pp
+Sign a certificate request using the CA certificate above and add user
+certificate extensions:
+.Pp
+.Bd -literal
+\& $ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions \e
+        v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
+.Ed
+.Pp
+Set a certificate to be trusted for SSL
+client use and change set its alias to "Steve's Class 1 CA":
+.Pp
+.Bd -literal
+\& $ openssl x509 -in cert.pem -addtrust sslclient \e
+\&        -alias "Steve's Class 1 CA" -out trust.pem
+.Ed
+.Sh X509 NOTES
+The
+.Em PEM
+format uses the header and footer lines:
+.Pp
+.Bd -literal
+\& -----BEGIN CERTIFICATE----
+\& -----END CERTIFICATE----
+.Ed
+.Pp
+It will also handle files containing:
+.Pp
+.Bd -literal
+\& -----BEGIN X509 CERTIFICATE----
+\& -----END X509 CERTIFICATE----
+.Ed
+.Pp
+Trusted certificates have the lines:
+.Pp
+.Bd -literal
+\& -----BEGIN TRUSTED CERTIFICATE----
+\& -----END TRUSTED CERTIFICATE----
+.Ed
+.Pp
+The conversion to UTF8 format used with the name options assumes that
+T61Strings use the ISO8859-1 character set.
+This is wrong, but Netscape and MSIE do this, as do many certificates.
+So although this is incorrect
+it is more likely to display the majority of certificates correctly.
+.Pp
+The
+.Fl fingerprint
+option takes the digest of the DER encoded certificate.
+This is commonly called a "fingerprint".
+Because of the nature of message digests, the fingerprint of a certificate
+is unique to that certificate and two certificates with the same fingerprint
+can be considered to be the same.
+.Pp
+The Netscape fingerprint uses MD5, whereas MSIE uses SHA1.
+.Pp
+The
+.Fl email
+option searches the subject name and the subject alternative
+name extension.
+Only unique email addresses will be printed out: it will
+not print the same address more than once.
+.Sh X509 CERTIFICATE EXTENSIONS
+The
+.Fl purpose
+option checks the certificate extensions and determines
+what the certificate can be used for.
+The actual checks done are rather
+complex and include various hacks and workarounds to handle broken
+certificates and software.
+.Pp
+The same code is used when verifying untrusted certificates in chains,
+so this section is useful if a chain is rejected by the verify code.
+.Pp
+The
+.Em basicConstraints
+extension CA flag is used to determine whether the
+certificate can be used as a CA.
+If the CA flag is true then it is a CA,
+if the CA flag is false then it is not a CA.
+.Em All
+CAs should have the CA flag set to true.
+.Pp
+If the
+.Em basicConstraints
+extension is absent then the certificate is
+considered to be a "possible CA"; other extensions are checked according
+to the intended use of the certificate.
+A warning is given in this case because the certificate should really not
+be regarded as a CA: however,
+it is allowed to be a CA to work around some broken software.
+.Pp
+If the certificate is a V1 certificate (and thus has no extensions) and
+it is self-signed, it is also assumed to be a CA but a warning is again
+given: this is to work around the problem of Verisign roots which are V1
+self-signed certificates.
+.Pp
+If the
+.Em keyUsage
+extension is present, then additional restraints are
+made on the uses of the certificate.
+A CA certificate
+.Em must
+have the
+.Em keyCertSign
+bit set if the
+.Em keyUsage
+extension is present.
+.Pp
+The extended key usage extension places additional restrictions on the
+certificate uses.
+If this extension is present (whether critical or not)
+the key can only be used for the purposes specified.
+.Pp
+A complete description of each test is given below.
+The comments about
+.Em basicConstraints
+and
+.Em keyUsage
+and V1 certificates above apply to
+.Em all
+CA certificates.
+.Pp
+.Bd -ragged -offset indent
+.It Ar SSL Client
+The extended key usage extension must be absent or include the
+"web client authentication" OID.
+.Ar keyUsage
+must be absent or it must have the
+.Em digitalSignature
+bit set.
+Netscape certificate type must be absent or it must have the SSL
+client bit set.
+.It Ar SSL Client CA
+The extended key usage extension must be absent or include the
+"web client authentication" OID.
+Netscape certificate type must be absent or it must have the SSL CA
+bit set: this is used as a work around if the
+.Em basicConstraints
+extension is absent.
+.It Ar SSL Server
+The extended key usage extension must be absent or include the
+"web server authentication" and/or one of the SGC OIDs.
+.Em keyUsage
+must be absent or it must have the
+.Em digitalSignature
+set, the
+.Em keyEncipherment
+set, or both bits set.
+Netscape certificate type must be absent or have the SSL server bit set.
+.It Ar SSL Server CA
+The extended key usage extension must be absent or include the
+"web server authentication" and/or one of the SGC OIDs.
+Netscape certificate type must be absent or the SSL CA
+bit must be set: this is used as a work around if the
+.Em basicConstraints
+extension is absent.
+.It Ar Netscape SSL Server
+For Netscape SSL clients to connect to an SSL server; it must have the
+.Em keyEncipherment
+bit set if the
+.Em keyUsage
+extension is present.
+This isn't always valid because some cipher suites use the key for
+digital signing.
+Otherwise it is the same as a normal SSL server.
+.It Ar Common S/MIME Client Tests
+The extended key usage extension must be absent or include the
+"email protection" OID.
+Netscape certificate type must be absent or should have the
+.Em S/MIME
+bit set.
+If the
+.Em S/MIME
+bit is not set in netscape certificate type, then the SSL
+client bit is tolerated as an alternative but a warning is shown:
+this is because some Verisign certificates don't set the
+.Em S/MIME
+bit.
+.It Ar S/MIME Signing
+In addition to the common
+.Em S/MIME
+client tests, the
+.Em digitalSignature
+bit must be set if the
+.Em keyUsage
+extension is present.
+.It Ar S/MIME Encryption
+In addition to the common
+.Em S/MIME
+tests, the
+.Em keyEncipherment
+bit must be set if the
+.Em keyUsage
+extension is present.
+.It Ar S/MIME CA
+The extended key usage extension must be absent or include the
+"email protection" OID.
+Netscape certificate type must be absent or must have the
+.Em S/MIME CA
+bit set: this is used as a work around if the
+.Em basicConstraints
+extension is absent. 
+.It Ar CRL Signing
+The
+.Em keyUsage
+extension must be absent or it must have the
+.Em CRL
+signing bit set.
+.It Ar CRL Signing CA
+The normal CA tests apply.
+Except in this case the
+.Em basicConstraints
+extension must be present.
+.Sh X509 BUGS
+Extensions in certificates are not transferred to certificate requests and
+vice versa.
+.Pp
+It is possible to produce invalid certificates or requests by specifying the
+wrong private key or using inconsistent options in some cases: these should
+be checked.
+.Pp
+There should be options to explicitly set such things as start and end dates,
+rather than an offset from the current time.
+.Pp
+The code to implement the verify behaviour described in the
+.Sx X509 TRUST SETTINGS
+is currently being developed.
+It thus describes the intended behaviour rather than the current behaviour.
+It is hoped that it will represent reality in
+.Nm OpenSSL
+0.9.5 and later.
+.\"
+.\" OPENSSL HISTORY
+.\"
+.Sh "HISTORY"
+The
+.Xr openssl 1
+document appeared in
+.Nm OpenSSL
+0.9.2.
+The
+.Cm list- Ns Ar XXX Ns Cm -commands
+pseudo-commands were added in
+.Nm OpenSSL
+0.9.3;
+the
+.Cm no- Ns Ar XXX
+pseudo-commands were added in
+.Nm OpenSSL
+0.9.5a.