From 532c18f1f3c2b718b6845205aa5dc0ea3c873efc Mon Sep 17 00:00:00 2001 From: jmc <> Date: Wed, 16 Jul 2003 09:05:58 +0000 Subject: kill a rake of .br's and .Pp's that worked around the spacing bug. should help postscript output too. --- src/usr.sbin/openssl/openssl.1 | 101 +---------------------------------------- 1 file changed, 1 insertion(+), 100 deletions(-) (limited to 'src') diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index b115397bad..0be74bd25e 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.9 2003/06/12 12:59:51 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.10 2003/07/16 09:05:58 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -459,7 +459,6 @@ This option can be used multiple times to "drill down" into a nested structure. .El .Sh ASN1PARSE OUTPUT The output will typically contain lines like this: -.Pp .Bd -literal 0:d=0 hl=4 l= 681 cons: SEQUENCE @@ -500,7 +499,6 @@ The contents octets of this will contain the public key information. This can be examined using the option .Fl strparse Cm 229 to yield: -.Pp .Bd -literal \& 0:d=0 hl=3 l= 137 cons: SEQUENCE \& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 @@ -816,7 +814,6 @@ Where the option is present in the configuration file and the command line, the command line value is used. Where an option is described as mandatory, then it must be present in the configuration file or the command line equivalent (if any) used. -.Pp .Bl -tag -width "XXXX" .It Ar oid_file This specifies a file containing additional OBJECT IDENTIFIERS. 
@@ -1043,7 +1040,6 @@ Certify a Netscape SPKAC: \& $ openssl ca -spkac spkac.txt .Pp A sample SPKAC file (the SPKAC line has been truncated for clarity): -.Pp .Bd -literal \& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 \& CN=Steve Test @@ -1054,7 +1050,6 @@ A sample SPKAC file (the SPKAC line has been truncated for clarity): .Pp A sample configuration file with the relevant sections for .Nm ca : -.Pp .Bd -literal \& [ ca ] \& default_ca = CA_default # The default ca section @@ -1094,7 +1089,6 @@ A sample configuration file with the relevant sections for the location of all files can change either by compile time options, configuration file entries, environment variables or command line options. The values below reflect the default values. -.Pp .Bd -literal /usr/local/ssl/lib/openssl.cnf - master configuration file \&./demoCA - main CA directory @@ -1307,7 +1301,6 @@ If .Cm - is used, then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options. -.br .Pp If .Cm + @@ -1432,7 +1425,6 @@ authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. .Pp .Sy "SSL v3.0 cipher suites" -.Pp .Bd -literal SSL_RSA_WITH_NULL_MD5 NULL-MD5 SSL_RSA_WITH_NULL_SHA NULL-SHA @@ -1445,7 +1437,6 @@ In these cases, RSA authentication is used. SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA .Ed -.Pp .Bd -literal SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. @@ -1460,7 +1451,6 @@ In these cases, RSA authentication is used. SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA .Ed -.Pp .Bd -literal SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 
@@ -1468,7 +1458,6 @@ In these cases, RSA authentication is used. SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA .Ed -.Pp .Bd -literal SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. @@ -1476,7 +1465,6 @@ In these cases, RSA authentication is used. .Ed .Pp .Sy "TLS v1.0 cipher suites" -.Pp .Bd -literal TLS_RSA_WITH_NULL_MD5 NULL-MD5 TLS_RSA_WITH_NULL_SHA NULL-SHA @@ -1489,7 +1477,6 @@ In these cases, RSA authentication is used. TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA .Ed -.Pp .Bd -literal TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. @@ -1504,7 +1491,6 @@ In these cases, RSA authentication is used. TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA .Ed -.Pp .Bd -literal TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 @@ -1536,7 +1522,6 @@ In these cases, RSA authentication is used. .Pp .Sy Note : These ciphers can also be used in SSL v3. -.Pp .Bd -literal TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA @@ -1546,7 +1531,6 @@ These ciphers can also be used in SSL v3. .Ed .Pp .Sy "SSL v2.0 cipher suites" -.Pp .Bd -literal SSL_CK_RC4_128_WITH_MD5 RC4-MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 @@ -1670,7 +1654,6 @@ should be linked to each certificate. .El .Sh CRL NOTES The PEM CRL format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN X509 CRL----- \& -----END X509 CRL----- @@ -1756,7 +1739,6 @@ Creates a PKCS#7 structure in .Ar DER format with no CRL from several different certificates: -.Pp .Bd -literal \& $ openssl crl2pkcs7 -nocrl -certfile newcert.pem \& -certfile demoCA/cacert.pem -outform DER -out p7.der 
@@ -2010,7 +1992,6 @@ versions of .Sh DHPARAM NOTES .Ar PEM format DH parameters use the header and footer lines: -.Pp .Bd -literal \& -----BEGIN DH PARAMETERS----- \& -----END DH PARAMETERS----- @@ -2162,7 +2143,6 @@ The engine will then be set as the default for all available algorithms. The .Ar PEM private key format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN DSA PRIVATE KEY----- \& -----END DSA PRIVATE KEY----- @@ -2171,7 +2151,6 @@ private key format uses the header and footer lines: The .Ar PEM public key format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN PUBLIC KEY----- \& -----END PUBLIC KEY----- @@ -2296,7 +2275,6 @@ The engine will then be set as the default for all available algorithms. .Sh DSAPARAM NOTES .Ar PEM format DSA parameters use the header and footer lines: -.Pp .Bd -literal \& -----BEGIN DSA PARAMETERS----- \& -----END DSA PARAMETERS----- @@ -2525,7 +2503,6 @@ Blowfish and RC5 algorithms use a 128 bit key. .Bd -literal \& base64 Base 64 .Ed -.Pp .Bd -literal \& bf-cbc Blowfish in CBC mode \& bf Alias for bf-cbc @@ -2533,7 +2510,6 @@ Blowfish and RC5 algorithms use a 128 bit key. \& bf-ecb Blowfish in ECB mode \& bf-ofb Blowfish in OFB mode .Ed -.Pp .Bd -literal \& cast-cbc CAST in CBC mode \& cast Alias for cast-cbc @@ -2542,7 +2518,6 @@ Blowfish and RC5 algorithms use a 128 bit key. \& cast5-ecb CAST5 in ECB mode \& cast5-ofb CAST5 in OFB mode .Ed -.Pp .Bd -literal \& des-cbc DES in CBC mode \& des Alias for des-cbc @@ -2550,14 +2525,12 @@ Blowfish and RC5 algorithms use a 128 bit key. \& des-ofb DES in OFB mode \& des-ecb DES in ECB mode .Ed -.Pp .Bd -literal \& des-ede-cbc Two key triple DES EDE in CBC mode \& des-ede Alias for des-ede \& des-ede-cfb Two key triple DES EDE in CFB mode \& des-ede-ofb Two key triple DES EDE in OFB mode .Ed -.Pp .Bd -literal \& des-ede3-cbc Three key triple DES EDE in CBC mode \& des-ede3 Alias for des-ede3-cbc 
@@ -2565,11 +2538,9 @@ Blowfish and RC5 algorithms use a 128 bit key. \& des-ede3-cfb Three key triple DES EDE CFB mode \& des-ede3-ofb Three key triple DES EDE in OFB mode .Ed -.Pp .Bd -literal \& desx DESX algorithm. .Ed -.Pp .Bd -literal \& idea-cbc IDEA algorithm in CBC mode \& idea same as idea-cbc @@ -2577,7 +2548,6 @@ Blowfish and RC5 algorithms use a 128 bit key. \& idea-ecb IDEA in ECB mode \& idea-ofb IDEA in OFB mode .Ed -.Pp .Bd -literal \& rc2-cbc 128 bit RC2 in CBC mode \& rc2 Alias for rc2-cbc @@ -2587,13 +2557,11 @@ Blowfish and RC5 algorithms use a 128 bit key. \& rc2-64-cbc 64 bit RC2 in CBC mode \& rc2-40-cbc 40 bit RC2 in CBC mode .Ed -.Pp .Bd -literal \& rc4 128 bit RC4 \& rc4-64 64 bit RC4 \& rc4-40 40 bit RC4 .Ed -.Pp .Bd -literal \& rc5-cbc RC5 cipher in CBC mode \& rc5 Alias for rc5-cbc @@ -2854,7 +2822,6 @@ Output the certificates in a Netscape certificate sequence: .Ed .Pp Create a Netscape certificate sequence: -.Pp .Bd -literal \& $ openssl nseq -in certs.pem -toseq -out nseq.pem .Ed @@ -2862,7 +2829,6 @@ Create a Netscape certificate sequence: The .Em PEM encoded form uses the same headers and footers as a certificate: -.Pp .Bd -literal \& -----BEGIN CERTIFICATE----- \& -----END CERTIFICATE----- @@ -2931,7 +2897,6 @@ input and output files and allowing multiple certificate files to be used. .Op Fl resp_key_id .Op Fl nrequest Ar n .Ek -.br .Pp The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560). @@ -3242,7 +3207,6 @@ If the OCSP responder is a which can give details about multiple CAs and has its own separate certificate chain, then its root CA can be trusted for OCSP signing. For example: -.Pp .Bd -literal \& $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem .Ed 
@@ -3279,7 +3243,6 @@ and options. .Sh OCSP EXAMPLES Create an OCSP request and write it to a file: -.Pp .Bd -literal \& $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout \e req.der @@ -3288,14 +3251,12 @@ Create an OCSP request and write it to a file: Send a query to an OCSP responder with URL .Pa http://ocsp.myhost.com/ , save the response to a file and print it out in text form: -.Pp .Bd -literal \& $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e \& -url http://ocsp.myhost.com/ -resp_text -respout resp.der .Ed .Pp Read in an OCSP response and print out text form: -.Pp .Bd -literal \& $ openssl ocsp -respin resp.der -text .Ed @@ -3304,21 +3265,18 @@ OCSP server on port 8888 using a standard .Nm ca configuration, and a separate responder certificate. All requests and responses are printed to a file: -.Pp .Bd -literal \& $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \e -CA demoCA/cacert.pem -text -out log.txt .Ed .Pp As above, but exit after processing one request: -.Pp .Bd -literal \& $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \e -CA demoCA/cacert.pem -nrequest 1 .Ed .Pp Query status information using internally generated request: -.Pp .Bd -literal \& $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 @@ -3326,7 +3284,6 @@ Query status information using internally generated request: .Pp Query status information using request read from a file, write response to a second file: -.Pp .Bd -literal \& $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e demoCA/cacert.pem -reqin req.der -respout resp.der @@ -3425,7 +3382,6 @@ prints .Op Fl noout .Op Fl engine Ar id .Ek -.br .Pp The .Nm pkcs7 
@@ -3491,14 +3447,12 @@ Output all certificates in a file: The .Em PEM PKCS#7 format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN PKCS7----- \& -----END PKCS7----- .Ed .Pp For compatibility with some CAs it will also accept: -.Pp .Bd -literal \& -----BEGIN CERTIFICATE----- \& -----END CERTIFICATE----- @@ -3665,14 +3619,12 @@ The encrypted form of a .Em PEM encoded PKCS#8 file uses the following headers and footers: -.Pp .Bd -literal \& -----BEGIN ENCRYPTED PRIVATE KEY----- \& -----END ENCRYPTED PRIVATE KEY----- .Ed .Pp The unencrypted form uses: -.Pp .Bd -literal \& -----BEGIN PRIVATE KEY----- \& -----END PRIVATE KEY----- @@ -3703,7 +3655,6 @@ Various algorithms can be used with the .Fl v1 command line option, including PKCS#5 v1.5 and PKCS#12. These are described in more detail below. -.Pp .Bl -tag -width "XXXX" .It Ar PBE-MD2-DES PBE-MD5-DES These algorithms were included in the original PKCS#5 v1.5 specification. @@ -4044,21 +3995,18 @@ Output only client certificates to a file: Don't encrypt the private key: .Pp \& $ openssl pkcs12 -in file.p12 -out file.pem -nodes -.br .Pp Print some info about a PKCS#12 file: .Pp \& $ openssl pkcs12 -in file.p12 -info -noout .Pp Create a PKCS#12 file: -.Pp .Bd -literal \& $ openssl pkcs12 -export -in file.pem -out file.p12 \e -name "My Certificate" .Ed .Pp Include some extra certificates: -.Pp .Bd -literal \& $ openssl pkcs12 -export -in file.pem -out file.p12 \e -name "My Certificate" -certfile othercerts.pem @@ -4095,7 +4043,6 @@ and recreating the PKCS#12 file from the keys and certificates using a newer version of .Nm OpenSSL . For example: -.Pp .Bd -literal \& $ old-openssl -in bad.p12 -out keycerts.pem \& $ openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 @@ -4586,7 +4533,6 @@ If the option is set to .Em no then these sections just consist of field names and values: for example, -.Pp .Bd -literal \& CN=My Name \& OU=My Organization 
@@ -4606,7 +4552,6 @@ option is absent or not set to .Em no , then the file contains field prompting information. It consists of lines of the form: -.Pp .Bd -literal \& fieldName="prompt" \& fieldName_default="default field value" @@ -4673,7 +4618,6 @@ Examine and verify certificate request: \& $ openssl req -in req.pem -text -verify -noout .Pp Create a private key and then generate a certificate request from it: -.Pp .Bd -literal \& $ openssl genrsa -out key.pem 1024 \& $ openssl req -new -key key.pem -out req.pem @@ -4686,12 +4630,10 @@ The same but just using req: Generate a self-signed root certificate: .Pp \& $ openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem -.br .Pp Example of a file pointed to by the .Ar oid_file option: -.Pp .Bd -literal \& 1.2.3.4 shortName A longer Name \& 1.2.3.6 otherName Other longer Name @@ -4700,14 +4642,12 @@ option: Example of a section pointed to by .Ar oid_section making use of variable expansion: -.Pp .Bd -literal \& testoid1=1.2.3.5 \& testoid2=${testoid1}.6 .Ed .Pp Sample configuration file prompting for field values: -.Pp .Bd -literal \& [ req ] \& default_bits = 1024 @@ -4747,7 +4687,6 @@ Sample configuration file prompting for field values: .Ed .Pp Sample configuration containing all field values: -.Pp .Bd -literal \& RANDFILE = $ENV::HOME/.rnd .Pp @@ -4775,14 +4714,12 @@ Sample configuration containing all field values: The header and footer lines in the .Ar PEM format are normally: -.Pp .Bd -literal \& -----BEGIN CERTIFICATE REQUEST----- \& -----END CERTIFICATE REQUEST----- .Ed .Pp Some software (some versions of Netscape certificate server) instead needs: -.Pp .Bd -literal \& -----BEGIN NEW CERTIFICATE REQUEST----- \& -----END NEW CERTIFICATE REQUEST----- 
@@ -4803,14 +4740,12 @@ by the script in an extension. .Sh REQ DIAGNOSTICS The following messages are frequently asked about: -.Pp .Bd -literal \& Using configuration from /some/path/openssl.cnf \& Unable to load config info .Ed .Pp This is followed some time later by... -.Pp .Bd -literal \& unable to find 'distinguished_name' in config \& problems making Certificate Request @@ -4824,7 +4759,6 @@ Generation of certificates or requests, however, do need a configuration file. This could be regarded as a bug. .Pp Another puzzling message is this: -.Pp .Bd -literal \& Attributes: \& a0:00 @@ -5012,7 +4946,6 @@ The engine will then be set as the default for all available algorithms. The .Em PEM private key format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN RSA PRIVATE KEY----- \& -----END RSA PRIVATE KEY----- @@ -5021,7 +4954,6 @@ private key format uses the header and footer lines: The .Em PEM public key format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN PUBLIC KEY----- \& -----END PUBLIC KEY----- @@ -5064,7 +4996,6 @@ to format: .Pp \& $ openssl rsa -in key.pem -outform DER -out keyout.der -.br .Pp To print out the components of a private key to standard output: .Pp @@ -5164,7 +5095,6 @@ Recover the signed data: Examine the raw signed data: .Pp \& $ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump -.Pp .Bd -literal \& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ \& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ @@ -5190,7 +5120,6 @@ Running as follows yields: .Pp \& $ openssl asn1parse -in pca-cert.pem -.Pp .Bd -literal \& 0:d=0 hl=4 l= 742 cons: SEQUENCE \& 4:d=1 hl=4 l= 591 cons: SEQUENCE @@ -5224,7 +5153,6 @@ The certificate public key can be extracted with: The signature can be analysed with: .Pp \& $ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin -.Pp .Bd -literal \& 0:d=0 hl=2 l= 32 cons: SEQUENCE \& 2:d=1 hl=2 l= 12 cons: SEQUENCE 
@@ -5243,7 +5171,6 @@ The actual part of the certificate that was signed can be extracted with: \& $ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 .Pp and its digest computed with: -.Pp .Bd -literal \& $ openssl md5 -c tbs \& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 @@ -5735,7 +5662,6 @@ from the client is displayed and any key presses will be sent to the client. .Pp Certain single letter commands are also recognized which perform special operations: these are listed below. -.Pp .Bl -tag -width "XXXX" .It Ar q End the current SSL connection, but still accept new connections. @@ -5867,7 +5793,6 @@ This option won't normally be used. .El .Sh SESS_ID OUTPUT Typical output: -.Pp .Bd -literal \& SSL-Session: \& Protocol : TLSv1 @@ -5908,7 +5833,6 @@ This is the return code when an SSL client certificate is verified. The .Em PEM encoded session format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN SSL SESSION PARAMETERS----- \& -----END SSL SESSION PARAMETERS----- @@ -6247,14 +6171,12 @@ the signers certificates. .El .Sh SMIME EXAMPLES Create a cleartext signed message: -.Pp .Bd -literal \& $ openssl smime -sign -in message.txt -text -out mail.msg \e \& -signer mycert.pem .Ed .Pp Create an opaque signed message: -.Pp .Bd -literal \& $ openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e \& -signer mycert.pem @@ -6262,7 +6184,6 @@ Create an opaque signed message: .Pp Create a signed message, include some additional certificates and read the private key from another file: -.Pp .Bd -literal \& $ openssl smime -sign -in in.txt -text -out mail.msg \e \& -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem @@ -6271,7 +6192,6 @@ read the private key from another file: Send a signed message under Unix directly to .Xr sendmail 8 , including headers: -.Pp .Bd -literal \& $ openssl smime -sign -in in.txt -text -signer mycert.pem \e \& -from steve@openssl.org -to someone@somewhere \e 
@@ -6279,14 +6199,12 @@ including headers: .Ed .Pp Verify a message and extract the signer's certificate if successful: -.Pp .Bd -literal \& $ openssl smime -verify -in mail.msg -signer user.pem \e \& -out signedtext.txt .Ed .Pp Send encrypted mail using triple DES: -.Pp .Bd -literal \& $ openssl smime -encrypt -in in.txt -from steve@openssl.org \e \& -to someone@somewhere -subject "Encrypted message" \e @@ -6294,7 +6212,6 @@ Send encrypted mail using triple DES: .Ed .Pp Sign and encrypt mail: -.Pp .Bd -literal \& $ openssl smime -sign -in ml.txt -signer my.pem -text \e \& | openssl smime -encrypt -out mail.msg \e @@ -6317,22 +6234,18 @@ The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with: -.Pp .Bd -literal \& -----BEGIN PKCS7----- \& -----END PKCS7----- .Ed .Pp and using the command: -.br -.Pp .Bd -literal \& $ openssl smime -verify -inform PEM -in signature.pem \& -content content.txt .Ed .Pp Alternatively, you can base64 decode the signature and use: -.Pp .Bd -literal \& $ openssl smime -verify -inform DER -in signature.der \& -content content.txt @@ -6401,7 +6314,6 @@ v3 structures may cause parsing errors. The .Nm speed command is used to test the performance of cryptographic algorithms. -.Pp .Bl -tag -width "XXXX" .It Fl engine Ar id Specifying an engine (by it's unique @@ -6511,7 +6423,6 @@ Create an SPKAC using the challenge string "hello": \& $ openssl spkac -key key.pem -challenge hello -out spkac.cnf .Pp Example of an SPKAC, (long lines split up for clarity): -.Pp .Bd -literal \& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e \& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e 
@@ -6709,7 +6620,6 @@ If any operation fails then the certificate is not valid. .Sh VERIFY DIAGNOSTICS When a verify operation fails, the output messages can be somewhat cryptic. The general form of the error message is: -.Pp .Bd -literal \& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) \& error 24 at 1 depth lookup:invalid CA certificate @@ -6728,7 +6638,6 @@ includes the name of the error code as defined in the header file .Aq Pa x509_vfy.h . Some of the error codes are defined but never returned: these are described as "unused". -.Pp .Bl -tag -width "XXXX" .It Ar "0 X509_V_OK: ok" The operation was successful. @@ -7188,7 +7097,6 @@ The .Nm x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA". -.Pp .Bl -tag -width "XXXX" .It Fl signkey Ar filename This option causes the input file to be self-signed using the supplied @@ -7557,7 +7465,6 @@ Convert a certificate to a certificate request: .Pp Convert a certificate request into a self-signed certificate using extensions for a CA: -.Pp .Bd -literal \& $ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions \e \& v3_ca -signkey key.pem -out cacert.pem @@ -7565,7 +7472,6 @@ extensions for a CA: .Pp Sign a certificate request using the CA certificate above and add user certificate extensions: -.Pp .Bd -literal \& $ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions \e v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial @@ -7573,7 +7479,6 @@ certificate extensions: .Pp Set a certificate to be trusted for SSL client use and set its alias to "Steve's Class 1 CA": -.Pp .Bd -literal \& $ openssl x509 -in cert.pem -addtrust clientAuth \e \& -setalias "Steve's Class 1 CA" -out trust.pem 
@@ -7582,21 +7487,18 @@ client use and set its alias to "Steve's Class 1 CA": The .Em PEM format uses the header and footer lines: -.Pp .Bd -literal \& -----BEGIN CERTIFICATE----- \& -----END CERTIFICATE----- .Ed .Pp It will also handle files containing: -.Pp .Bd -literal \& -----BEGIN X509 CERTIFICATE----- \& -----END X509 CERTIFICATE----- .Ed .Pp Trusted certificates have the lines: -.Pp .Bd -literal \& -----BEGIN TRUSTED CERTIFICATE----- \& -----END TRUSTED CERTIFICATE----- @@ -7684,7 +7586,6 @@ and and V1 certificates above apply to .Em all CA certificates. -.Pp .Bl -tag -width "XXXX" .It Ar SSL Client The extended key usage extension must be absent or include the -- cgit v1.2.3-55-g6feb
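Review bot: In the hunk at @@ -4095,7 +4043,6 @@ the two example commands kept as context, "old-openssl -in bad.p12 -out keycerts.pem" and "openssl -in keycerts.pem -export ... -out fixed.p12", name no subcommand, whereas the other PKCS#12 examples visible in this patch are all written as "openssl pkcs12 ...". A reader who copies them as printed will not get a PKCS#12 conversion. Since this display is being touched anyway, add "pkcs12" after the program name on both lines.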
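Review bot: In the hunk at @@ -2550,14 +2525,12 @@ the context line "des-ede Alias for des-ede" describes the name as an alias for itself. The neighbouring displays read "des-ede3 Alias for des-ede3-cbc" and "bf Alias for bf-cbc", so this entry presumably should read "Alias for des-ede-cbc". Worth fixing in the same pass, because the table is what readers use to pick a cipher mode for the enc command.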
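Review bot: Style point on the hunks at @@ -4044,21 +3995,18 @@, @@ -4686,12 +4630,10 @@ and @@ -5064,7 +4996,6 @@: dropping the trailing .br still leaves the one-line examples there (for instance "\& $ openssl pkcs12 -in file.p12 -out file.pem -nodes") as bare text lines after .Pp, while the multi-line examples in the same hunks sit inside .Bd -literal / .Ed. Because the commit message names PostScript output as a goal, consider wrapping these single-line commands in .Bd -literal as well, so that every example is set the same way and none of them is subject to filling.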
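Review bot: Minor wording in the hunk at @@ -6401,7 +6314,6 @@: the context line "Specifying an engine (by it's unique" uses "it's" where the possessive "its" is meant. It sits directly under the .Pp this patch removes, so it can be corrected in the same commit.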