Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.sbin/openssl/openssl.1 | 473 | 
1 files changed, 332 insertions, 141 deletions
| diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index b14c94f604..019225304f 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: openssl.1,v 1.7 2003/04/30 12:11:44 jmc Exp $ | 1 | .\" $OpenBSD: openssl.1,v 1.8 2003/05/12 10:52:57 jmc Exp $ | 
| 2 | .\" ==================================================================== | 2 | .\" ==================================================================== | 
| 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 3 | .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 
| 4 | .\" | 4 | .\" | 
| @@ -135,7 +135,6 @@ | |||
| 135 | .Nm | 135 | .Nm | 
| 136 | .Cm no- Ns Ar XXX | 136 | .Cm no- Ns Ar XXX | 
| 137 | .Op Ar arbitrary options | 137 | .Op Ar arbitrary options | 
| 138 | .Pp | ||
| 139 | .Sh DESCRIPTION | 138 | .Sh DESCRIPTION | 
| 140 | .Nm OpenSSL | 139 | .Nm OpenSSL | 
| 141 | is a cryptography toolkit implementing the Secure Sockets Layer | 140 | is a cryptography toolkit implementing the Secure Sockets Layer | 
| @@ -214,7 +213,7 @@ availability of ciphers in the | |||
| 214 | .Nm | 213 | .Nm | 
| 215 | program. | 214 | program. | 
| 216 | .Pp | 215 | .Pp | 
| 217 | .Sy Note: | 216 | .Sy Note : | 
| 218 | .Cm no- Ns Ar XXX | 217 | .Cm no- Ns Ar XXX | 
| 219 | is not able to detect pseudo-commands such as | 218 | is not able to detect pseudo-commands such as | 
| 220 | .Cm quit , | 219 | .Cm quit , | 
| @@ -406,7 +405,6 @@ Read the password from standard input. | |||
| 406 | .\" ASN1PARSE | 405 | .\" ASN1PARSE | 
| 407 | .\" | 406 | .\" | 
| 408 | .Sh ASN1PARSE | 407 | .Sh ASN1PARSE | 
| 409 | .Pp | ||
| 410 | .Nm "openssl asn1parse" | 408 | .Nm "openssl asn1parse" | 
| 411 | .Op Fl inform Ar PEM|DER | 409 | .Op Fl inform Ar PEM|DER | 
| 412 | .Op Fl in Ar filename | 410 | .Op Fl in Ar filename | 
| @@ -541,6 +539,10 @@ The output of some ASN.1 types is not well handled (if at all). | |||
| 541 | .Op Fl name Ar section | 539 | .Op Fl name Ar section | 
| 542 | .Op Fl gencrl | 540 | .Op Fl gencrl | 
| 543 | .Op Fl revoke Ar file | 541 | .Op Fl revoke Ar file | 
| 542 | .Op Fl crl_reason Ar reason | ||
| 543 | .Op Fl crl_hold Ar instruction | ||
| 544 | .Op Fl crl_compromise Ar time | ||
| 545 | .Op Fl crl_CA_compromise Ar time | ||
| 544 | .Op Fl subj Ar arg | 546 | .Op Fl subj Ar arg | 
| 545 | .Op Fl crldays Ar days | 547 | .Op Fl crldays Ar days | 
| 546 | .Op Fl crlhours Ar hours | 548 | .Op Fl crlhours Ar hours | 
| @@ -567,6 +569,7 @@ The output of some ASN.1 types is not well handled (if at all). | |||
| 567 | .Op Fl msie_hack | 569 | .Op Fl msie_hack | 
| 568 | .Op Fl extensions Ar section | 570 | .Op Fl extensions Ar section | 
| 569 | .Op Fl extfile Ar section | 571 | .Op Fl extfile Ar section | 
| 572 | .Op Fl engine Ar id | ||
| 570 | .Ek | 573 | .Ek | 
| 571 | .Pp | 574 | .Pp | 
| 572 | The | 575 | The | 
| @@ -599,7 +602,7 @@ A single self-signed certificate to be signed by the CA. | |||
| 599 | A file containing a single Netscape signed public key and challenge, | 602 | A file containing a single Netscape signed public key and challenge, | 
| 600 | and additional field values to be signed by the CA. | 603 | and additional field values to be signed by the CA. | 
| 601 | See the | 604 | See the | 
| 602 | .Sx CA NOTES | 605 | .Sx SPKAC FORMAT | 
| 603 | section for information on the required format. | 606 | section for information on the required format. | 
| 604 | .It Fl infiles | 607 | .It Fl infiles | 
| 605 | If present, this should be the last option; all subsequent arguments | 608 | If present, this should be the last option; all subsequent arguments | 
| @@ -708,6 +711,14 @@ to read certificate extensions from | |||
| 708 | (using the default section unless the | 711 | (using the default section unless the | 
| 709 | .Fl extensions | 712 | .Fl extensions | 
| 710 | option is also used). | 713 | option is also used). | 
| 714 | .It Fl engine Ar id | ||
| 715 | Specifying an engine (by it's unique | ||
| 716 | .Ar id | ||
| 717 | string) will cause | ||
| 718 | .Nm req | ||
| 719 | to attempt to obtain a functional reference to the specified engine, | ||
| 720 | thus initialising it if needed. | ||
| 721 | The engine will then be set as the default for all available algorithms. | ||
| 711 | .El | 722 | .El | 
| 712 | .Sh CRL OPTIONS | 723 | .Sh CRL OPTIONS | 
| 713 | .Bl -tag -width "XXXX" | 724 | .Bl -tag -width "XXXX" | 
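Review bot: The new -engine entry for ca (new lines 714-721) names the wrong command: ".Nm req" on new line 718 should be ".Nm ca", since this item sits in the ca option list just above ".Sh CRL OPTIONS". On new line 715, "by it's unique" should read "by its unique". It would also help to say what happens when the engine id is unknown or fails to initialise, since the text only says ca will "attempt to obtain a functional reference".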
| @@ -724,6 +735,35 @@ The number of hours before the next CRL is due. | |||
| 724 | A | 735 | A | 
| 725 | .Ar filename | 736 | .Ar filename | 
| 726 | containing a certificate to revoke. | 737 | containing a certificate to revoke. | 
| 738 | .It Fl crl_reason Ar reason | ||
| 739 | Revocation reason, where | ||
| 740 | .Ar reason | ||
| 741 | is one of: | ||
| 742 | unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, | ||
| 743 | cessationOfOperation, certificateHold or removeFromCRL. | ||
| 744 | The matching of | ||
| 745 | .Ar reason | ||
| 746 | is case insensitive. | ||
| 747 | Setting any revocation reason will make the CRL v2. | ||
| 748 | In practive removeFromCRL is not particularly useful because it is only used | ||
| 749 | in delta CRLs which are not currently implemented. | ||
| 750 | .It Fl crl_hold Ar instruction | ||
| 751 | This sets the CRL revocation reason code to certificateHold and the hold | ||
| 752 | instruction to | ||
| 753 | .Ar instruction | ||
| 754 | which must be an OID. | ||
| 755 | Although any OID can be used, only holdInstructionNone | ||
| 756 | (the use of which is discouraged by RFC 2459), holdInstructionCallIssuer or | ||
| 757 | holdInstructionReject will normally be used. | ||
| 758 | .It Fl crl_compromise Ar time | ||
| 759 | This sets the revocation reason to keyCompromise and the compromise time to | ||
| 760 | .Ar time . | ||
| 761 | .Ar time | ||
| 762 | should be in GeneralizedTime format, i.e. YYYYMMDDHHMMSSZ. | ||
| 763 | .It Fl crl_CA_compromise Ar time | ||
| 764 | This is the same as | ||
| 765 | .Fl crl_compromise , | ||
| 766 | except the revocation reason is set to CACompromise. | ||
| 727 | .It Fl subj Ar arg | 767 | .It Fl subj Ar arg | 
| 728 | Supersedes the subject name given in the request. | 768 | Supersedes the subject name given in the request. | 
| 729 | The | 769 | The | 
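Review bot: Typo on new line 748: "In practive" should be "In practice". On new lines 742-743 the reason values are given as running text; marking them up as literals or as a list would make it clearer that they are the exact strings -crl_reason accepts, given that the next sentence says matching is case insensitive. For -crl_compromise, the GeneralizedTime pattern YYYYMMDDHHMMSSZ on new line 762 would benefit from one concrete sample value.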
| @@ -799,7 +839,7 @@ It specifies the directory where new certificates will be placed. | |||
| 799 | Mandatory. | 839 | Mandatory. | 
| 800 | .It Ar certificate | 840 | .It Ar certificate | 
| 801 | The same as | 841 | The same as | 
| 802 | .Fl cert. | 842 | .Fl cert . | 
| 803 | It gives the file containing the CA certificate. | 843 | It gives the file containing the CA certificate. | 
| 804 | Mandatory. | 844 | Mandatory. | 
| 805 | .It Ar private_key | 845 | .It Ar private_key | 
| @@ -958,7 +998,7 @@ the SPKAC and also the required DN components as name value pairs. | |||
| 958 | If it's necessary to include the same component twice then it can be | 998 | If it's necessary to include the same component twice then it can be | 
| 959 | preceded by a number and a '.'. | 999 | preceded by a number and a '.'. | 
| 960 | .Sh CA EXAMPLES | 1000 | .Sh CA EXAMPLES | 
| 961 | .Sy Note: | 1001 | .Sy Note : | 
| 962 | these examples assume that the | 1002 | these examples assume that the | 
| 963 | .Nm ca | 1003 | .Nm ca | 
| 964 | directory structure is already set up and the relevant files already exist. | 1004 | directory structure is already set up and the relevant files already exist. | 
| @@ -1049,25 +1089,8 @@ A sample configuration file with the relevant sections for | |||
| 1049 | \& commonName = supplied | 1089 | \& commonName = supplied | 
| 1050 | \& emailAddress = optional | 1090 | \& emailAddress = optional | 
| 1051 | .Ed | 1091 | .Ed | 
| 1052 | .Sh CA WARNINGS | ||
| 1053 | The | ||
| 1054 | .Nm ca | ||
| 1055 | command is quirky and at times downright unfriendly. | ||
| 1056 | .Pp | ||
| 1057 | The | ||
| 1058 | .Nm ca | ||
| 1059 | utility was originally meant as an example of how to do things in a CA. | ||
| 1060 | It was not supposed to be used as a full blown CA itself; | ||
| 1061 | nevertheless some people are using it for this purpose. | ||
| 1062 | .Pp | ||
| 1063 | The | ||
| 1064 | .Nm ca | ||
| 1065 | command is effectively a single user command: no locking is | ||
| 1066 | done on the various files and attempts to run more than one | ||
| 1067 | .Nm ca | ||
| 1068 | command on the same database can have unpredictable results. | ||
| 1069 | .Sh CA FILES | 1092 | .Sh CA FILES | 
| 1070 | .Sy Note: | 1093 | .Sy Note : | 
| 1071 | the location of all files can change either by compile time options, | 1094 | the location of all files can change either by compile time options, | 
| 1072 | configuration file entries, environment variables or command line options. | 1095 | configuration file entries, environment variables or command line options. | 
| 1073 | The values below reflect the default values. | 1096 | The values below reflect the default values. | 
| @@ -1096,9 +1119,6 @@ and if corrupted it can be difficult to fix. | |||
| 1096 | It is theoretically possible to rebuild the index file from all the | 1119 | It is theoretically possible to rebuild the index file from all the | 
| 1097 | issued certificates and a current CRL; however there is no option to do this. | 1120 | issued certificates and a current CRL; however there is no option to do this. | 
| 1098 | .Pp | 1121 | .Pp | 
| 1099 | CRL entry extensions cannot currently be created; only CRL extensions | ||
| 1100 | can be added. | ||
| 1101 | .Pp | ||
| 1102 | V2 CRL features like delta CRL support and CRL numbers are not currently | 1122 | V2 CRL features like delta CRL support and CRL numbers are not currently | 
| 1103 | supported. | 1123 | supported. | 
| 1104 | .Pp | 1124 | .Pp | 
| @@ -1141,6 +1161,23 @@ Cancelling some commands by refusing to certify a certificate can | |||
| 1141 | create an empty file. | 1161 | create an empty file. | 
| 1142 | .Sh CA WARNINGS | 1162 | .Sh CA WARNINGS | 
| 1143 | The | 1163 | The | 
| 1164 | .Nm ca | ||
| 1165 | command is quirky and at times downright unfriendly. | ||
| 1166 | .Pp | ||
| 1167 | The | ||
| 1168 | .Nm ca | ||
| 1169 | utility was originally meant as an example of how to do things in a CA. | ||
| 1170 | It was not supposed to be used as a full blown CA itself: | ||
| 1171 | nevertheless some people are using it for this purpose. | ||
| 1172 | .Pp | ||
| 1173 | The | ||
| 1174 | .Nm ca | ||
| 1175 | command is effectively a single user command: no locking is done on the | ||
| 1176 | various files, and attempts to run more than one | ||
| 1177 | .Nm ca | ||
| 1178 | command on the same database can have unpredictable results. | ||
| 1179 | .Pp | ||
| 1180 | The | ||
| 1144 | .Ar copy_extensions | 1181 | .Ar copy_extensions | 
| 1145 | option should be used with caution. | 1182 | option should be used with caution. | 
| 1146 | If care is not taken then it can be a security risk. | 1183 | If care is not taken then it can be a security risk. | 
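Review bot: The moved paragraph changes punctuation on new line 1170: "full blown CA itself:" had a semicolon in the copy removed at old line 1060, and the semicolon is the correct mark before "nevertheless", so the move should keep it. The no-locking paragraph on new lines 1173-1178 is the operationally important warning here, and after the move it sits directly above the copy_extensions caution; an explicit statement that concurrent ca runs against the same database are unsupported would be stronger than "can have unpredictable results".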
| @@ -1368,6 +1405,8 @@ TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively. | |||
| 1368 | Cipher suites using DH, including anonymous DH. | 1405 | Cipher suites using DH, including anonymous DH. | 
| 1369 | .It Ar ADH | 1406 | .It Ar ADH | 
| 1370 | Anonymous DH cipher suites. | 1407 | Anonymous DH cipher suites. | 
| 1408 | .It Ar AES | ||
| 1409 | Cipher suites using AES. | ||
| 1371 | .It Ar 3DES | 1410 | .It Ar 3DES | 
| 1372 | Cipher suites using triple DES. | 1411 | Cipher suites using triple DES. | 
| 1373 | .It Ar DES | 1412 | .It Ar DES | 
| @@ -1388,114 +1427,135 @@ The following lists give the SSL or TLS cipher suites names from the | |||
| 1388 | relevant specification and their | 1427 | relevant specification and their | 
| 1389 | .Nm OpenSSL | 1428 | .Nm OpenSSL | 
| 1390 | equivalents. | 1429 | equivalents. | 
| 1430 | It should be noted that several cipher suite names do not include the | ||
| 1431 | authentication used, e.g. DES-CBC3-SHA. | ||
| 1432 | In these cases, RSA authentication is used. | ||
| 1391 | .Pp | 1433 | .Pp | 
| 1392 | .Cm SSL v3.0 cipher suites | 1434 | .Sy "SSL v3.0 cipher suites" | 
| 1393 | .Pp | 1435 | .Pp | 
| 1394 | .Bd -literal | 1436 | .Bd -literal | 
| 1395 | \& SSL_RSA_WITH_NULL_MD5 NULL-MD5 | 1437 | SSL_RSA_WITH_NULL_MD5 NULL-MD5 | 
| 1396 | \& SSL_RSA_WITH_NULL_SHA NULL-SHA | 1438 | SSL_RSA_WITH_NULL_SHA NULL-SHA | 
| 1397 | \& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | 1439 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | 
| 1398 | \& SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 | 1440 | SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 | 
| 1399 | \& SSL_RSA_WITH_RC4_128_SHA RC4-SHA | 1441 | SSL_RSA_WITH_RC4_128_SHA RC4-SHA | 
| 1400 | \& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | 1442 | SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | 
| 1401 | \& SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | 1443 | SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | 
| 1402 | \& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | 1444 | SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | 
| 1403 | \& SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | 1445 | SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | 
| 1404 | \& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | 1446 | SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | 
| 1405 | .Ed | 1447 | .Ed | 
| 1406 | .Pp | 1448 | .Pp | 
| 1407 | .Bd -literal | 1449 | .Bd -literal | 
| 1408 | \& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 1450 | SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 
| 1409 | \& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. | 1451 | SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. | 
| 1410 | \& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | 1452 | SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | 
| 1411 | \& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 1453 | SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 
| 1412 | \& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. | 1454 | SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. | 
| 1413 | \& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | 1455 | SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | 
| 1414 | \& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | 1456 | SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | 
| 1415 | \& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | 1457 | SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | 
| 1416 | \& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | 1458 | SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | 
| 1417 | \& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | 1459 | SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | 
| 1418 | \& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | 1460 | SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | 
| 1419 | \& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | 1461 | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | 
| 1420 | .Ed | 1462 | .Ed | 
| 1421 | .Pp | 1463 | .Pp | 
| 1422 | .Bd -literal | 1464 | .Bd -literal | 
| 1423 | \& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | 1465 | SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | 
| 1424 | \& SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | 1466 | SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | 
| 1425 | \& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | 1467 | SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | 
| 1426 | \& SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | 1468 | SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | 
| 1427 | \& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | 1469 | SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | 
| 1428 | .Ed | 1470 | .Ed | 
| 1429 | .Pp | 1471 | .Pp | 
| 1430 | .Bd -literal | 1472 | .Bd -literal | 
| 1431 | \& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. | 1473 | SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. | 
| 1432 | \& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. | 1474 | SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. | 
| 1433 | \& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. | 1475 | SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. | 
| 1434 | .Ed | 1476 | .Ed | 
| 1435 | .Pp | 1477 | .Pp | 
| 1436 | .Cm TLS v1.0 cipher suites | 1478 | .Sy "TLS v1.0 cipher suites" | 
| 1437 | .Pp | 1479 | .Pp | 
| 1438 | .Bd -literal | 1480 | .Bd -literal | 
| 1439 | \& TLS_RSA_WITH_NULL_MD5 NULL-MD5 | 1481 | TLS_RSA_WITH_NULL_MD5 NULL-MD5 | 
| 1440 | \& TLS_RSA_WITH_NULL_SHA NULL-SHA | 1482 | TLS_RSA_WITH_NULL_SHA NULL-SHA | 
| 1441 | \& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | 1483 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 | 
| 1442 | \& TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 | 1484 | TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 | 
| 1443 | \& TLS_RSA_WITH_RC4_128_SHA RC4-SHA | 1485 | TLS_RSA_WITH_RC4_128_SHA RC4-SHA | 
| 1444 | \& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | 1486 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 | 
| 1445 | \& TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | 1487 | TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA | 
| 1446 | \& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | 1488 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA | 
| 1447 | \& TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | 1489 | TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA | 
| 1448 | \& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | 1490 | TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA | 
| 1449 | .Ed | 1491 | .Ed | 
| 1450 | .Pp | 1492 | .Pp | 
| 1451 | .Bd -literal | 1493 | .Bd -literal | 
| 1452 | \& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 1494 | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 
| 1453 | \& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. | 1495 | TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. | 
| 1454 | \& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | 1496 | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. | 
| 1455 | \& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 1497 | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. | 
| 1456 | \& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. | 1498 | TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. | 
| 1457 | \& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | 1499 | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. | 
| 1458 | \& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | 1500 | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA | 
| 1459 | \& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | 1501 | TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA | 
| 1460 | \& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | 1502 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA | 
| 1461 | \& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | 1503 | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA | 
| 1462 | \& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | 1504 | TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA | 
| 1463 | \& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | 1505 | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA | 
| 1464 | .Ed | 1506 | .Ed | 
| 1465 | .Pp | 1507 | .Pp | 
| 1466 | .Bd -literal | 1508 | .Bd -literal | 
| 1467 | \& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | 1509 | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 | 
| 1468 | \& TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | 1510 | TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 | 
| 1469 | \& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | 1511 | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA | 
| 1470 | \& TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | 1512 | TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA | 
| 1471 | \& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | 1513 | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA | 
| 1472 | .Ed | 1514 | .Ed | 
| 1473 | .Pp | 1515 | .Pp | 
| 1474 | .Cm Additional Export 1024 and other cipher suites | 1516 | .Sy "AES ciphersuites from RFC 3268, extending TLS v1.0" | 
| 1517 | .Bd -literal | ||
| 1518 | TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA | ||
| 1519 | TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA | ||
| 1520 | |||
| 1521 | TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA | ||
| 1522 | TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA | ||
| 1523 | TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA | ||
| 1524 | TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA | ||
| 1525 | |||
| 1526 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA | ||
| 1527 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA | ||
| 1528 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA | ||
| 1529 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA | ||
| 1530 | |||
| 1531 | TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA | ||
| 1532 | TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA | ||
| 1533 | .Ed | ||
| 1475 | .Pp | 1534 | .Pp | 
| 1476 | .Sy Note: | 1535 | .Sy "Additional Export 1024 and other cipher suites" | 
| 1536 | .Pp | ||
| 1537 | .Sy Note : | ||
| 1477 | These ciphers can also be used in SSL v3. | 1538 | These ciphers can also be used in SSL v3. | 
| 1478 | .Pp | 1539 | .Pp | 
| 1479 | .Bd -literal | 1540 | .Bd -literal | 
| 1480 | \& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA | 1541 | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA | 
| 1481 | \& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA | 1542 | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA | 
| 1482 | \& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA | 1543 | TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA | 
| 1483 | \& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA | 1544 | TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA | 
| 1484 | \& TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA | 1545 | TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA | 
| 1485 | .Ed | 1546 | .Ed | 
| 1486 | .Pp | 1547 | .Pp | 
| 1487 | .Cm SSL v2.0 cipher suites | 1548 | .Sy "SSL v2.0 cipher suites" | 
| 1488 | .Pp | 1549 | .Pp | 
| 1489 | .Bd -literal | 1550 | .Bd -literal | 
| 1490 | \& SSL_CK_RC4_128_WITH_MD5 RC4-MD5 | 1551 | SSL_CK_RC4_128_WITH_MD5 RC4-MD5 | 
| 1491 | \& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 | 1552 | SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 | 
| 1492 | \& SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 | 1553 | SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 | 
| 1493 | \& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 | 1554 | SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 | 
| 1494 | \& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 | 1555 | SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 | 
| 1495 | \& SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 | 1556 | SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 | 
| 1496 | \& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 | 1557 | SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 | 
| 1497 | .Ed | 1558 | .Ed | 
| 1498 | .Pp | ||
| 1499 | .Sh CIPHERS NOTES | 1559 | .Sh CIPHERS NOTES | 
| 1500 | The non-ephemeral DH modes are currently unimplemented in | 1560 | The non-ephemeral DH modes are currently unimplemented in | 
| 1501 | .Nm OpenSSL | 1561 | .Nm OpenSSL | 
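Review bot: The new AES block gives OpenSSL names for the fixed-DH suites (DH-DSS-AES128-SHA through DH-RSA-AES256-SHA, new lines 1521-1524), yet every other fixed-DH row in this hunk reads "Not implemented." and the CIPHERS NOTES text immediately below still says the non-ephemeral DH modes are currently unimplemented. Either mark these four rows "Not implemented." as well or adjust the note so the page does not contradict itself. Two smaller points: the AES heading on new line 1516 goes straight into ".Bd -literal" without the ".Pp" every other heading in the hunk has, and spells "ciphersuites" where the others use "cipher suites"; and EDH-DSS-CBC-SHA (new lines 1457 and 1501) is carried over unchanged although its neighbours all include the DES component, so it looks like it should be EDH-DSS-DES-CBC-SHA.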
| @@ -1766,7 +1826,7 @@ Digitally sign the digest using the private key in | |||
| 1766 | .Ar filename . | 1826 | .Ar filename . | 
| 1767 | .It Fl verify Ar filename | 1827 | .It Fl verify Ar filename | 
| 1768 | Verify the signature using the public key in | 1828 | Verify the signature using the public key in | 
| 1769 | .Ar filename. | 1829 | .Ar filename . | 
| 1770 | The output is either "Verification OK" or "Verification Failure". | 1830 | The output is either "Verification OK" or "Verification Failure". | 
| 1771 | .It Fl prverify Ar filename | 1831 | .It Fl prverify Ar filename | 
| 1772 | Verify the signature using the private key in | 1832 | Verify the signature using the private key in | 
| @@ -1812,7 +1872,7 @@ being signed or verified. | |||
| 1812 | Diffie-Hellman Parameter Management. The | 1872 | Diffie-Hellman Parameter Management. The | 
| 1813 | .Nm dh | 1873 | .Nm dh | 
| 1814 | command has been replaced by | 1874 | command has been replaced by | 
| 1815 | .Nm dhparam. | 1875 | .Nm dhparam . | 
| 1816 | See | 1876 | See | 
| 1817 | .Sx DHPARAM | 1877 | .Sx DHPARAM | 
| 1818 | below. | 1878 | below. | 
| @@ -1833,6 +1893,7 @@ below. | |||
| 1833 | .Op Fl 2 | 1893 | .Op Fl 2 | 
| 1834 | .Op Fl 5 | 1894 | .Op Fl 5 | 
| 1835 | .Op Fl rand Ar file ... | 1895 | .Op Fl rand Ar file ... | 
| 1896 | .Op Fl engine Ar id | ||
| 1836 | .Op Ar numbits | 1897 | .Op Ar numbits | 
| 1837 | .Ek | 1898 | .Ek | 
| 1838 | .Pp | 1899 | .Pp | 
| @@ -1919,6 +1980,14 @@ This option converts the parameters into C code. | |||
| 1919 | The parameters can then be loaded by calling the | 1980 | The parameters can then be loaded by calling the | 
| 1920 | .Cm get_dh Ns Ar numbits Ns Li () | 1981 | .Cm get_dh Ns Ar numbits Ns Li () | 
| 1921 | function. | 1982 | function. | 
| 1983 | .It Fl engine Ar id | ||
| 1984 | Specifying an engine (by it's unique | ||
| 1985 | .Ar id | ||
| 1986 | string) will cause | ||
| 1987 | .Nm req | ||
| 1988 | to attempt to obtain a functional reference to the specified engine, | ||
| 1989 | thus initialising it if needed. | ||
| 1990 | The engine will then be set as the default for all available algorithms. | ||
| 1922 | .El | 1991 | .El | 
| 1923 | .Sh DHPARAM WARNINGS | 1992 | .Sh DHPARAM WARNINGS | 
| 1924 | The program | 1993 | The program | 
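Review bot: Same copy-and-paste problem as in the ca section: ".Nm req" on new line 1987 should be ".Nm dhparam", because this item is in the option list that ends just above ".Sh DHPARAM WARNINGS". "by it's unique" on new line 1984 should be "by its unique".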
| @@ -1985,6 +2054,7 @@ option was added in | |||
| 1985 | .Op Fl modulus | 2054 | .Op Fl modulus | 
| 1986 | .Op Fl pubin | 2055 | .Op Fl pubin | 
| 1987 | .Op Fl pubout | 2056 | .Op Fl pubout | 
| 2057 | .Op Fl engine Ar id | ||
| 1988 | .Ek | 2058 | .Ek | 
| 1989 | .Pp | 2059 | .Pp | 
| 1990 | The | 2060 | The | 
| @@ -1992,7 +2062,7 @@ The | |||
| 1992 | command processes DSA keys. | 2062 | command processes DSA keys. | 
| 1993 | They can be converted between various forms and their components printed out. | 2063 | They can be converted between various forms and their components printed out. | 
| 1994 | .Pp | 2064 | .Pp | 
| 1995 | .Sy Note: | 2065 | .Sy Note : | 
| 1996 | This command uses the traditional | 2066 | This command uses the traditional | 
| 1997 | .Nm SSLeay | 2067 | .Nm SSLeay | 
| 1998 | compatible format for private key encryption: | 2068 | compatible format for private key encryption: | 
| @@ -2079,6 +2149,14 @@ With this option a public key is read instead. | |||
| 2079 | By default a private key is output. | 2149 | By default a private key is output. | 
| 2080 | With this option a public key will be output instead. | 2150 | With this option a public key will be output instead. | 
| 2081 | This option is automatically set if the input is a public key. | 2151 | This option is automatically set if the input is a public key. | 
| 2152 | .It Fl engine Ar id | ||
| 2153 | Specifying an engine (by it's unique | ||
| 2154 | .Ar id | ||
| 2155 | string) will cause | ||
| 2156 | .Nm req | ||
| 2157 | to attempt to obtain a functional reference to the specified engine, | ||
| 2158 | thus initialising it if needed. | ||
| 2159 | The engine will then be set as the default for all available algorithms. | ||
| 2082 | .El | 2160 | .El | 
| 2083 | .Sh DSA NOTES | 2161 | .Sh DSA NOTES | 
| 2084 | The | 2162 | The | 
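Review bot: ".Nm req" on new line 2156 should be ".Nm dsa"; the item sits in the list that closes right before ".Sh DSA NOTES". Also "it's" should be "its" on new line 2153. Since this text is now repeated verbatim in several sections, consider fixing it once and re-pasting with the command name substituted each time.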
| @@ -2123,6 +2201,7 @@ To just output the public part of a private key: | |||
| 2123 | .\" | 2201 | .\" | 
| 2124 | .Sh DSAPARAM | 2202 | .Sh DSAPARAM | 
| 2125 | .Nm openssl dsaparam | 2203 | .Nm openssl dsaparam | 
| 2204 | .Bk -words | ||
| 2126 | .Op Fl inform Ar DER|PEM | 2205 | .Op Fl inform Ar DER|PEM | 
| 2127 | .Op Fl outform Ar DER|PEM | 2206 | .Op Fl outform Ar DER|PEM | 
| 2128 | .Op Fl in Ar filename | 2207 | .Op Fl in Ar filename | 
| @@ -2132,7 +2211,9 @@ To just output the public part of a private key: | |||
| 2132 | .Op Fl C | 2211 | .Op Fl C | 
| 2133 | .Op Fl rand Ar file ... | 2212 | .Op Fl rand Ar file ... | 
| 2134 | .Op Fl genkey | 2213 | .Op Fl genkey | 
| 2214 | .Op Fl engine Ar id | ||
| 2135 | .Op Ar numbits | 2215 | .Op Ar numbits | 
| 2216 | .Ek | ||
| 2136 | .Pp | 2217 | .Pp | 
| 2137 | The | 2218 | The | 
| 2138 | .Nm dsaparam | 2219 | .Nm dsaparam | 
| @@ -2203,6 +2284,14 @@ This option specifies that a parameter set should be generated of size | |||
| 2203 | .Ar numbits . | 2284 | .Ar numbits . | 
| 2204 | It must be the last option. | 2285 | It must be the last option. | 
| 2205 | If this option is included, then the input file (if any) is ignored. | 2286 | If this option is included, then the input file (if any) is ignored. | 
| 2287 | .It Fl engine Ar id | ||
| 2288 | Specifying an engine (by it's unique | ||
| 2289 | .Ar id | ||
| 2290 | string) will cause | ||
| 2291 | .Nm req | ||
| 2292 | to attempt to obtain a functional reference to the specified engine, | ||
| 2293 | thus initialising it if needed. | ||
| 2294 | The engine will then be set as the default for all available algorithms. | ||
| 2206 | .El | 2295 | .El | 
| 2207 | .Sh DSAPARAM NOTES | 2296 | .Sh DSAPARAM NOTES | 
| 2208 | .Ar PEM | 2297 | .Ar PEM | 
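Review bot: ".Nm req" on new line 2291 should be ".Nm dsaparam" (the list ends just above ".Sh DSAPARAM NOTES"), and "it's" should be "its" on new line 2288. The placement also needs a look: the context line at new line 2285 says numbits "must be the last option", and the new -engine item is inserted after it in the list, which could be read as permission to put -engine after numbits on the command line.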
| @@ -2565,7 +2654,7 @@ utility is undocumented. | |||
| 2565 | .\" | 2654 | .\" | 
| 2566 | .Sh GENDH | 2655 | .Sh GENDH | 
| 2567 | Generation of Diffie-Hellman Parameters. Replaced by | 2656 | Generation of Diffie-Hellman Parameters. Replaced by | 
| 2568 | .Nm dhparam. | 2657 | .Nm dhparam . | 
| 2569 | See | 2658 | See | 
| 2570 | .Sx DHPARAM | 2659 | .Sx DHPARAM | 
| 2571 | above. | 2660 | above. | 
| @@ -2579,6 +2668,7 @@ above. | |||
| 2579 | .Op Fl des3 | 2668 | .Op Fl des3 | 
| 2580 | .Op Fl idea | 2669 | .Op Fl idea | 
| 2581 | .Op Fl rand Ar file ... | 2670 | .Op Fl rand Ar file ... | 
| 2671 | .Op Fl engine Ar id | ||
| 2582 | .Op Ar paramfile | 2672 | .Op Ar paramfile | 
| 2583 | .Pp | 2673 | .Pp | 
| 2584 | The | 2674 | The | 
| @@ -2611,6 +2701,14 @@ for MS-Windows, | |||
| 2611 | for OpenVMS, and | 2701 | for OpenVMS, and | 
| 2612 | .Cm \&: | 2702 | .Cm \&: | 
| 2613 | for all others. | 2703 | for all others. | 
| 2704 | .It Fl engine Ar id | ||
| 2705 | Specifying an engine (by it's unique | ||
| 2706 | .Ar id | ||
| 2707 | string) will cause | ||
| 2708 | .Nm req | ||
| 2709 | to attempt to obtain a functional reference to the specified engine, | ||
| 2710 | thus initialising it if needed. | ||
| 2711 | The engine will then be set as the default for all available algorithms. | ||
| 2614 | .It Ar paramfile | 2712 | .It Ar paramfile | 
| 2615 | This option specifies the DSA parameter file to use. | 2713 | This option specifies the DSA parameter file to use. | 
| 2616 | The parameters in this file determine the size of the private key. | 2714 | The parameters in this file determine the size of the private key. | 
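Review bot: The -engine description on new lines 2704-2711 again says ".Nm req" (new line 2708) although this option list belongs to a different command, the one taking the paramfile argument described right after; substitute that command's name. "it's" should be "its" on new line 2705.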
| @@ -2634,6 +2732,7 @@ much quicker that RSA key generation for example. | |||
| 2634 | .Op Fl f4 | 2732 | .Op Fl f4 | 
| 2635 | .Op Fl 3 | 2733 | .Op Fl 3 | 
| 2636 | .Op Fl rand Ar file ... | 2734 | .Op Fl rand Ar file ... | 
| 2735 | .Op Fl engine Ar id | ||
| 2637 | .Op Ar numbits | 2736 | .Op Ar numbits | 
| 2638 | .Pp | 2737 | .Pp | 
| 2639 | The | 2738 | The | 
| @@ -2680,6 +2779,14 @@ for MS-Windows, | |||
| 2680 | for OpenVMS, and | 2779 | for OpenVMS, and | 
| 2681 | .Cm \&: | 2780 | .Cm \&: | 
| 2682 | for all others. | 2781 | for all others. | 
| 2782 | .It Fl engine Ar id | ||
| 2783 | Specifying an engine (by it's unique | ||
| 2784 | .Ar id | ||
| 2785 | string) will cause | ||
| 2786 | .Nm req | ||
| 2787 | to attempt to obtain a functional reference to the specified engine, | ||
| 2788 | thus initialising it if needed. | ||
| 2789 | The engine will then be set as the default for all available algorithms. | ||
| 2683 | .It Ar numbits | 2790 | .It Ar numbits | 
| 2684 | The size of the private key to generate in bits. | 2791 | The size of the private key to generate in bits. | 
| 2685 | This must be the last option specified. | 2792 | This must be the last option specified. | 
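Review bot: `.Nm req` in the `-engine` entry added just before `numbits` does not match this section, which documents a key generation command taking `numbits`, not req. Name the right command here, and fix the possessive in "by it's unique" to "its".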
| @@ -2783,6 +2890,10 @@ input and output files and allowing multiple certificate files to be used. | |||
| 2783 | .Op Fl issuer Ar file | 2890 | .Op Fl issuer Ar file | 
| 2784 | .Op Fl cert Ar file | 2891 | .Op Fl cert Ar file | 
| 2785 | .Op Fl serial Ar n | 2892 | .Op Fl serial Ar n | 
| 2893 | .Op Fl signer Ar file | ||
| 2894 | .Op Fl signkey Ar file | ||
| 2895 | .Op Fl sign_other Ar file | ||
| 2896 | .Op Fl no_certs | ||
| 2786 | .Op Fl req_text | 2897 | .Op Fl req_text | 
| 2787 | .Op Fl resp_text | 2898 | .Op Fl resp_text | 
| 2788 | .Op Fl text | 2899 | .Op Fl text | 
| @@ -2792,28 +2903,36 @@ input and output files and allowing multiple certificate files to be used. | |||
| 2792 | .Op Fl respin Ar file | 2903 | .Op Fl respin Ar file | 
| 2793 | .Op Fl nonce | 2904 | .Op Fl nonce | 
| 2794 | .Op Fl no_nonce | 2905 | .Op Fl no_nonce | 
| 2795 | .Op Fl url Ar responder_url | 2906 | .Op Fl url Ar URL | 
| 2796 | .Op Fl host Ar host:n | 2907 | .Op Fl host Ar host:n | 
| 2797 | .Op Fl path | 2908 | .Op Fl path | 
| 2798 | .Op Fl CApath Ar file | 2909 | .Op Fl CApath Ar dir | 
| 2799 | .Op Fl CAfile Ar file | 2910 | .Op Fl CAfile Ar file | 
| 2800 | .Op Fl VAfile Ar file | 2911 | .Op Fl VAfile Ar file | 
| 2801 | .Op Fl verify_certs Ar file | 2912 | .Op Fl validity_period Ar n | 
| 2913 | .Op Fl status_age Ar n | ||
| 2802 | .Op Fl noverify | 2914 | .Op Fl noverify | 
| 2915 | .Op Fl verify_other Ar file | ||
| 2803 | .Op Fl trust_other | 2916 | .Op Fl trust_other | 
| 2804 | .Op Fl no_intern | 2917 | .Op Fl no_intern | 
| 2805 | .Op Fl no_sig_verify | 2918 | .Op Fl no_signature_verify | 
| 2806 | .Op Fl no_cert_verify | 2919 | .Op Fl no_cert_verify | 
| 2807 | .Op Fl no_chain | 2920 | .Op Fl no_chain | 
| 2808 | .Op Fl no_cert_checks | 2921 | .Op Fl no_cert_checks | 
| 2809 | .Op Fl validity_period Ar nsec | 2922 | .Op Fl port Ar num | 
| 2810 | .Op Fl status_age Ar nsec | 2923 | .Op Fl index Ar file | 
| 2924 | .Op Fl CA Ar file | ||
| 2925 | .Op Fl rsigner Ar file | ||
| 2926 | .Op Fl rkey Ar file | ||
| 2927 | .Op Fl rother Ar file | ||
| 2928 | .Op Fl resp_no_certs | ||
| 2929 | .Op Fl nmin Ar n | ||
| 2930 | .Op Fl ndays Ar n | ||
| 2931 | .Op Fl resp_key_id | ||
| 2932 | .Op Fl nrequest Ar n | ||
| 2811 | .Ek | 2933 | .Ek | 
| 2812 | .br | 2934 | .br | 
| 2813 | .Pp | 2935 | .Pp | 
| 2814 | .Sy WARNING: | ||
| 2815 | this documentation is preliminary and subject to change. | ||
| 2816 | .Pp | ||
| 2817 | The Online Certificate Status Protocol (OCSP) enables applications to | 2936 | The Online Certificate Status Protocol (OCSP) enables applications to | 
| 2818 | determine the (revocation) state of an identified certificate (RFC 2560). | 2937 | determine the (revocation) state of an identified certificate (RFC 2560). | 
| 2819 | .Pp | 2938 | .Pp | 
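Review bot: in the reshuffled synopsis, `-validity_period` and `-status_age` change their argument from `nsec` to `n`, which drops the only hint in the synopsis that these values are seconds. Since both options bound how stale an OCSP response may be, keep `nsec` (or another name that carries the unit) so that a reader working from the synopsis alone does not guess minutes or days, as `-nmin` and `-ndays` further down might suggest.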
| @@ -2865,6 +2984,8 @@ If the | |||
| 2865 | option is not present then the private key is read from the same file | 2984 | option is not present then the private key is read from the same file | 
| 2866 | as the certificate. | 2985 | as the certificate. | 
| 2867 | If neither option is specified then the OCSP request is not signed. | 2986 | If neither option is specified then the OCSP request is not signed. | 
| 2987 | .It Fl sign_other Ar filename | ||
| 2988 | Additional certificates to include in the signed request. | ||
| 2868 | .It Fl nonce , no_nonce | 2989 | .It Fl nonce , no_nonce | 
| 2869 | Add an OCSP | 2990 | Add an OCSP | 
| 2870 | .Em nonce | 2991 | .Em nonce | 
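Review bot: the argument name in the new `.It Fl sign_other Ar filename` entry disagrees with the synopsis added in this same commit, which has `.Op Fl sign_other Ar file`. Pick one spelling for both places. The description could also say what the extra certificates are for (for example, helping the responder build a chain to the signer), since "additional certificates to include" does not tell the reader when to use the option.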
| @@ -2923,7 +3044,7 @@ or | |||
| 2923 | .Ar pathname | 3044 | .Ar pathname | 
| 2924 | containing trusted CA certificates. | 3045 | containing trusted CA certificates. | 
| 2925 | These are used to verify the signature on the OCSP response. | 3046 | These are used to verify the signature on the OCSP response. | 
| 2926 | .It Fl verify_certs Ar file | 3047 | .It Fl verify_other Ar file | 
| 2927 | .Ar file | 3048 | .Ar file | 
| 2928 | containing additional certificates to search when attempting to locate | 3049 | containing additional certificates to search when attempting to locate | 
| 2929 | the OCSP response signing certificate. | 3050 | the OCSP response signing certificate. | 
| @@ -2958,7 +3079,7 @@ With this option the signer's certificate must be specified with either the | |||
| 2958 | or | 3079 | or | 
| 2959 | .Fl VAfile | 3080 | .Fl VAfile | 
| 2960 | options. | 3081 | options. | 
| 2961 | .It Fl no_sig_verify | 3082 | .It Fl no_signature_verify | 
| 2962 | Don't check the signature on the OCSP response. | 3083 | Don't check the signature on the OCSP response. | 
| 2963 | Since this option tolerates invalid signatures on OCSP responses, | 3084 | Since this option tolerates invalid signatures on OCSP responses, | 
| 2964 | it will normally only be used for testing purposes. | 3085 | it will normally only be used for testing purposes. | 
| @@ -3003,7 +3124,6 @@ seconds old. | |||
| 3003 | By default this additional check is not performed. | 3124 | By default this additional check is not performed. | 
| 3004 | .El | 3125 | .El | 
| 3005 | .Sh OCSP SERVER OPTIONS | 3126 | .Sh OCSP SERVER OPTIONS | 
| 3006 | .Pp | ||
| 3007 | .Bl -tag -width "XXXX" | 3127 | .Bl -tag -width "XXXX" | 
| 3008 | .It Fl index Ar indexfile | 3128 | .It Fl index Ar indexfile | 
| 3009 | .Ar indexfile | 3129 | .Ar indexfile | 
| @@ -3236,7 +3356,7 @@ The password list is taken from the named | |||
| 3236 | for option | 3356 | for option | 
| 3237 | .Fl in , | 3357 | .Fl in , | 
| 3238 | from stdin for option | 3358 | from stdin for option | 
| 3239 | .Fl stdin, | 3359 | .Fl stdin , | 
| 3240 | or from the command line, or from the terminal otherwise. | 3360 | or from the command line, or from the terminal otherwise. | 
| 3241 | The Unix standard algorithm | 3361 | The Unix standard algorithm | 
| 3242 | .Em crypt | 3362 | .Em crypt | 
| @@ -3279,14 +3399,13 @@ In the output list, prepend the cleartext password and a TAB character | |||
| 3279 | to each password hash. | 3399 | to each password hash. | 
| 3280 | .El | 3400 | .El | 
| 3281 | .Sh PASSWD EXAMPLES | 3401 | .Sh PASSWD EXAMPLES | 
| 3282 | .Pp | ||
| 3283 | .Bl -tag -width "XXXX" | 3402 | .Bl -tag -width "XXXX" | 
| 3284 | .It $ openssl passwd -crypt -salt xx password | 3403 | .It $ openssl passwd -crypt -salt xx password | 
| 3285 | prints | 3404 | prints | 
| 3286 | .Em xxj31ZMTZzkVA . | 3405 | .Em xxj31ZMTZzkVA . | 
| 3287 | .It $ openssl passwd -1 -salt xxxxxxxx password | 3406 | .It $ openssl passwd -1 -salt xxxxxxxx password | 
| 3288 | prints | 3407 | prints | 
| 3289 | .Em $1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1 . | 3408 | .Em $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. . | 
| 3290 | .It $ openssl passwd -apr1 -salt xxxxxxxx password | 3409 | .It $ openssl passwd -apr1 -salt xxxxxxxx password | 
| 3291 | prints | 3410 | prints | 
| 3292 | .Em $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 . | 3411 | .Em $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 . | 
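Review bot: the replacement `-1` example output ends in a literal "." that is part of the hash, immediately followed by the sentence's closing " .", so the rendered text shows two dots and a reader cannot tell where the hash stops. Consider moving the expected output into a literal display, or rewording so the hash is not the last word of the sentence.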
| @@ -3304,6 +3423,7 @@ prints | |||
| 3304 | .Op Fl print_certs | 3423 | .Op Fl print_certs | 
| 3305 | .Op Fl text | 3424 | .Op Fl text | 
| 3306 | .Op Fl noout | 3425 | .Op Fl noout | 
| 3426 | .Op Fl engine Ar id | ||
| 3307 | .Ek | 3427 | .Ek | 
| 3308 | .br | 3428 | .br | 
| 3309 | .Pp | 3429 | .Pp | 
| @@ -3347,6 +3467,14 @@ Don't output the encoded version of the PKCS#7 structure | |||
| 3347 | (or certificates if | 3467 | (or certificates if | 
| 3348 | .Fl print_certs | 3468 | .Fl print_certs | 
| 3349 | is set). | 3469 | is set). | 
| 3470 | .It Fl engine Ar id | ||
| 3471 | Specifying an engine (by it's unique | ||
| 3472 | .Ar id | ||
| 3473 | string) will cause | ||
| 3474 | .Nm req | ||
| 3475 | to attempt to obtain a functional reference to the specified engine, | ||
| 3476 | thus initialising it if needed. | ||
| 3477 | The engine will then be set as the default for all available algorithms. | ||
| 3350 | .El | 3478 | .El | 
| 3351 | .Sh PKCS7 EXAMPLES | 3479 | .Sh PKCS7 EXAMPLES | 
| 3352 | Convert a PKCS#7 file from | 3480 | Convert a PKCS#7 file from | 
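Review bot: the `-engine` entry added at the end of the option list before `.Sh PKCS7 EXAMPLES` says `.Nm req` will obtain the engine reference, but this is the pkcs7 section. Replace `req` with the command being documented and correct "it's" to "its".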
| @@ -3400,6 +3528,7 @@ They cannot currently parse, for example, the new CMS as described in RFC2630. | |||
| 3400 | .Op Fl nsdb | 3528 | .Op Fl nsdb | 
| 3401 | .Op Fl v2 Ar alg | 3529 | .Op Fl v2 Ar alg | 
| 3402 | .Op Fl v1 Ar alg | 3530 | .Op Fl v1 Ar alg | 
| 3531 | .Op Fl engine Ar id | ||
| 3403 | .Ek | 3532 | .Ek | 
| 3404 | .Pp | 3533 | .Pp | 
| 3405 | The | 3534 | The | 
| @@ -3522,6 +3651,14 @@ is used. | |||
| 3522 | .It Fl v1 Ar alg | 3651 | .It Fl v1 Ar alg | 
| 3523 | This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. | 3652 | This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. | 
| 3524 | A complete list of possible algorithms is included below. | 3653 | A complete list of possible algorithms is included below. | 
| 3654 | .It Fl engine Ar id | ||
| 3655 | Specifying an engine (by it's unique | ||
| 3656 | .Ar id | ||
| 3657 | string) will cause | ||
| 3658 | .Nm req | ||
| 3659 | to attempt to obtain a functional reference to the specified engine, | ||
| 3660 | thus initialising it if needed. | ||
| 3661 | The engine will then be set as the default for all available algorithms. | ||
| 3525 | .El | 3662 | .El | 
| 3526 | .Sh PKCS8 NOTES | 3663 | .Sh PKCS8 NOTES | 
| 3527 | The encrypted form of a | 3664 | The encrypted form of a | 
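Review bot: the `-engine` text added after `-v1 Ar alg` was copied with `.Nm req` intact, although the list closes into `.Sh PKCS8 NOTES`. It should name pkcs8, and "by it's unique" should read "by its unique".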
| @@ -4061,6 +4198,7 @@ encoding on the output. | |||
| 4061 | .Op Fl nameopt | 4198 | .Op Fl nameopt | 
| 4062 | .Op Fl batch | 4199 | .Op Fl batch | 
| 4063 | .Op Fl verbose | 4200 | .Op Fl verbose | 
| 4201 | .Op Fl engine Ar id | ||
| 4064 | .Ek | 4202 | .Ek | 
| 4065 | .Pp | 4203 | .Pp | 
| 4066 | The | 4204 | The | 
| @@ -4163,7 +4301,7 @@ is the number of bits, generates an RSA key | |||
| 4163 | in size. | 4301 | in size. | 
| 4164 | .Ar dsa:filename | 4302 | .Ar dsa:filename | 
| 4165 | generates a DSA key using the parameters in the file | 4303 | generates a DSA key using the parameters in the file | 
| 4166 | .Ar filename. | 4304 | .Ar filename . | 
| 4167 | .It Fl key Ar filename | 4305 | .It Fl key Ar filename | 
| 4168 | This specifies the file to read the private key from. | 4306 | This specifies the file to read the private key from. | 
| 4169 | It also accepts PKCS#8 format private keys for | 4307 | It also accepts PKCS#8 format private keys for | 
| @@ -4274,6 +4412,14 @@ Some software (Netscape certificate server) and some CAs need this. | |||
| 4274 | Non-interactive mode. | 4412 | Non-interactive mode. | 
| 4275 | .It Fl verbose | 4413 | .It Fl verbose | 
| 4276 | Print extra details about the operations being performed. | 4414 | Print extra details about the operations being performed. | 
| 4415 | .It Fl engine Ar id | ||
| 4416 | Specifying an engine (by it's unique | ||
| 4417 | .Ar id | ||
| 4418 | string) will cause | ||
| 4419 | .Nm req | ||
| 4420 | to attempt to obtain a functional reference to the specified engine, | ||
| 4421 | thus initialising it if needed. | ||
| 4422 | The engine will then be set as the default for all available algorithms. | ||
| 4277 | .El | 4423 | .El | 
| 4278 | .Sh REQ CONFIGURATION FILE FORMAT | 4424 | .Sh REQ CONFIGURATION FILE FORMAT | 
| 4279 | The configuration options are specified in the | 4425 | The configuration options are specified in the | 
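Review bot: `.Nm req` is correct in this copy of the `-engine` paragraph, but "by it's unique" still needs to be "by its unique". As this appears to be the source of the text pasted into the other sections, fixing the wording here first avoids repeating the typo.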
| @@ -4506,7 +4652,7 @@ These are compiled into | |||
| 4506 | .Nm OpenSSL | 4652 | .Nm OpenSSL | 
| 4507 | and include the usual values such as | 4653 | and include the usual values such as | 
| 4508 | .Em commonName , countryName , localityName , organizationName , | 4654 | .Em commonName , countryName , localityName , organizationName , | 
| 4509 | .Em organizationUnitName , stateOrPrivinceName . | 4655 | .Em organizationUnitName , stateOrProvinceName . | 
| 4510 | Additionally | 4656 | Additionally | 
| 4511 | .Em emailAddress | 4657 | .Em emailAddress | 
| 4512 | is included as well as | 4658 | is included as well as | 
| @@ -4631,15 +4777,15 @@ The header and footer lines in the | |||
| 4631 | format are normally: | 4777 | format are normally: | 
| 4632 | .Pp | 4778 | .Pp | 
| 4633 | .Bd -literal | 4779 | .Bd -literal | 
| 4634 | \& -----BEGIN CERTIFICATE REQUEST---- | 4780 | \& -----BEGIN CERTIFICATE REQUEST----- | 
| 4635 | \& -----END CERTIFICATE REQUEST---- | 4781 | \& -----END CERTIFICATE REQUEST----- | 
| 4636 | .Ed | 4782 | .Ed | 
| 4637 | .Pp | 4783 | .Pp | 
| 4638 | Some software (some versions of Netscape certificate server) instead needs: | 4784 | Some software (some versions of Netscape certificate server) instead needs: | 
| 4639 | .Pp | 4785 | .Pp | 
| 4640 | .Bd -literal | 4786 | .Bd -literal | 
| 4641 | \& -----BEGIN NEW CERTIFICATE REQUEST---- | 4787 | \& -----BEGIN NEW CERTIFICATE REQUEST----- | 
| 4642 | \& -----END NEW CERTIFICATE REQUEST---- | 4788 | \& -----END NEW CERTIFICATE REQUEST----- | 
| 4643 | .Ed | 4789 | .Ed | 
| 4644 | .Pp | 4790 | .Pp | 
| 4645 | which is produced with the | 4791 | which is produced with the | 
| @@ -4736,6 +4882,7 @@ should be input by the user. | |||
| 4736 | .\" | 4882 | .\" | 
| 4737 | .Sh RSA | 4883 | .Sh RSA | 
| 4738 | .Cm openssl rsa | 4884 | .Cm openssl rsa | 
| 4885 | .Bk -words | ||
| 4739 | .Op Fl inform Ar PEM|NET|DER | 4886 | .Op Fl inform Ar PEM|NET|DER | 
| 4740 | .Op Fl outform Ar PEM|NET|DER | 4887 | .Op Fl outform Ar PEM|NET|DER | 
| 4741 | .Op Fl in Ar filename | 4888 | .Op Fl in Ar filename | 
| @@ -4752,6 +4899,8 @@ should be input by the user. | |||
| 4752 | .Op Fl check | 4899 | .Op Fl check | 
| 4753 | .Op Fl pubin | 4900 | .Op Fl pubin | 
| 4754 | .Op Fl pubout | 4901 | .Op Fl pubout | 
| 4902 | .Op Fl engine Ar id | ||
| 4903 | .Ek | ||
| 4755 | .Pp | 4904 | .Pp | 
| 4756 | The | 4905 | The | 
| 4757 | .Nm rsa | 4906 | .Nm rsa | 
| @@ -4850,6 +4999,14 @@ option a public key is read instead. | |||
| 4850 | By default a private key is output: | 4999 | By default a private key is output: | 
| 4851 | with this option a public key will be output instead. | 5000 | with this option a public key will be output instead. | 
| 4852 | This option is automatically set if the input is a public key. | 5001 | This option is automatically set if the input is a public key. | 
| 5002 | .It Fl engine Ar id | ||
| 5003 | Specifying an engine (by it's unique | ||
| 5004 | .Ar id | ||
| 5005 | string) will cause | ||
| 5006 | .Nm req | ||
| 5007 | to attempt to obtain a functional reference to the specified engine, | ||
| 5008 | thus initialising it if needed. | ||
| 5009 | The engine will then be set as the default for all available algorithms. | ||
| 4853 | .El | 5010 | .El | 
| 4854 | .Sh RSA NOTES | 5011 | .Sh RSA NOTES | 
| 4855 | The | 5012 | The | 
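Review bot: the `-engine` entry added after the `-pubout` description refers to `.Nm req`, but the list belongs to the rsa command (it is followed by `.Sh RSA NOTES`). Change the command name, and fix "it's" to "its".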
| @@ -5098,6 +5255,7 @@ which it can be seen agrees with the recovered value above. | |||
| 5098 | .\" | 5255 | .\" | 
| 5099 | .Sh S_CLIENT | 5256 | .Sh S_CLIENT | 
| 5100 | .Nm openssl s_client | 5257 | .Nm openssl s_client | 
| 5258 | .Bk -words | ||
| 5101 | .Op Fl connect Ar host:port> | 5259 | .Op Fl connect Ar host:port> | 
| 5102 | .Op Fl verify Ar depth | 5260 | .Op Fl verify Ar depth | 
| 5103 | .Op Fl cert Ar filename | 5261 | .Op Fl cert Ar filename | 
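Review bot: while the synopsis is being wrapped in `.Bk -words`, the context line `.Op Fl connect Ar host:port>` still carries a stray ">" that will render as part of the argument. Drop it in this commit so the synopsis reads `host:port`.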
| @@ -5123,8 +5281,11 @@ which it can be seen agrees with the recovered value above. | |||
| 5123 | .Op Fl no_tls1 | 5281 | .Op Fl no_tls1 | 
| 5124 | .Op Fl bugs | 5282 | .Op Fl bugs | 
| 5125 | .Op Fl cipher Ar cipherlist | 5283 | .Op Fl cipher Ar cipherlist | 
| 5284 | .Op Fl starttls Ar protocol | ||
| 5285 | .Op Fl starttls Ar protocol | ||
| 5126 | .Op Fl engine Ar id | 5286 | .Op Fl engine Ar id | 
| 5127 | .Op Fl rand Ar file ... | 5287 | .Op Fl rand Ar file ... | 
| 5288 | .Ek | ||
| 5128 | .Pp | 5289 | .Pp | 
| 5129 | The | 5290 | The | 
| 5130 | .Nm s_client | 5291 | .Nm s_client | 
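Review bot: `.Op Fl starttls Ar protocol` is added twice in a row in the synopsis, so the rendered usage line will list the option two times. Remove one of the two lines.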
| @@ -5236,6 +5397,11 @@ the first supported cipher in the list sent by the client. | |||
| 5236 | See the | 5397 | See the | 
| 5237 | .Sx CIPHERS | 5398 | .Sx CIPHERS | 
| 5238 | section above for more information. | 5399 | section above for more information. | 
| 5400 | .It Fl starttls Ar protocol | ||
| 5401 | Send the protocol-specific message(s) to switch to TLS for communication. | ||
| 5402 | .Ar protocol | ||
| 5403 | is a keyword for the intended protocol. | ||
| 5404 | Currently, the only supported keyword is "smtp". | ||
| 5239 | .It Fl engine Ar id | 5405 | .It Fl engine Ar id | 
| 5240 | Specifying an engine (by it's unique | 5406 | Specifying an engine (by it's unique | 
| 5241 | .Ar id | 5407 | .Ar id | 
| @@ -5379,6 +5545,7 @@ We should really report information whenever a session is renegotiated. | |||
| 5379 | .Op Fl WWW | 5545 | .Op Fl WWW | 
| 5380 | .Op Fl HTTP | 5546 | .Op Fl HTTP | 
| 5381 | .Op Fl engine Ar id | 5547 | .Op Fl engine Ar id | 
| 5548 | .Op Fl id_prefix Ar arg | ||
| 5382 | .Op Fl rand Ar file ... | 5549 | .Op Fl rand Ar file ... | 
| 5383 | .Ek | 5550 | .Ek | 
| 5384 | .Pp | 5551 | .Pp | 
| @@ -5535,6 +5702,12 @@ string) will cause | |||
| 5535 | to attempt to obtain a functional reference to the specified engine, | 5702 | to attempt to obtain a functional reference to the specified engine, | 
| 5536 | thus initialising it if needed. | 5703 | thus initialising it if needed. | 
| 5537 | The engine will then be set as the default for all available algorithms. | 5704 | The engine will then be set as the default for all available algorithms. | 
| 5705 | .It Fl id_prefix Ar arg | ||
| 5706 | Generate SSL/TLS session IDs prefixed by | ||
| 5707 | .Ar arg . | ||
| 5708 | This is mostly useful for testing any SSL/TLS code (e.g. proxies) that wish | ||
| 5709 | to deal with multiple servers, when each of which might be generating a | ||
| 5710 | unique range of session IDs (e.g. with a certain prefix). | ||
| 5538 | .It Fl rand Ar file ... | 5711 | .It Fl rand Ar file ... | 
| 5539 | A | 5712 | A | 
| 5540 | .Ar file | 5713 | .Ar file | 
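Review bot: the second sentence of the new `-id_prefix` entry is hard to parse ("code ... that wish to deal with multiple servers, when each of which might be generating"). Suggest something like "This is mostly useful for testing SSL/TLS code (e.g. proxies) that deals with multiple servers, each of which may generate session IDs in its own range (e.g. with a certain prefix)."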
| @@ -6146,8 +6319,8 @@ You can use this program to verify the signature by line wrapping the | |||
| 6146 | base64 encoded structure and surrounding it with: | 6319 | base64 encoded structure and surrounding it with: | 
| 6147 | .Pp | 6320 | .Pp | 
| 6148 | .Bd -literal | 6321 | .Bd -literal | 
| 6149 | \& -----BEGIN PKCS7---- | 6322 | \& -----BEGIN PKCS7----- | 
| 6150 | \& -----END PKCS7---- | 6323 | \& -----END PKCS7----- | 
| 6151 | .Ed | 6324 | .Ed | 
| 6152 | .Pp | 6325 | .Pp | 
| 6153 | and using the command: | 6326 | and using the command: | 
| @@ -6259,6 +6432,7 @@ tests those algorithms, otherwise all of the above are tested. | |||
| 6259 | .Op Fl spksect Ar section | 6432 | .Op Fl spksect Ar section | 
| 6260 | .Op Fl noout | 6433 | .Op Fl noout | 
| 6261 | .Op Fl verify | 6434 | .Op Fl verify | 
| 6435 | .Op Fl engine Ar id | ||
| 6262 | .Pp | 6436 | .Pp | 
| 6263 | The | 6437 | The | 
| 6264 | .Nm spkac | 6438 | .Nm spkac | 
| @@ -6314,6 +6488,14 @@ Output the public key of an SPKAC (not used if an SPKAC is | |||
| 6314 | being created). | 6488 | being created). | 
| 6315 | .It Fl verify | 6489 | .It Fl verify | 
| 6316 | Verifies the digital signature on the supplied SPKAC. | 6490 | Verifies the digital signature on the supplied SPKAC. | 
| 6491 | .It Fl engine Ar id | ||
| 6492 | Specifying an engine (by it's unique | ||
| 6493 | .Ar id | ||
| 6494 | string) will cause | ||
| 6495 | .Nm req | ||
| 6496 | to attempt to obtain a functional reference to the specified engine, | ||
| 6497 | thus initialising it if needed. | ||
| 6498 | The engine will then be set as the default for all available algorithms. | ||
| 6317 | .El | 6499 | .El | 
| 6318 | .Sh SPKAC EXAMPLES | 6500 | .Sh SPKAC EXAMPLES | 
| 6319 | Print out the contents of an SPKAC: | 6501 | Print out the contents of an SPKAC: | 
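Review bot: the `-engine` entry added after `-verify` names `.Nm req` as the command that obtains the engine reference, yet the list is the spkac option list (it ends at `.Sh SPKAC EXAMPLES`). Use spkac here and correct "it's" to "its".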
| @@ -6783,6 +6965,7 @@ option was added in | |||
| 6783 | .Op Fl clrext | 6965 | .Op Fl clrext | 
| 6784 | .Op Fl extfile Ar filename | 6966 | .Op Fl extfile Ar filename | 
| 6785 | .Op Fl extensions Ar section | 6967 | .Op Fl extensions Ar section | 
| 6968 | .Op Fl engine Ar id | ||
| 6786 | .Ek | 6969 | .Ek | 
| 6787 | .Pp | 6970 | .Pp | 
| 6788 | The | 6971 | The | 
| @@ -6835,6 +7018,14 @@ options. | |||
| 6835 | If not specified then MD5 is used. | 7018 | If not specified then MD5 is used. | 
| 6836 | If the key being used to sign with is a DSA key then | 7019 | If the key being used to sign with is a DSA key then | 
| 6837 | this option has no effect: SHA1 is always used with DSA keys. | 7020 | this option has no effect: SHA1 is always used with DSA keys. | 
| 7021 | .It Fl engine Ar id | ||
| 7022 | Specifying an engine (by it's unique | ||
| 7023 | .Ar id | ||
| 7024 | string) will cause | ||
| 7025 | .Nm req | ||
| 7026 | to attempt to obtain a functional reference to the specified engine, | ||
| 7027 | thus initialising it if needed. | ||
| 7028 | The engine will then be set as the default for all available algorithms. | ||
| 6838 | .El | 7029 | .El | 
| 6839 | .Sh X509 DISPLAY OPTIONS | 7030 | .Sh X509 DISPLAY OPTIONS | 
| 6840 | .Sy Note : | 7031 | .Sy Note : | 
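Review bot: the `-engine` paragraph added before `.Sh X509 DISPLAY OPTIONS` still says `.Nm req`, so the x509 documentation will describe req initialising the engine. Name x509 instead, and change "by it's unique" to "by its unique".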
| @@ -6843,7 +7034,7 @@ The | |||
| 6843 | and | 7034 | and | 
| 6844 | .Fl purpose | 7035 | .Fl purpose | 
| 6845 | options are also display options but are described in the | 7036 | options are also display options but are described in the | 
| 6846 | .Sx X509 TRUST OPTIONS | 7037 | .Sx X509 TRUST SETTINGS | 
| 6847 | section. | 7038 | section. | 
| 6848 | .Bl -tag -width "XXXX" | 7039 | .Bl -tag -width "XXXX" | 
| 6849 | .It Fl text | 7040 | .It Fl text | 
| @@ -7102,7 +7293,7 @@ For example if the CA certificate file is called | |||
| 7102 | .Pa mycacert.pem , | 7293 | .Pa mycacert.pem , | 
| 7103 | it expects to find a serial number file called | 7294 | it expects to find a serial number file called | 
| 7104 | .Pa mycacert.srl . | 7295 | .Pa mycacert.srl . | 
| 7105 | .It Fl CAcreateserial Ar filename | 7296 | .It Fl CAcreateserial | 
| 7106 | With this option the CA serial number file is created if it does not exist: | 7297 | With this option the CA serial number file is created if it does not exist: | 
| 7107 | it will contain the serial number "02" and the certificate being signed will | 7298 | it will contain the serial number "02" and the certificate being signed will | 
| 7108 | have 1 as its serial number. | 7299 | have 1 as its serial number. | 
| @@ -7381,11 +7572,11 @@ certificate extensions: | |||
| 7381 | .Ed | 7572 | .Ed | 
| 7382 | .Pp | 7573 | .Pp | 
| 7383 | Set a certificate to be trusted for SSL | 7574 | Set a certificate to be trusted for SSL | 
| 7384 | client use and change set its alias to "Steve's Class 1 CA": | 7575 | client use and set its alias to "Steve's Class 1 CA": | 
| 7385 | .Pp | 7576 | .Pp | 
| 7386 | .Bd -literal | 7577 | .Bd -literal | 
| 7387 | \& $ openssl x509 -in cert.pem -addtrust sslclient \e | 7578 | \& $ openssl x509 -in cert.pem -addtrust clientAuth \e | 
| 7388 | \& -alias "Steve's Class 1 CA" -out trust.pem | 7579 | \& -setalias "Steve's Class 1 CA" -out trust.pem | 
| 7389 | .Ed | 7580 | .Ed | 
| 7390 | .Sh X509 NOTES | 7581 | .Sh X509 NOTES | 
| 7391 | The | 7582 | The | 
| @@ -7393,22 +7584,22 @@ The | |||
| 7393 | format uses the header and footer lines: | 7584 | format uses the header and footer lines: | 
| 7394 | .Pp | 7585 | .Pp | 
| 7395 | .Bd -literal | 7586 | .Bd -literal | 
| 7396 | \& -----BEGIN CERTIFICATE---- | 7587 | \& -----BEGIN CERTIFICATE----- | 
| 7397 | \& -----END CERTIFICATE---- | 7588 | \& -----END CERTIFICATE----- | 
| 7398 | .Ed | 7589 | .Ed | 
| 7399 | .Pp | 7590 | .Pp | 
| 7400 | It will also handle files containing: | 7591 | It will also handle files containing: | 
| 7401 | .Pp | 7592 | .Pp | 
| 7402 | .Bd -literal | 7593 | .Bd -literal | 
| 7403 | \& -----BEGIN X509 CERTIFICATE---- | 7594 | \& -----BEGIN X509 CERTIFICATE----- | 
| 7404 | \& -----END X509 CERTIFICATE---- | 7595 | \& -----END X509 CERTIFICATE----- | 
| 7405 | .Ed | 7596 | .Ed | 
| 7406 | .Pp | 7597 | .Pp | 
| 7407 | Trusted certificates have the lines: | 7598 | Trusted certificates have the lines: | 
| 7408 | .Pp | 7599 | .Pp | 
| 7409 | .Bd -literal | 7600 | .Bd -literal | 
| 7410 | \& -----BEGIN TRUSTED CERTIFICATE---- | 7601 | \& -----BEGIN TRUSTED CERTIFICATE----- | 
| 7411 | \& -----END TRUSTED CERTIFICATE---- | 7602 | \& -----END TRUSTED CERTIFICATE----- | 
| 7412 | .Ed | 7603 | .Ed | 
| 7413 | .Pp | 7604 | .Pp | 
| 7414 | The conversion to UTF8 format used with the name options assumes that | 7605 | The conversion to UTF8 format used with the name options assumes that | 
