1 files changed, 82 insertions, 23 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 4af738e12a..c46c18e166 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.90 2018/03/30 20:38:23 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.91 2018/03/30 23:03:31 schwarze Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -300,6 +300,7 @@ into a nested structure.
 .Op Fl batch
 .Op Fl cert Ar file
 .Op Fl config Ar file
+.Op Fl create_serial
 .Op Fl crl_CA_compromise Ar time
 .Op Fl crl_compromise Ar time
 .Op Fl crl_hold Ar instruction
@@ -314,11 +315,12 @@ into a nested structure.
 .Op Fl gencrl
 .Op Fl in Ar file
 .Op Fl infiles
-.Op Fl key Ar keyfile
+.Op Fl key Ar password
 .Op Fl keyfile Ar arg
-.Op Fl keyform Ar pem
+.Op Fl keyform Cm pem | der
 .Op Fl md Ar arg
 .Op Fl msie_hack
+.Op Fl multivalue\-rdn
 .Op Fl name Ar section
 .Op Fl noemailDN
 .Op Fl notext
@@ -328,12 +330,14 @@ into a nested structure.
 .Op Fl policy Ar arg
 .Op Fl preserveDN
 .Op Fl revoke Ar file
+.Op Fl selfsign
 .Op Fl spkac Ar file
 .Op Fl ss_cert Ar file
 .Op Fl startdate Ar date
 .Op Fl status Ar serial
 .Op Fl subj Ar arg
 .Op Fl updatedb
+.Op Fl utf8
 .Op Fl verbose
 .nr nS 0
 .Pp
@@ -354,6 +358,10 @@ and all certificates will be certified automatically.
 The CA certificate file.
 .It Fl config Ar file
 Specify an alternative configuration file.
+.It Fl create_serial
+If reading the serial from the text file as specified in the
+configuration fails, create a new random serial to be used as the
+next serial number.
 .It Fl days Ar arg
 The number of days to certify the certificate for.
 .It Fl enddate Ar date
@@ -371,6 +379,9 @@ If no extension section is present, a V1 certificate is created.
 If the extension section is present
 .Pq even if it is empty ,
 then a V3 certificate is created.
+See the
+.Xr x509v3.cnf 5
+manual page for details of the extension section format.
 .It Fl extfile Ar file
 An additional configuration
 .Ar file
@@ -385,14 +396,18 @@ containing a single certificate request to be signed by the CA.
 .It Fl infiles
 If present, this should be the last option; all subsequent arguments
 are assumed to be the names of files containing certificate requests.
-.It Fl key Ar keyfile
+.It Fl key Ar password
-The password used to encrypt the private key.
+The
+.Fa password
+used to encrypt the private key.
 Since on some systems the command line arguments are visible,
 this option should be used with caution.
 .It Fl keyfile Ar file
 The private key to sign requests with.
-.It Fl keyform Ar pem
+.It Fl keyform Cm pem | der
 Private key file format.
+The default is
+.Cm pem .
 .It Fl md Ar alg
 The message digest to use.
 Possible values include
@@ -411,6 +426,16 @@ its use is strongly discouraged.
 The newer control
 .Qq Xenroll
 does not need this option.
+.It Fl multivalue\-rdn
+This option causes the
+.Fl subj
+argument to be interpreted with full support for multivalued RDNs,
+for example
+.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" .
+If
+.Fl multivalue\-rdn
+is not used, the UID value is set to
+.Qq "123456+CN=John Doe" .
 .It Fl name Ar section
 Specifies the configuration file
 .Ar section
@@ -435,7 +460,10 @@ Don't output the text form of a certificate to the output file.
 .It Fl out Ar file
 The output file to output certificates to.
 The default is standard output.
-The certificate details will also be printed out to this file.
+The certificate details will also be printed out to this file in
+PEM format, except that
+.Fl spkac
+outputs DER format.
 .It Fl outdir Ar directory
 The
 .Ar directory
@@ -472,6 +500,27 @@ This is largely for compatibility with the older IE enrollment control
 which would only accept certificates if their DNs matched the order of the
 request.
 This is not needed for Xenroll.
+.It Fl selfsign
+Indicates the issued certificates are to be signed with the key the
+certificate requests were signed with, given with
+.Fl keyfile .
+Certificate requests signed with a different key are ignored.
+If
+.Fl gencrl ,
+.Fl spkac ,
+or
+.Fl ss_cert
+are given,
+.Fl selfsign
+is ignored.
+.Pp
+A consequence of using
+.Fl selfsign
+is that the self-signed certificate appears among the entries in
+the certificate database (see the configuration option
+.Cm database )
+and uses the same serial number counter as all other certificates
+signed with the self-signed certificate.
 .It Fl spkac Ar file
 A file containing a single Netscape signed public key and challenge,
 and additional field values to be signed by the CA.
@@ -492,11 +541,23 @@ A single self-signed certificate to be signed by the CA.
 Set the start date.
 The format of the date is [YY]YYMMDDHHMMSSZ,
 with all four year digits required for dates from 2050 onwards.
-.It Fl status Ar serial
+.It Fl subj Ar arg
-Show the status of the certificate with serial number
+Supersedes the subject name given in the request.
-.Ar serial .
+The
-.It Fl updatedb
+.Ar arg
-Update database for expired certificates.
+must be formatted as
+.Sm off
+.Pf / Ar type0 Ns = Ar value0 Ns / Ar type 1 Ns = Ar value 1 Ns /
+.Ar type2 Ns = Ar ... ;
+.Sm on
+characters may be escaped by
+.Sq \e
+.Pq backslash ,
+no spaces are skipped.
+.It Fl utf8
+Interpret field values read from a terminal or obtained from a
+configuration file as UTF-8 strings.
+By default, they are interpreted as ASCII.
 .It Fl verbose
 Print extra details about the operations being performed.
 .El
@@ -547,6 +608,9 @@ if the CRL extension section is present
 then a V2 CRL is created.
 The CRL extensions specified are CRL extensions and not CRL entry extensions.
 It should be noted that some software can't handle V2 CRLs.
+See the
+.Xr x509v3.cnf 5
+manual page for details of the extension section format.
 .It Fl crlhours Ar num
 The number of hours before the next CRL is due.
 .It Fl gencrl
@@ -555,16 +619,11 @@ Generate a CRL based on information in the index file.
 A
 .Ar file
 containing a certificate to revoke.
-.It Fl subj Ar arg
+.It Fl status Ar serial
-Supersedes the subject name given in the request.
+Show the status of the certificate with serial number
-The
+.Ar serial .
-.Ar arg
+.It Fl updatedb
-must be formatted as
+Update the database index to purge expired certificates.
-.Ar /type0=value0/type1=value1/type2=... ;
-characters may be escaped by
-.Sq \e
-.Pq backslash ,
-no spaces are skipped.
 .El
 .Pp
 Many of the options can be set in the
@@ -623,7 +682,7 @@ extension with CA:TRUE and the
 value is set to
 .Cm copyall
 and the user does not spot
-this when the certificate is displayed, then this will hand the requestor
+this when the certificate is displayed, then this will hand the requester
 a valid CA certificate.
 .Pp
 This situation can be avoided by setting

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 4af738e12a..c46c18e166 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.90 2018/03/30 20:38:23 schwarze Exp $	1	.\" $OpenBSD: openssl.1,v 1.91 2018/03/30 23:03:31 schwarze Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -300,6 +300,7 @@ into a nested structure.
300	.Op Fl batch	300	.Op Fl batch
301	.Op Fl cert Ar file	301	.Op Fl cert Ar file
302	.Op Fl config Ar file	302	.Op Fl config Ar file
		303	.Op Fl create_serial
303	.Op Fl crl_CA_compromise Ar time	304	.Op Fl crl_CA_compromise Ar time
304	.Op Fl crl_compromise Ar time	305	.Op Fl crl_compromise Ar time
305	.Op Fl crl_hold Ar instruction	306	.Op Fl crl_hold Ar instruction
@@ -314,11 +315,12 @@ into a nested structure.
314	.Op Fl gencrl	315	.Op Fl gencrl
315	.Op Fl in Ar file	316	.Op Fl in Ar file
316	.Op Fl infiles	317	.Op Fl infiles
317	.Op Fl key Ar keyfile	318	.Op Fl key Ar password
318	.Op Fl keyfile Ar arg	319	.Op Fl keyfile Ar arg
319	.Op Fl keyform Ar pem	320	.Op Fl keyform Cm pem \| der
320	.Op Fl md Ar arg	321	.Op Fl md Ar arg
321	.Op Fl msie_hack	322	.Op Fl msie_hack
		323	.Op Fl multivalue\-rdn
322	.Op Fl name Ar section	324	.Op Fl name Ar section
323	.Op Fl noemailDN	325	.Op Fl noemailDN
324	.Op Fl notext	326	.Op Fl notext
@@ -328,12 +330,14 @@ into a nested structure.
328	.Op Fl policy Ar arg	330	.Op Fl policy Ar arg
329	.Op Fl preserveDN	331	.Op Fl preserveDN
330	.Op Fl revoke Ar file	332	.Op Fl revoke Ar file
		333	.Op Fl selfsign
331	.Op Fl spkac Ar file	334	.Op Fl spkac Ar file
332	.Op Fl ss_cert Ar file	335	.Op Fl ss_cert Ar file
333	.Op Fl startdate Ar date	336	.Op Fl startdate Ar date
334	.Op Fl status Ar serial	337	.Op Fl status Ar serial
335	.Op Fl subj Ar arg	338	.Op Fl subj Ar arg
336	.Op Fl updatedb	339	.Op Fl updatedb
		340	.Op Fl utf8
337	.Op Fl verbose	341	.Op Fl verbose
338	.nr nS 0	342	.nr nS 0
339	.Pp	343	.Pp
@@ -354,6 +358,10 @@ and all certificates will be certified automatically.
354	The CA certificate file.	358	The CA certificate file.
355	.It Fl config Ar file	359	.It Fl config Ar file
356	Specify an alternative configuration file.	360	Specify an alternative configuration file.
		361	.It Fl create_serial
		362	If reading the serial from the text file as specified in the
		363	configuration fails, create a new random serial to be used as the
		364	next serial number.
357	.It Fl days Ar arg	365	.It Fl days Ar arg
358	The number of days to certify the certificate for.	366	The number of days to certify the certificate for.
359	.It Fl enddate Ar date	367	.It Fl enddate Ar date
@@ -371,6 +379,9 @@ If no extension section is present, a V1 certificate is created.
371	If the extension section is present	379	If the extension section is present
372	.Pq even if it is empty ,	380	.Pq even if it is empty ,
373	then a V3 certificate is created.	381	then a V3 certificate is created.
		382	See the
		383	.Xr x509v3.cnf 5
		384	manual page for details of the extension section format.
374	.It Fl extfile Ar file	385	.It Fl extfile Ar file
375	An additional configuration	386	An additional configuration
376	.Ar file	387	.Ar file
@@ -385,14 +396,18 @@ containing a single certificate request to be signed by the CA.
385	.It Fl infiles	396	.It Fl infiles
386	If present, this should be the last option; all subsequent arguments	397	If present, this should be the last option; all subsequent arguments
387	are assumed to be the names of files containing certificate requests.	398	are assumed to be the names of files containing certificate requests.
388	.It Fl key Ar keyfile	399	.It Fl key Ar password
389	The password used to encrypt the private key.	400	The
		401	.Fa password
		402	used to encrypt the private key.
390	Since on some systems the command line arguments are visible,	403	Since on some systems the command line arguments are visible,
391	this option should be used with caution.	404	this option should be used with caution.
392	.It Fl keyfile Ar file	405	.It Fl keyfile Ar file
393	The private key to sign requests with.	406	The private key to sign requests with.
394	.It Fl keyform Ar pem	407	.It Fl keyform Cm pem \| der
395	Private key file format.	408	Private key file format.
		409	The default is
		410	.Cm pem .
396	.It Fl md Ar alg	411	.It Fl md Ar alg
397	The message digest to use.	412	The message digest to use.
398	Possible values include	413	Possible values include
@@ -411,6 +426,16 @@ its use is strongly discouraged.
411	The newer control	426	The newer control
412	.Qq Xenroll	427	.Qq Xenroll
413	does not need this option.	428	does not need this option.
		429	.It Fl multivalue\-rdn
		430	This option causes the
		431	.Fl subj
		432	argument to be interpreted with full support for multivalued RDNs,
		433	for example
		434	.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" .
		435	If
		436	.Fl multivalue\-rdn
		437	is not used, the UID value is set to
		438	.Qq "123456+CN=John Doe" .
414	.It Fl name Ar section	439	.It Fl name Ar section
415	Specifies the configuration file	440	Specifies the configuration file
416	.Ar section	441	.Ar section
@@ -435,7 +460,10 @@ Don't output the text form of a certificate to the output file.
435	.It Fl out Ar file	460	.It Fl out Ar file
436	The output file to output certificates to.	461	The output file to output certificates to.
437	The default is standard output.	462	The default is standard output.
438	The certificate details will also be printed out to this file.	463	The certificate details will also be printed out to this file in
		464	PEM format, except that
		465	.Fl spkac
		466	outputs DER format.
439	.It Fl outdir Ar directory	467	.It Fl outdir Ar directory
440	The	468	The
441	.Ar directory	469	.Ar directory
@@ -472,6 +500,27 @@ This is largely for compatibility with the older IE enrollment control
472	which would only accept certificates if their DNs matched the order of the	500	which would only accept certificates if their DNs matched the order of the
473	request.	501	request.
474	This is not needed for Xenroll.	502	This is not needed for Xenroll.
		503	.It Fl selfsign
		504	Indicates the issued certificates are to be signed with the key the
		505	certificate requests were signed with, given with
		506	.Fl keyfile .
		507	Certificate requests signed with a different key are ignored.
		508	If
		509	.Fl gencrl ,
		510	.Fl spkac ,
		511	or
		512	.Fl ss_cert
		513	are given,
		514	.Fl selfsign
		515	is ignored.
		516	.Pp
		517	A consequence of using
		518	.Fl selfsign
		519	is that the self-signed certificate appears among the entries in
		520	the certificate database (see the configuration option
		521	.Cm database )
		522	and uses the same serial number counter as all other certificates
		523	signed with the self-signed certificate.
475	.It Fl spkac Ar file	524	.It Fl spkac Ar file
476	A file containing a single Netscape signed public key and challenge,	525	A file containing a single Netscape signed public key and challenge,
477	and additional field values to be signed by the CA.	526	and additional field values to be signed by the CA.
@@ -492,11 +541,23 @@ A single self-signed certificate to be signed by the CA.
492	Set the start date.	541	Set the start date.
493	The format of the date is [YY]YYMMDDHHMMSSZ,	542	The format of the date is [YY]YYMMDDHHMMSSZ,
494	with all four year digits required for dates from 2050 onwards.	543	with all four year digits required for dates from 2050 onwards.
495	.It Fl status Ar serial	544	.It Fl subj Ar arg
496	Show the status of the certificate with serial number	545	Supersedes the subject name given in the request.
497	.Ar serial .	546	The
498	.It Fl updatedb	547	.Ar arg
499	Update database for expired certificates.	548	must be formatted as
		549	.Sm off
		550	.Pf / Ar type0 Ns = Ar value0 Ns / Ar type 1 Ns = Ar value 1 Ns /
		551	.Ar type2 Ns = Ar ... ;
		552	.Sm on
		553	characters may be escaped by
		554	.Sq \e
		555	.Pq backslash ,
		556	no spaces are skipped.
		557	.It Fl utf8
		558	Interpret field values read from a terminal or obtained from a
		559	configuration file as UTF-8 strings.
		560	By default, they are interpreted as ASCII.
500	.It Fl verbose	561	.It Fl verbose
501	Print extra details about the operations being performed.	562	Print extra details about the operations being performed.
502	.El	563	.El
@@ -547,6 +608,9 @@ if the CRL extension section is present
547	then a V2 CRL is created.	608	then a V2 CRL is created.
548	The CRL extensions specified are CRL extensions and not CRL entry extensions.	609	The CRL extensions specified are CRL extensions and not CRL entry extensions.
549	It should be noted that some software can't handle V2 CRLs.	610	It should be noted that some software can't handle V2 CRLs.
		611	See the
		612	.Xr x509v3.cnf 5
		613	manual page for details of the extension section format.
550	.It Fl crlhours Ar num	614	.It Fl crlhours Ar num
551	The number of hours before the next CRL is due.	615	The number of hours before the next CRL is due.
552	.It Fl gencrl	616	.It Fl gencrl
@@ -555,16 +619,11 @@ Generate a CRL based on information in the index file.
555	A	619	A
556	.Ar file	620	.Ar file
557	containing a certificate to revoke.	621	containing a certificate to revoke.
558	.It Fl subj Ar arg	622	.It Fl status Ar serial
559	Supersedes the subject name given in the request.	623	Show the status of the certificate with serial number
560	The	624	.Ar serial .
561	.Ar arg	625	.It Fl updatedb
562	must be formatted as	626	Update the database index to purge expired certificates.
563	.Ar /type0=value0/type1=value1/type2=... ;
564	characters may be escaped by
565	.Sq \e
566	.Pq backslash ,
567	no spaces are skipped.
568	.El	627	.El
569	.Pp	628	.Pp
570	Many of the options can be set in the	629	Many of the options can be set in the
@@ -623,7 +682,7 @@ extension with CA:TRUE and the
623	value is set to	682	value is set to
624	.Cm copyall	683	.Cm copyall
625	and the user does not spot	684	and the user does not spot
626	this when the certificate is displayed, then this will hand the requestor	685	this when the certificate is displayed, then this will hand the requester
627	a valid CA certificate.	686	a valid CA certificate.
628	.Pp	687	.Pp
629	This situation can be avoided by setting	688	This situation can be avoided by setting