[openssl] master update
Richard Levitte
levitte at openssl.org
Tue Oct 1 06:37:16 UTC 2019
The branch master has been updated
via e8769719c9bbe53d7af088111b7625671660d4db (commit)
from 4dcb150ea30f9bbfa7946e6b39c30a86aca5ed02 (commit)
- Log -----------------------------------------------------------------
commit e8769719c9bbe53d7af088111b7625671660d4db
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Sep 25 15:20:11 2019 -0400
Consistent formatting of flags with args
For documentation of all commands with "-flag arg" format them
consistently: "B<-flag> I<arg>", except when arg is literal
(for example "B<-inform> B<PEM>|B<DER>")
Update find-doc-nits to complain if badly formatted strings are found.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10022)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/CA.pl.pod | 10 +-
doc/man1/openssl-asn1parse.pod | 46 ++++----
doc/man1/openssl-ca.pod | 144 +++++++++++------------
doc/man1/openssl-ciphers.pod | 8 +-
doc/man1/openssl-cms.pod | 143 ++++++++++++-----------
doc/man1/openssl-crl.pod | 28 ++---
doc/man1/openssl-crl2pkcs7.pod | 20 ++--
doc/man1/openssl-dgst.pod | 58 ++++-----
doc/man1/openssl-dhparam.pod | 20 ++--
doc/man1/openssl-dsa.pod | 30 ++---
doc/man1/openssl-dsaparam.pod | 30 ++---
doc/man1/openssl-ec.pod | 38 +++---
doc/man1/openssl-ecparam.pod | 38 +++---
doc/man1/openssl-enc.pod | 61 +++++-----
doc/man1/openssl-fipsinstall.pod | 28 ++---
doc/man1/openssl-gendsa.pod | 16 +--
doc/man1/openssl-genpkey.pod | 34 +++---
doc/man1/openssl-genrsa.pod | 28 ++---
doc/man1/openssl-kdf.pod | 4 +-
doc/man1/openssl-mac.pod | 10 +-
doc/man1/openssl-nseq.pod | 8 +-
doc/man1/openssl-ocsp.pod | 138 +++++++++++-----------
doc/man1/openssl-passwd.pod | 10 +-
doc/man1/openssl-pkcs12.pod | 88 +++++++-------
doc/man1/openssl-pkcs7.pod | 20 ++--
doc/man1/openssl-pkcs8.pod | 50 ++++----
doc/man1/openssl-pkey.pod | 34 +++---
doc/man1/openssl-pkeyparam.pod | 12 +-
doc/man1/openssl-pkeyutl.pod | 66 +++++------
doc/man1/openssl-prime.pod | 16 +--
doc/man1/openssl-rand.pod | 10 +-
doc/man1/openssl-rehash.pod | 12 +-
doc/man1/openssl-req.pod | 110 ++++++++---------
doc/man1/openssl-rsa.pod | 30 ++---
doc/man1/openssl-rsautl.pod | 24 ++--
doc/man1/openssl-s_client.pod | 214 +++++++++++++++++-----------------
doc/man1/openssl-s_server.pod | 246 +++++++++++++++++++--------------------
doc/man1/openssl-s_time.pod | 44 +++----
doc/man1/openssl-sess_id.pod | 20 ++--
doc/man1/openssl-smime.pod | 92 +++++++--------
doc/man1/openssl-speed.pod | 38 +++---
doc/man1/openssl-spkac.pod | 38 +++---
doc/man1/openssl-srp.pod | 18 +--
doc/man1/openssl-storeutl.pod | 40 +++----
doc/man1/openssl-ts.pod | 180 ++++++++++++++--------------
doc/man1/openssl-tsget.pod | 4 +-
doc/man1/openssl-verify.pod | 66 +++++------
doc/man1/openssl-x509.pod | 118 +++++++++----------
doc/man3/BIO_ADDR.pod | 4 +-
doc/man3/PKCS7_verify.pod | 2 +-
doc/man3/X509_NAME_print_ex.pod | 6 +-
doc/man5/config.pod | 4 +-
doc/man7/bio.pod | 4 +-
util/find-doc-nits | 14 +++
54 files changed, 1295 insertions(+), 1279 deletions(-)
diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod
index b055622bff..c4fa87c336 100644
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -21,13 +21,13 @@ B<-signCA> |
B<-signcert> |
B<-crl> |
B<-newca>
-[B<-extra-cmd> extra-params]
+[B<-extra-cmd> I<extra-params>]
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
+B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<extra-params>] [I<certname>]
-B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
+B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile>...
-B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
+B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]
=head1 DESCRIPTION
@@ -106,7 +106,7 @@ Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
Generate a CRL. Executes B<openssl ca> command.
-=item B<-revoke certfile [reason]>
+=item B<-revoke> I<certfile> [I<reason>]
Revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
diff --git a/doc/man1/openssl-asn1parse.pod b/doc/man1/openssl-asn1parse.pod
index ccb2f034b1..73824bfe14 100644
--- a/doc/man1/openssl-asn1parse.pod
+++ b/doc/man1/openssl-asn1parse.pod
@@ -8,21 +8,21 @@ openssl-asn1parse - ASN.1 parsing tool
B<openssl> B<asn1parse>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
-[B<-offset number>]
-[B<-length number>]
+[B<-offset> I<number>]
+[B<-length> I<number>]
[B<-i>]
-[B<-oid filename>]
+[B<-oid> I<filename>]
[B<-dump>]
-[B<-dlimit num>]
-[B<-strparse offset>]
-[B<-genstr string>]
-[B<-genconf file>]
+[B<-dlimit> I<num>]
+[B<-strparse> I<offset>]
+[B<-genstr> I<string>]
+[B<-genconf> I<file>]
[B<-strictpem>]
-[B<-item name>]
+[B<-item> I<name>]
=head1 DESCRIPTION
@@ -37,16 +37,16 @@ structures. It can also be used to extract data from ASN.1 formatted data.
Print out a usage message.
-=item B<-inform> B<DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input format. B<DER> is binary format and B<PEM> (the default) is base64
+The input format. I<DER> is binary format and I<PEM> (the default) is base64
encoded.
-=item B<-in filename>
+=item B<-in> I<filename>
The input file, default is standard input.
-=item B<-out filename>
+=item B<-out> I<filename>
Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
@@ -56,11 +56,11 @@ combined with the B<-strparse> option.
Don't output the parsed version of the input file.
-=item B<-offset number>
+=item B<-offset> I<number>
Starting offset to begin parsing, default is start of file.
-=item B<-length number>
+=item B<-length> I<number>
Number of bytes to parse, default is until end of file.
@@ -68,7 +68,7 @@ Number of bytes to parse, default is until end of file.
Indents the output according to the "depth" of the structures.
-=item B<-oid filename>
+=item B<-oid> I<filename>
A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.
@@ -77,16 +77,16 @@ file is described in the NOTES section below.
Dump unknown data in hex format.
-=item B<-dlimit num>
+=item B<-dlimit> I<num>
Like B<-dump>, but only the first B<num> bytes are output.
-=item B<-strparse offset>
+=item B<-strparse> I<offset>
Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.
-=item B<-genstr string>, B<-genconf file>
+=item B<-genstr> I<string>, B<-genconf> I<file>
Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
@@ -103,7 +103,7 @@ processed whether it has the normal PEM BEGIN and END markers or not. This
option will ignore any data prior to the start of the BEGIN marker, or after an
END marker in a PEM file.
-=item B<-item name>
+=item B<-item> I<name>
Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.
@@ -143,7 +143,7 @@ Some knowledge of the ASN.1 structure is needed to interpret the output.
In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
-be examined using the option B<-strparse 229> to yield:
+be examined using the option C<-strparse 229> to yield:
0:d=0 hl=3 l= 137 cons: SEQUENCE
3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
diff --git a/doc/man1/openssl-ca.pod b/doc/man1/openssl-ca.pod
index 9826fbfc9d..3159ee21f2 100644
--- a/doc/man1/openssl-ca.pod
+++ b/doc/man1/openssl-ca.pod
@@ -9,55 +9,55 @@ openssl-ca - sample minimal CA application
B<openssl> B<ca>
[B<-help>]
[B<-verbose>]
-[B<-config filename>]
-[B<-name section>]
+[B<-config> I<filename>]
+[B<-name> I<section>]
[B<-gencrl>]
-[B<-revoke file>]
-[B<-valid file>]
-[B<-status serial>]
+[B<-revoke> I<file>]
+[B<-valid> I<file>]
+[B<-status> I<serial>]
[B<-updatedb>]
-[B<-crl_reason reason>]
-[B<-crl_hold instruction>]
-[B<-crl_compromise time>]
-[B<-crl_CA_compromise time>]
-[B<-crldays days>]
-[B<-crlhours hours>]
-[B<-crlexts section>]
-[B<-startdate date>]
-[B<-enddate date>]
-[B<-days arg>]
-[B<-md arg>]
-[B<-policy arg>]
-[B<-keyfile arg>]
-[B<-keyform PEM|DER>]
-[B<-key arg>]
-[B<-passin arg>]
-[B<-cert file>]
+[B<-crl_reason> I<reason>]
+[B<-crl_hold> I<instruction>]
+[B<-crl_compromise> I<time>]
+[B<-crl_CA_compromise> I<time>]
+[B<-crldays> I<days>]
+[B<-crlhours> I<hours>]
+[B<-crlexts> I<section>]
+[B<-startdate> I<date>]
+[B<-enddate> I<date>]
+[B<-days> I<arg>]
+[B<-md> I<arg>]
+[B<-policy> I<arg>]
+[B<-keyfile> I<arg>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-key> I<arg>]
+[B<-passin> I<arg>]
+[B<-cert> I<file>]
[B<-selfsign>]
-[B<-in file>]
-[B<-out file>]
+[B<-in> I<file>]
+[B<-out> I<file>]
[B<-notext>]
-[B<-outdir dir>]
+[B<-outdir> I<dir>]
[B<-infiles>]
-[B<-spkac file>]
-[B<-ss_cert file>]
+[B<-spkac> I<file>]
+[B<-ss_cert> I<file>]
[B<-preserveDN>]
[B<-noemailDN>]
[B<-batch>]
[B<-msie_hack>]
-[B<-extensions section>]
-[B<-extfile section>]
-[B<-engine id>]
-[B<-subj arg>]
+[B<-extensions> I<section>]
+[B<-extfile> I<section>]
+[B<-engine> I<id>]
+[B<-subj> I<arg>]
[B<-utf8>]
-[B<-sigopt nm:v>]
+[B<-sigopt> I<nm>:I<v>]
[B<-create_serial>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-sm2-id string>]
-[B<-sm2-hex-id hex-string>]
+[B<-rand> I<file>]
+[B<-writerand> I<file>]
+[B<-sm2-id> I<string>]
+[B<-sm2-hex-id> I<hex-string>]
=head1 DESCRIPTION
@@ -80,27 +80,27 @@ Print out a usage message.
This prints extra details about the operations being performed.
-=item B<-config filename>
+=item B<-config> I<filename>
Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-name section>
+=item B<-name> I<section>
Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
-=item B<-in filename>
+=item B<-in> I<filename>
An input filename containing a single certificate request to be
signed by the CA.
-=item B<-ss_cert filename>
+=item B<-ss_cert> I<filename>
A single self-signed certificate to be signed by the CA.
-=item B<-spkac filename>
+=item B<-spkac> I<filename>
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
@@ -111,13 +111,13 @@ section for information on the required input and output format.
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
-=item B<-out filename>
+=item B<-out> I<filename>
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
-=item B<-outdir directory>
+=item B<-outdir> I<directory>
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
@@ -127,21 +127,21 @@ written to a filename consisting of the serial number in hex with
The CA certificate file.
-=item B<-keyfile filename>
+=item B<-keyfile> I<filename>
The private key to sign requests with.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
The format of the data in the private key file.
The default is PEM.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-key password>
+=item B<-key> I<password>
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
@@ -161,41 +161,41 @@ certificate appears among the entries in the certificate database
serial number counter as all other certificates sign with the
self-signed certificate.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-notext>
Don't output the text form of a certificate to the output file.
-=item B<-startdate date>
+=item B<-startdate> I<date>
This allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.
-=item B<-enddate date>
+=item B<-enddate> I<date>
This allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.
-=item B<-days arg>
+=item B<-days> I<arg>
The number of days to certify the certificate for.
-=item B<-md alg>
+=item B<-md> I<alg>
The message digest to use.
Any digest supported by the OpenSSL B<dgst> command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
-=item B<-policy arg>
+=item B<-policy> I<arg>
This option defines the CA "policy" to use. This is a section in
the configuration file which decides which fields should be mandatory
@@ -231,7 +231,7 @@ used in the configuration file to enable this behaviour.
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
-=item B<-extensions section>
+=item B<-extensions> I<section>
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
@@ -241,20 +241,20 @@ is present (even if it is empty), then a V3 certificate is created. See the
L<x509v3_config(5)> manual page for details of the
extension section format.
-=item B<-extfile file>
+=item B<-extfile> I<file>
An additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-subj arg>
+=item B<-subj> I<arg>
Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
@@ -291,7 +291,7 @@ I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
-=item B<-rand file...>
+=item B<-rand> I<file>
A file or files containing random data used to seed the random number
generator.
@@ -299,17 +299,17 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-sm2-id>
+=item B<-sm2-id> I<string>
Specify the ID string to use when verifying an SM2 certificate. The ID string is
required by the SM2 signature algorithm for signing and verification.
-=item B<-sm2-hex-id>
+=item B<-sm2-hex-id> I<hex-string>
Specify a binary ID string to use when signing or verifying using an SM2
certificate. The argument for this option is string of hexadecimal digits.
@@ -324,24 +324,24 @@ certificate. The argument for this option is string of hexadecimal digits.
This option generates a CRL based on information in the index file.
-=item B<-crldays num>
+=item B<-crldays> I<num>
The number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.
-=item B<-crlhours num>
+=item B<-crlhours> I<num>
The number of hours before the next CRL is due.
-=item B<-revoke filename>
+=item B<-revoke> I<filename>
A filename containing a certificate to revoke.
-=item B<-valid filename>
+=item B<-valid> I<filename>
A filename containing a certificate to add a Valid certificate entry.
-=item B<-status serial>
+=item B<-status> I<serial>
Displays the revocation status of the certificate with the specified
serial number and exits.
@@ -350,7 +350,7 @@ serial number and exits.
Updates the database index to purge expired certificates.
-=item B<-crl_reason reason>
+=item B<-crl_reason> I<reason>
Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
@@ -360,24 +360,24 @@ insensitive. Setting any revocation reason will make the CRL v2.
In practice B<removeFromCRL> is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
-=item B<-crl_hold instruction>
+=item B<-crl_hold> I<instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
instruction to B<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
-=item B<-crl_compromise time>
+=item B<-crl_compromise> I<time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
-=item B<-crl_CA_compromise time>
+=item B<-crl_CA_compromise> I<time>
This is the same as B<crl_compromise> except the revocation reason is set to
B<CACompromise>.
-=item B<-crlexts section>
+=item B<-crlexts> I<section>
The section of the configuration file containing CRL extensions to
include. If no CRL extension section is present then a V1 CRL is
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod
index 7e498333c6..332b507a9d 100644
--- a/doc/man1/openssl-ciphers.pod
+++ b/doc/man1/openssl-ciphers.pod
@@ -20,8 +20,8 @@ B<openssl> B<ciphers>
[B<-psk>]
[B<-srp>]
[B<-stdname>]
-[B<-convert name>]
-[B<-ciphersuites val>]
+[B<-convert> I<name>]
+[B<-ciphersuites> I<val>]
[B<cipherlist>]
=head1 DESCRIPTION
@@ -83,11 +83,11 @@ OpenSSL was built.
Precede each cipher suite by its standard name.
-=item B<-convert name>
+=item B<-convert> I<name>
Convert a standard cipher B<name> to its OpenSSL name.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
TLSv1.2 and below ciphersuites that have been configured. The format for this
diff --git a/doc/man1/openssl-cms.pod b/doc/man1/openssl-cms.pod
index 54e757ff11..ddb0edf5a0 100644
--- a/doc/man1/openssl-cms.pod
+++ b/doc/man1/openssl-cms.pod
@@ -23,23 +23,25 @@ B<openssl> B<cms>
[B<-uncompress>]
[B<-EncryptedData_encrypt>]
[B<-sign_receipt>]
-[B<-verify_receipt receipt>]
-[B<-in filename>]
-[B<-inform SMIME|PEM|DER>]
-[B<-rctform SMIME|PEM|DER>]
-[B<-out filename>]
-[B<-outform SMIME|PEM|DER>]
-[B<-stream -indef -noindef>]
+[B<-verify_receipt> I<receipt>]
+[B<-in> I<filename>]
+[B<-inform> B<DER>|B<PEM>|B<SMIME>]
+[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
+[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-stream>]
+[B<-indef>]
[B<-noindef>]
-[B<-content filename>]
+[B<-noindef>]
+[B<-content> I<filename>]
[B<-text>]
[B<-noout>]
[B<-print>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
@@ -50,25 +52,25 @@ B<openssl> B<cms>
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-md digest>]
-[B<-I<cipher>>]
+[B<-md> I<digest>]
+[B<->I<cipher>]
[B<-nointern>]
[B<-noverify>]
[B<-nocerts>]
@@ -78,29 +80,28 @@ B<openssl> B<cms>
[B<-crlfeol>]
[B<-asciicrlf>]
[B<-nodetach>]
-[B<-certfile file>]
-[B<-certsout file>]
-[B<-signer file>]
-[B<-recip file>]
+[B<-certfile> I<file>]
+[B<-certsout> I<file>]
+[B<-signer> I<file>]
+[B<-recip> I<file>]
[B<-keyid>]
[B<-receipt_request_all>]
[B<-receipt_request_first>]
-[B<-receipt_request_from emailaddress>]
-[B<-receipt_request_to emailaddress>]
+[B<-receipt_request_from> I<emailaddress>]
+[B<-receipt_request_to> I<emailaddress>]
[B<-receipt_request_print>]
-[B<-secretkey key>]
-[B<-secretkeyid id>]
-[B<-econtent_type type>]
-[B<-inkey file>]
-[B<-keyopt name:parameter>]
-[B<-passin arg>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<cert.pem...>]
-[B<-to addr>]
-[B<-from addr>]
-[B<-subject subj>]
-[cert.pem]...
+[B<-secretkey> I<key>]
+[B<-secretkeyid> I<id>]
+[B<-econtent_type> I<type>]
+[B<-inkey> I<file>]
+[B<-keyopt> I<name>:I<parameter>]
+[B<-passin> I<arg>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-to> I<addr>]
+[B<-from> I<addr>]
+[B<-subject> I<subj>]
+[I<cert.pem ...>]
=head1 DESCRIPTION
@@ -202,18 +203,18 @@ Generate and output a signed receipt for the supplied message. The input
message B<must> contain a signed receipt request. Functionality is otherwise
similar to the B<-sign> operation.
-=item B<-verify_receipt receipt>
+=item B<-verify_receipt> I<receipt>
Verify a signed receipt in filename B<receipt>. The input message B<must>
contain the original receipt request. Functionality is otherwise similar
to the B<-verify> operation.
-=item B<-in filename>
+=item B<-in> I<filename>
The input message to be encrypted or signed or the message to be decrypted
or verified.
-=item B<-inform SMIME|PEM|DER>
+=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
@@ -222,17 +223,17 @@ instead. This currently only affects the input format of the CMS
structure, if no CMS structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
-=item B<-rctform SMIME|PEM|DER>
+=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
-=item B<-out filename>
+=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
-=item B<-outform SMIME|PEM|DER>
+=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
@@ -241,7 +242,7 @@ instead. This currently only affects the output format of the CMS
structure, if no CMS structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
-=item B<-stream -indef -noindef>
+=item B<-stream>, B<-indef>, B<-noindef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
@@ -256,7 +257,7 @@ Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-=item B<-content filename>
+=item B<-content> I<filename>
This specifies a file containing the detached content, this is only
useful with the B<-verify> command. This is only usable if the CMS
@@ -282,15 +283,15 @@ structure is being checked.
For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted CA certificates, only used with B<-verify>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
+is a hash of each subject name (using C<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
@@ -301,12 +302,12 @@ Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default directory location
-=item B<-md digest>
+=item B<-md> I<digest>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
-=item B<-I<cipher>>
+=item B<->I<cipher>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
@@ -374,24 +375,24 @@ to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
-=item B<-certfile file>
+=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
-=item B<-certsout file>
+=item B<-certsout> I<file>
Any certificates contained in the message are written to B<file>.
-=item B<-signer file>
+=item B<-signer> I<file>
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
-=item B<-recip file>
+=item B<-recip> I<file>
When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
@@ -416,12 +417,12 @@ For B<-sign> option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
-=item B<-receipt_request_from emailaddress>
+=item B<-receipt_request_from> I<emailaddress>
For B<-sign> option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
-=item B<-receipt_request_to emailaddress>
+=item B<-receipt_request_to> I<emailaddress>
Add an explicit email address where signed receipts should be sent to. This
option B<must> but supplied if a signed receipt it requested.
@@ -431,7 +432,7 @@ option B<must> but supplied if a signed receipt it requested.
For the B<-verify> operation print out the contents of any signed receipt
requests.
-=item B<-secretkey key>
+=item B<-secretkey> I<key>
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
@@ -439,7 +440,7 @@ B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
content encryption key using an AES key in the B<KEKRecipientInfo> type.
-=item B<-secretkeyid id>
+=item B<-secretkeyid> I<id>
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
@@ -447,13 +448,13 @@ B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
-=item B<-econtent_type type>
+=item B<-econtent_type> I<type>
Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
-=item B<-inkey file>
+=item B<-inkey> I<file>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
@@ -461,19 +462,19 @@ private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
multiple times to specify successive keys.
-=item B<-keyopt name:opt>
+=item B<-keyopt> I<name>:I<parameter>
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -481,17 +482,17 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<cert.pem...>
+=item I<cert.pem...>
One or more certificates of message recipients: used when encrypting
a message.
-=item B<-to, -from, -subject>
+=item B<-to>, B<-from>, B<-subject>
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
@@ -634,7 +635,7 @@ support the older format. These are detailed below.
The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
-The B<-outform PEM> option uses different headers.
+The B<-outform> I<PEM> option uses different headers.
The B<-compress> option.
diff --git a/doc/man1/openssl-crl.pod b/doc/man1/openssl-crl.pod
index 35fe5ed1fc..abf2a2e87a 100644
--- a/doc/man1/openssl-crl.pod
+++ b/doc/man1/openssl-crl.pod
@@ -8,19 +8,19 @@ openssl-crl - CRL utility
B<openssl> B<crl>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-informout> B<DER>|B<PEM>]
[B<-text>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-nameopt option>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-nameopt> I<option>]
[B<-noout>]
[B<-hash>]
[B<-issuer>]
[B<-lastupdate>]
[B<-nextupdate>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
=head1 DESCRIPTION
@@ -34,23 +34,23 @@ The B<crl> command processes CRL files in DER or PEM format.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded CRL
structure. B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
@@ -59,7 +59,7 @@ default.
Print out the CRL in text form.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)>.
@@ -90,12 +90,12 @@ Output the lastUpdate field.
Output the nextUpdate field.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
Verify the signature on a CRL by looking up the issuing certificate in
B<file>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
Verify the signature on a CRL by looking up the issuing certificate in
B<dir>. This directory must be a standard certificate directory: that
diff --git a/doc/man1/openssl-crl2pkcs7.pod b/doc/man1/openssl-crl2pkcs7.pod
index bb172529be..32248e5e21 100644
--- a/doc/man1/openssl-crl2pkcs7.pod
+++ b/doc/man1/openssl-crl2pkcs7.pod
@@ -8,11 +8,11 @@ openssl-crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates
B<openssl> B<crl2pkcs7>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-certfile filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-certfile> I<filename>]
[B<-nocrl>]
=head1 DESCRIPTION
@@ -29,29 +29,29 @@ only" structure.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the CRL input format. B<DER> format is DER encoded CRL
structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the PKCS#7 structure output format. B<DER> format is DER
encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a CRL from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
-=item B<-certfile filename>
+=item B<-certfile> I<filename>
Specifies a filename containing one or more certificates in B<PEM> format.
All certificates in the file will be added to the PKCS#7 structure. This
diff --git a/doc/man1/openssl-dgst.pod b/doc/man1/openssl-dgst.pod
index 5fb5128a02..d9319e5697 100644
--- a/doc/man1/openssl-dgst.pod
+++ b/doc/man1/openssl-dgst.pod
@@ -7,25 +7,25 @@ openssl-dgst - perform digest operations
=head1 SYNOPSIS
B<openssl dgst>
-[B<-I<digest>>]
+[B<->I<digest>]
[B<-help>]
[B<-c>]
[B<-d>]
[B<-hex>]
[B<-binary>]
[B<-r>]
-[B<-out filename>]
-[B<-sign filename>]
-[B<-keyform arg>]
-[B<-passin arg>]
-[B<-verify filename>]
-[B<-prverify filename>]
-[B<-signature filename>]
-[B<-sigopt nm:v>]
-[B<-hmac key>]
+[B<-out> I<filename>]
+[B<-sign> I<filename>]
+[B<-keyform> I<arg>]
+[B<-passin> I<arg>]
+[B<-verify> I<filename>]
+[B<-prverify> I<filename>]
+[B<-signature> I<filename>]
+[B<-sigopt> I<nm>:I<v>]
+[B<-hmac> I<key>]
[B<-fips-fingerprint>]
-[B<-rand file...>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-engine> I<id>]
[B<-engine_impl>]
[B<file...>]
@@ -52,10 +52,10 @@ command.
Print out a usage message.
-=item B<-I<digest>>
+=item B<->I<digest>
Specifies name of a supported digest to be used. To see the list of
-supported digests, use the command I<list --digest-commands>.
+supported digests, use the command C<list --digest-commands>.
=item B<-c>
@@ -81,52 +81,52 @@ Output the digest or signature in binary form.
Output the digest in the "coreutils" format, including newlines.
Used by programs like B<sha1sum>.
-=item B<-out filename>
+=item B<-out> I<filename>
Filename to output to, or standard output by default.
-=item B<-sign filename>
+=item B<-sign> I<filename>
Digitally sign the digest using the private key in "filename". Note this option
does not support Ed25519 or Ed448 private keys. Use the B<pkeyutl> command
instead for this.
-=item B<-keyform arg>
+=item B<-keyform> I<arg>
Specifies the key format to sign digest with. The DER, PEM, P12,
and ENGINE formats are supported.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-verify filename>
+=item B<-verify> I<filename>
Verify the signature using the public key in "filename".
The output is either "Verification OK" or "Verification Failure".
-=item B<-prverify filename>
+=item B<-prverify> I<filename>
Verify the signature using the private key in "filename".
-=item B<-signature filename>
+=item B<-signature> I<filename>
The actual signature to verify.
-=item B<-hmac key>
+=item B<-hmac> I<key>
Create a hashed MAC using "key".
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-mac alg>
+=item B<-mac> I<alg>
Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
@@ -137,7 +137,7 @@ via B<-macopt> parameter.
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to MAC algorithm, specified by B<-mac> key.
Following options are supported by both by B<HMAC> and B<gost-mac>:
@@ -161,7 +161,7 @@ for example exactly 32 chars for gost-mac.
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -169,7 +169,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
@@ -178,7 +178,7 @@ This can be used with a subsequent B<-rand> flag.
Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
-=item B<-engine id>
+=item B<-engine> I<id>
Use engine B<id> for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
diff --git a/doc/man1/openssl-dhparam.pod b/doc/man1/openssl-dhparam.pod
index 6643e20e2a..b575473d96 100644
--- a/doc/man1/openssl-dhparam.pod
+++ b/doc/man1/openssl-dhparam.pod
@@ -8,8 +8,8 @@ openssl-dhparam - DH parameter manipulation and generation
B<openssl dhparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
@@ -20,9 +20,9 @@ B<openssl dhparam>
[B<-2>]
[B<-3>]
[B<-5>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[I<numbits>]
=head1 DESCRIPTION
@@ -37,14 +37,14 @@ This command is used to manipulate DH parameter files.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the B<DER> format base64 encoded with
additional header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
@@ -84,7 +84,7 @@ input file is ignored and parameters are generated instead. If not
present but B<numbits> is present, parameters are generated with the
default generator 2.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -92,7 +92,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
@@ -119,7 +119,7 @@ This option prints out the DH parameters in human readable form.
This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod
index 8039b395c3..9d33809cb3 100644
--- a/doc/man1/openssl-dsa.pod
+++ b/doc/man1/openssl-dsa.pod
@@ -8,12 +8,12 @@ openssl-dsa - DSA key processing
B<openssl> B<dsa>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
@@ -31,7 +31,7 @@ B<openssl> B<dsa>
[B<-modulus>]
[B<-pubin>]
[B<-pubout>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -48,7 +48,7 @@ applications should use the more secure PKCS#8 format using the B<pkcs8>
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
@@ -60,30 +60,30 @@ The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
@@ -121,7 +121,7 @@ By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-dsaparam.pod b/doc/man1/openssl-dsaparam.pod
index e6a63cf96e..68e960a0df 100644
--- a/doc/man1/openssl-dsaparam.pod
+++ b/doc/man1/openssl-dsaparam.pod
@@ -8,19 +8,19 @@ openssl-dsaparam - DSA parameter manipulation and generation
B<openssl dsaparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-text>]
[B<-C>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-genkey>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-verbose>]
-[B<numbits>]
+[I<numbits>]
=head1 DESCRIPTION
@@ -34,25 +34,25 @@ This command is used to manipulate or generate DSA parameter files.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
of p, q and g respectively. The PEM form is the default format: it consists
of the B<DER> format base64 encoded with additional header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified. If the B<numbits> parameter is included then
this option will be ignored.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
@@ -76,7 +76,7 @@ be loaded by calling the get_dsaXXX() function.
This option will generate a DSA either using the specified or generated
parameters.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -84,12 +84,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod
index 6d86c1a10a..56ff0dce6a 100644
--- a/doc/man1/openssl-ec.pod
+++ b/doc/man1/openssl-ec.pod
@@ -8,12 +8,12 @@ openssl-ec - EC key processing
B<openssl> B<ec>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -22,11 +22,11 @@ B<openssl> B<ec>
[B<-param_out>]
[B<-pubin>]
[B<-pubout>]
-[B<-conv_form arg>]
-[B<-param_enc arg>]
+[B<-conv_form> I<arg>]
+[B<-param_enc> I<arg>]
[B<-no_public>]
[B<-check>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -44,7 +44,7 @@ PKCS#8 private key format use the B<pkcs8> command.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN.1 DER encoded SEC1 private key. When used with a public key it
@@ -53,35 +53,35 @@ The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-des|-des3|-idea>
+=item B<-des>|B<-des3>|B<-idea>
These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
@@ -121,7 +121,7 @@ B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
-=item B<-param_enc arg>
+=item B<-param_enc> I<arg>
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
@@ -139,7 +139,7 @@ This option omits the public key components from the private key output.
This option checks the consistency of an EC private or public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-ecparam.pod b/doc/man1/openssl-ecparam.pod
index 9d8539bd22..1f17f02561 100644
--- a/doc/man1/openssl-ecparam.pod
+++ b/doc/man1/openssl-ecparam.pod
@@ -8,24 +8,24 @@ openssl-ecparam - EC parameter manipulation and generation
B<openssl ecparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-check>]
[B<-check_named>]
-[B<-name arg>]
+[B<-name> I<arg>]
[B<-list_curves>]
-[B<-conv_form arg>]
-[B<-param_enc arg>]
+[B<-conv_form> I<arg>]
+[B<-param_enc> I<arg>]
[B<-no_seed>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-genkey>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -39,24 +39,24 @@ This command is used to manipulate or generate EC parameter files.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
form compatible with RFC 3279 EcpkParameters. The PEM form is the default
format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
@@ -84,7 +84,7 @@ Validate the elliptic curve parameters.
Validate the elliptic name curve parameters by checking if the curve parameters
match any built-in curves.
-=item B<-name arg>
+=item B<-name> I<arg>
Use the EC parameters with the specified 'short' name. Use B<-list_curves>
to get a list of all currently implemented EC parameters.
@@ -104,7 +104,7 @@ B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
-=item B<-param_enc arg>
+=item B<-param_enc> I<arg>
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
@@ -123,7 +123,7 @@ is included in the ECParameters structure (see RFC 3279).
This option will generate an EC private key using the specified parameters.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -131,12 +131,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-enc.pod b/doc/man1/openssl-enc.pod
index 2ea69e77b0..6ece5a542a 100644
--- a/doc/man1/openssl-enc.pod
+++ b/doc/man1/openssl-enc.pod
@@ -6,39 +6,40 @@ openssl-enc - symmetric cipher routines
=head1 SYNOPSIS
-B<openssl enc -I<cipher>>
+B<openssl>
+[B<->I<cipher>]
[B<-help>]
[B<-ciphers>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-pass arg>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-pass> I<arg>]
[B<-e>]
[B<-d>]
[B<-a>]
[B<-base64>]
[B<-A>]
-[B<-k password>]
-[B<-kfile filename>]
-[B<-K key>]
-[B<-iv IV>]
-[B<-S salt>]
+[B<-k> I<password>]
+[B<-kfile> I<filename>]
+[B<-K> I<key>]
+[B<-iv> I<IV>]
+[B<-S> I<salt>]
[B<-salt>]
[B<-nosalt>]
[B<-z>]
-[B<-md digest>]
-[B<-iter count>]
+[B<-md> I<digest>]
+[B<-iter> I<count>]
[B<-pbkdf2>]
[B<-p>]
[B<-P>]
-[B<-bufsize number>]
+[B<-bufsize> I<number>]
[B<-nopad>]
[B<-debug>]
[B<-none>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
-B<openssl> I<[cipher]> [B<...>]
+B<openssl> I<cipher> [B<...>]
=head1 DESCRIPTION
@@ -59,18 +60,18 @@ Print out a usage message.
List all supported ciphers.
-=item B<-in filename>
+=item B<-in> I<filename>
The input filename, standard input by default.
-=item B<-out filename>
+=item B<-out> I<filename>
The output filename, standard output by default.
-=item B<-pass arg>
+=item B<-pass> I<arg>
The password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-e>
@@ -94,23 +95,23 @@ Same as B<-a>
If the B<-a> option is set then base64 process the data on one line.
-=item B<-k password>
+=item B<-k> I<password>
The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the B<-pass> argument.
-=item B<-kfile filename>
+=item B<-kfile> I<filename>
Read the password to derive the key from the first line of B<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
-=item B<-md digest>
+=item B<-md> I<digest>
Use the specified digest to create the key from the passphrase.
The default algorithm is sha-256.
-=item B<-iter count>
+=item B<-iter> I<count>
Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
@@ -131,11 +132,11 @@ OpenSSL.
Use salt (randomly generated or provide with B<-S> option) when
encrypting, this is the default.
-=item B<-S salt>
+=item B<-S> I<salt>
The actual salt to use: this must be represented as a string of hex digits.
-=item B<-K key>
+=item B<-K> I<key>
The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the IV must additionally specified
@@ -144,7 +145,7 @@ key given with the B<-K> option will be used and the IV generated from the
password will be taken. It does not make much sense to specify both key
and password.
-=item B<-iv IV>
+=item B<-iv> I<IV>
The actual IV to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the B<-K> option, the
@@ -160,7 +161,7 @@ Print out the key and IV used.
Print out the key and IV used then immediately exit: don't do any encryption
or decryption.
-=item B<-bufsize number>
+=item B<-bufsize> I<number>
Set the buffer size for I/O.
@@ -182,7 +183,7 @@ or zlib-dynamic option.
Use NULL cipher (no encryption or decryption of input).
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -190,7 +191,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
diff --git a/doc/man1/openssl-fipsinstall.pod b/doc/man1/openssl-fipsinstall.pod
index 7481cafb5d..1e00928961 100644
--- a/doc/man1/openssl-fipsinstall.pod
+++ b/doc/man1/openssl-fipsinstall.pod
@@ -8,14 +8,14 @@ openssl-fipsinstall - perform FIPS configuration installation
B<openssl fipsinstall>
[B<-help>]
-[B<-in configfilename>]
-[B<-out configfilename>]
-[B<-module modulefilename>]
-[B<-provider_name providername>]
-[B<-section_name sectionname>]
+[B<-in> I<configfilename>]
+[B<-out> I<configfilename>]
+[B<-module> I<modulefilename>]
+[B<-provider_name> I<providername>]
+[B<-section_name> I<sectionname>]
[B<-verify>]
-[B<-mac_name macname>]
-[B<-macopt>]
+[B<-mac_name> I<macname>]
+[B<-macopt> I<nm>:I<v>]
B<openssl> I<fipsinstall> [B<...>]
@@ -45,15 +45,15 @@ verifies the modules MAC, but only needs to run the KATS once during install.
Print a usage message.
-=item B<-module filename>
+=item B<-module> I<filename>
Filename of a fips module to perform an integrity check on.
-=item B<-out configfilename>
+=item B<-out> I<configfilename>
Filename to output the configuration data to, or standard output by default.
-=item B<-in configfilename>
+=item B<-in> I<configfilename>
Input filename to load configuration data from. Used with the '-verify' option.
Standard input is used if the filename is '-'.
@@ -62,21 +62,21 @@ Standard input is used if the filename is '-'.
Verify that the input configuration file contains the correct information
-=item B<-provider_name providername>
+=item B<-provider_name> I<providername>
Name of the provider inside the configuration file.
-=item B<-section_name sectionname>
+=item B<-section_name> I<sectionname>
Name of the section inside the configuration file.
-=item B<-mac_name name>
+=item B<-mac_name> I<name>
Specifies the name of a supported MAC algorithm which will be used.
To see the list of supported MAC's use the command I<list -mac-algorithms>.
The default is "HMAC".
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to the MAC algorithm.
A comprehensive list of controls can be found in the EVP_MAC implementation
diff --git a/doc/man1/openssl-gendsa.pod b/doc/man1/openssl-gendsa.pod
index 36da9983cd..0cc354a066 100644
--- a/doc/man1/openssl-gendsa.pod
+++ b/doc/man1/openssl-gendsa.pod
@@ -8,7 +8,7 @@ openssl-gendsa - generate a DSA private key from a set of parameters
B<openssl> B<gendsa>
[B<-help>]
-[B<-out filename>]
+[B<-out> I<filename>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
@@ -21,9 +21,9 @@ B<openssl> B<gendsa>
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-verbose>]
[B<paramfile>]
@@ -40,7 +40,7 @@ The B<gendsa> command generates a DSA private key from a DSA parameter file
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
@@ -51,7 +51,7 @@ These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -59,12 +59,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod
index c9364109b3..dab170cb83 100644
--- a/doc/man1/openssl-genpkey.pod
+++ b/doc/man1/openssl-genpkey.pod
@@ -8,14 +8,14 @@ openssl-genpkey - generate a private key
B<openssl> B<genpkey>
[B<-help>]
-[B<-out filename>]
-[B<-outform PEM|DER>]
-[B<-pass arg>]
-[B<-I<cipher>>]
-[B<-engine id>]
-[B<-paramfile file>]
-[B<-algorithm alg>]
-[B<-pkeyopt opt:value>]
+[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-pass> I<arg>]
+[B<->I<cipher>]
+[B<-engine> I<id>]
+[B<-paramfile> I<file>]
+[B<-algorithm> I<alg>]
+[B<-pkeyopt> I<opt:value>]
[B<-genparam>]
[B<-text>]
@@ -31,26 +31,26 @@ The B<genpkey> command generates a private key.
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format DER or PEM. The default format is PEM.
-=item B<-pass arg>
+=item B<-pass> I<arg>
The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-I<cipher>>
+=item B<->I<cipher>
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
@@ -58,7 +58,7 @@ thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
options.
-=item B<-algorithm alg>
+=item B<-algorithm> I<alg>
Public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
@@ -77,7 +77,7 @@ will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
below for more details.
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
@@ -89,7 +89,7 @@ L<PARAMETER GENERATION OPTIONS> below for more details.
Generate a set of parameters instead of a private key. If used this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
-=item B<-paramfile filename>
+=item B<-paramfile> I<filename>
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
diff --git a/doc/man1/openssl-genrsa.pod b/doc/man1/openssl-genrsa.pod
index c551792a4f..b963dd742d 100644
--- a/doc/man1/openssl-genrsa.pod
+++ b/doc/man1/openssl-genrsa.pod
@@ -8,8 +8,8 @@ openssl-genrsa - generate an RSA private key
B<openssl> B<genrsa>
[B<-help>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
@@ -24,10 +24,10 @@ B<openssl> B<genrsa>
[B<-idea>]
[B<-f4>]
[B<-3>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
-[B<-primes num>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
+[B<-primes> I<num>]
[B<-verbose>]
[B<numbits>]
@@ -43,15 +43,15 @@ The B<genrsa> command generates an RSA private key.
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format
-of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@@ -60,11 +60,11 @@ cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.
-=item B<-F4|-3>
+=item B<-F4>|B<-3>
The public exponent to use, either 65537 or 3. The default is 65537.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -72,19 +72,19 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-primes num>
+=item B<-primes> I<num>
Specify the number of primes to use while generating the RSA key. The B<num>
parameter must be a positive integer that is greater than 1 and less than 16.
diff --git a/doc/man1/openssl-kdf.pod b/doc/man1/openssl-kdf.pod
index 2b14eaadc4..2bba8d3ef2 100644
--- a/doc/man1/openssl-kdf.pod
+++ b/doc/man1/openssl-kdf.pod
@@ -8,7 +8,7 @@ openssl-kdf - perform Key Derivation Function operations
B<openssl kdf>
[B<-help>]
-[B<-kdfopt> I<nm:v>]
+[B<-kdfopt> I<nm>:I<v>]
[B<-keylen> I<num>]
[B<-out> I<filename>]
[B<-binary>]
@@ -39,7 +39,7 @@ Filename to output to, or standard output by default.
Output the derived key in binary form. Uses hexadecimal text format if not specified.
-=item B<-kdfopt> I<nm:v>
+=item B<-kdfopt> I<nm>:I<v>
Passes options to the KDF algorithm.
A comprehensive list of parameters can be found in the EVP_KDF_CTX
diff --git a/doc/man1/openssl-mac.pod b/doc/man1/openssl-mac.pod
index d2e6c7f262..8fd911142f 100644
--- a/doc/man1/openssl-mac.pod
+++ b/doc/man1/openssl-mac.pod
@@ -9,8 +9,8 @@ openssl-mac - perform Message Authentication Code operations
B<openssl mac>
[B<-help>]
[B<-macopt>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-binary>]
B<mac_name>
@@ -29,14 +29,14 @@ file.
Print a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
Input filename to calculate a MAC for, or standard input by default.
Standard input is used if the filename is '-'.
Files are expected to be in binary format, standard input uses hexadecimal text
format.
-=item B<-out filename>
+=item B<-out> I<filename>
Filename to output to, or standard output by default.
@@ -44,7 +44,7 @@ Filename to output to, or standard output by default.
Output the MAC in binary form. Uses hexadecimal text format if not specified.
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to the MAC algorithm.
A comprehensive list of controls can be found in the EVP_MAC implementation
diff --git a/doc/man1/openssl-nseq.pod b/doc/man1/openssl-nseq.pod
index 37ceae1b22..40f8f56591 100644
--- a/doc/man1/openssl-nseq.pod
+++ b/doc/man1/openssl-nseq.pod
@@ -8,8 +8,8 @@ openssl-nseq - create or examine a Netscape certificate sequence
B<openssl> B<nseq>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-toseq>]
=head1 DESCRIPTION
@@ -27,12 +27,12 @@ sequence.
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename or standard output by default.
diff --git a/doc/man1/openssl-ocsp.pod b/doc/man1/openssl-ocsp.pod
index d5bc2f75da..f2a0e49c08 100644
--- a/doc/man1/openssl-ocsp.pod
+++ b/doc/man1/openssl-ocsp.pod
@@ -8,33 +8,33 @@ openssl-ocsp - Online Certificate Status Protocol utility
B<openssl> B<ocsp>
[B<-help>]
-[B<-out file>]
-[B<-issuer file>]
-[B<-cert file>]
-[B<-serial n>]
-[B<-signer file>]
-[B<-signkey file>]
-[B<-sign_other file>]
+[B<-out> I<file>]
+[B<-issuer> I<file>]
+[B<-cert> I<file>]
+[B<-serial> I<n>]
+[B<-signer> I<file>]
+[B<-signkey> I<file>]
+[B<-sign_other> I<file>]
[B<-no_certs>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
-[B<-reqout file>]
-[B<-respout file>]
-[B<-reqin file>]
-[B<-respin file>]
+[B<-reqout> I<file>]
+[B<-respout> I<file>]
+[B<-reqin> I<file>]
+[B<-respin> I<file>]
[B<-nonce>]
[B<-no_nonce>]
-[B<-url URL>]
-[B<-host host:port>]
-[B<-multi process-count>]
+[B<-url> I<URL>]
+[B<-host> I<host:port>]
+[B<-multi> I<process-count>]
[B<-header>]
[B<-path>]
-[B<-CApath dir>]
-[B<-CAfile file>]
+[B<-CApath> I<dir>]
+[B<-CAfile> I<file>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
@@ -45,28 +45,28 @@ B<openssl> B<ocsp>
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-VAfile file>]
-[B<-validity_period n>]
-[B<-status_age n>]
+[B<-VAfile> I<file>]
+[B<-validity_period> I<n>]
+[B<-status_age> I<n>]
[B<-noverify>]
-[B<-verify_other file>]
+[B<-verify_other> I<file>]
[B<-trust_other>]
[B<-no_intern>]
[B<-no_signature_verify>]
@@ -74,21 +74,21 @@ B<openssl> B<ocsp>
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
-[B<-port num>]
+[B<-port> I<num>]
[B<-ignore_err>]
-[B<-index file>]
-[B<-CA file>]
-[B<-rsigner file>]
-[B<-rkey file>]
-[B<-rother file>]
-[B<-rsigopt nm:v>]
+[B<-index> I<file>]
+[B<-CA> I<file>]
+[B<-rsigner> I<file>]
+[B<-rkey> I<file>]
+[B<-rother> I<file>]
+[B<-rsigopt> I<nm>:I<v>]
[B<-resp_no_certs>]
-[B<-nmin n>]
-[B<-ndays n>]
+[B<-nmin> I<n>]
+[B<-ndays> I<n>]
[B<-resp_key_id>]
-[B<-nrequest n>]
-[B<-rcid I<digest>>]
-[B<-I<digest>>]
+[B<-nrequest> I<n>]
+[B<-rcid> I<digest>]
+[B<->I<digest>]
=head1 DESCRIPTION
@@ -112,30 +112,30 @@ The options are described below, divided into those two modes.
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
specify output filename, default is standard output.
-=item B<-issuer filename>
+=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.
-=item B<-cert filename>
+=item B<-cert> I<filename>
Add the certificate B<filename> to the request. The issuer certificate
is taken from the previous B<issuer> option, or an error occurs if no
issuer certificate is specified.
-=item B<-serial num>
+=item B<-serial> I<num>
Same as the B<cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value by a B<-> sign.
-=item B<-signer filename>, B<-signkey filename>
+=item B<-signer> I<filename>, B<-signkey> I<filename>
Sign the OCSP request using the certificate specified in the B<signer>
option and the private key specified by the B<signkey> option. If
@@ -143,7 +143,7 @@ the B<signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
-=item B<-sign_other filename>
+=item B<-sign_other> I<filename>
Additional certificates to include in the signed request.
@@ -159,34 +159,34 @@ a nonce is automatically added specifying B<no_nonce> overrides this.
Print out the text form of the OCSP request, response or both respectively.
-=item B<-reqout file>, B<-respout file>
+=item B<-reqout> I<file>, B<-respout> I<file>
Write out the DER encoded certificate request or response to B<file>.
-=item B<-reqin file>, B<-respin file>
+=item B<-reqin> I<file>, B<-respin> I<file>
Read OCSP request or response file from B<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
-=item B<-url responder_url>
+=item B<-url> I<responder_url>
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
-=item B<-host hostname:port>, B<-path pathname>
+=item B<-host> I<hostname:port>, B<-path> I<pathname>
If the B<host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
-=item B<-header name=value>
+=item B<-header> I<name=value>
Adds the header B<name> with the specified B<value> to the OCSP request
that is sent to the responder.
This may be repeated.
-=item B<-timeout seconds>
+=item B<-timeout> I<seconds>
Connection timeout to the OCSP responder in seconds.
On POSIX systems, when running as an OCSP responder, this option also limits
@@ -194,7 +194,7 @@ the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.
-=item B<-multi process-count>
+=item B<-multi> I<process-count>
Run the specified number of OCSP responder child processes, with the parent
process respawning child processes as needed.
@@ -205,7 +205,7 @@ each child is willing to wait for the client's OCSP response.
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).
-=item B<-CAfile file>, B<-CApath pathname>
+=item B<-CAfile> I<file>, B<-CApath> I<pathname>
File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
@@ -229,7 +229,7 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
See L<verify(1)> manual page for details.
-=item B<-verify_other file>
+=item B<-verify_other> I<file>
File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
@@ -243,7 +243,7 @@ trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
-=item B<-VAfile file>
+=item B<-VAfile> I<file>
File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.
@@ -288,7 +288,7 @@ That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
-=item B<-validity_period nsec>, B<-status_age age>
+=item B<-validity_period> I<nsec>, B<-status_age> I<age>
These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<notBefore>
@@ -304,13 +304,13 @@ status information is immediately available. In this case the age of the
B<notBefore> field is checked to see it is not older than B<age> seconds old.
By default this additional check is not performed.
-=item B<-rcid I<digest>>
+=item B<-rcid> I<digest>
This option sets the digest algorithm to use for certificate identification
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.
-=item B<-I<digest>>
+=item B<->I<digest>
This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
@@ -323,7 +323,7 @@ digest used by subsequent certificate identifiers.
=over 4
-=item B<-index indexfile>
+=item B<-index> I<indexfile>
The B<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
@@ -337,15 +337,15 @@ or via external OCSP clients (if B<port> or B<url> is specified).
If the B<index> option is present then the B<CA> and B<rsigner> options
must also be present.
-=item B<-CA file>
+=item B<-CA> I<file>
CA certificate corresponding to the revocation information in B<indexfile>.
-=item B<-rsigner file>
+=item B<-rsigner> I<file>
The certificate to sign OCSP responses with.
-=item B<-rother file>
+=item B<-rother> I<file>
Additional certificates to include in the OCSP response.
@@ -358,17 +358,17 @@ Don't include any certificates in the OCSP response.
Identify the signer certificate using the key ID, default is to use the
subject name.
-=item B<-rkey file>
+=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
-=item B<-rsigopt nm:v>
+=item B<-rsigopt> I<nm>:I<v>
Pass options to the signature algorithm when signing OCSP responses.
Names and values of these options are algorithm-specific.
-=item B<-port portnum>
+=item B<-port> I<portnum>
Port to listen for OCSP requests on. The port may also be specified
using the B<url> option.
@@ -379,11 +379,11 @@ Ignore malformed requests or responses: When acting as an OCSP client, retry if
a malformed response is received. When acting as an OCSP responder, continue
running instead of terminating upon receiving a malformed request.
-=item B<-nrequest number>
+=item B<-nrequest> I<number>
The OCSP server will exit after receiving B<number> requests, default unlimited.
-=item B<-nmin minutes>, B<-ndays days>
+=item B<-nmin> I<minutes>, B<-ndays> I<days>
Number of minutes or days when fresh revocation information is available:
used in the B<nextUpdate> field. If neither option is present then the
diff --git a/doc/man1/openssl-passwd.pod b/doc/man1/openssl-passwd.pod
index d2dc63dcd6..da4c73cf1c 100644
--- a/doc/man1/openssl-passwd.pod
+++ b/doc/man1/openssl-passwd.pod
@@ -20,15 +20,15 @@ B<openssl passwd>
[B<-noverify>]
[B<-quiet>]
[B<-table>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
{I<password>}
=head1 DESCRIPTION
The B<passwd> command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
-taken from the named file for option B<-in file>, from stdin for
+taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
The Unix standard algorithm B<crypt> and the MD5-based BSD password
algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
@@ -90,7 +90,7 @@ Don't output warnings when passwords given at the command line are truncated.
In the output list, prepend the cleartext password and a TAB character
to each password hash.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -98,7 +98,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
diff --git a/doc/man1/openssl-pkcs12.pod b/doc/man1/openssl-pkcs12.pod
index b7233920b6..44052d130d 100644
--- a/doc/man1/openssl-pkcs12.pod
+++ b/doc/man1/openssl-pkcs12.pod
@@ -10,12 +10,12 @@ B<openssl> B<pkcs12>
[B<-help>]
[B<-export>]
[B<-chain>]
-[B<-inkey file_or_id>]
-[B<-certfile filename>]
-[B<-name name>]
-[B<-caname name>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inkey> I<file_or_id>]
+[B<-certfile> I<filename>]
+[B<-name> I<name>]
+[B<-caname> I<name>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-nomacver>]
[B<-nocerts>]
@@ -23,26 +23,26 @@ B<openssl> B<pkcs12>
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
-[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -aria128 | -aria192 | -aria256 | -camellia128 | -camellia192 | -camellia256 | -nodes>]
+[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
[B<-noiter>]
-[B<-maciter | -nomaciter | -nomac>]
+[B<-maciter> | B<-nomaciter> | B<-nomac>]
[B<-twopass>]
[B<-descert>]
-[B<-certpbe cipher>]
-[B<-keypbe cipher>]
-[B<-macalg digest>]
+[B<-certpbe> I<cipher>]
+[B<-keypbe> I<cipher>]
+[B<-macalg> I<digest>]
[B<-keyex>]
[B<-keysig>]
-[B<-password arg>]
-[B<-passin arg>]
-[B<-passout arg>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-password> I<arg>]
+[B<-passin> I<arg>]
+[B<-passout> I<arg>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-CSP name>]
+[B<-CSP> I<name>]
=head1 DESCRIPTION
@@ -64,29 +64,29 @@ file can be created by using the B<-export> option (see below).
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
by default.
-=item B<-out filename>
+=item B<-out> I<filename>
The filename to write certificates and private keys to, standard output by
default. They are all written in PEM format.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The PKCS#12 file (i.e. input file) password source. For more information about
-the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+the format of B<arg>
+see L<openssl(1)/Pass phrase options>.
-=item B<-passout arg>
+=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
-=item B<-password arg>
+=item B<-password> I<arg>
With -export, -password is equivalent to -passout.
Otherwise, -password is equivalent to -passin.
@@ -167,48 +167,48 @@ PKCS#12 files unreadable. Cannot be used in combination with the options
This option specifies that a PKCS#12 file will be created rather than
parsed.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies filename to write the PKCS#12 file to. Standard output is used
by default.
-=item B<-in filename>
+=item B<-in> I<filename>
The filename to read certificates and private keys from, standard input by
default. They must all be in PEM format. The order doesn't matter but one
private key and its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 file.
-=item B<-inkey file_or_id>
+=item B<-inkey> I<file_or_id>
File to read private key from. If not present then a private key must be present
in the input file.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-name friendlyname>
+=item B<-name> I<friendlyname>
This specifies the "friendly name" for the certificate and private key. This
name is typically displayed in list boxes by software importing the file.
-=item B<-certfile filename>
+=item B<-certfile> I<filename>
A filename to read additional certificates from.
-=item B<-caname friendlyname>
+=item B<-caname> I<friendlyname>
This specifies the "friendly name" for other certificates. This option may be
used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
-=item B<-pass arg>, B<-passout arg>
+=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
-=item B<-passin password>
+=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@@ -227,7 +227,7 @@ file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2
unless RC2 is disabled in which case triple DES is used.
-=item B<-keypbe alg>, B<-certpbe alg>
+=item B<-keypbe> I<alg>, B<-certpbe> I<alg>
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
@@ -236,7 +236,7 @@ can be used (see B<NOTES> section for more information). If a cipher name
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
-=item B<-keyex|-keysig>
+=item B<-keyex>|B<-keysig>
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by MSIE and similar MS software. Normally
@@ -247,7 +247,7 @@ S/MIME signing, authenticode (ActiveX control signing) and SSL client
authentication, however due to a bug only MSIE 5.0 and later support
the use of signing only keys for SSL client authentication.
-=item B<-macalg digest>
+=item B<-macalg> I<digest>
Specify the MAC digest algorithm. If not included them SHA1 will be used.
@@ -278,7 +278,7 @@ to be needed to use MAC iterations counts but they are now used by default.
Don't attempt to provide the MAC integrity.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -286,16 +286,16 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
CA storage as a file.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
CA storage as a directory. This directory must be a standard certificate
directory: that is a hash of each subject name (using B<x509 -hash>) should be
@@ -309,7 +309,7 @@ Do not load the trusted CA certificates from the default file location.
Do not load the trusted CA certificates from the default directory location.
-=item B<-CSP name>
+=item B<-CSP> I<name>
Write B<name> as a Microsoft CSP name.
@@ -330,12 +330,12 @@ file is the one corresponding to the private key: this may not always
be the case. Using the B<-clcerts> option will solve this problem by only
outputting the certificate corresponding to the private key. If the CA
certificates are required then they can be output to a separate file using
-the B<-nokeys -cacerts> options to just output CA certificates.
+the B<-nokeys> B<-cacerts> options to just output CA certificates.
The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple DES
-encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
+encrypted private keys, then the option B<-keypbe> I<PBE-SHA1-RC2-40> can
be used to reduce the private key encryption to 40 bit RC2. A complete
description of all algorithms is contained in the B<pkcs8> manual page.
diff --git a/doc/man1/openssl-pkcs7.pod b/doc/man1/openssl-pkcs7.pod
index ef0655af42..f02a1cc298 100644
--- a/doc/man1/openssl-pkcs7.pod
+++ b/doc/man1/openssl-pkcs7.pod
@@ -8,14 +8,14 @@ openssl-pkcs7 - PKCS#7 utility
B<openssl> B<pkcs7>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-print_certs>]
[B<-text>]
[B<-noout>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -29,23 +29,23 @@ The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded PKCS#7
v1.5 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
@@ -65,7 +65,7 @@ issuer names.
Don't output the encoded version of the PKCS#7 structure (or certificates
is B<-print_certs> is set).
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-pkcs8.pod b/doc/man1/openssl-pkcs8.pod
index 9b63694907..1004a2d766 100644
--- a/doc/man1/openssl-pkcs8.pod
+++ b/doc/man1/openssl-pkcs8.pod
@@ -9,26 +9,26 @@ openssl-pkcs8 - PKCS#8 format private key conversion tool
B<openssl> B<pkcs8>
[B<-help>]
[B<-topk8>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
-[B<-iter count>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-iter> I<count>]
[B<-noiter>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-nocrypt>]
[B<-traditional>]
[B<-v2 alg>]
[B<-v2prf alg>]
[B<-v1 alg>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-scrypt>]
-[B<-scrypt_N N>]
-[B<-scrypt_r r>]
-[B<-scrypt_p p>]
+[B<-scrypt_N> I<N>]
+[B<-scrypt_r> I<r>]
+[B<-scrypt_p> I<p>]
=head1 DESCRIPTION
@@ -50,12 +50,12 @@ Normally a PKCS#8 private key is expected on input and a private key will be
written to the output file. With the B<-topk8> option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format: see L<KEY FORMATS> for more details. The default
format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format: see L<KEY FORMATS> for more details. The default
format is PEM.
@@ -65,30 +65,30 @@ format is PEM.
When this option is present and B<-topk8> is not a traditional format private
key is written.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
default. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-iter count>
+=item B<-iter> I<count>
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
@@ -103,7 +103,7 @@ This option does not encrypt private keys at all and should only be used
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -111,7 +111,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
@@ -139,7 +139,7 @@ This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
@@ -153,7 +153,7 @@ parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
B<-scrypt_p> and B<-v2> options.
-=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
+=item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
Sets the scrypt B<N>, B<r> or B<p> parameters.
diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod
index c6d1ae7143..161eef40ee 100644
--- a/doc/man1/openssl-pkey.pod
+++ b/doc/man1/openssl-pkey.pod
@@ -8,20 +8,20 @@ openssl-pkey - public or private key processing tool
B<openssl> B<pkey>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-traditional>]
-[B<-I<cipher>>]
+[B<->I<cipher>]
[B<-text>]
[B<-text_pub>]
[B<-noout>]
[B<-pubin>]
[B<-pubout>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-check>]
[B<-pubcheck>]
@@ -38,34 +38,34 @@ between various forms and their components printed out.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format DER or PEM. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
+=item B<-passout> I<password>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
@@ -76,7 +76,7 @@ Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
-=item B<-I<cipher>>
+=item B<->I<cipher>
These options encrypt the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
@@ -105,7 +105,7 @@ By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-pkeyparam.pod b/doc/man1/openssl-pkeyparam.pod
index 4ebb24118a..c1d2911d2b 100644
--- a/doc/man1/openssl-pkeyparam.pod
+++ b/doc/man1/openssl-pkeyparam.pod
@@ -8,11 +8,11 @@ openssl-pkeyparam - public key algorithm parameter processing tool
B<openssl> B<pkeyparam>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-text>]
[B<-noout>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-check>]
=head1 DESCRIPTION
@@ -28,12 +28,12 @@ They can be checked for correctness and their components printed out.
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write parameters to or standard output if
this option is not specified.
@@ -46,7 +46,7 @@ Prints out the parameters in plain text in addition to the encoded version.
Do not output the encoded version of the parameters.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-pkeyutl.pod b/doc/man1/openssl-pkeyutl.pod
index e4a0d2c11f..a99f3dcc07 100644
--- a/doc/man1/openssl-pkeyutl.pod
+++ b/doc/man1/openssl-pkeyutl.pod
@@ -8,16 +8,16 @@ openssl-pkeyutl - public key algorithm utility
B<openssl> B<pkeyutl>
[B<-help>]
-[B<-in file>]
+[B<-in> I<file>]
[B<-rawin>]
-[B<-digest algorithm>]
-[B<-out file>]
-[B<-sigfile file>]
-[B<-inkey file>]
-[B<-keyform PEM|DER|ENGINE>]
-[B<-passin arg>]
-[B<-peerkey file>]
-[B<-peerform PEM|DER|ENGINE>]
+[B<-digest> I<algorithm>]
+[B<-out> I<file>]
+[B<-sigfile> I<file>]
+[B<-inkey> I<file>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-passin> I<arg>]
+[B<-peerkey> I<file>]
+[B<-peerform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-rev>]
@@ -27,15 +27,15 @@ B<openssl> B<pkeyutl>
[B<-encrypt>]
[B<-decrypt>]
[B<-derive>]
-[B<-kdf algorithm>]
-[B<-kdflen length>]
-[B<-pkeyopt opt:value>]
-[B<-pkeyopt_passin opt:passarg>]
+[B<-kdf> I<algorithm>]
+[B<-kdflen> I<length>]
+[B<-pkeyopt> I<opt:value>]
+[B<-pkeyopt_passin> I<opt:passarg>]
[B<-hexdump>]
[B<-asn1parse>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-engine_impl>]
=head1 DESCRIPTION
@@ -51,7 +51,7 @@ using any supported algorithm.
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read data from or standard input
if this option is not specified.
@@ -63,7 +63,7 @@ message digest algorithm. The user can specify a digest algorithm by using
the B<-digest> option. This option can only be used with B<-sign> and
B<-verify> and must be used with the Ed25519 and Ed448 algorithms.
-=item B<-digest algorithm>
+=item B<-digest> I<algorithm>
This specifies the digest algorithm which is used to hash the input data before
signing or verifying it with the input key. This option could be omitted if the
@@ -73,33 +73,33 @@ used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
default digest algorithm. For SM2, it will be SM3. If this option is present,
then the B<-rawin> option must be also specified to B<pkeyutl>.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-sigfile file>
+=item B<-sigfile> I<file>
Signature file, required for B<verify> operations only
-=item B<-inkey file>
+=item B<-inkey> I<file>
The input key file, by default it should be a private key.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE. Default is PEM.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-peerkey file>
+=item B<-peerkey> I<file>
The peer key file, used by key derivation (agreement) operations.
-=item B<-peerform PEM|DER|ENGINE>
+=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
The peer key format PEM, DER or ENGINE. Default is PEM.
@@ -142,7 +142,7 @@ Decrypt the input data using a private key.
Derive a shared secret using the peer key.
-=item B<-kdf algorithm>
+=item B<-kdf> I<algorithm>
Use key derivation function B<algorithm>. The supported algorithms are
at present B<TLS1-PRF> and B<HKDF>.
@@ -151,15 +151,15 @@ set for this to work.
See L<EVP_PKEY_CTX_set_hkdf_md(3)> and L<EVP_PKEY_CTX_set_tls1_prf_md(3)>
for the supported string parameters of each algorithm.
-=item B<-kdflen length>
+=item B<-kdflen> I<length>
Set the output length for KDF.
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Public key options specified as opt:value. See NOTES below for more details.
-=item B<-pkeyopt_passin opt:passarg>
+=item B<-pkeyopt_passin> I<opt:passarg>
Allows reading a public key option B<opt> from stdin or a password source. If
only opt is specified, the user will be prompted to enter the value on stdin.
@@ -175,7 +175,7 @@ hex dump the output data.
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -183,12 +183,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-prime.pod b/doc/man1/openssl-prime.pod
index 068cf34405..618af6ae1a 100644
--- a/doc/man1/openssl-prime.pod
+++ b/doc/man1/openssl-prime.pod
@@ -10,9 +10,9 @@ B<openssl prime>
[B<-help>]
[B<-hex>]
[B<-generate>]
-[B<-bits>]
+[B<-bits> I<num>]
[B<-safe>]
-[B<-checks>]
+[B<-checks> I<num>]
[I<number...>]
=head1 DESCRIPTION
@@ -27,28 +27,28 @@ rest of the flags.
=over 4
-=item [B<-help>]
+=item B<-help>
Display an option summary.
-=item [B<-hex>]
+=item B<-hex>
Generate hex output.
-=item [B<-generate>]
+=item B<-generate>
Generate a prime number.
-=item [B<-bits num>]
+=item B<-bits> I<num>
Generate a prime with B<num> bits.
-=item [B<-safe>]
+=item B<-safe>
When used with B<-generate>, generates a "safe" prime. If the number
generated is B<n>, then check that B<(n-1)/2> is also prime.
-=item [B<-checks num>]
+=item B<-checks> I<num>
Perform the checks B<num> times to see that the generated number
is prime. The default is 20.
diff --git a/doc/man1/openssl-rand.pod b/doc/man1/openssl-rand.pod
index 7d431e0e4f..2595bc65d2 100644
--- a/doc/man1/openssl-rand.pod
+++ b/doc/man1/openssl-rand.pod
@@ -9,8 +9,8 @@ openssl-rand - generate pseudo-random bytes
B<openssl rand>
[B<-help>]
[B<-out> I<file>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-base64>]
[B<-hex>]
I<num>
@@ -32,11 +32,11 @@ seeding was obtained from these sources.
Print out a usage message.
-=item B<-out file>
+=item B<-out> I<file>
Write to I<file> instead of standard output.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -44,7 +44,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
diff --git a/doc/man1/openssl-rehash.pod b/doc/man1/openssl-rehash.pod
index d68b32c9cc..5dbb15de74 100644
--- a/doc/man1/openssl-rehash.pod
+++ b/doc/man1/openssl-rehash.pod
@@ -11,12 +11,12 @@ openssl-c_rehash - Create symbolic links to files named by the hash values
B<openssl>
B<rehash>
-B<[-h]>
-B<[-help]>
-B<[-old]>
-B<[-n]>
-B<[-v]>
-[ I<directory>...]
+[B<-h>]
+[B<-help>]
+[B<-old>]
+[B<-n>]
+[B<-v>]
+[I<directory>...]
B<c_rehash>
I<flags...>
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod
index 7453d5e7e9..5a4cf2703e 100644
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
@@ -8,49 +8,49 @@ openssl-req - PKCS#10 certificate request and certificate generating utility
B<openssl> B<req>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-text>]
[B<-pubkey>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-new>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-newkey rsa:bits>]
-[B<-newkey alg:file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-newkey> I<rsa:bits>]
+[B<-newkey> I<alg:file>]
[B<-nodes>]
-[B<-key filename>]
-[B<-keyform PEM|DER>]
-[B<-keyout filename>]
-[B<-keygen_engine id>]
-[B<-I<digest>>]
-[B<-config filename>]
+[B<-key> I<filename>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-keyout> I<filename>]
+[B<-keygen_engine> I<id>]
+[B<-> I<digest>]
+[B<-config> I<filename>]
[B<-multivalue-rdn>]
[B<-x509>]
-[B<-days n>]
-[B<-set_serial n>]
+[B<-days> I<n>]
+[B<-set_serial> I<n>]
[B<-newhdr>]
-[B<-addext ext>]
-[B<-extensions section>]
-[B<-reqexts section>]
+[B<-addext> I<ext>]
+[B<-extensions> I<section>]
+[B<-reqexts> I<section>]
[B<-precert>]
[B<-utf8>]
[B<-nameopt>]
[B<-reqopt>]
[B<-subject>]
-[B<-subj arg>]
-[B<-sigopt nm:v>]
+[B<-subj> I<arg>]
+[B<-sigopt> I<nm>:I<v>]
[B<-batch>]
[B<-verbose>]
-[B<-engine id>]
-[B<-sm2-id string>]
-[B<-sm2-hex-id hex-string>]
+[B<-engine> I<id>]
+[B<-sm2-id> I<string>]
+[B<-sm2-hex-id> I<hex-string>]
=head1 DESCRIPTION
@@ -66,40 +66,40 @@ for use as root CAs for example.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#10. The B<PEM> form is the default format: it
consists of the B<DER> format base64 encoded with additional header and
footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
@@ -140,7 +140,7 @@ in the configuration file and any requested extensions.
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -148,20 +148,20 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-newkey arg>
+=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
+in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
the default key size, specified in the configuration file is used.
-All other algorithms support the B<-newkey alg:file> form, where file may be
+All other algorithms support the B<-newkey> I<alg:file> form, where file may be
an algorithm parameter file, created by the B<genpkey -genparam> command
or and X.509 certificate for a key with appropriate algorithm.
@@ -176,27 +176,27 @@ in the file B<filename>. B<ec:filename> generates EC key (usable both with
ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
34.10-2001 key (requires B<ccgost> engine configured in the configuration
file). If just B<gost2001> is specified a parameter set should be
-specified by B<-pkeyopt paramset:X>
+specified by B<-pkeyopt> I<paramset:X>
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
-=item B<-key filename>
+=item B<-key> I<filename>
This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for PEM format files.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
The format of the private key file specified in the B<-key>
argument. PEM is the default.
-=item B<-keyout filename>
+=item B<-keyout> I<filename>
This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
@@ -207,7 +207,7 @@ configuration file is used.
If this option is specified then if a private key is created it
will not be encrypted.
-=item B<-I<digest>>
+=item B<->I<digest>
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
@@ -218,13 +218,13 @@ Some public key algorithms may override this choice. For instance, DSA
signatures always use SHA1, GOST R 34.10 signatures always use
GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
-=item B<-config filename>
+=item B<-config> I<filename>
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-subj arg>
+=item B<-subj> I<arg>
Sets subject name for new request or supersedes the subject name
when processing a request.
@@ -254,18 +254,18 @@ the serial number.
If existing request is specified with the B<-in> option, it is converted
to the self signed certificate otherwise new request is created.
-=item B<-days n>
+=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
days to certify the certificate for, otherwise it is ignored. B<n> should
be a positive integer. The default is 30 days.
-=item B<-set_serial n>
+=item B<-set_serial> I<n>
Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by B<0x>.
-=item B<-addext ext>
+=item B<-addext> I<ext>
Add a specific extension to the certificate (if the B<-x509> option is
present) or certificate request. The argument must have the form of
@@ -273,9 +273,9 @@ a key=value pair as it would appear in a config file.
This option can be given multiple times.
-=item B<-extensions section>
+=item B<-extensions> I<section>
-=item B<-reqexts section>
+=item B<-reqexts> I<section>
These options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
@@ -300,7 +300,7 @@ default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
@@ -328,14 +328,14 @@ Non-interactive mode.
Print extra details about the operations being performed.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-keygen_engine id>
+=item B<-keygen_engine> I<id>
Specifies an engine (by its unique B<id> string) which would be used
for key generation operations.
diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod
index 2b271fc6d0..cc129e46c9 100644
--- a/doc/man1/openssl-rsa.pod
+++ b/doc/man1/openssl-rsa.pod
@@ -8,12 +8,12 @@ openssl-rsa - RSA key processing tool
B<openssl> B<rsa>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
@@ -34,7 +34,7 @@ B<openssl> B<rsa>
[B<-pubout>]
[B<-RSAPublicKey_in>]
[B<-RSAPublicKey_out>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -52,7 +52,7 @@ utility.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
@@ -60,30 +60,30 @@ The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
+=item B<-passout> I<password>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
@@ -130,7 +130,7 @@ the input is a public key.
Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-rsautl.pod b/doc/man1/openssl-rsautl.pod
index 5ab282d097..2d4fadc5b2 100644
--- a/doc/man1/openssl-rsautl.pod
+++ b/doc/man1/openssl-rsautl.pod
@@ -8,18 +8,18 @@ openssl-rsautl - RSA utility
B<openssl> B<rsautl>
[B<-help>]
-[B<-in file>]
-[B<-out file>]
-[B<-inkey file>]
-[B<-keyform PEM|DER|ENGINE>]
+[B<-in> I<file>]
+[B<-out> I<file>]
+[B<-inkey> I<file>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-sign>]
[B<-verify>]
[B<-encrypt>]
[B<-decrypt>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-pkcs>]
[B<-ssl>]
[B<-raw>]
@@ -39,21 +39,21 @@ data using the RSA algorithm.
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read data from or standard input
if this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-inkey file>
+=item B<-inkey> I<file>
The input key file, by default it should be an RSA private key.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE.
@@ -82,7 +82,7 @@ Encrypt the input data using an RSA public key.
Decrypt the input data using an RSA private key.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -90,7 +90,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
diff --git a/doc/man1/openssl-s_client.pod b/doc/man1/openssl-s_client.pod
index 61d95244c3..4e8fdfb0d5 100644
--- a/doc/man1/openssl-s_client.pod
+++ b/doc/man1/openssl-s_client.pod
@@ -8,42 +8,42 @@ openssl-s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-help>]
-[B<-connect host:port>]
-[B<-bind host:port>]
-[B<-proxy host:port>]
-[B<-proxy_user userid>]
-[B<-proxy_pass arg>]
-[B<-unix path>]
+[B<-connect> I<host:port>]
+[B<-bind> I<host:port>]
+[B<-proxy> I<host:port>]
+[B<-proxy_user> I<userid>]
+[B<-proxy_pass> I<arg>]
+[B<-unix> I<path>]
[B<-4>]
[B<-6>]
-[B<-servername name>]
+[B<-servername> I<name>]
[B<-noservername>]
-[B<-verify depth>]
+[B<-verify> I<depth>]
[B<-verify_return_error>]
-[B<-cert filename>]
-[B<-certform DER|PEM>]
-[B<-key filename>]
-[B<-keyform DER|PEM>]
-[B<-cert_chain filename>]
+[B<-cert> I<filename>]
+[B<-certform> B<DER>|B<PEM>]
+[B<-key> I<filename>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-cert_chain> I<filename>]
[B<-build_chain>]
[B<-xkey>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
-[B<-xcertform PEM|DER>]
-[B<-xkeyform PEM|DER>]
-[B<-pass arg>]
-[B<-CApath directory>]
-[B<-CAfile filename>]
-[B<-chainCApath directory>]
-[B<-chainCAfile filename>]
+[B<-xcertform> B<DER>|B<PEM>]
+[B<-xkeyform> B<DER>|B<PEM>]
+[B<-pass> I<arg>]
+[B<-CApath> I<directory>]
+[B<-CAfile> I<filename>]
+[B<-chainCApath> I<directory>]
+[B<-chainCAfile> I<filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-requestCAfile filename>]
-[B<-dane_tlsa_domain domain>]
-[B<-dane_tlsa_rrdata rrdata>]
+[B<-requestCAfile> I<filename>]
+[B<-dane_tlsa_domain> I<domain>]
+[B<-dane_tlsa_rrdata> I<rrdata>]
[B<-dane_ee_no_namechecks>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
@@ -54,23 +54,23 @@ B<openssl> B<s_client>
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-nameopt option>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-nameopt> I<option>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-build_chain>]
[B<-x509_strict>]
[B<-reconnect>]
@@ -83,9 +83,9 @@ B<openssl> B<s_client>
[B<-crlf>]
[B<-ign_eof>]
[B<-no_ign_eof>]
-[B<-psk_identity identity>]
-[B<-psk key>]
-[B<-psk_session file>]
+[B<-psk_identity> I<identity>]
+[B<-psk> I<key>]
+[B<-psk_session> I<file>]
[B<-quiet>]
[B<-ssl3>]
[B<-tls1>]
@@ -112,32 +112,32 @@ B<openssl> B<s_client>
[B<-comp>]
[B<-no_comp>]
[B<-allow_no_dhe_kex>]
-[B<-sigalgs sigalglist>]
-[B<-curves curvelist>]
-[B<-cipher cipherlist>]
-[B<-ciphersuites val>]
+[B<-sigalgs> I<sigalglist>]
+[B<-curves> I<curvelist>]
+[B<-cipher> I<cipherlist>]
+[B<-ciphersuites> I<val>]
[B<-serverpref>]
-[B<-starttls protocol>]
-[B<-xmpphost hostname>]
-[B<-name hostname>]
-[B<-engine id>]
+[B<-starttls> I<protocol>]
+[B<-xmpphost> I<hostname>]
+[B<-name> I<hostname>]
+[B<-engine> I<id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
-[B<-sess_out filename>]
-[B<-sess_in filename>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-serverinfo types>]
+[B<-sess_out> I<filename>]
+[B<-sess_in> I<filename>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-serverinfo> I<types>]
[B<-status>]
-[B<-alpn protocols>]
-[B<-nextprotoneg protocols>]
+[B<-alpn> I<protocols>]
+[B<-nextprotoneg> I<protocols>]
[B<-ct>]
[B<-noct>]
[B<-ctlogfile>]
-[B<-keylogfile file>]
-[B<-early_data file>]
+[B<-keylogfile> I<file>]
+[B<-early_data> I<file>]
[B<-enable_pha>]
-[B<target>]
+[I<host>:I<port>]
=head1 DESCRIPTION
@@ -158,26 +158,26 @@ manual page.
Print out a usage message.
-=item B<-connect host:port>
+=item B<-connect> I<host>:I<port>
This specifies the host and optional port to connect to. It is possible to
select the host and port using the optional target positional argument instead.
If neither this nor the target positional argument are specified then an attempt
is made to connect to the local host on port 4433.
-=item B<-bind host:port>]
+=item B<-bind> I<host:port>]
This specifies the host address and or port to bind as the source for the
connection. For Unix-domain sockets the port is ignored and the host is
used as the source socket address.
-=item B<-proxy host:port>
+=item B<-proxy> I<host:port>
When used with the B<-connect> flag, the program uses the host and port
specified with this flag and issues an HTTP CONNECT command to connect
to the desired server.
-=item B<-proxy_user userid>
+=item B<-proxy_user> I<userid>
When used with the B<-proxy> flag, the program will attempt to authenticate
with the specified proxy using basic (base64) authentication.
@@ -186,13 +186,13 @@ in easily reversible base64 encoding before any TLS/SSL session is established.
Therefore these credentials are easily recovered by anyone able to sniff/trace
the network. Use with caution.
-=item B<-proxy_pass arg>
+=item B<-proxy_pass> I<arg>
The proxy password source, used with the B<-proxy_user> flag.
-For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS>
-section in L<openssl(1)>.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass phrase options>.
-=item B<-unix path>
+=item B<-unix> I<path>
Connect over the specified Unix-domain socket.
@@ -204,7 +204,7 @@ Use IPv4 only.
Use IPv6 only.
-=item B<-servername name>
+=item B<-servername> I<name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
the given value.
@@ -225,21 +225,21 @@ Suppresses sending of the SNI (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the B<-servername> or
<-dane_tlsa_domain> options.
-=item B<-cert certname>
+=item B<-cert> I<certname>
The certificate to use, if one is requested by the server. The default is
not to use a certificate.
-=item B<-certform format>
+=item B<-certform> I<format>
The certificate format to use: DER or PEM. PEM is the default.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform format>
+=item B<-keyform> I<format>
The private format to use: DER or PEM. PEM is the default.
@@ -254,7 +254,7 @@ B<-cert> option.
Specify whether the application should build the certificate chain to be
provided to the server.
-=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
@@ -264,19 +264,19 @@ client.
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates provided via B<-xkey infile>,
-B<-xcert infile>, B<-xchain> options.
+provided to the server for the extra certificates provided via B<-xkey> I<infile>,
+B<-xcert> I<infile>, B<-xchain> options.
-=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
-=item B<-pass arg>
+=item B<-pass> I<arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-verify depth>
+=item B<-verify> I<depth>
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
@@ -289,30 +289,30 @@ will never fail due to a server certificate verify failure.
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
must be in "hash format", see L<verify(1)> for more information. These are
also used when building the client certificate chain.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
-=item B<-chainCApath directory>
+=item B<-chainCApath> I<directory>
The directory to use for building the chain provided to the server. This
directory must be in "hash format", see L<verify(1)> for more information.
-=item B<-chainCAfile file>
+=item B<-chainCAfile> I<file>
A file containing trusted certificates to use when attempting to build the
client certificate chain.
@@ -325,13 +325,13 @@ Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default directory location
-=item B<-requestCAfile file>
+=item B<-requestCAfile> I<file>
A file containing a list of certificates whose subject names will be sent
to the server in the B<certificate_authorities> extension. Only supported
for TLS 1.3
-=item B<-dane_tlsa_domain domain>
+=item B<-dane_tlsa_domain> I<domain>
Enable RFC6698/RFC7671 DANE TLSA authentication and specify the
TLSA base domain which becomes the default SNI hint and the primary
@@ -347,7 +347,7 @@ certificate of the chain, the result is reported as "TA public key
verified". Otherwise, either the TLSA record "matched TA certificate"
at a positive depth or else "matched EE certificate" at depth 0.
-=item B<-dane_tlsa_rrdata rrdata>
+=item B<-dane_tlsa_rrdata> I<rrdata>
Use one or more times to specify the RRDATA fields of the DANE TLSA
RRset associated with the target service. The B<rrdata> value is
@@ -469,19 +469,19 @@ turns on B<-ign_eof> as well.
Shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
-=item B<-psk_identity identity>
+=item B<-psk_identity> I<identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
The default value is "Client_identity" (without the quotes).
-=item B<-psk key>
+=item B<-psk> I<key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-psk_session file>
+=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
@@ -528,12 +528,12 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
-=item B<-max_send_frag int>
+=item B<-max_send_frag> I<int>
The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.
-=item B<-split_send_frag int>
+=item B<-split_send_frag> I<int>
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
@@ -542,14 +542,14 @@ a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
-=item B<-max_pipelines int>
+=item B<-max_pipelines> I<int>
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
-=item B<-read_buf int>
+=item B<-read_buf> I<int>
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
@@ -579,20 +579,20 @@ OpenSSL 1.1.0.
Only provide a brief summary of connection parameters instead of the
normal verbose output.
-=item B<-sigalgs sigalglist>
+=item B<-sigalgs> I<sigalglist>
Specifies the list of signature algorithms that are sent by the client.
The server selects one entry in the list based on its preferences.
For example strings, see L<SSL_CTX_set1_sigalgs(3)>
-=item B<-curves curvelist>
+=item B<-curves> I<curvelist>
Specifies the list of supported curves to be sent by the client. The curve is
ultimately selected by the server. For a list of all curves, use:
$ openssl ecparam -list_curves
-=item B<-cipher cipherlist>
+=item B<-cipher> I<cipherlist>
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
@@ -600,7 +600,7 @@ configured. Although the server determines which ciphersuite is used it should
take the first supported cipher in the list sent by the client. See the
B<ciphers> command for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
@@ -609,14 +609,14 @@ take the first supported cipher in the list sent by the client. See the
B<ciphers> command for more information. The format for this list is a simple
colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-starttls protocol>
+=item B<-starttls> I<protocol>
Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
-=item B<-xmpphost hostname>
+=item B<-xmpphost> I<hostname>
This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
specifies the host for the "to" attribute of the stream element.
@@ -625,7 +625,7 @@ will be used.
This option is an alias of the B<-name> option for "xmpp" and "xmpp-server".
-=item B<-name hostname>
+=item B<-name> I<hostname>
This option is used to specify hostname information for various protocols
used with B<-starttls> option. Currently only "xmpp", "xmpp-server",
@@ -647,23 +647,23 @@ Print out a hex dump of any TLS extensions received from the server.
Disable RFC4507bis session ticket support.
-=item B<-sess_out filename>
+=item B<-sess_out> I<filename>
Output SSL session to B<filename>.
-=item B<-sess_in sess.pem>
+=item B<-sess_in> I<sess.pem>
Load SSL session from B<filename>. The client will attempt to resume a
connection from this session.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -671,12 +671,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-serverinfo types>
+=item B<-serverinfo> I<types>
A list of comma-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
@@ -688,7 +688,7 @@ file.
Sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.
-=item B<-alpn protocols>, B<-nextprotoneg protocols>
+=item B<-alpn> I<protocols>, B<-nextprotoneg> I<protocols>
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
@@ -717,12 +717,12 @@ for SCTs.
A file containing a list of known Certificate Transparency logs. See
L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
-=item B<-keylogfile file>
+=item B<-keylogfile> I<file>
Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.
-=item B<-early_data file>
+=item B<-early_data> I<file>
Reads the contents of the specified file and attempts to send it as early data
to the server. This will only work with resumed sessions that support early
@@ -733,12 +733,12 @@ data and when the server accepts the early data.
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via B<-cert>.
-=item B<[target]>
+=item I<host>:I<port>
Rather than providing B<-connect>, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
-nor B<-connect> are provided, falls back to attempting to connect to localhost
-on port 4433.
+nor B<-connect> are provided, falls back to attempting to connect to
+I<localhost> on port I<4433>.
=back
diff --git a/doc/man1/openssl-s_server.pod b/doc/man1/openssl-s_server.pod
index c3a0e7af59..0c7c3db8e1 100644
--- a/doc/man1/openssl-s_server.pod
+++ b/doc/man1/openssl-s_server.pod
@@ -8,36 +8,36 @@ openssl-s_server - SSL/TLS server program
B<openssl> B<s_server>
[B<-help>]
-[B<-port +int>]
-[B<-accept val>]
-[B<-unix val>]
+[B<-port> I<+int>]
+[B<-accept> I<val>]
+[B<-unix> I<val>]
[B<-4>]
[B<-6>]
[B<-unlink>]
-[B<-context val>]
-[B<-verify int>]
-[B<-Verify int>]
-[B<-cert infile>]
-[B<-nameopt val>]
-[B<-naccept +int>]
-[B<-serverinfo val>]
-[B<-certform PEM|DER>]
-[B<-key infile>]
-[B<-keyform format>]
-[B<-pass val>]
-[B<-dcert infile>]
-[B<-dcertform PEM|DER>]
-[B<-dkey infile>]
-[B<-dkeyform PEM|DER>]
-[B<-dpass val>]
+[B<-context> I<val>]
+[B<-verify> I<int>]
+[B<-Verify> I<int>]
+[B<-cert> I<infile>]
+[B<-nameopt> I<val>]
+[B<-naccept> I<+int>]
+[B<-serverinfo> I<val>]
+[B<-certform> B<DER>|B<PEM>]
+[B<-key> I<infile>]
+[B<-keyform> I<format>]
+[B<-pass> I<val>]
+[B<-dcert> I<infile>]
+[B<-dcertform> B<DER>|B<PEM>]
+[B<-dkey> I<infile>]
+[B<-dkeyform> B<DER>|B<PEM>]
+[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
[B<-debug>]
[B<-msg>]
-[B<-msgfile outfile>]
+[B<-msgfile> I<outfile>]
[B<-state>]
-[B<-CAfile infile>]
-[B<-CApath dir>]
+[B<-CAfile> I<infile>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-nocert>]
@@ -51,43 +51,43 @@ B<openssl> B<s_server>
[B<-key2 infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
-[B<-id_prefix val>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-keymatexport val>]
-[B<-keymatexportlen +int>]
-[B<-CRL infile>]
+[B<-id_prefix> I<val>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-keymatexport> I<val>]
+[B<-keymatexportlen> I<+int>]
+[B<-CRL> I<infile>]
[B<-crl_download>]
-[B<-cert_chain infile>]
-[B<-dcert_chain infile>]
-[B<-chainCApath dir>]
-[B<-verifyCApath dir>]
+[B<-cert_chain> I<infile>]
+[B<-dcert_chain> I<infile>]
+[B<-chainCApath> I<dir>]
+[B<-verifyCApath> I<dir>]
[B<-no_cache>]
[B<-ext_cache>]
-[B<-CRLform PEM|DER>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-build_chain>]
-[B<-chainCAfile infile>]
-[B<-verifyCAfile infile>]
+[B<-chainCAfile> I<infile>]
+[B<-verifyCAfile> I<infile>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-status>]
[B<-status_verbose>]
-[B<-status_timeout int>]
-[B<-status_url val>]
-[B<-status_file infile>]
+[B<-status_timeout> I<int>]
+[B<-status_url> I<val>]
+[B<-status_file> I<infile>]
[B<-trace>]
[B<-security_debug>]
[B<-security_debug_verbose>]
[B<-brief>]
[B<-rev>]
[B<-async>]
-[B<-ssl_config val>]
-[B<-max_send_frag +int>]
-[B<-split_send_frag +int>]
-[B<-max_pipelines +int>]
-[B<-read_buf +int>]
+[B<-ssl_config> I<val>]
+[B<-max_send_frag> I<+int>]
+[B<-split_send_frag> I<+int>]
+[B<-max_pipelines> I<+int>]
+[B<-read_buf> I<+int>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
@@ -107,24 +107,24 @@ B<openssl> B<s_server>
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-strict>]
-[B<-sigalgs val>]
-[B<-client_sigalgs val>]
-[B<-groups val>]
-[B<-curves val>]
-[B<-named_curve val>]
-[B<-cipher val>]
-[B<-ciphersuites val>]
-[B<-dhparam infile>]
-[B<-record_padding val>]
+[B<-sigalgs> I<val>]
+[B<-client_sigalgs> I<val>]
+[B<-groups> I<val>]
+[B<-curves> I<val>]
+[B<-named_curve> I<val>]
+[B<-cipher> I<val>]
+[B<-ciphersuites> I<val>]
+[B<-dhparam> I<infile>]
+[B<-record_padding> I<val>]
[B<-debug_broken_protocol>]
-[B<-policy val>]
-[B<-purpose val>]
-[B<-verify_name val>]
-[B<-verify_depth int>]
-[B<-auth_level int>]
-[B<-attime intmax>]
-[B<-verify_hostname val>]
-[B<-verify_email val>]
+[B<-policy> I<val>]
+[B<-purpose> I<val>]
+[B<-verify_name> I<val>]
+[B<-verify_depth> I<int>]
+[B<-auth_level> I<int>]
+[B<-attime> I<intmax>]
+[B<-verify_hostname> I<val>]
+[B<-verify_email> I<val>]
[B<-verify_ip>]
[B<-ignore_critical>]
[B<-issuer_checks>]
@@ -151,15 +151,15 @@ B<openssl> B<s_server>
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
-[B<-xcertform PEM|DER>]
-[B<-xkeyform PEM|DER>]
+[B<-xcertform> B<DER>|B<PEM>]
+[B<-xkeyform> B<DER>|B<PEM>]
[B<-nbio>]
-[B<-psk_identity val>]
-[B<-psk_hint val>]
-[B<-psk val>]
-[B<-psk_session file>]
-[B<-srpvfile infile>]
-[B<-srpuserseed val>]
+[B<-psk_identity> I<val>]
+[B<-psk_hint> I<val>]
+[B<-psk> I<val>]
+[B<-psk_session> I<file>]
+[B<-srpvfile> I<infile>]
+[B<-srpuserseed> I<val>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
@@ -167,19 +167,19 @@ B<openssl> B<s_server>
[B<-tls1_3>]
[B<-dtls>]
[B<-timeout>]
-[B<-mtu +int>]
+[B<-mtu> I<+int>]
[B<-listen>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
-[B<-nextprotoneg val>]
-[B<-use_srtp val>]
-[B<-alpn val>]
-[B<-engine val>]
-[B<-keylogfile outfile>]
-[B<-max_early_data int>]
+[B<-nextprotoneg> I<val>]
+[B<-use_srtp> I<val>]
+[B<-alpn> I<val>]
+[B<-engine> I<val>]
+[B<-keylogfile> I<outfile>]
+[B<-max_early_data> I<int>]
[B<-early_data>]
[B<-anti_replay>]
[B<-no_anti_replay>]
@@ -203,15 +203,15 @@ manual page.
Print out a usage message.
-=item B<-port +int>
+=item B<-port> I<+int>
The TCP port to listen on for connections. If not specified 4433 is used.
-=item B<-accept val>
+=item B<-accept> I<val>
The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
-=item B<-unix val>
+=item B<-unix> I<val>
Unix domain socket to accept on.
@@ -227,12 +227,12 @@ Use IPv6 only.
For -unix, unlink any existing socket first.
-=item B<-context val>
+=item B<-context> I<val>
Sets the SSL context id. It can be given any string value. If this option
is not present a default value will be used.
-=item B<-verify int>, B<-Verify int>
+=item B<-verify> I<int>, B<-Verify> I<int>
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
@@ -243,7 +243,7 @@ must supply a certificate or an error occurs.
If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.
-=item B<-cert infile>
+=item B<-cert> I<infile>
The certificate to use, most servers cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
@@ -261,19 +261,19 @@ B<-cert> option.
Specify whether the application should build the certificate chain to be
provided to the client.
-=item B<-nameopt val>
+=item B<-nameopt> I<val>
Option which determines how the subject or issuer names are displayed. The
B<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-naccept +int>
+=item B<-naccept> I<+int>
The server will exit after receiving the specified number of connections,
default unlimited.
-=item B<-serverinfo val>
+=item B<-serverinfo> I<val>
A file containing one or more blocks of PEM data. Each PEM block
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
@@ -281,25 +281,25 @@ followed by "length" bytes of extension data). If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
-=item B<-certform PEM|DER>
+=item B<-certform> B<DER>|B<PEM>
The certificate format to use: DER or PEM. PEM is the default.
-=item B<-key infile>
+=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform format>
+=item B<-keyform> I<format>
The private format to use: DER or PEM. PEM is the default.
-=item B<-pass val>
+=item B<-pass> I<val>
The private key password source. For more information about the format of B<val>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-dcert infile>, B<-dkey infile>
+=item B<-dcert> I<infile>, B<-dkey> I<infile>
Specify an additional certificate and private key, these behave in the
same manner as the B<-cert> and B<-key> options except there is no default
@@ -316,11 +316,11 @@ A file containing trusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val>
+=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>, B<-dpass> I<val>
Additional certificate and private key format and passphrase respectively.
-=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
@@ -330,10 +330,10 @@ the server.
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
-provided to the client for the extra certificates provided via B<-xkey infile>,
-B<-xcert infile>, B<-xchain> options.
+provided to the client for the extra certificates provided via B<-xkey> I<infile>,
+B<-xcert> I<infile>, B<-xchain> options.
-=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
@@ -353,7 +353,7 @@ Print extensive debugging information including a hex dump of all traffic.
Show all protocol messages with hex dump.
-=item B<-msgfile outfile>
+=item B<-msgfile> I<outfile>
File to send output of B<-msg> or B<-trace> to, default standard output.
@@ -361,25 +361,25 @@ File to send output of B<-msg> or B<-trace> to, default standard output.
Prints the SSL session states.
-=item B<-CAfile infile>
+=item B<-CAfile> I<infile>
A file containing trusted certificates to use during client authentication
and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
The directory to use for client certificate verification. This directory
must be in "hash format", see L<verify(1)> for more information. These are
also used when building the server certificate chain.
-=item B<-chainCApath dir>
+=item B<-chainCApath> I<dir>
The directory to use for building the chain provided to the client. This
directory must be in "hash format", see L<verify(1)> for more information.
-=item B<-chainCAfile file>
+=item B<-chainCAfile> I<file>
A file containing trusted certificates to use when attempting to build the
server certificate chain.
@@ -429,14 +429,14 @@ assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
-=item B<-id_prefix val>
+=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -444,7 +444,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
@@ -464,17 +464,17 @@ Enables certificate status request support (aka OCSP stapling).
Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.
-=item B<-status_timeout int>
+=item B<-status_timeout> I<int>
Sets the timeout for OCSP response to B<int> seconds.
-=item B<-status_url val>
+=item B<-status_url> I<val>
Sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.
-=item B<-status_file infile>
+=item B<-status_file> I<infile>
Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.
@@ -502,12 +502,12 @@ asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
-=item B<-max_send_frag +int>
+=item B<-max_send_frag> I<+int>
The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.
-=item B<-split_send_frag +int>
+=item B<-split_send_frag> I<+int>
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
@@ -516,14 +516,14 @@ a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
-=item B<-max_pipelines +int>
+=item B<-max_pipelines> I<+int>
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
-=item B<-read_buf +int>
+=item B<-read_buf> I<+int>
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
@@ -581,19 +581,19 @@ Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
-=item B<-client_sigalgs val>
+=item B<-client_sigalgs> I<val>
Signature algorithms to support for client certificate authentication
(colon-separated list).
-=item B<-named_curve val>
+=item B<-named_curve> I<val>
Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
For a list of all possible curves, use:
$ openssl ecparam -list_curves
-=item B<-cipher val>
+=item B<-cipher> I<val>
This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
@@ -602,7 +602,7 @@ cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
the B<ciphers> command for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
@@ -612,7 +612,7 @@ the preference order, the order of the server cipherlist is irrelevant. See
the B<ciphers> command for more information. The format for this list is a
simple colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-dhparam infile>
+=item B<-dhparam> I<infile>
The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
@@ -641,24 +641,24 @@ option all CRLs of all CAs in the chain are checked.
Turns on non blocking I/O.
-=item B<-psk_identity val>
+=item B<-psk_identity> I<val>
Expect the client to send PSK identity B<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".
-=item B<-psk_hint val>
+=item B<-psk_hint> I<val>
Use the PSK identity hint B<val> when using a PSK cipher suite.
-=item B<-psk val>
+=item B<-psk> I<val>
Use the PSK key B<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-psk_session file>
+=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
@@ -699,7 +699,7 @@ available where OpenSSL has support for SCTP enabled.
If this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
-=item B<-alpn val>, B<-nextprotoneg val>
+=item B<-alpn> I<val>, B<-nextprotoneg> I<val>
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
@@ -710,19 +710,19 @@ Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
-=item B<-engine val>
+=item B<-engine> I<val>
Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-keylogfile outfile>
+=item B<-keylogfile> I<outfile>
Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.
-=item B<-max_early_data int>
+=item B<-max_early_data> I<int>
Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the B<-early_data>
diff --git a/doc/man1/openssl-s_time.pod b/doc/man1/openssl-s_time.pod
index 5993cd27fe..c6b05c9f4a 100644
--- a/doc/man1/openssl-s_time.pod
+++ b/doc/man1/openssl-s_time.pod
@@ -8,27 +8,27 @@ openssl-s_time - SSL/TLS performance timing program
B<openssl> B<s_time>
[B<-help>]
-[B<-connect host:port>]
-[B<-www page>]
-[B<-cert filename>]
-[B<-key filename>]
-[B<-CApath directory>]
-[B<-cafile filename>]
+[B<-connect> I<host:port>]
+[B<-www> I<page>]
+[B<-cert> I<filename>]
+[B<-key> I<filename>]
+[B<-CApath> I<directory>]
+[B<-cafile> I<filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-reuse>]
[B<-new>]
-[B<-verify depth>]
-[B<-nameopt option>]
-[B<-time seconds>]
+[B<-verify> I<depth>]
+[B<-nameopt> I<option>]
+[B<-time> I<seconds>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-bugs>]
-[B<-cipher cipherlist>]
-[B<-ciphersuites val>]
+[B<-cipher> I<cipherlist>]
+[B<-ciphersuites> I<val>]
=head1 DESCRIPTION
@@ -46,28 +46,28 @@ transferred (if any), and calculates the average time spent for one connection.
Print out a usage message.
-=item B<-connect host:port>
+=item B<-connect> I<host:port>
This specifies the host and optional port to connect to.
-=item B<-www page>
+=item B<-www> I<page>
This specifies the page to GET from the server. A value of '/' gets the
index.htm[l] page. If this parameter is not specified, then B<s_time> will only
perform the handshake to establish SSL connections but not transfer any
payload data.
-=item B<-cert certname>
+=item B<-cert> I<certname>
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in PEM format.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
be used. The file is in PEM format.
-=item B<-verify depth>
+=item B<-verify> I<depth>
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
@@ -75,20 +75,20 @@ Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
must be in "hash format", see B<verify> for more information. These are
also used when building the client certificate chain.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
@@ -127,7 +127,7 @@ OpenSSL was built.
There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.
-=item B<-cipher cipherlist>
+=item B<-cipher> I<cipherlist>
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
@@ -135,7 +135,7 @@ configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
L<ciphers(1)> for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
@@ -144,7 +144,7 @@ take the first supported cipher in the list sent by the client. See
L<ciphers(1)> for more information. The format for this list is a simple
colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-time length>
+=item B<-time> I<length>
Specifies how long (in seconds) B<s_time> should establish connections and
optionally transfer payload data from a server. Server and client performance
diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod
index 7b5a8f956a..ffec19147d 100644
--- a/doc/man1/openssl-sess_id.pod
+++ b/doc/man1/openssl-sess_id.pod
@@ -8,13 +8,13 @@ openssl-sess_id - SSL/TLS session handling utility
B<openssl> B<sess_id>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER|NSS>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>|B<MSS>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-text>]
[B<-noout>]
-[B<-context ID>]
+[B<-context> I<ID>]
=head1 DESCRIPTION
@@ -32,25 +32,25 @@ not need to use it.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
format containing session details. The precise format can vary from one version
to the next. The B<PEM> form is the default format: it consists of the B<DER>
format base64 encoded with additional header and footer lines.
-=item B<-outform DER|PEM|NSS>
+=item B<-outform> B<DER>|B<PEM>|B<NSS>
This specifies the output format. The B<PEM> and B<DER> options have the same meaning
and default as the B<-inform> option. The B<NSS> option outputs the session id and
the master key in NSS keylog format.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read session information from or standard
input by default.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write session information to or standard
output if this option is not specified.
@@ -69,7 +69,7 @@ if the B<-text> option is also present then it will be printed out in text form.
This option prevents output of the encoded version of the session.
-=item B<-context ID>
+=item B<-context> I<ID>
This option can set the session id so the output session information uses the
supplied ID. The ID can be any string of characters. This option won't normally
diff --git a/doc/man1/openssl-smime.pod b/doc/man1/openssl-smime.pod
index aaf440957c..52aa0b3783 100644
--- a/doc/man1/openssl-smime.pod
+++ b/doc/man1/openssl-smime.pod
@@ -16,13 +16,13 @@ B<openssl> B<smime>
[B<-pk7out>]
[B<-binary>]
[B<-crlfeol>]
-[B<-I<cipher>>]
-[B<-in file>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<->I<cipher>]
+[B<-in> I<file>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
@@ -32,42 +32,42 @@ B<openssl> B<smime>
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-certfile file>]
-[B<-signer file>]
-[B<-recip file>]
-[B<-inform SMIME|PEM|DER>]
-[B<-passin arg>]
-[B<-inkey file_or_id>]
-[B<-out file>]
-[B<-outform SMIME|PEM|DER>]
-[B<-content file>]
-[B<-to addr>]
-[B<-from ad>]
-[B<-subject s>]
+[B<-certfile> I<file>]
+[B<-signer> I<file>]
+[B<-recip> I< file>]
+[B<-inform> B<DER>|B<PEM>|B<SMIME>]
+[B<-passin> I<arg>]
+[B<-inkey> I<file_or_id>]
+[B<-out> I<file>]
+[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-content> I<file>]
+[B<-to> I<addr>]
+[B<-from> I<ad>]
+[B<-subject> I<s>]
[B<-text>]
[B<-indef>]
[B<-noindef>]
[B<-stream>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-md digest>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-md> I<digest>]
[cert.pem]...
=head1 DESCRIPTION
@@ -119,12 +119,12 @@ Takes an input message and writes out a PEM encoded PKCS#7 structure.
Resign a message: take an existing message and one or more new signers.
-=item B<-in filename>
+=item B<-in> I<filename>
The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
-=item B<-inform SMIME|PEM|DER>
+=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the PKCS#7 structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
@@ -133,12 +133,12 @@ instead. This currently only affects the input format of the PKCS#7
structure, if no PKCS#7 structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
-=item B<-out filename>
+=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
-=item B<-outform SMIME|PEM|DER>
+=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the PKCS#7 structure. The default
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
@@ -147,7 +147,7 @@ instead. This currently only affects the output format of the PKCS#7
structure, if no PKCS#7 structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
-=item B<-stream -indef -noindef>
+=item B<-stream>, B<-indef>, B<-noindef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
@@ -162,7 +162,7 @@ Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-=item B<-content filename>
+=item B<-content> I<filename>
This specifies a file containing the detached content, this is only
useful with the B<-verify> command. This is only usable if the PKCS#7
@@ -177,11 +177,11 @@ message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted CA certificates, only used with B<-verify>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
@@ -196,12 +196,12 @@ Do not load the trusted CA certificates from the default file location.
Do not load the trusted CA certificates from the default directory location.
-=item B<-md digest>
+=item B<-md> I<digest>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
-=item B<-I<cipher>>
+=item B<->I<cipher>
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
@@ -263,25 +263,25 @@ to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
-=item B<-certfile file>
+=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
-=item B<-signer file>
+=item B<-signer> I<file>
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
-=item B<-recip file>
+=item B<-recip> I<file>
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
-=item B<-inkey file_or_id>
+=item B<-inkey> I<file_or_id>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
@@ -291,12 +291,12 @@ multiple times to specify successive keys.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -304,7 +304,7 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
diff --git a/doc/man1/openssl-speed.pod b/doc/man1/openssl-speed.pod
index 796cced47c..2b6eb06bf4 100644
--- a/doc/man1/openssl-speed.pod
+++ b/doc/man1/openssl-speed.pod
@@ -8,17 +8,17 @@ openssl-speed - test library performance
B<openssl speed>
[B<-help>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-elapsed>]
-[B<-evp algo>]
-[B<-hmac algo>]
-[B<-cmac algo>]
+[B<-evp> I<algo>]
+[B<-hmac> I<algo>]
+[B<-cmac> I<algo>]
[B<-decrypt>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-primes num>]
-[B<-seconds num>]
-[B<-bytes num>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-primes> I<num>]
+[B<-seconds> I<num>]
+[B<-bytes> I<num>]
[B<algorithm...>]
=head1 DESCRIPTION
@@ -36,7 +36,7 @@ the I<rand> algorithm name.
Print out a usage message.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
@@ -49,18 +49,18 @@ When calculating operations- or bytes-per-second, use wall-clock time
instead of CPU user time as divisor. It can be useful when testing speed
of hardware engines.
-=item B<-evp algo>
+=item B<-evp> I<algo>
Use the specified cipher or message digest algorithm via the EVP interface.
If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
-=item B<-hmac digest>
+=item B<-hmac> I<digest>
Time the HMAC algorithm using the specified message digest.
-=item B<-cmac cipher>
+=item B<-cmac> I<cipher>
Time the CMAC algorithm using the specified cipher e.g. B<speed -cmac aes128>.
@@ -68,7 +68,7 @@ Time the CMAC algorithm using the specified cipher e.g. B<speed -cmac aes128>.
Time the decryption instead of encryption. Affects only the EVP testing.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -76,25 +76,25 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-primes num>
+=item B<-primes> I<num>
Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
is only effective if RSA algorithm is specified to test.
-=item B<-seconds num>
+=item B<-seconds> I<num>
Run benchmarks for B<num> seconds.
-=item B<-bytes num>
+=item B<-bytes> I<num>
Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
-=item B<[zero or more test algorithms]>
+=item B<algorithm...>
If any options are given, B<speed> tests those algorithms, otherwise a
pre-compiled grand selection is tested.
diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod
index ea992c6109..9c9ab67157 100644
--- a/doc/man1/openssl-spkac.pod
+++ b/doc/man1/openssl-spkac.pod
@@ -8,18 +8,18 @@ openssl-spkac - SPKAC printing and generating utility
B<openssl> B<spkac>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-key keyfile>]
-[B<-keyform PEM|DER|ENGINE>]
-[B<-passin arg>]
-[B<-challenge string>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-key> I<keyfile>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-passin> I<arg>]
+[B<-challenge> I<string>]
[B<-pubkey>]
-[B<-spkac spkacname>]
-[B<-spksect section>]
+[B<-spkac> I<spkacname>]
+[B<-spksect> I<section>]
[B<-noout>]
[B<-verify>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
@@ -35,43 +35,43 @@ produce its own SPKACs from a supplied private key.
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the B<-key> option is used.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
Create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
-=item B<-passin password>
+=item B<-passin> I<password>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-challenge string>
+=item B<-challenge> I<string>
Specifies the challenge string if an SPKAC is being created.
-=item B<-spkac spkacname>
+=item B<-spkac> I<spkacname>
Allows an alternative name form the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.
-=item B<-spksect section>
+=item B<-spksect> I<section>
Allows an alternative name form the section containing the
SPKAC. The default is the default section.
@@ -90,7 +90,7 @@ being created).
Verifies the digital signature on the supplied SPKAC.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
diff --git a/doc/man1/openssl-srp.pod b/doc/man1/openssl-srp.pod
index 8f1370899b..cb98f85678 100644
--- a/doc/man1/openssl-srp.pod
+++ b/doc/man1/openssl-srp.pod
@@ -13,13 +13,13 @@ B<openssl srp>
[B<-modify>]
[B<-delete>]
[B<-list>]
-[B<-name section>]
-[B<-config file>]
-[B<-srpvfile file>]
-[B<-gn identifier>]
-[B<-userinfo text...>]
-[B<-passin arg>]
-[B<-passout arg>]
+[B<-name> I<section>]
+[B<-config> I<file>]
+[B<-srpvfile> I<file>]
+[B<-gn> I<identifier>]
+[B<-userinfo> I<text...>]
+[B<-passin> I<arg>]
+[B<-passout> I<arg>]
[I<user...>]
=head1 DESCRIPTION
@@ -50,11 +50,11 @@ the L<openssl(1)> command.
=over 4
-=item [B<-help>]
+=item B<-help>
Display an option summary.
-=item [B<-verbose>]
+=item B<-verbose>
Generate verbose output while processing.
diff --git a/doc/man1/openssl-storeutl.pod b/doc/man1/openssl-storeutl.pod
index 61f30a8dbc..efaa6f98b2 100644
--- a/doc/man1/openssl-storeutl.pod
+++ b/doc/man1/openssl-storeutl.pod
@@ -8,21 +8,21 @@ openssl-storeutl - STORE utility
B<openssl> B<storeutl>
[B<-help>]
-[B<-out file>]
+[B<-out> I<file>]
[B<-noout>]
-[B<-passin arg>]
-[B<-text arg>]
-[B<-engine id>]
+[B<-passin> I<arg>]
+[B<-text> I<arg>]
+[B<-engine> I<id>]
[B<-r>]
[B<-certs>]
[B<-keys>]
[B<-crls>]
-[B<-subject arg>]
-[B<-issuer arg>]
-[B<-serial arg>]
-[B<-alias arg>]
-[B<-fingerprint arg>]
-[B<-I<digest>>]
+[B<-subject> I<arg>]
+[B<-issuer> I<arg>]
+[B<-serial> I<arg>]
+[B<-alias> I<arg>]
+[B<-fingerprint> I<arg>]
+[B<->I<digest>]
B<uri> ...
=head1 DESCRIPTION
@@ -38,7 +38,7 @@ as the case may be) fetched from the given URIs.
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
specifies the output filename to write to or standard output by
default.
@@ -47,17 +47,17 @@ default.
this option prevents output of the PEM data.
-=item B<-passin arg>
+=item B<-passin> I<arg>
the key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-text>
Prints out the objects in text form, similarly to the B<-text> output from
B<openssl x509>, B<openssl pkey>, etc.
-=item B<-engine id>
+=item B<-engine> I<id>
specifying an engine (by its unique B<id> string) will cause B<storeutl>
to attempt to obtain a functional reference to the specified engine,
@@ -78,7 +78,7 @@ Only select the certificates, keys or CRLs from the given URI.
However, if this URI would return a set of names (URIs), those are always
returned.
-=item B<-subject arg>
+=item B<-subject> I<arg>
Search for an object having the subject name B<arg>.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
@@ -87,9 +87,9 @@ Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
-=item B<-issuer arg>
+=item B<-issuer> I<arg>
-=item B<-serial arg>
+=item B<-serial> I<arg>
Search for an object having the given issuer name and serial number.
These two options I<must> be used together.
@@ -98,15 +98,15 @@ characters may be escaped by \ (backslash), no spaces are skipped.
The serial arg may be specified as a decimal value or a hex value if preceded
by B<0x>.
-=item B<-alias arg>
+=item B<-alias> I<arg>
Search for an object having the given alias.
-=item B<-fingerprint arg>
+=item B<-fingerprint> I<arg>
Search for an object having the given fingerprint.
-=item B<-I<digest>>
+=item B<->I<digest>
The digest that was used to compute the fingerprint given with B<-fingerprint>.
diff --git a/doc/man1/openssl-ts.pod b/doc/man1/openssl-ts.pod
index 1544cc94e2..6247cc786d 100644
--- a/doc/man1/openssl-ts.pod
+++ b/doc/man1/openssl-ts.pod
@@ -8,79 +8,79 @@ openssl-ts - Time Stamping Authority tool (client/server)
B<openssl> B<ts>
B<-query>
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-config> configfile]
-[B<-data> file_to_hash]
-[B<-digest> digest_bytes]
-[B<-I<digest>>]
-[B<-tspolicy> object_id]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-config> I<configfile>]
+[B<-data> I<file_to_hash>]
+[B<-digest> I<digest_bytes>]
+[B<->I<digest>]
+[B<-tspolicy> I<object_id>]
[B<-no_nonce>]
[B<-cert>]
-[B<-in> request.tsq]
-[B<-out> request.tsq]
+[B<-in> I<request.tsq>]
+[B<-out> I<request.tsq>]
[B<-text>]
B<openssl> B<ts>
B<-reply>
-[B<-config> configfile]
-[B<-section> tsa_section]
-[B<-queryfile> request.tsq]
-[B<-passin> password_src]
-[B<-signer> tsa_cert.pem]
-[B<-inkey> file_or_id]
-[B<-I<digest>>]
-[B<-chain> certs_file.pem]
-[B<-tspolicy> object_id]
-[B<-in> response.tsr]
+[B<-config> I<configfile>]
+[B<-section> I<tsa_section>]
+[B<-queryfile> I<request.tsq>]
+[B<-passin> I<password_src>]
+[B<-signer> I<tsa_cert.pem>]
+[B<-inkey> I<file_or_id>]
+[B<->I<digest>]
+[B<-chain> I<certs_file.pem>]
+[B<-tspolicy> I<object_id>]
+[B<-in> I<response.tsr>]
[B<-token_in>]
-[B<-out> response.tsr]
+[B<-out> I<response.tsr>]
[B<-token_out>]
[B<-text>]
-[B<-engine> id]
+[B<-engine> I<id>]
B<openssl> B<ts>
B<-verify>
-[B<-data> file_to_hash]
-[B<-digest> digest_bytes]
-[B<-queryfile> request.tsq]
-[B<-in> response.tsr]
+[B<-data> I<file_to_hash>]
+[B<-digest> I<digest_bytes>]
+[B<-queryfile> I<request.tsq>]
+[B<-in> I<response.tsr>]
[B<-token_in>]
-[B<-CApath> trusted_cert_path]
-[B<-CAfile> trusted_certs.pem]
-[B<-untrusted> cert_file.pem]
+[B<-CApath> I<trusted_cert_path>]
+[B<-CAfile> I<trusted_certs.pem>]
+[B<-untrusted> I<cert_file.pem>]
[I<verify options>]
I<verify options:>
-[-attime timestamp]
-[-check_ss_sig]
-[-crl_check]
-[-crl_check_all]
-[-explicit_policy]
-[-extended_crl]
-[-ignore_critical]
-[-inhibit_any]
-[-inhibit_map]
-[-issuer_checks]
-[-no_alt_chains]
-[-no_check_time]
-[-partial_chain]
-[-policy arg]
-[-policy_check]
-[-policy_print]
-[-purpose purpose]
-[-suiteB_128]
-[-suiteB_128_only]
-[-suiteB_192]
-[-trusted_first]
-[-use_deltas]
-[-auth_level num]
-[-verify_depth num]
-[-verify_email email]
-[-verify_hostname hostname]
-[-verify_ip ip]
-[-verify_name name]
-[-x509_strict]
+[B<-attime> I<timestamp>]
+[B<-check_ss_sig>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-explicit_policy>]
+[B<-extended_crl>]
+[B<-ignore_critical>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-issuer_checks>]
+[B<-no_alt_chains>]
+[B<-no_check_time>]
+[B<-partial_chain>]
+[B<-policy> I<arg>]
+[B<-policy_check>]
+[B<-policy_print>]
+[B<-purpose> I<purpose>]
+[B<-suiteB_128>]
+[B<-suiteB_128_only>]
+[B<-suiteB_192>]
+[B<-trusted_first>]
+[B<-use_deltas>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
+[B<-x509_strict>]
=head1 DESCRIPTION
@@ -132,7 +132,7 @@ request with the following options:
=over 4
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -140,24 +140,24 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-config> configfile
+=item B<-config> I<configfile>
The configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-data> file_to_hash
+=item B<-data> I<file_to_hash>
The data file for which the time stamp request needs to be
created. stdin is the default if neither the B<-data> nor the B<-digest>
parameter is specified. (Optional)
-=item B<-digest> digest_bytes
+=item B<-digest> I<digest_bytes>
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
@@ -165,13 +165,13 @@ per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
-=item B<-I<digest>>
+=item B<->I<digest>
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-256. (Optional)
-=item B<-tspolicy> object_id
+=item B<-tspolicy> I<object_id>
The policy that the client expects the TSA to use for creating the
time stamp token. Either the dotted OID notation or OID names defined
@@ -190,14 +190,14 @@ protect against replay-attacks. (Optional)
The TSA is expected to include its signing certificate in the
response. (Optional)
-=item B<-in> request.tsq
+=item B<-in> I<request.tsq>
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
-=item B<-out> request.tsq
+=item B<-out> I<request.tsq>
Name of the output file to which the request will be written. Default
is stdout. (Optional)
@@ -221,29 +221,29 @@ otherwise it is a time stamp token (ContentInfo).
=over 4
-=item B<-config> configfile
+=item B<-config> I<configfile>
The configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-See B<CONFIGURATION FILE OPTIONS> for configurable variables.
+See L</CONFIGURATION FILE OPTIONS> for configurable variables.
-=item B<-section> tsa_section
+=item B<-section> I<tsa_section>
The name of the config file section containing the settings for the
response generation. If not specified the default TSA section is
-used, see B<CONFIGURATION FILE OPTIONS> for details. (Optional)
+used, see L</CONFIGURATION FILE OPTIONS> for details. (Optional)
-=item B<-queryfile> request.tsq
+=item B<-queryfile> I<request.tsq>
The name of the file containing a DER encoded time stamp request. (Optional)
-=item B<-passin> password_src
+=item B<-passin> I<password_src>
Specifies the password source for the private key of the TSA. See
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional)
+description in L<openssl(1)>. (Optional)
-=item B<-signer> tsa_cert.pem
+=item B<-signer> I<tsa_cert.pem>
The signer certificate of the TSA in PEM format. The TSA signing
certificate must have exactly one extended key usage assigned to it:
@@ -251,19 +251,19 @@ timeStamping. The extended key usage must also be critical, otherwise
the certificate is going to be refused. Overrides the B<signer_cert>
variable of the config file. (Optional)
-=item B<-inkey> file_or_id
+=item B<-inkey> I<file_or_id>
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-I<digest>>
+=item B<->I<digest>
Signing digest to use. Overrides the B<signer_digest> config file
option. (Mandatory unless specified in the config file)
-=item B<-chain> certs_file.pem
+=item B<-chain> I<certs_file.pem>
The collection of certificates in PEM format that will all
be included in the response in addition to the signer certificate if
@@ -272,14 +272,14 @@ contain the certificate chain for the signer certificate from its
issuer upwards. The B<-reply> command does not build a certificate
chain automatically. (Optional)
-=item B<-tspolicy> object_id
+=item B<-tspolicy> I<object_id>
The default policy to use for the response unless the client
explicitly requires a particular TSA policy. The OID can be specified
either in dotted notation or with its name. Overrides the
B<default_policy> config file option. (Optional)
-=item B<-in> response.tsr
+=item B<-in> I<response.tsr>
Specifies a previously created time stamp response or time stamp token
(if B<-token_in> is also specified) in DER format that will be written
@@ -295,7 +295,7 @@ This flag can be used together with the B<-in> option and indicates
that the input is a DER encoded time stamp token (ContentInfo) instead
of a time stamp response (TimeStampResp). (Optional)
-=item B<-out> response.tsr
+=item B<-out> I<response.tsr>
The response is written to this file. The format and content of the
file depends on other options (see B<-text>, B<-token_out>). The default is
@@ -311,7 +311,7 @@ response (TimeStampResp). (Optional)
If this option is specified the output is human-readable text format
instead of DER. (Optional)
-=item B<-engine> id
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ts>
to attempt to obtain a functional reference to the specified engine,
@@ -328,26 +328,26 @@ data file. The B<-verify> command does not use the configuration file.
=over 4
-=item B<-data> file_to_hash
+=item B<-data> I<file_to_hash>
The response or token must be verified against file_to_hash. The file
is hashed with the message digest algorithm specified in the token.
The B<-digest> and B<-queryfile> options must not be specified with this one.
(Optional)
-=item B<-digest> digest_bytes
+=item B<-digest> I<digest_bytes>
The response or token must be verified against the message digest specified
with this option. The number of bytes must match the message digest algorithm
specified in the token. The B<-data> and B<-queryfile> options must not be
specified with this one. (Optional)
-=item B<-queryfile> request.tsq
+=item B<-queryfile> I<request.tsq>
The original time stamp request in DER format. The B<-data> and B<-digest>
options must not be specified with this one. (Optional)
-=item B<-in> response.tsr
+=item B<-in> I<response.tsr>
The time stamp response that needs to be verified in DER format. (Mandatory)
@@ -357,14 +357,14 @@ This flag can be used together with the B<-in> option and indicates
that the input is a DER encoded time stamp token (ContentInfo) instead
of a time stamp response (TimeStampResp). (Optional)
-=item B<-CApath> trusted_cert_path
+=item B<-CApath> I<trusted_cert_path>
The name of the directory containing the trusted CA certificates of the
client. See the similar option of L<verify(1)> for additional
details. Either this option or B<-CAfile> must be specified. (Optional)
-=item B<-CAfile> trusted_certs.pem
+=item B<-CAfile> I<trusted_certs.pem>
The name of the file containing a set of trusted self-signed CA
certificates in PEM format. See the similar option of
@@ -372,7 +372,7 @@ L<verify(1)> for additional details. Either this option
or B<-CApath> must be specified.
(Optional)
-=item B<-untrusted> cert_file.pem
+=item B<-untrusted> I<cert_file.pem>
Set of additional untrusted certificates in PEM format which may be
needed when building the certificate chain for the TSA's signing
@@ -382,7 +382,7 @@ all intermediate CA certificates unless the response includes them.
=item I<verify options>
-The options B<-attime timestamp>, B<-check_ss_sig>, B<-crl_check>,
+The options B<-attime>, B<-check_ss_sig>, B<-crl_check>,
B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>,
B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>,
B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>,
@@ -459,7 +459,7 @@ command line option. (Optional)
=item B<signer_digest>
Signing digest to use. The same as the
-B<-I<digest>> command line option. (Mandatory unless specified on the command
+B<->I<digest> command line option. (Mandatory unless specified on the command
line)
=item B<default_policy>
diff --git a/doc/man1/openssl-tsget.pod b/doc/man1/openssl-tsget.pod
index 15d0dd7854..35d296eff0 100644
--- a/doc/man1/openssl-tsget.pod
+++ b/doc/man1/openssl-tsget.pod
@@ -19,7 +19,7 @@ B<-h> server_url
[B<-P> CA_path]
[B<-r> file:file...]
[B<-g> EGD_socket]
-[request]...
+[B<request...>
=head1 DESCRIPTION
@@ -121,7 +121,7 @@ MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional)
The name of an EGD socket to get random data from. (Optional)
-=item [request]...
+=item B<request...>
List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
requests are specified only one request will be sent to the server and it will be
diff --git a/doc/man1/openssl-verify.pod b/doc/man1/openssl-verify.pod
index e511161368..cdc1da8ecd 100644
--- a/doc/man1/openssl-verify.pod
+++ b/doc/man1/openssl-verify.pod
@@ -8,45 +8,45 @@ openssl-verify - Utility to verify certificates
B<openssl> B<verify>
[B<-help>]
-[B<-CAfile file>]
-[B<-CApath directory>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<directory>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-allow_proxy_certs>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
-[B<-CRLfile file>]
+[B<-CRLfile> I<file>]
[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-nameopt option>]
+[B<-nameopt> I<option>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
-[B<-untrusted file>]
-[B<-trusted file>]
+[B<-untrusted> I<file>]
+[B<-trusted> I<file>]
[B<-use_deltas>]
[B<-verbose>]
-[B<-auth_level level>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<level>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-show_chain>]
[B<-sm2-id string>]
@@ -66,12 +66,12 @@ The B<verify> command verifies certificate chains.
Print out a usage message.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A B<file> of trusted certificates.
The file should contain one or more certificates in PEM format.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
@@ -91,7 +91,7 @@ Do not load the trusted CA certificates from the default directory location.
Allow the verification of proxy certificates.
-=item B<-attime timestamp>
+=item B<-attime> I<timestamp>
Perform validation checks using time specified by B<timestamp> and not
current system time. B<timestamp> is the number of seconds since
@@ -102,7 +102,7 @@ current system time. B<timestamp> is the number of seconds since
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
-=item B<-CRLfile file>
+=item B<-CRLfile> I<file>
The B<file> should contain one or more CRLs in PEM format.
This option can be specified more than once to include CRLs from multiple
@@ -122,7 +122,7 @@ If a valid CRL cannot be found an error occurs.
Checks the validity of B<all> certificates in the chain by attempting
to look up valid CRLs.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
specified engine.
@@ -154,7 +154,7 @@ Set policy variable inhibit-any-policy (see RFC5280).
Set policy variable inhibit-policy-mapping (see RFC5280).
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
@@ -164,7 +164,7 @@ set multiple options. See the L<x509(1)> manual page for details.
=item B<-no_check_time>
This option suppresses checking the validity period of certificates and CRLs
-against the current time. If option B<-attime timestamp> is used to specify
+against the current time. If option B<-attime> is used to specify
a verification time, the check is not suppressed.
=item B<-partial_chain>
@@ -173,7 +173,7 @@ Allow verification to succeed even if a I<complete> chain cannot be built to a
self-signed trust-anchor, provided it is possible to construct a chain to a
trusted certificate that might not be self-signed.
-=item B<-policy arg>
+=item B<-policy> I<arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
RFC5280). The policy B<arg> can be an object name an OID in numeric form.
@@ -187,7 +187,7 @@ Enables certificate policy processing.
Print out diagnostics related to policy processing.
-=item B<-purpose purpose>
+=item B<-purpose> I<purpose>
The intended use for the certificate. If this option is not specified,
B<verify> will not consider certificate purpose during chain verification.
@@ -220,7 +220,7 @@ trust store to see if an alternative chain can be found that is trusted.
As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no
effect.
-=item B<-untrusted file>
+=item B<-untrusted> I<file>
A B<file> of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
@@ -228,7 +228,7 @@ The B<file> should contain one or more certificates in PEM format.
This option can be specified more than once to include untrusted certificates
from multiple B<files>.
-=item B<-trusted file>
+=item B<-trusted> I<file>
A B<file> of trusted certificates, which must be self-signed, unless the
B<-partial_chain> option is specified.
@@ -250,7 +250,7 @@ Enable support for delta CRLs.
Print extra information about the operations being performed.
-=item B<-auth_level level>
+=item B<-auth_level> I<level>
Set the certificate chain authentication security level to B<level>.
The authentication security level determines the acceptable signature and
@@ -268,29 +268,29 @@ Security level 1 requires at least 80-bit-equivalent security and is broadly
interoperable, though it will, for example, reject MD5 signatures or RSA keys
shorter than 1024 bits.
-=item B<-verify_depth num>
+=item B<-verify_depth> I<num>
Limit the certificate chain to B<num> intermediate CA certificates.
A maximal depth chain can have up to B<num+2> certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
B<-verify_depth> limit.
-=item B<-verify_email email>
+=item B<-verify_email> I<email>
Verify if the B<email> matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
-=item B<-verify_hostname hostname>
+=item B<-verify_hostname> I<hostname>
Verify if the B<hostname> matches DNS name in Subject Alternative Name or
Common Name in the subject certificate.
-=item B<-verify_ip ip>
+=item B<-verify_ip> I<ip>
Verify if the B<ip> matches the IP address in Subject Alternative Name of
the subject certificate.
-=item B<-verify_name name>
+=item B<-verify_name> I<name>
Use default verification policies like trust model and required certificate
policies identified by B<name>.
diff --git a/doc/man1/openssl-x509.pod b/doc/man1/openssl-x509.pod
index 004055a63e..be369eae16 100644
--- a/doc/man1/openssl-x509.pod
+++ b/doc/man1/openssl-x509.pod
@@ -8,13 +8,13 @@ openssl-x509 - Certificate display and signing utility
B<openssl> B<x509>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-keyform DER|PEM>]
-[B<-CAform DER|PEM>]
-[B<-CAkeyform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-CAform> B<DER>|B<PEM>]
+[B<-CAkeyform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-serial>]
[B<-hash>]
[B<-subject_hash>]
@@ -22,14 +22,14 @@ B<openssl> B<x509>
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
-[B<-nameopt option>]
+[B<-nameopt> I<option>]
[B<-email>]
[B<-ocsp_uri>]
[B<-startdate>]
[B<-enddate>]
[B<-purpose>]
[B<-dates>]
-[B<-checkend num>]
+[B<-checkend> I<num>]
[B<-modulus>]
[B<-pubkey>]
[B<-fingerprint>]
@@ -38,34 +38,34 @@ B<openssl> B<x509>
[B<-trustout>]
[B<-clrtrust>]
[B<-clrreject>]
-[B<-addtrust arg>]
-[B<-addreject arg>]
-[B<-setalias arg>]
-[B<-days arg>]
-[B<-set_serial n>]
-[B<-signkey filename>]
-[B<-passin arg>]
+[B<-addtrust> I<arg>]
+[B<-addreject> I<arg>]
+[B<-setalias> I<arg>]
+[B<-days> I<arg>]
+[B<-set_serial> I<n>]
+[B<-signkey> I<filename>]
+[B<-passin> I<arg>]
[B<-x509toreq>]
[B<-req>]
-[B<-CA filename>]
-[B<-CAkey filename>]
+[B<-CA> I<filename>]
+[B<-CAkey> I<filename>]
[B<-CAcreateserial>]
-[B<-CAserial filename>]
+[B<-CAserial> I<filename>]
[B<-new>]
-[B<-force_pubkey filename>]
-[B<-subj arg>]
+[B<-force_pubkey> I<filename>]
+[B<-subj> I<arg>]
[B<-text>]
-[B<-ext extensions>]
-[B<-certopt option>]
+[B<-ext> I<extensions>]
+[B<-certopt> I<option>]
[B<-C>]
-[B<-I<digest>>]
+[B<->I<digest>]
[B<-clrext>]
-[B<-extfile filename>]
-[B<-extensions section>]
-[B<-sigopt nm:v>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-extfile> I<filename>]
+[B<-extensions> I<section>]
+[B<-sigopt> I<nm>:I<v>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-preserve_dates>]
=head1 DESCRIPTION
@@ -88,7 +88,7 @@ various sections.
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
@@ -96,22 +96,22 @@ present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
added. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a certificate from or standard input
if this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-I<digest>>
+=item B<->I<digest>
The digest to use.
This affects any signing or display option that uses a message
@@ -120,7 +120,7 @@ Any digest supported by the OpenSSL B<dgst> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
@@ -128,12 +128,12 @@ Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
@@ -161,13 +161,13 @@ Prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
-=item B<-ext extensions>
+=item B<-ext> I<extensions>
Prints out the certificate extensions in text form. Extensions are specified
with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier".
See the L<x509v3_config(5)> manual page for the extension names.
-=item B<-certopt option>
+=item B<-certopt> I<option>
Customise the output format used with B<-text>. The B<option> argument
can be a single option or multiple options separated by commas. The
@@ -227,7 +227,7 @@ Outputs the subject name.
Outputs the issuer name.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
@@ -254,7 +254,7 @@ Prints out the expiry date of the certificate, that is the notAfter date.
Prints out the start and expiry dates of a certificate.
-=item B<-checkend arg>
+=item B<-checkend> I<arg>
Checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.
@@ -305,7 +305,7 @@ certificate is output and any trust settings are discarded. With the
B<-trustout> option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.
-=item B<-setalias arg>
+=item B<-setalias> I<arg>
Sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example "Steve's Certificate".
@@ -322,7 +322,7 @@ Clears all the permitted or trusted uses of the certificate.
Clears all the prohibited or rejected uses of the certificate.
-=item B<-addtrust arg>
+=item B<-addtrust> I<arg>
Adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
@@ -332,7 +332,7 @@ As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
-=item B<-addreject arg>
+=item B<-addreject> I<arg>
Adds a prohibited use. It accepts the same values as the B<-addtrust>
option.
@@ -352,7 +352,7 @@ can thus behave like a "mini CA".
=over 4
-=item B<-signkey filename>
+=item B<-signkey> I<filename>
This option causes the input file to be self signed using the supplied
private key.
@@ -364,15 +364,15 @@ and the end date to a value determined by the B<-days> option.
It retains any certificate extensions unless the B<-clrext> option is supplied;
this includes, for example, any existing key identifier extensions.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-clrext>
@@ -381,12 +381,12 @@ certificate is being created from another certificate (for example with
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
Specifies the format (DER or PEM) of the private key file used in the
B<-signkey> option.
-=item B<-days arg>
+=item B<-days> I<arg>
Specifies the number of days to make a certificate valid for. The default
is 30 days. Cannot be used with the B<-preserve_dates> option.
@@ -401,7 +401,7 @@ is used to pass the required private key.
By default a certificate is expected on input. With this option a
certificate request is expected instead.
-=item B<-set_serial n>
+=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
@@ -410,7 +410,7 @@ B<-CAcreateserial> options) is not used.
The serial number can be decimal or hex (if preceded by B<0x>).
-=item B<-CA filename>
+=item B<-CA> I<filename>
Specifies the CA certificate to be used for signing. When this option is
present B<x509> behaves like a "mini CA". The input file is signed by this
@@ -420,13 +420,13 @@ of the CA and it is digitally signed using the CAs private key.
This option is normally combined with the B<-req> option. Without the
B<-req> option the input is a certificate which must be self signed.
-=item B<-CAkey filename>
+=item B<-CAkey> I<filename>
Sets the CA private key to sign a certificate with. If this option is
not specified then it is assumed that the CA private key is present in
the CA certificate file.
-=item B<-CAserial filename>
+=item B<-CAserial> I<filename>
Sets the CA serial number file to use.
@@ -447,12 +447,12 @@ have the 1 as its serial number. If the B<-CA> option is specified
and the serial number file does not exist a random number is generated;
this is the recommended practice.
-=item B<-extfile filename>
+=item B<-extfile> I<filename>
File containing certificate extensions to use. If not specified then
no extensions are added to the certificate.
-=item B<-extensions section>
+=item B<-extensions> I<section>
The section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
@@ -467,7 +467,7 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> and <-force_pubkey> options need to be given.
-=item B<-force_pubkey filename>
+=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in B<filename>
instead of the key contained in the input or given with the B<-signkey> option.
@@ -479,7 +479,7 @@ generate a certificate containing any desired public key.
The format of the key file can be specified using the B<-keyform> option.
-=item B<-subj arg>
+=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
diff --git a/doc/man3/BIO_ADDR.pod b/doc/man3/BIO_ADDR.pod
index 3668d75ea6..73c2819985 100644
--- a/doc/man3/BIO_ADDR.pod
+++ b/doc/man3/BIO_ADDR.pod
@@ -50,7 +50,7 @@ therefore ignored) and populates the given B<BIO_ADDR> with them.
In case this creates a B<AF_UNIX> B<BIO_ADDR>, B<wherelen> is expected
to be the length of the path string (not including the terminating
NUL, such as the result of a call to strlen()).
-I<Read on about the addresses in L</RAW ADDRESSES> below>.
+Read on about the addresses in L</RAW ADDRESSES> below.
BIO_ADDR_family() returns the protocol family of the given
B<BIO_ADDR>. The possible non-error results are one of the
@@ -67,7 +67,7 @@ order, most significant byte first.
In case this is a B<AF_UNIX> B<BIO_ADDR>, B<l> gets the length of the
path string (not including the terminating NUL, such as the result of
a call to strlen()).
-I<Read on about the addresses in L</RAW ADDRESSES> below>.
+Read on about the addresses in L</RAW ADDRESSES> below.
BIO_ADDR_rawport() returns the raw port of the given B<BIO_ADDR>.
The raw port will be in network byte order.
diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod
index 72c0d19199..200464faeb 100644
--- a/doc/man3/PKCS7_verify.pod
+++ b/doc/man3/PKCS7_verify.pod
@@ -85,7 +85,7 @@ certificates supplied in B<certs> then the verify will fail because the
signer cannot be found.
Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
+setting C<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
and any signed message will be considered valid. This combination is however
useful if one merely wishes to write the content to B<out> and its validity
is not considered important.
diff --git a/doc/man3/X509_NAME_print_ex.pod b/doc/man3/X509_NAME_print_ex.pod
index fdeb4bba79..a9532b1853 100644
--- a/doc/man3/X509_NAME_print_ex.pod
+++ b/doc/man3/X509_NAME_print_ex.pod
@@ -86,14 +86,14 @@ In addition a number options can be set for commonly used formats.
B<XN_FLAG_RFC2253> sets options which produce an output compatible with RFC2253 it
is equivalent to:
- B<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS>
+ C<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS>
B<XN_FLAG_ONELINE> is a more readable one line format which is the same as:
- B<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN>
+ C<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN>
B<XN_FLAG_MULTILINE> is a multiline format which is the same as:
- B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
+ C<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally.
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 5e950d740a..5509c740e5 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -13,9 +13,9 @@ files for the B<x509> utility. OpenSSL applications can also use the
CONF library for their own purposes.
A configuration file is divided into a number of sections. Each section
-starts with a line B<[ section_name ]> and ends when a new section is
+starts with a line C<[section_name]> and ends when a new section is
started or end of file is reached. A section name can consist of
-alphanumeric characters and underscores.
+alphanumeric characters and underscores. The brackets are required.
The first section of a configuration file is special and is referred
to as the B<default> section. This section is usually unnamed and spans from the
diff --git a/doc/man7/bio.pod b/doc/man7/bio.pod
index 84892e71ac..63380bce57 100644
--- a/doc/man7/bio.pod
+++ b/doc/man7/bio.pod
@@ -49,8 +49,8 @@ BIO_free() on it other than the discarded return value.
Normally the I<type> argument is supplied by a function which returns a
pointer to a BIO_METHOD. There is a naming convention for such functions:
-a source/sink BIO is normally called B<BIO_s_I<*>>() and a filter BIO
-B<BIO_f_I<*>>();
+a source/sink BIO typically starts with I<BIO_s_> and
+a filter BIO with I<BIO_f_>.
=head1 EXAMPLES
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 11dcfcbac3..6641a238d8 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -255,6 +255,20 @@ sub check {
if $contents =~ /=over([^ ][^24])/;
err($id, "Possible version style issue")
if $contents =~ /OpenSSL version [019]/;
+ err($id, "Brackets on item line")
+ if $contents =~ /=item \[/;
+ if ( $contents !~ /=for comment generic/) {
+ # Some API pages have B<foo<I<TYPE>bar>.
+ err($id, "Bad flag formatting inside B<>")
+ if $contents =~ /B<-[A-Za-z_ ]+ /;
+ while ( $contents =~ /([BI])<([^>]*)>/g ) {
+ my $B = $1;
+ my $T = $2;
+ next if $T =~ /E</; # Assume it's E<lt>
+ err($id, "Bad content inside $B<$T>")
+ if $T =~ /[<|]/;
+ }
+ }
if ( $contents !~ /=for comment multiple includes/ ) {
# Look for multiple consecutive openssl #include lines
More information about the openssl-commits
mailing list