Consistently mark up various ASN.1 type names defined in standards

related to X.509 with .Vt such that they can be searched for.

48 files changed, 481 insertions, 315 deletions

diff --git a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
index 18e50e24c0..8a829a5e2d 100644
--- a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
+++ b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.1 2016/12/23 22:21:40 schwarze Exp $
+.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt ACCESS_DESCRIPTION_NEW 3
 .Os
 .Sh NAME
@@ -42,8 +42,9 @@ policy data.
 .Fn ACCESS_DESCRIPTION_new
 allocates and initializes an empty
 .Vt ACCESS_DESCRIPTION
-object, representing an ASN.1 AccessDescription structure
-defined in RFC 5280 section 4.2.2.1.
+object, representing an ASN.1
+.Vt AccessDescription
+structure defined in RFC 5280 section 4.2.2.1.
 It can hold a pointer to a
 .Vt GENERAL_NAME
 object documented in
@@ -90,8 +91,9 @@ allocates and initializes an empty
 .Vt AUTHORITY_INFO_ACCESS
 object, which is a
 .Vt STACK_OF(ACCESS_DESCRIPTION)
-and represents an ASN.1 AuthorityInfoAccessSyntax structure
-defined in RFC 5280 section 4.2.2.1.
+and represents an ASN.1
+.Vt AuthorityInfoAccessSyntax
+structure defined in RFC 5280 section 4.2.2.1.
 If can be used for the authority information access extension of
 certificates and certificate revocation lists and for the subject
 information access extension of certificates.
diff --git a/src/lib/libcrypto/man/ASN1_STRING_length.3 b/src/lib/libcrypto/man/ASN1_STRING_length.3
index f43d61819f..2c797481d7 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_length.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_length.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_STRING_length.3,v 1.5 2016/11/10 11:44:52 schwarze Exp $
+.\"     $OpenBSD: ASN1_STRING_length.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 99d63d46 Tue Jun 21 07:03:34 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 10 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt ASN1_STRING_LENGTH 3
 .Os
 .Sh NAME
@@ -182,12 +182,11 @@ and the functions call the
 .Vt ASN1_STRING
 equivalents.
 .Vt ASN1_STRING
-is also used for some
-.Sy CHOICE
-types which consist entirely of primitive string types such as
-.Sy DirectoryString
+is also used for some CHOICE types which consist entirely of primitive
+string types such as
+.Vt DirectoryString
 and
-.Sy Time .
+.Vt Time .
 .Pp
 These functions should
 .Em not
@@ -195,19 +194,20 @@ be used to examine or modify
 .Vt ASN1_INTEGER
 or
 .Vt ASN1_ENUMERATED
-types: the relevant
-.Sy INTEGER
-or
-.Sy ENUMERATED
-utility functions should be used instead.
+types: the relevant INTEGER or ENUMERATED utility functions should
+be used instead.
 .Pp
 In general it cannot be assumed that the data returned by
 .Fn ASN1_STRING_data
 is NUL terminated, and it may contain embedded NUL characters.
 The actual format of the data will depend on the actual string type itself:
-for example for an IA5String the data will be ASCII,
-for a BMPString two bytes per character in big endian format,
-UTF8String will be in UTF8 format.
+for example for an
+.Vt IA5String
+the data will be ASCII, for a
+.Vt BMPString
+two bytes per character in big endian format, and a
+.Vt UTF8String
+will be in UTF8 format.
 .Pp
 Similar care should be take to ensure the data is in the correct format
 when calling
diff --git a/src/lib/libcrypto/man/ASN1_generate_nconf.3 b/src/lib/libcrypto/man/ASN1_generate_nconf.3
index bcf55d724b..5e1ba0a817 100644
--- a/src/lib/libcrypto/man/ASN1_generate_nconf.3
+++ b/src/lib/libcrypto/man/ASN1_generate_nconf.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.8 2016/12/11 18:06:09 schwarze Exp $
+.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.9 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 05ea606a Fri May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt ASN1_GENERATE_NCONF 3
 .Os
 .Sh NAME
@@ -285,15 +285,20 @@ if an error occurred.
 The error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh EXAMPLES
-A simple IA5String:
+A simple
+.Vt IA5String :
 .Pp
 .Dl IA5STRING:Hello World
 .Pp
-An IA5String explicitly tagged:
+An
+.Vt IA5String
+explicitly tagged:
 .Pp
 .Dl EXPLICIT:0,IA5STRING:Hello World
 .Pp
-An IA5String explicitly tagged using APPLICATION tagging:
+An
+.Vt IA5String
+explicitly tagged using APPLICATION tagging:
 .Pp
 .Dl EXPLICIT:0A,IA5STRING:Hello World
 .Pp
@@ -302,7 +307,8 @@ A BITSTRING with bits 1 and 5 set and all others zero:
 .Dl FORMAT:BITLIST,BITSTRING:1,5
 .Pp
 A more complex example using a config file to produce a
-SEQUENCE consisting of a BOOL an OID and a UTF8String:
+SEQUENCE consisting of a BOOL an OID and a
+.Vt UTF8String :
 .Bd -literal -offset indent
 asn1 = SEQUENCE:seq_section
 
@@ -313,7 +319,9 @@ field2 = OID:commonName
 field3 = UTF8:Third field
 .Ed
 .Pp
-This example produces an RSAPrivateKey structure.
+This example produces an
+.Vt RSAPrivateKey
+structure.
 This is the key contained in the file
 .Pa client.pem
 in all OpenSSL distributions.
@@ -349,7 +357,8 @@ coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\e
 628657053A
 .Ed
 .Pp
-This example is the corresponding public key in a SubjectPublicKeyInfo
+This example is the corresponding public key in an ASN.1
+.Vt SubjectPublicKeyInfo
 structure:
 .Bd -literal -offset 2n
 # Start with a SEQUENCE
diff --git a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3 b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
index 5186fea0f3..94d6e14abb 100644
--- a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
+++ b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.1 2016/12/23 14:37:08 schwarze Exp $
+.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt AUTHORITY_KEYID_NEW 3
 .Os
 .Sh NAME
@@ -35,8 +35,9 @@ for signing it.
 .Fn AUTHORITY_KEYID_new
 allocates and initializes an empty
 .Vt AUTHORITY_KEYID
-object, representing an ASN.1 AuthorityKeyIdentifier structure
-defined in RFC 5280 section 4.2.1.1.
+object, representing an ASN.1
+.Vt AuthorityKeyIdentifier
+structure defined in RFC 5280 section 4.2.1.1.
 It can hold an issuer name, a serial number, and a key identifier.
 .Pp
 .Fn AUTHORITY_KEYID_free
diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
index 1293be0050..c133bb1c35 100644
--- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.1 2016/12/23 17:02:41 schwarze Exp $
+.\"     $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt BASIC_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -31,8 +31,9 @@
 .Fn BASIC_CONSTRAINTS_new
 allocates and initializes an empty
 .Vt BASIC_CONSTRAINTS
-object, representing an ASN.1 BasicConstraints structure
-defined in RFC 5280 section 4.2.1.9.
+object, representing an ASN.1
+.Vt BasicConstraints
+structure defined in RFC 5280 section 4.2.1.9.
 .Pp
 This object contains two fields.
 The field
diff --git a/src/lib/libcrypto/man/DIST_POINT_new.3 b/src/lib/libcrypto/man/DIST_POINT_new.3
index 8498e5a7d0..bbd4855e11 100644
--- a/src/lib/libcrypto/man/DIST_POINT_new.3
+++ b/src/lib/libcrypto/man/DIST_POINT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DIST_POINT_new.3,v 1.1 2016/12/23 15:25:19 schwarze Exp $
+.\"     $OpenBSD: DIST_POINT_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt DIST_POINT_NEW 3
 .Os
 .Sh NAME
@@ -52,8 +52,9 @@ where to obtain certificate revocation lists that might later revoke it.
 .Fn DIST_POINT_new
 allocates and initializes an empty
 .Vt DIST_POINT
-object, representing an ASN.1 DistributionPoint structure
-defined in RFC 5280 section 4.2.1.13.
+object, representing an ASN.1
+.Vt DistributionPoint
+structure defined in RFC 5280 section 4.2.1.13.
 It can hold issuer names, distribution point names, and reason flags.
 .Fn DIST_POINT_free
 frees
@@ -64,8 +65,9 @@ allocates and initializes an empty
 .Vt CRL_DIST_POINTS
 object, which is a
 .Vt STACK_OF(DIST_POINT)
-and represents the ASN.1 CRLDistributionPoints structure
-defined in RFC 5280 section 4.2.1.13.
+and represents the ASN.1
+.Vt CRLDistributionPoints
+structure defined in RFC 5280 section 4.2.1.13.
 It can be used as an extension in
 .Vt X509
 and in
@@ -78,8 +80,9 @@ frees
 .Fn DIST_POINT_NAME_new
 allocates and initializes an empty
 .Vt DIST_POINT_NAME
-object, representing an ASN.1 DistributionPointName structure
-defined in RFC 5280 section 4.2.1.13.
+object, representing an ASN.1
+.Vt DistributionPointName
+structure defined in RFC 5280 section 4.2.1.13.
 It is used by the
 .Vt DIST_POINT
 and
@@ -93,8 +96,9 @@ frees
 .Fn ISSUING_DIST_POINT_new
 allocates and initializes an empty
 .Vt ISSUING_DIST_POINT
-object, representing an ASN.1 IssuingDistributionPoint structure
-defined in RFC 5280 section 5.2.5.
+object, representing an ASN.1
+.Vt IssuingDistributionPoint
+structure defined in RFC 5280 section 5.2.5.
 Using this extension, a CRL can specify which distribution point
 it was issued from and which kinds of certificates and revocation
 reasons it covers.
diff --git a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
index 2e55f6cbed..ae23b46c15 100644
--- a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
+++ b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.2 2016/12/14 07:00:35 jmc Exp $
+.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt ESS_SIGNING_CERT_NEW 3
 .Os
 .Sh NAME
@@ -41,14 +41,16 @@
 .Fn ESS_ISSUER_SERIAL_free "ESS_ISSUER_SERIAL *issuer_serial"
 .Sh DESCRIPTION
 The signing certificate may be included in the signedAttributes
-field of a SignerInfo structure to mitigate simple substitution and
-re-issue attacks.
+field of a
+.Vt SignerInfo
+structure to mitigate simple substitution and re-issue attacks.
 .Pp
 .Fn ESS_SIGNING_CERT_new
 allocates and initializes an empty
 .Vt ESS_SIGNING_CERT
-object, representing an ASN.1 SigningCertificate structure
-defined in RFC 2634 section 5.4.
+object, representing an ASN.1
+.Vt SigningCertificate
+structure defined in RFC 2634 section 5.4.
 It can hold the certificate used for signing the data,
 additional authorization certificates that can be used during
 validation, and policies applying to the certificate.
@@ -59,8 +61,9 @@ frees
 .Fn ESS_CERT_ID_new
 allocates and initializes an empty
 .Vt ESS_CERT_ID
-object, representing an ASN.1 ESSCertID structure
-defined in RFC 2634 section 5.4.1.
+object, representing an ASN.1
+.Vt ESSCertID
+structure defined in RFC 2634 section 5.4.1.
 Such objects can be used inside
 .Vt ESS_SIGNING_CERT
 objects, and each one can hold a SHA1 hash of one certificate.
@@ -71,8 +74,9 @@ frees
 .Fn ESS_ISSUER_SERIAL_new
 allocates and initializes an empty
 .Vt ESS_ISSUER_SERIAL
-object, representing an ASN.1 IssuerSerial structure
-defined in RFC 2634 section 5.4.1.
+object, representing an ASN.1
+.Vt IssuerSerial
+structure defined in RFC 2634 section 5.4.1.
 It can hold an issuer name and a serial number and can be included in an
 .Vt ESS_CERT_ID
 object, which is useful for additional authorization certificates,
diff --git a/src/lib/libcrypto/man/EVP_EncryptInit.3 b/src/lib/libcrypto/man/EVP_EncryptInit.3
index 1a7fe40a66..c328edf4f6 100644
--- a/src/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/src/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_EncryptInit.3,v 1.4 2016/11/26 20:26:25 schwarze Exp $
+.\"     $OpenBSD: EVP_EncryptInit.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 26 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
@@ -664,7 +664,9 @@ If the cipher is a stream cipher then
 is returned.
 .Pp
 .Fn EVP_CIPHER_param_to_asn1
-sets the AlgorithmIdentifier "parameter" based on the passed cipher.
+sets the ASN.1
+.Vt AlgorithmIdentifier
+parameter based on the passed cipher.
 This will typically include any parameters and an IV.
 The cipher IV (if any) must be set when this call is made.
 This call should be made before the cipher is actually "used" (before any
@@ -675,8 +677,9 @@ calls, for example).
 This function may fail if the cipher does not have any ASN.1 support.
 .Pp
 .Fn EVP_CIPHER_asn1_to_param
-sets the cipher parameters based on an ASN.1 AlgorithmIdentifier
-"parameter".
+sets the cipher parameters based on an ASN.1
+.Vt AlgorithmIdentifier
+parameter.
 The precise effect depends on the cipher.
 In the case of RC2, for example, it will set the IV and effective
 key length.
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 0ed3678a99..0c30fcb5ef 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.5 2016/11/27 15:27:19 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL e03af178 Dec 11 17:05:57 2014 -0500
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 27 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt EVP_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -205,9 +205,10 @@ Two RSA padding modes behave differently if
 .Fn EVP_PKEY_CTX_set_signature_md
 is used.
 If this macro is called for PKCS#1 padding, the plaintext buffer is an
-actual digest value and is encapsulated in a DigestInfo structure
-according to PKCS#1 when signing and this structure is expected (and
-stripped off) when verifying.
+actual digest value and is encapsulated in a
+.Vt DigestInfo
+structure according to PKCS#1 when signing and this structure is
+expected (and stripped off) when verifying.
 If this control is not used with RSA and PKCS#1 padding then the
 supplied data is used directly and not encapsulated.
 In the case of X9.31 padding for RSA the algorithm identifier byte is
diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
index ae986839fb..8910fb58f8 100644
--- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
+++ b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.1 2016/12/23 20:43:02 schwarze Exp $
+.\"     $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt EXTENDED_KEY_USAGE_NEW 3
 .Os
 .Sh NAME
@@ -41,8 +41,9 @@ allocates and initializes an empty
 .Vt EXTENDED_KEY_USAGE
 object, which is a
 .Vt STACK_OF(ASN1_OBJECT)
-and represents an ASN.1 ExtKeyUsageSyntax structure
-defined in RFC 5280 section 4.2.1.12.
+and represents an ASN.1
+.Vt ExtKeyUsageSyntax
+structure defined in RFC 5280 section 4.2.1.12.
 It can hold key purpose identifiers.
 .Pp
 .Fn EXTENDED_KEY_USAGE_free
diff --git a/src/lib/libcrypto/man/GENERAL_NAME_new.3 b/src/lib/libcrypto/man/GENERAL_NAME_new.3
index c4e8fce764..a5537323ae 100644
--- a/src/lib/libcrypto/man/GENERAL_NAME_new.3
+++ b/src/lib/libcrypto/man/GENERAL_NAME_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.1 2016/12/23 00:40:16 schwarze Exp $
+.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt GENERAL_NAME_NEW 3
 .Os
 .Sh NAME
@@ -46,21 +46,26 @@
 .Ft void
 .Fn OTHERNAME_free "OTHERNAME *name"
 .Sh DESCRIPTION
-Even though the X.501 Name documented in
+Even though the X.501
+.Vt Name
+documented in
 .Xr X509_NAME_new 3
 is a complicated multi-layered structure, it is very rigid and not
 flexible enough to represent various entities that many people want
 to use as names in certificates.
-For that reason, X.509 extensions use the X.509 GeneralName
-wrapper structure rather than using the X.501 Name structure
-directly, at the expense of adding one or two additional layers
-of indirection.
+For that reason, X.509 extensions use the X.509
+.Vt GeneralName
+wrapper structure rather than using the X.501
+.Vt Name
+structure directly, at the expense of adding one or two additional
+layers of indirection.
 .Pp
 .Fn GENERAL_NAME_new
 allocates and initializes an empty
 .Vt GENERAL_NAME
-object, representing the ASN.1 GeneralName structure
-defined in RFC 5280 section 4.2.1.6.
+object, representing the ASN.1
+.Vt GeneralName
+structure defined in RFC 5280 section 4.2.1.6.
 It can for example hold an
 .Vt X509_name
 object, an IP address, a DNS host name, a uniform resource identifier,
@@ -78,8 +83,9 @@ allocates and initializes an empty
 .Vt GENERAL_NAMES
 object, which is a
 .Vt STACK_OF(GENERAL_NAME)
-and represents the ASN.1 GeneralNames structure
-defined in RFC 5280 section 4.2.1.6.
+and represents the ASN.1
+.Vt GeneralNames
+structure defined in RFC 5280 section 4.2.1.6.
 It is used by extension structures that can contain multiple names,
 for example key identifier, alternative name, and distribution point
 extensions.
@@ -90,8 +96,9 @@ frees
 .Fn EDIPARTYNAME_new
 allocates and initializes an empty
 .Vt EDIPARTYNAME
-object, representing the ASN.1 EDIPartyName structure
-defined in RFC 5280 section 4.2.1.6, where
+object, representing the ASN.1
+.Vt EDIPartyName
+structure defined in RFC 5280 section 4.2.1.6, where
 .Dq EDI
 stands for
 .Dq electronic data identifier .
@@ -104,8 +111,9 @@ frees
 .Fn OTHERNAME_new
 allocates and initializes an empty
 .Vt OTHERNAME
-object, representing the ASN.1 OtherName structure
-defined in RFC 5280 section 4.2.1.6.
+object, representing the ASN.1
+.Vt OtherName
+structure defined in RFC 5280 section 4.2.1.6.
 It can hold data of any
 .Vt ASN1_TYPE
 together with a type identifier.
diff --git a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
index 1105bead0b..5ef737cb4e 100644
--- a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.1 2016/12/23 17:41:29 schwarze Exp $
+.\"     $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt NAME_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -41,8 +41,9 @@ certification path.
 .Fn NAME_CONSTRAINTS_new
 allocates and initializes an empty
 .Vt NAME_CONSTRAINTS
-object, representing an ASN.1 NameConstraints structure
-defined in RFC 5280 section 4.2.1.10.
+object, representing an ASN.1
+.Vt NameConstraints
+structure defined in RFC 5280 section 4.2.1.10.
 It consists of two
 .Vt STACK_OF(GENERAL_SUBTREE)
 objects, one specifying permitted names, the other excluded names.
@@ -53,8 +54,9 @@ frees
 .Fn GENERAL_SUBTREE_new
 allocates and initializes an empty
 .Vt GENERAL_SUBTREE
-object, representing an ASN.1 GeneralSubtree structure
-defined in RFC 5280 section 4.2.1.10.
+object, representing an ASN.1
+.Vt GeneralSubtree
+structure defined in RFC 5280 section 4.2.1.10.
 It is a trivial wrapper around the
 .Vt GENERAL_NAME
 object documented in
diff --git a/src/lib/libcrypto/man/OCSP_CRLID_new.3 b/src/lib/libcrypto/man/OCSP_CRLID_new.3
index fbc54ec71a..450b57c93e 100644
--- a/src/lib/libcrypto/man/OCSP_CRLID_new.3
+++ b/src/lib/libcrypto/man/OCSP_CRLID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.2 2016/12/15 15:22:17 schwarze Exp $
+.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 15 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_CRLID_NEW 3
 .Os
 .Sh NAME
@@ -38,9 +38,14 @@
 If a client asks about the validity of a certificate and it turns
 out to be invalid, the responder may optionally communicate which
 certificate revocation list the certificate was found on.
-The required data is stored as an ASN.1 CrlID structure in the
-singleExtensions field of the SingleResponse structure.
-The CrlID is represented by an
+The required data is stored as an ASN.1
+.Vt CrlID
+structure in the singleExtensions field of the
+.Vt SingleResponse
+structure.
+The
+.Vt CrlID
+is represented by an
 .Vt OCSP_CRLID
 object, which will be stored inside the
 .Vt OCSP_SINGLERESP
@@ -66,7 +71,9 @@ at which the CRL was created.
 Each argument can be
 .Dv NULL ,
 in which case the respective field is omitted.
-The resulting CrlID structure is encoded in ASN.1 using
+The resulting
+.Vt CrlID
+structure is encoded in ASN.1 using
 .Xr X509V3_EXT_i2d 3
 with criticality 0.
 .Sh RETURN VALUES
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
index 0d0009186a..664a750665 100644
--- a/src/lib/libcrypto/man/OCSP_REQUEST_new.3
+++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.6 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.7 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_REQUEST_NEW 3
 .Os
 .Sh NAME
@@ -133,7 +133,9 @@
 .Fn OCSP_REQUEST_new
 allocates and initializes an empty
 .Vt OCSP_REQUEST
-object, representing an ASN.1 OCSPRequest structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt OCSPRequest
+structure defined in RFC 6960.
 .Fn OCSP_REQUEST_free
 frees
 .Fa req .
@@ -141,7 +143,9 @@ frees
 .Fn OCSP_SIGNATURE_new
 allocates and initializes an empty
 .Vt OCSP_SIGNATURE
-object, representing an ASN.1 Signature structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt Signature
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_REQUEST .
 .Fn OCSP_SIGNATURE_free
@@ -151,7 +155,9 @@ frees
 .Fn OCSP_REQINFO_new
 allocates and initializes an empty
 .Vt OCSP_REQINFO
-object, representing an ASN.1 TBSRequest structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt TBSRequest
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_REQUEST .
 It asks about the validity of one or more certificates.
@@ -162,7 +168,9 @@ frees
 .Fn OCSP_ONEREQ_new
 allocates and initializes an empty
 .Vt OCSP_ONEREQ
-object, representing an ASN.1 Request structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt Request
+structure defined in RFC 6960.
 Such objects are used inside
 .Vt OCSP_REQINFO .
 Each one asks about the validity of one certificiate.
diff --git a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
index 6179da3a5b..5f42c781fd 100644
--- a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
+++ b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_SERVICELOC_new.3,v 1.4 2016/12/15 15:22:17 schwarze Exp $
+.\"     $OpenBSD: OCSP_SERVICELOC_new.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 15 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_SERVICELOC_NEW 3
 .Os
 .Sh NAME
@@ -38,10 +38,14 @@ Due to restrictions of network routing, a client may be unable to
 directly contact the authoritative OCSP server for a certificate
 that needs to be checked.
 In that case, the request can be sent via a proxy server.
-An ASN.1 ServiceLocator structure is included in the
-singleRequestExtensions field of the Request structure to indicate
-where to forward the request.
-The ServiceLocator is represented by a
+An ASN.1
+.Vt ServiceLocator
+structure is included in the singleRequestExtensions field of the
+.Vt Request
+structure to indicate where to forward the request.
+The
+.Vt ServiceLocator
+is represented by a
 .Vt OCSP_SERVICELOC
 object, which will be stored inside the
 .Vt OCSP_ONEREQ
@@ -65,9 +69,12 @@ If
 .Fa urls
 or its first element is
 .Dv NULL ,
-the locator field is omitted from the ServiceLocator structure
-and only the issuer is included.
-The resulting ServiceLocator structure is encoded in ASN.1 using
+the locator field is omitted from the
+.Vt ServiceLocator
+structure and only the issuer is included.
+The resulting
+.Vt ServiceLocator
+structure is encoded in ASN.1 using
 .Xr X509V3_EXT_i2d 3
 with criticality 0.
 .Sh RETURN VALUES
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
index 103b9a4a9f..77559ba469 100644
--- a/src/lib/libcrypto/man/OCSP_cert_to_id.3
+++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.5 2016/12/14 16:20:28 schwarze Exp $
+.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_CERT_TO_ID 3
 .Os
 .Sh NAME
@@ -118,7 +118,9 @@
 .Fn OCSP_CERTID_new
 allocates and initializes an empty
 .Vt OCSP_CERTID
-object, representing an ASN.1 CertID structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt CertID
+structure defined in RFC 6960.
 It can store hashes of an issuer's distinguished name and public
 key together with a serial number of a certificate.
 It is used by the
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
index 23aaa26e38..d06540d716 100644
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_resp_find_status.3,v 1.4 2016/12/12 22:48:02 schwarze Exp $
+.\"     $OpenBSD: OCSP_resp_find_status.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL c952780c Jun 21 07:03:34 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 12 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_RESP_FIND_STATUS 3
 .Os
 .Sh NAME
@@ -140,7 +140,9 @@
 .Fn OCSP_SINGLERESP_new
 allocates and initializes an empty
 .Vt OCSP_SINGLERESP
-object, representing an ASN.1 SingleResponse structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt SingleResponse
+structure defined in RFC 6960.
 Each such object can store the server's answer regarding the validity
 of one individual certificate.
 Such objects are used inside the
@@ -156,7 +158,9 @@ frees
 .Fn OCSP_CERTSTATUS_new
 allocates and initializes an empty
 .Vt OCSP_CERTSTATUS
-object, representing an ASN.1 CertStatus structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt CertStatus
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_SINGLERESP .
 .Fn OCSP_CERTSTATUS_free
@@ -166,7 +170,9 @@ frees
 .Fn OCSP_REVOKEDINFO_new
 allocates and initializes an empty
 .Vt OCSP_REVOKEDINFO
-object, representing an ASN.1 RevokedInfo structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt RevokedInfo
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_CERTSTATUS .
 .Fn OCSP_REVOKEDINFO_free
diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3
index 33a9dfb1a2..1ffa8a728e 100644
--- a/src/lib/libcrypto/man/OCSP_response_status.3
+++ b/src/lib/libcrypto/man/OCSP_response_status.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_response_status.3,v 1.3 2016/12/12 18:45:29 schwarze Exp $
+.\"     $OpenBSD: OCSP_response_status.3,v 1.4 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 12 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt OCSP_RESPONSE_STATUS 3
 .Os
 .Sh NAME
@@ -122,7 +122,9 @@
 .Fn OCSP_RESPONSE_new
 allocates and initializes an empty
 .Vt OCSP_RESPONSE
-object, representing an ASN.1 OCSPResponse structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt OCSPResponse
+structure defined in RFC 6960.
 .Fn OCSP_RESPONSE_free
 frees
 .Fa resp .
@@ -130,7 +132,9 @@ frees
 .Fn OCSP_RESPBYTES_new
 allocates and initializes an empty
 .Vt OCSP_RESPBYTES
-object, representing an ASN.1 ResponseBytes structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt ResponseBytes
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_RESPONSE .
 .Fn OCSP_RESPBYTES_free
@@ -140,7 +144,9 @@ frees
 .Fn OCSP_BASICRESP_new
 allocates and initializes an empty
 .Vt OCSP_BASICRESP
-object, representing an ASN.1 BasicOCSPResponse structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt BasicOCSPResponse
+structure defined in RFC 6960.
 .Vt OCSP_RESPBYTES
 contains the DER-encoded form of an
 .Vt OCSP_BASICRESP
@@ -152,7 +158,9 @@ frees
 .Fn OCSP_RESPDATA_new
 allocates and initializes an empty
 .Vt OCSP_RESPDATA
-object, representing an ASN.1 ResponseData structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt ResponseData
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_BASICRESP .
 .Fn OCSP_RESPDATA_free
@@ -162,7 +170,9 @@ frees
 .Fn OCSP_RESPID_new
 allocates and initializes an empty
 .Vt OCSP_RESPID
-object, representing an ASN.1 ResponderID structure defined in RFC 6960.
+object, representing an ASN.1
+.Vt ResponderID
+structure defined in RFC 6960.
 Such an object is used inside
 .Vt OCSP_RESPDATA .
 .Fn OCSP_RESPID_free
diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index 6d3ede45c2..5d0852be25 100644
--- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.6 2016/12/06 14:45:08 schwarze Exp $
+.\"     $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.7 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PEM_READ_BIO_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -747,8 +747,9 @@ and
 .Fn PEM_write_PKCS8PrivateKey
 write a private key in an
 .Vt EVP_PKEY
-structure in PKCS#8 EncryptedPrivateKeyInfo format using PKCS#5
-v2.0 password based encryption algorithms.
+structure in PKCS#8
+.Vt EncryptedPrivateKeyInfo
+format using PKCS#5 v2.0 password based encryption algorithms.
 The
 .Fa enc
 argument specifies the encryption algorithm to use: unlike all other PEM
@@ -758,13 +759,15 @@ If
 .Fa enc
 is
 .Dv NULL ,
-then no encryption is used and a PKCS#8 PrivateKeyInfo structure
-is used instead.
+then no encryption is used and a PKCS#8
+.Vt PrivateKeyInfo
+structure is used instead.
 .Pp
 .Fn PEM_write_bio_PKCS8PrivateKey_nid
 and
 .Fn PEM_write_PKCS8PrivateKey_nid
-also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo.
+also write out a private key as a PKCS#8
+.Vt EncryptedPrivateKeyInfo .
 However they use PKCS#5 v1.5 or PKCS#12 encryption algorithms instead.
 The algorithm to use is specified in the
 .Fa nid
@@ -789,7 +792,9 @@ The
 functions process a public key using an
 .Vt EVP_PKEY
 structure.
-The public key is encoded as a SubjectPublicKeyInfo structure.
+The public key is encoded as an ASN.1
+.Vt SubjectPublicKeyInfo
+structure.
 .Pp
 The
 .Sy RSAPrivateKey
@@ -805,15 +810,18 @@ The
 functions process an RSA public key using an
 .Vt RSA
 structure.
-The public key is encoded using a PKCS#1 RSAPublicKey structure.
+The public key is encoded using a PKCS#1
+.Vt RSAPublicKey
+structure.
 .Pp
 The
 .Sy RSA_PUBKEY
 functions also process an RSA public key using an
 .Vt RSA
 structure.
-However the public key is encoded using a SubjectPublicKeyInfo structure
-and an error occurs if the public key is not RSA.
+However the public key is encoded using an ASN.1
+.Vt SubjectPublicKeyInfo
+structure and an error occurs if the public key is not RSA.
 .Pp
 The
 .Sy DSAPrivateKey
@@ -829,8 +837,9 @@ The
 functions process a DSA public key using a
 .Vt DSA
 structure.
-The public key is encoded using a SubjectPublicKeyInfo structure and an
-error occurs if the public key is not DSA.
+The public key is encoded using an ASN.1
+.Vt SubjectPublicKeyInfo
+structure and an error occurs if the public key is not DSA.
 .Pp
 The
 .Sy DSAparams
@@ -906,7 +915,9 @@ structure.
 .Pp
 The
 .Sy PKCS7
-functions process a PKCS#7 ContentInfo using a
+functions process a PKCS#7
+.Vt ContentInfo
+using a
 .Vt PKCS7
 structure.
 .Pp
diff --git a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
index 8cb6835194..603c27bed1 100644
--- a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
+++ b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.1 2016/12/22 16:05:22 schwarze Exp $
+.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 22 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PKCS12_SAFEBAG_NEW 3
 .Os
 .Sh NAME
@@ -37,8 +37,9 @@
 .Fn PKCS12_SAFEBAG_new
 allocates and initializes an empty
 .Vt PKCS12_SAFEBAG
-object, representing an ASN.1 SafeBag structure
-defined in RFC 7292 section 4.2.
+object, representing an ASN.1
+.Vt SafeBag
+structure defined in RFC 7292 section 4.2.
 It can hold a pointer to a
 .Vt PKCS12_BAGS
 object together with a type identifier and optional attributes.
@@ -49,7 +50,9 @@ frees
 .Fn PKCS12_BAGS_new
 allocates and initializes an empty
 .Vt PKCS12_BAGS
-object, representing the bagValue field of an ASN.1 SafeBag structure.
+object, representing the bagValue field of an ASN.1
+.Vt SafeBag
+structure.
 It is used in
 .Vt PKCS12_SAFEBAG
 and can hold a DER-encoded X.509 certificate,
diff --git a/src/lib/libcrypto/man/PKCS12_new.3 b/src/lib/libcrypto/man/PKCS12_new.3
index 426074c9b1..0f54048724 100644
--- a/src/lib/libcrypto/man/PKCS12_new.3
+++ b/src/lib/libcrypto/man/PKCS12_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_new.3,v 1.1 2016/12/22 16:05:22 schwarze Exp $
+.\"     $OpenBSD: PKCS12_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 22 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PKCS12_NEW 3
 .Os
 .Sh NAME
@@ -37,7 +37,9 @@
 .Fn PKCS12_new
 allocates and initializes an empty
 .Vt PKCS12
-object, representing an ASN.1 PFX (personal information exchange)
+object, representing an ASN.1
+.Vt PFX
+.Pq personal information exchange
 structure defined in RFC 7292 section 4.
 It can hold a pointer to a
 .Vt PKCS7
@@ -53,8 +55,9 @@ frees
 .Fn PKCS12_MAC_DATA_new
 allocates and initializes an empty
 .Vt PKCS12_MAC_DATA
-object, representing an ASN.1 MacData structure
-defined in RFC 7292 section 4.
+object, representing an ASN.1
+.Vt MacData
+structure defined in RFC 7292 section 4.
 It is used inside
 .Vt PKCS12
 and can hold a pointer to an
diff --git a/src/lib/libcrypto/man/PKCS7_new.3 b/src/lib/libcrypto/man/PKCS7_new.3
index 9feecbb88b..7f8cffd881 100644
--- a/src/lib/libcrypto/man/PKCS7_new.3
+++ b/src/lib/libcrypto/man/PKCS7_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_new.3,v 1.1 2016/12/13 14:31:55 schwarze Exp $
+.\"     $OpenBSD: PKCS7_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 13 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PKCS7_NEW 3
 .Os
 .Sh NAME
@@ -88,8 +88,9 @@ cryptography applied to it, in particular signed and encrypted data.
 .Fn PKCS7_new
 allocates and initializes an empty
 .Vt PKCS7
-object, representing an ASN.1 ContentInfo structure
-defined in RFC 2315 section 7.
+object, representing an ASN.1
+.Vt ContentInfo
+structure defined in RFC 2315 section 7.
 It is the top-level data structure able to hold any kind of content
 that can be transmitted using PKCS#7.
 It can be used recursively in
@@ -104,8 +105,9 @@ frees
 .Fn PKCS7_SIGNED_new
 allocates and initializes an empty
 .Vt PKCS7_SIGNED
-object, representing an ASN.1 SignedData structure
-defined in RFC 2315 section 9.
+object, representing an ASN.1
+.Vt SignedData
+structure defined in RFC 2315 section 9.
 It can be used inside
 .Vt PKCS7
 objects and holds any kind of content together with signatures by
@@ -118,8 +120,9 @@ frees
 .Fn PKCS7_ENVELOPE_new
 allocates and initializes an empty
 .Vt PKCS7_ENVELOPE
-object, representing an ASN.1 EnvelopedData structure
-defined in RFC 2315 section 10.
+object, representing an ASN.1
+.Vt EnvelopedData
+structure defined in RFC 2315 section 10.
 It can be used inside
 .Vt PKCS7
 objects and holds any kind of encrypted content together with
@@ -131,8 +134,9 @@ frees
 .Fn PKCS7_SIGN_ENVELOPE_new
 allocates and initializes an empty
 .Vt PKCS7_SIGN_ENVELOPE
-object, representing an ASN.1 SignedAndEnvelopedData structure
-defined in RFC 2315 section 11.
+object, representing an ASN.1
+.Vt SignedAndEnvelopedData
+structure defined in RFC 2315 section 11.
 It can be used inside
 .Vt PKCS7
 objects and holds any kind of encrypted content together with
@@ -146,8 +150,9 @@ frees
 .Fn PKCS7_DIGEST_new
 allocates and initializes an empty
 .Vt PKCS7_DIGEST
-object, representing an ASN.1 DigestedData structure
-defined in RFC 2315 section 12.
+object, representing an ASN.1
+.Vt DigestedData
+structure defined in RFC 2315 section 12.
 It can be used inside
 .Vt PKCS7
 objects and holds any kind of content together with a message digest
@@ -159,8 +164,9 @@ frees
 .Fn PKCS7_ENCRYPT_new
 allocates and initializes an empty
 .Vt PKCS7_ENCRYPT
-object, representing an ASN.1 EncryptedData structure
-defined in RFC 2315 section 13.
+object, representing an ASN.1
+.Vt EncryptedData
+structure defined in RFC 2315 section 13.
 It can be used inside
 .Vt PKCS7
 objects and holds any kind of encrypted content.
@@ -172,8 +178,9 @@ frees
 .Fn PKCS7_ENC_CONTENT_new
 allocates and initializes an empty
 .Vt PKCS7_ENC_CONTENT
-object, representing an ASN.1 EncryptedContentInfo structure
-defined in RFC 2315 section 10.1.
+object, representing an ASN.1
+.Vt EncryptedContentInfo
+structure defined in RFC 2315 section 10.1.
 It can be used inside
 .Vt PKCS7_ENVELOPE ,
 .Vt PKCS7_SIGN_ENVELOPE ,
@@ -188,8 +195,9 @@ frees
 .Fn PKCS7_SIGNER_INFO_new
 allocates and initializes an empty
 .Vt PKCS7_SIGNER_INFO
-object, representing an ASN.1 SignerInfo structure
-defined in RFC 2315 section 9.2.
+object, representing an ASN.1
+.Vt SignerInfo
+structure defined in RFC 2315 section 9.2.
 It can be used inside
 .Vt PKCS7_SIGNED
 and
@@ -203,8 +211,9 @@ frees
 .Fn PKCS7_RECIP_INFO_new
 allocates and initializes an empty
 .Vt PKCS7_RECIP_INFO
-object, representing an ASN.1 RecipientInfo structure
-defined in RFC 2315 section 10.2.
+object, representing an ASN.1
+.Vt RecipientInfo
+structure defined in RFC 2315 section 10.2.
 It can be used inside
 .Vt PKCS7_ENVELOPE
 and
@@ -218,8 +227,9 @@ frees
 .Fn PKCS7_ISSUER_AND_SERIAL_new
 allocates and initializes an empty
 .Vt PKCS7_ISSUER_AND_SERIAL
-object, representing an ASN.1 IssuerAndSerialNumber structure
-defined in RFC 2315 section 6.7.
+object, representing an ASN.1
+.Vt IssuerAndSerialNumber
+structure defined in RFC 2315 section 6.7.
 It can be used inside
 .Vt PKCS7_SIGNER_INFO
 and
diff --git a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
index d522dab9f8..8c6dba3514 100644
--- a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
+++ b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.1 2016/12/22 12:10:06 schwarze Exp $
+.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 22 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PKCS8_PRIV_KEY_INFO_NEW 3
 .Os
 .Sh NAME
@@ -31,8 +31,9 @@
 .Fn PKCS8_PRIV_KEY_INFO_new
 allocates and initializes an empty
 .Vt PKCS8_PRIV_KEY_INFO
-object, representing an ASN.1 PrivateKeyInfo structure
-defined in RFC 5208 section 5.
+object, representing an ASN.1
+.Vt PrivateKeyInfo
+structure defined in RFC 5208 section 5.
 It can hold a private key together with information about the
 algorithm to be used with it and optional attributes.
 .Pp
diff --git a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
index 3200b85fb4..888859b1e6 100644
--- a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
+++ b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.2 2016/12/24 08:19:04 jmc Exp $
+.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PKEY_USAGE_PERIOD_NEW 3
 .Os
 .Sh NAME
@@ -31,8 +31,9 @@
 .Fn PKEY_USAGE_PERIOD_new
 allocates and initializes an empty
 .Vt PKEY_USAGE_PERIOD
-object, representing an ASN.1 PrivateKeyUsagePeriod structure
-defined in RFC 3280 section 4.2.1.4.
+object, representing an ASN.1
+.Vt PrivateKeyUsagePeriod
+structure defined in RFC 3280 section 4.2.1.4.
 It could be used in
 .Vt X509
 certificates to specify a validity period for the private key
@@ -59,7 +60,8 @@ Certificate Revocation List (CRL) Profile,
 section 4.2.1.4: Private Key Usage Period
 .Pp
 RFC 3280 was obsoleted by RFC 5280, which says: "Section 4.2.1.4
-in RFC 3280, which specified the PrivateKeyUsagePeriod certificate
-extension but deprecated its use, was removed.
+in RFC 3280, which specified the
+.Vt PrivateKeyUsagePeriod
+certificate extension but deprecated its use, was removed.
 Use of this ISO standard extension is neither deprecated
 nor recommended for use in the Internet PKI."
diff --git a/src/lib/libcrypto/man/POLICYINFO_new.3 b/src/lib/libcrypto/man/POLICYINFO_new.3
index a76385fc6b..ea225a2d03 100644
--- a/src/lib/libcrypto/man/POLICYINFO_new.3
+++ b/src/lib/libcrypto/man/POLICYINFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: POLICYINFO_new.3,v 1.1 2016/12/23 18:50:23 schwarze Exp $
+.\"     $OpenBSD: POLICYINFO_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt POLICYINFO_NEW 3
 .Os
 .Sh NAME
@@ -70,8 +70,9 @@ restrictions on their intended use.
 .Fn POLICYINFO_new
 allocates and initializes an empty
 .Vt POLICYINFO
-object, representing an ASN.1 PolicyInformation structure
-defined in RFC 5280 section 4.2.1.4.
+object, representing an ASN.1
+.Vt PolicyInformation
+structure defined in RFC 5280 section 4.2.1.4.
 It can hold a policy identifier and optional advisory qualifiers.
 .Fn POLICYINFO_free
 frees
@@ -94,8 +95,9 @@ frees
 .Fn POLICYQUALINFO_new
 allocates and initializes an empty
 .Vt POLICYQUALINFO
-object, representing an ASN.1 PolicyQualifierInfo structure
-defined in RFC 5280 section 4.2.1.4.
+object, representing an ASN.1
+.Vt PolicyQualifierInfo
+structure defined in RFC 5280 section 4.2.1.4.
 It can be used in
 .Vt POLICYINFO
 and it can hold either a uniform resource identifier of a certification
@@ -109,8 +111,9 @@ frees
 .Fn USERNOTICE_new
 allocates and initializes an empty
 .Vt USERNOTICE
-object, representing an ASN.1 UserNotice structure
-defined in RFC 5280 section 4.2.1.4.
+object, representing an ASN.1
+.Vt UserNotice
+structure defined in RFC 5280 section 4.2.1.4.
 It can be used in
 .Vt POLICYQUALINFO
 and it can hold either an
@@ -125,8 +128,9 @@ frees
 .Fn NOTICEREF_new
 allocates and initializes an empty
 .Vt NOTICEREF
-object, representing an ASN.1 NoticeReference structure
-defined in RFC 5280 section 4.2.1.4.
+object, representing an ASN.1
+.Vt NoticeReference
+structure defined in RFC 5280 section 4.2.1.4.
 It can be used in
 .Vt USERNOTICE
 and can hold an organization name and a stack of notice numbers.
@@ -137,8 +141,9 @@ frees
 .Fn POLICY_MAPPING_new
 allocates and initializes an empty
 .Vt POLICY_MAPPING
-object, representing an ASN.1 PolicyMappings structure
-defined in RFC 5280 section 4.2.1.5.
+object, representing an ASN.1
+.Vt PolicyMappings
+structure defined in RFC 5280 section 4.2.1.5.
 It can be used in
 .Vt X509
 CA certificates and can hold a list of pairs of policy identifiers,
@@ -151,8 +156,9 @@ frees
 .Fn POLICY_CONSTRAINTS_new
 allocates and initializes an empty
 .Vt POLICY_CONSTRAINTS
-object, representing an ASN.1 PolicyConstraints structure
-defined in RFC 5280 section 4.2.1.11.
+object, representing an ASN.1
+.Vt PolicyConstraints
+structure defined in RFC 5280 section 4.2.1.11.
 It can be used in
 .Vt X509
 CA certificates to restrict policy mapping and/or to require explicit
diff --git a/src/lib/libcrypto/man/PROXY_POLICY_new.3 b/src/lib/libcrypto/man/PROXY_POLICY_new.3
index eb4e963033..387ee3fb7f 100644
--- a/src/lib/libcrypto/man/PROXY_POLICY_new.3
+++ b/src/lib/libcrypto/man/PROXY_POLICY_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PROXY_POLICY_new.3,v 1.1 2016/12/23 23:19:57 schwarze Exp $
+.\"     $OpenBSD: PROXY_POLICY_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 23 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt PROXY_POLICY_NEW 3
 .Os
 .Sh NAME
@@ -43,8 +43,9 @@ privileges on behalf of the subject of the original certificate.
 .Fn PROXY_POLICY_new
 allocates and initializes an empty
 .Vt PROXY_POLICY
-object, representing an ASN.1 ProxyPolicy structure
-defined in RFC 3820 section 3.8.
+object, representing an ASN.1
+.Vt ProxyPolicy
+structure defined in RFC 3820 section 3.8.
 It defines which privileges are to be delegated.
 .Fn PROXY_POLICY_free
 frees
@@ -53,8 +54,9 @@ frees
 .Fn PROXY_CERT_INFO_EXTENSION_new
 allocates and initializes an empty
 .Vt PROXY_CERT_INFO_EXTENSION
-object, representing an ASN.1 ProxyCertInfo structure
-defined in RFC 3820 section 3.8.
+object, representing an ASN.1
+.Vt ProxyCertInfo
+structure defined in RFC 3820 section 3.8.
 It can contain a
 .Vt PROXY_POLICY
 object, and it can additionally restrict the maximum depth of the
diff --git a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
index 8d6817b8bd..25a1c25ed3 100644
--- a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
+++ b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.1 2016/12/13 20:41:35 schwarze Exp $
+.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 13 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt RSA_PSS_PARAMS_NEW 3
 .Os
 .Sh NAME
@@ -31,8 +31,9 @@
 .Fn RSA_PSS_PARAMS_new
 allocates and initializes an empty
 .Vt RSA_PSS_PARAMS
-object, representing an ASN.1 RSASSA-PSS-params structure
-defined in RFC 8017 appendix A.2.3.
+object, representing an ASN.1
+.Vt RSASSA-PSS-params
+structure defined in RFC 8017 appendix A.2.3.
 It references the hash function and the mask generation function
 and stores the length of the salt and the trailer field number.
 .Fn RSA_PSS_PARAMS_free
diff --git a/src/lib/libcrypto/man/TS_REQ_new.3 b/src/lib/libcrypto/man/TS_REQ_new.3
index d1a0e90f21..35da948436 100644
--- a/src/lib/libcrypto/man/TS_REQ_new.3
+++ b/src/lib/libcrypto/man/TS_REQ_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: TS_REQ_new.3,v 1.3 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: TS_REQ_new.3,v 1.4 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt TS_REQ_NEW 3
 .Os
 .Sh NAME
@@ -67,8 +67,9 @@ which returns time-stamp tokens to the clients.
 .Fn TS_REQ_new
 allocates and initializes an empty
 .Vt TS_REQ
-object, representing an ASN.1 TimeStampReq structure
-defined in RFC 3161 section 2.4.1.
+object, representing an ASN.1
+.Vt TimeStampReq
+structure defined in RFC 3161 section 2.4.1.
 It can hold a hash of the datum to be time-stamped and some
 auxiliary, optional information.
 .Fn TS_REQ_free
@@ -78,8 +79,9 @@ frees
 .Fn TS_RESP_new
 allocates and initializes an empty
 .Vt TS_RESP
-object, representing an ASN.1 TimeStampResp structure
-defined in RFC 3161 section 2.4.2.
+object, representing an ASN.1
+.Vt TimeStampResp
+structure defined in RFC 3161 section 2.4.2.
 It can hold status information and a time-stamp token.
 .Fn TS_RESP_free
 frees
@@ -88,8 +90,9 @@ frees
 .Fn TS_STATUS_INFO_new
 allocates and initializes an empty
 .Vt TS_STATUS_INFO
-object, representing an ASN.1 PKIStatusInfo structure
-defined in RFC 3161 section 2.4.2.
+object, representing an ASN.1
+.Vt PKIStatusInfo
+structure defined in RFC 3161 section 2.4.2.
 It is used inside
 .Vt TS_RESP
 and describes the outcome of one time-stamp request.
@@ -100,8 +103,9 @@ frees
 .Fn TS_TST_INFO_new
 allocates and initializes an empty
 .Vt TS_TST_INFO
-object, representing an ASN.1 TSTInfo structure
-defined in RFC 3161 section 2.4.2.
+object, representing an ASN.1
+.Vt TSTInfo
+structure defined in RFC 3161 section 2.4.2.
 It is the time-stamp token included in a
 .Vt TS_RESP
 object in case of success, and it can hold the hash of the datum
@@ -114,8 +118,9 @@ frees
 .Fn TS_ACCURACY_new
 allocates and initializes an empty
 .Vt TS_ACCURACY
-object, representing an ASN.1 Accuracy structure
-defined in RFC 3161 section 2.4.2.
+object, representing an ASN.1
+.Vt Accuracy
+structure defined in RFC 3161 section 2.4.2.
 It can be used inside a
 .Vt TS_TST_INFO
 object and indicates the maximum error of the time stated in the token.
@@ -126,8 +131,9 @@ frees
 .Fn TS_MSG_IMPRINT_new
 allocates and initializes an empty
 .Vt TS_MSG_IMPRINT
-object, representing an ASN.1 MessageImprint structure
-defined in RFC 3161 section 2.4.1.
+object, representing an ASN.1
+.Vt MessageImprint
+structure defined in RFC 3161 section 2.4.1.
 It is used inside
 .Vt TS_REQ
 and
diff --git a/src/lib/libcrypto/man/X509_ALGOR_dup.3 b/src/lib/libcrypto/man/X509_ALGOR_dup.3
index 7a46b372c2..b1a28e11ba 100644
--- a/src/lib/libcrypto/man/X509_ALGOR_dup.3
+++ b/src/lib/libcrypto/man/X509_ALGOR_dup.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.4 2016/12/15 23:29:38 jmc Exp $
+.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 15 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_ALGOR_DUP 3
 .Os
 .Sh NAME
@@ -115,8 +115,9 @@
 .Fn X509_ALGOR_new
 allocates and initializes an empty
 .Vt X509_ALGOR
-object, representing an ASN.1 AlgorithmIdentifier structure
-defined in RFC 5280 section 4.1.1.2.
+object, representing an ASN.1
+.Vt AlgorithmIdentifier
+structure defined in RFC 5280 section 4.1.1.2.
 Such objects can specify a cryptographic algorithm together
 with algorithm-specific parameters.
 They are used by many other objects, for example certificates,
diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3
index fdfc4c8c7b..7ac86b6d36 100644
--- a/src/lib/libcrypto/man/X509_CINF_new.3
+++ b/src/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_CINF_new.3,v 1.1 2016/12/16 09:17:59 schwarze Exp $
+.\"     $OpenBSD: X509_CINF_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 16 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_CINF_NEW 3
 .Os
 .Sh NAME
@@ -43,8 +43,9 @@
 .Fn X509_CINF_new
 allocates and initializes an empty
 .Vt X509_CINF
-object, representing an ASN.1 TBSCertificate structure
-defined in RFC 5280 section 4.1.
+object, representing an ASN.1
+.Vt TBSCertificate
+structure defined in RFC 5280 section 4.1.
 It is used inside the
 .Vt X509
 object and holds the main information contained in the X.509
@@ -57,8 +58,9 @@ frees
 .Fn X509_VAL_new
 allocates and initializes an empty
 .Vt X509_VAL
-object, representing an ASN.1 Validity structure
-defined in RFC 5280 section 4.1.
+object, representing an ASN.1
+.Vt Validity
+structure defined in RFC 5280 section 4.1.
 It is used inside the
 .Vt X509_CINF
 object and holds the validity period of the certificate.
diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3
index 03a0caa5be..2f35b100cb 100644
--- a/src/lib/libcrypto/man/X509_CRL_new.3
+++ b/src/lib/libcrypto/man/X509_CRL_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_CRL_new.3,v 1.2 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: X509_CRL_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_CRL_NEW 3
 .Os
 .Sh NAME
@@ -37,8 +37,9 @@
 .Fn X509_CRL_new
 allocates and initializes an empty
 .Vt X509_CRL
-object, representing an ASN.1 CertificateList structure
-defined in RFC 5280 section 5.1.
+object, representing an ASN.1
+.Vt CertificateList
+structure defined in RFC 5280 section 5.1.
 It can hold a pointer to an
 .Vt X509_CRL_INFO
 object discussed below together with a cryptographic signature
@@ -50,8 +51,9 @@ frees
 .Fn X509_CRL_INFO_new
 allocates and initializes an empty
 .Vt X509_CRL_INFO
-object, representing an ASN.1 TBSCertList structure
-defined in RFC 5280 section 5.1.
+object, representing an ASN.1
+.Vt TBSCertList
+structure defined in RFC 5280 section 5.1.
 It is used inside the
 .Vt X509_CRL
 object and can hold a list of revoked certificates, an issuer name,
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
index b9a33ce137..850be6e66b 100644
--- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_EXTENSION_set_object.3,v 1.4 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: X509_EXTENSION_set_object.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -131,8 +131,9 @@
 .Fn X509_EXTENSION_new
 allocates and initializes an empty
 .Vt X509_EXTENSION
-object, representing an ASN.1 Extension structure
-defined in RFC 5280 section 4.1.
+object, representing an ASN.1
+.Vt Extension
+structure defined in RFC 5280 section 4.1.
 It is a wrapper object around specific extension objects of different
 types and stores an extension type identifier and a criticality
 flag in addition to the DER-encoded form of the wrapped object.
diff --git a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
index bfd4fb2536..e11a4b7708 100644
--- a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
+++ b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.5 2016/12/14 21:22:06 jmc Exp $
+.\"     $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NAME_ENTRY_GET_OBJECT 3
 .Os
 .Sh NAME
@@ -134,9 +134,12 @@
 .Fa "int len"
 .Fc
 .Sh DESCRIPTION
-An X.501 RelativeDistinguishedName is a set of field type and
-value pairs.
-It is the building block for constructing X.501 Name objects.
+An X.501
+.Vt RelativeDistinguishedName
+is a set of field type and value pairs.
+It is the building block for constructing X.501
+.Vt Name
+objects.
 This implementation only supports sets with one element, so an
 .Vt X509_NAME_ENTRY
 object contains only one field type and one value.
@@ -144,8 +147,9 @@ object contains only one field type and one value.
 .Fn X509_NAME_ENTRY_new
 allocates and initializes an empty
 .Vt X509_NAME_ENTRY
-object, representing an ASN.1 RelativeDistinguishedName structure
-defined in RFC 5280 section 4.1.2.4.
+object, representing an ASN.1
+.Vt RelativeDistinguishedName
+structure defined in RFC 5280 section 4.1.2.4.
 .Pp
 .Fn X509_NAME_ENTRY_free
 frees
diff --git a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
index 6260e5f345..50e23829bd 100644
--- a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
+++ b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.5 2016/12/14 16:20:28 schwarze Exp $
+.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NAME_ADD_ENTRY_BY_TXT 3
 .Os
 .Sh NAME
@@ -197,7 +197,9 @@ can be set to -1 and
 to 0.
 This adds a new entry to the end of
 .Fa name
-as a single valued RelativeDistinguishedName (RDN).
+as a single valued
+.Vt RelativeDistinguishedName
+(RDN).
 .Pp
 .Fa loc
 actually determines the index where the new entry is inserted:
diff --git a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
index 6da0661831..b6571ccc1d 100644
--- a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
+++ b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.5 2016/12/14 16:20:28 schwarze Exp $
+.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NAME_GET_INDEX_BY_NID 3
 .Os
 .Sh NAME
@@ -103,8 +103,8 @@ These functions allow an
 structure to be examined.
 The
 .Vt X509_NAME
-structure is the same as the
-.Sy Name
+structure is the same as the ASN.1
+.Vt Name
 type defined in RFC 2459 (and elsewhere) and used, for example,
 in certificate subject and issuer names.
 .Pp
@@ -235,7 +235,10 @@ are legacy functions which have various limitations which make them of
 minimal use in practice.
 They can only find the first matching entry and will copy the contents
 of the field verbatim: this can be highly confusing if the target is a
-multicharacter string type like a BMPString or a UTF8String.
+multicharacter string type like a
+.Vt BMPString
+or a
+.Vt UTF8String .
 .Pp
 For a more general solution,
 .Fn X509_NAME_get_index_by_NID
diff --git a/src/lib/libcrypto/man/X509_NAME_new.3 b/src/lib/libcrypto/man/X509_NAME_new.3
index 5666635198..c4efab7784 100644
--- a/src/lib/libcrypto/man/X509_NAME_new.3
+++ b/src/lib/libcrypto/man/X509_NAME_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_new.3,v 1.2 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: X509_NAME_new.3,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NAME_NEW 3
 .Os
 .Sh NAME
@@ -31,12 +31,16 @@
 .Ft void
 .Fn X509_NAME_free "X509_NAME *name"
 .Sh DESCRIPTION
-An X.501 Name is an ordered sequence of relative distinguished names.
+An X.501
+.Vt Name
+is an ordered sequence of relative distinguished names.
 A relative distinguished name is a set of key-value pairs; see
 .Xr X509_NAME_ENTRY_new 3
 for details.
 .Pp
-Various X.509 structures contain X.501 Name substructures.
+Various X.509 structures contain X.501
+.Vt Name
+substructures.
 They are for example used for the issuers of certificates and
 certificate revocation lists and for the subjects of certificates
 and certificate requests.
@@ -44,8 +48,9 @@ and certificate requests.
 .Fn X509_NAME_new
 allocates and initializes an empty
 .Vt X509_NAME
-object, representing an ASN.1 Name structure
-defined in RFC 5280 section 4.1.2.4.
+object, representing an ASN.1
+.Vt Name
+structure defined in RFC 5280 section 4.1.2.4.
 Data can be added to such objects with the functions described in
 .Xr X509_NAME_add_entry_by_txt 3 ,
 and they can be inspected with the functions described in
diff --git a/src/lib/libcrypto/man/X509_NAME_print_ex.3 b/src/lib/libcrypto/man/X509_NAME_print_ex.3
index 0e3ef11284..1342a200ad 100644
--- a/src/lib/libcrypto/man/X509_NAME_print_ex.3
+++ b/src/lib/libcrypto/man/X509_NAME_print_ex.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_print_ex.3,v 1.5 2016/12/14 16:20:28 schwarze Exp $
+.\"     $OpenBSD: X509_NAME_print_ex.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NAME_PRINT_EX 3
 .Os
 .Sh NAME
@@ -174,8 +174,8 @@ and
 .Dv XN_FLAG_SEP_MULTILINE
 determine the field separators to use.
 Two distinct separators are used between distinct
-RelativeDistinguishedName components and separate values in the same RDN
-for a multi-valued RDN.
+.Vt RelativeDistinguishedName
+components and separate values in the same RDN for a multi-valued RDN.
 Multi-valued RDNs are currently very rare so the second separator
 will hardly ever be used.
 .Pp
diff --git a/src/lib/libcrypto/man/X509_PUBKEY_new.3 b/src/lib/libcrypto/man/X509_PUBKEY_new.3
index cd178a1ee0..0475fe65b2 100644
--- a/src/lib/libcrypto/man/X509_PUBKEY_new.3
+++ b/src/lib/libcrypto/man/X509_PUBKEY_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_PUBKEY_new.3,v 1.3 2016/12/15 22:24:45 schwarze Exp $
+.\"     $OpenBSD: X509_PUBKEY_new.3,v 1.4 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 15 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_PUBKEY_NEW 3
 .Os
 .Sh NAME
@@ -133,9 +133,10 @@
 .Sh DESCRIPTION
 The
 .Vt X509_PUBKEY
-structure represents the ASN.1 SubjectPublicKeyInfo structure defined
-in RFC 5280 section 4.1 and used in certificates and certificate
-requests.
+structure represents the ASN.1
+.Vt SubjectPublicKeyInfo
+structure defined in RFC 5280 section 4.1 and used in certificates
+and certificate requests.
 .Pp
 .Fn X509_PUBKEY_new
 allocates and initializes an
@@ -179,7 +180,9 @@ and
 .Fn i2d_PUBKEY
 decode and encode an
 .Vt EVP_PKEY
-structure using SubjectPublicKeyInfo format.
+structure using
+.Vt SubjectPublicKeyInfo
+format.
 They otherwise follow the conventions of other ASN.1 functions such as
 .Xr d2i_X509 3 .
 .Pp
@@ -225,7 +228,9 @@ bytes at
 .Pf * Fa pk ,
 and
 .Pf * Fa pa
-is set to the associated AlgorithmIdentifier for the public key.
+is set to the associated
+.Vt AlgorithmIdentifier
+for the public key.
 If the value of any of these parameters is not required,
 it can be set to
 .Dv NULL .
diff --git a/src/lib/libcrypto/man/X509_REQ_new.3 b/src/lib/libcrypto/man/X509_REQ_new.3
index f4089ba2a2..76da125898 100644
--- a/src/lib/libcrypto/man/X509_REQ_new.3
+++ b/src/lib/libcrypto/man/X509_REQ_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_REQ_new.3,v 1.1 2016/12/17 01:08:14 schwarze Exp $
+.\"     $OpenBSD: X509_REQ_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 17 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_REQ_NEW 3
 .Os
 .Sh NAME
@@ -37,8 +37,9 @@
 .Fn X509_REQ_new
 allocates and initializes an empty
 .Vt X509_REQ
-object, representing an ASN.1 CertificationRequest structure
-defined in RFC 2986 section 4.2.
+object, representing an ASN.1
+.Vt CertificationRequest
+structure defined in RFC 2986 section 4.2.
 It can hold a pointer to an
 .Vt X509_REQ_INFO
 object discussed below together with a cryptographic signature and
@@ -50,8 +51,9 @@ frees
 .Fn X509_REQ_INFO_new
 allocates and initializes an empty
 .Vt X509_REQ_INFO
-object, representing an ASN.1 CertificationRequestInfo structure
-defined in RFC 2986 section 4.1.
+object, representing an ASN.1
+.Vt CertificationRequestInfo
+structure defined in RFC 2986 section 4.1.
 It is used inside the
 .Vt X509_REQ
 object and can hold the subject and the public key of the requested
diff --git a/src/lib/libcrypto/man/X509_REVOKED_new.3 b/src/lib/libcrypto/man/X509_REVOKED_new.3
index 2303f9caf2..f06075fcc2 100644
--- a/src/lib/libcrypto/man/X509_REVOKED_new.3
+++ b/src/lib/libcrypto/man/X509_REVOKED_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_REVOKED_new.3,v 1.1 2016/12/16 14:50:58 schwarze Exp $
+.\"     $OpenBSD: X509_REVOKED_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL X509_CRL_get0_by_serial.pod 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_REVOKED_NEW 3
 .Os
 .Sh NAME
@@ -95,8 +95,9 @@
 allocates and initializes an empty
 .Vt X509_REVOKED
 object, representing one of the elements of
-the revokedCertificates field of the ASN.1 TBSCertList structure
-defined in RFC 5280 section 5.1.
+the revokedCertificates field of the ASN.1
+.Vt TBSCertList
+structure defined in RFC 5280 section 5.1.
 It is used by
 .Vt X509_CRL
 objects and can hold information about one revoked certificate
diff --git a/src/lib/libcrypto/man/X509_SIG_new.3 b/src/lib/libcrypto/man/X509_SIG_new.3
index e4ad5b0085..6d41ababc6 100644
--- a/src/lib/libcrypto/man/X509_SIG_new.3
+++ b/src/lib/libcrypto/man/X509_SIG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_SIG_new.3,v 1.1 2016/12/22 14:06:51 schwarze Exp $
+.\"     $OpenBSD: X509_SIG_new.3,v 1.2 2016/12/25 22:15:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 22 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_SIG_NEW 3
 .Os
 .Sh NAME
@@ -31,8 +31,10 @@
 .Fn X509_SIG_new
 allocates and initializes an empty
 .Vt X509_SIG
-object, representing an ASN.1 DigestInfo structure defined
-in RFC 2315 section 9.4 and equivalently in RFC 8017 section 9.2.
+object, representing an ASN.1
+.Vt DigestInfo
+structure defined in RFC 2315 section 9.4
+and equivalently in RFC 8017 section 9.2.
 It can hold a message digest together with information about
 the algorithm used.
 .Pp
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 2f0924c209..3a871ef307 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_STORE_CTX_get_error.3,v 1.4 2016/12/05 13:38:05 schwarze Exp $
+.\"     $OpenBSD: X509_STORE_CTX_get_error.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -202,7 +202,9 @@ expected value.
 Unused.
 .It Dv X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY : \
  No unable to decode issuer public key
-The public key in the certificate SubjectPublicKeyInfo could not be read.
+The public key in the certificate
+.Vt SubjectPublicKeyInfo
+could not be read.
 .It Dv X509_V_ERR_CERT_SIGNATURE_FAILURE : No certificate signature failure
 The signature of the certificate is invalid.
 .It Dv X509_V_ERR_CRL_SIGNATURE_FAILURE : No CRL signature failure
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 1294ae3edd..dbf82bc974 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_new.3,v 1.9 2016/12/24 01:29:40 schwarze Exp $
+.\"     $OpenBSD: X509_new.3,v 1.10 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 3a59ad98 Dec 11 00:36:06 2015 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -73,8 +73,9 @@
 allocates and initializes an empty
 .Vt X509
 object with reference count 1.
-It represents an ASN.1 Certificate structure
-defined in RFC 5280 section 4.1.
+It represents an ASN.1
+.Vt Certificate
+structure defined in RFC 5280 section 4.1.
 It can hold a public key together with information about the person,
 organization, device, or function the associated private key belongs to.
 .Pp
diff --git a/src/lib/libcrypto/man/d2i_RSAPublicKey.3 b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
index 6f51229ec7..22d904157f 100644
--- a/src/lib/libcrypto/man/d2i_RSAPublicKey.3
+++ b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.5 2016/12/11 12:21:48 schwarze Exp $
+.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt D2I_RSAPUBLICKEY 3
 .Os
 .Sh NAME
@@ -140,12 +140,15 @@
 .Fn d2i_RSAPublicKey
 and
 .Fn i2d_RSAPublicKey
-decode and encode a PKCS#1 RSAPublicKey structure.
+decode and encode a PKCS#1
+.Vt RSAPublicKey
+structure.
 .Pp
 .Fn d2i_RSA_PUBKEY
 and
 .Fn i2d_RSA_PUBKEY
-decode and encode an RSA public key using a SubjectPublicKeyInfo
+decode and encode an RSA public key using an ASN.1
+.Vt SubjectPublicKeyInfo
 (certificate public key) structure.
 .Pp
 .Fn d2i_RSA_PUBKEY_bio ,
@@ -165,7 +168,9 @@ pointer.
 .Pp
 .Fn d2i_RSAPrivateKey ,
 .Fn i2d_RSAPrivateKey
-decode and encode a PKCS#1 RSAPrivateKey structure.
+decode and encode a PKCS#1
+.Vt RSAPrivateKey
+structure.
 .Pp
 .Fn d2i_Netscape_RSA ,
 .Fn i2d_Netscape_RSA
diff --git a/src/lib/libcrypto/man/d2i_X509_ALGOR.3 b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
index 858396f5fe..7514e5fac5 100644
--- a/src/lib/libcrypto/man/d2i_X509_ALGOR.3
+++ b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_ALGOR.3,v 1.5 2016/12/15 22:09:22 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_ALGOR.3,v 1.6 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 15 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt D2I_X509_ALGOR 3
 .Os
 .Sh NAME
@@ -71,8 +71,8 @@
 .Sh DESCRIPTION
 These functions decode and encode an
 .Vt X509_ALGOR
-structure which is equivalent to the
-.Sy AlgorithmIdentifier
+structure which is equivalent to the ASN.1
+.Vt AlgorithmIdentifier
 structure.
 They otherwise behave in a way similar to
 .Xr d2i_X509 3
diff --git a/src/lib/libcrypto/man/d2i_X509_NAME.3 b/src/lib/libcrypto/man/d2i_X509_NAME.3
index 0dacb648c7..d3c085784e 100644
--- a/src/lib/libcrypto/man/d2i_X509_NAME.3
+++ b/src/lib/libcrypto/man/d2i_X509_NAME.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_NAME.3,v 1.6 2016/12/14 17:26:35 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_NAME.3,v 1.7 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL d900a015 Oct 8 14:40:42 2015 +0200
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 14 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt D2I_X509_NAME 3
 .Os
 .Sh NAME
@@ -67,7 +67,9 @@ decodes
 .Fa length
 bytes of the DER-encoded string
 .Pf * Fa in
-and stores the resulting Name object in
+and stores the resulting
+.Vt Name
+object in
 .Pf * Fa name .
 .Pp
 .Fn i2d_X509_NAME
@@ -89,7 +91,9 @@ decodes
 .Fa length
 bytes of the DER-encoded string
 .Pf * Fa in
-and stores the resulting RelativeDistinguishedName object in
+and stores the resulting
+.Vt RelativeDistinguishedName
+object in
 .Pf * Fa ne .
 .Pp
 .Fn i2d_X509_NAME_ENTRY
diff --git a/src/lib/libcrypto/man/d2i_X509_SIG.3 b/src/lib/libcrypto/man/d2i_X509_SIG.3
index 8466ccfe7f..33676b6df0 100644
--- a/src/lib/libcrypto/man/d2i_X509_SIG.3
+++ b/src/lib/libcrypto/man/d2i_X509_SIG.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_SIG.3,v 1.4 2016/12/08 20:22:08 jmc Exp $
+.\"     $OpenBSD: d2i_X509_SIG.3,v 1.5 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 8 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt D2I_X509_SIG 3
 .Os
 .Sh NAME
@@ -72,7 +72,7 @@
 These functions decode and encode an
 .Vt X509_SIG
 structure, which is equivalent to the
-.Sy DigestInfo
+.Vt DigestInfo
 structure defined in PKCS#1 and PKCS#7.
 They otherwise behave in a way similar to
 .Xr d2i_X509 3
diff --git a/src/lib/libcrypto/man/x509v3.cnf.5 b/src/lib/libcrypto/man/x509v3.cnf.5
index 1fd4c0cc9f..19608697e3 100644
--- a/src/lib/libcrypto/man/x509v3.cnf.5
+++ b/src/lib/libcrypto/man/x509v3.cnf.5
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: x509v3.cnf.5,v 1.2 2016/12/12 22:02:55 jmc Exp $
+.\"     $OpenBSD: x509v3.cnf.5,v 1.3 2016/12/25 22:15:10 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 12 2016 $
+.Dd $Mdocdate: December 25 2016 $
 .Dt X509V3.CNF 5
 .Os
 .Sh NAME
@@ -530,8 +530,11 @@ The
 option changes the type of the
 .Ic organization
 field.
-In RFC 2459, it can only be of type DisplayText.
-In RFC 3280, IA5Strring is also permissible.
+In RFC 2459, it can only be of type
+.Vt DisplayText .
+In RFC 3280,
+.Vt IA5String
+is also permissible.
 Some software (for example some versions of MSIE) may require
 .Ic ia5org .
 .Ss Policy constraints