[openssl] master update
Richard Levitte
levitte at openssl.org
Wed Oct 9 08:49:11 UTC 2019
The branch master has been updated
via 6f02932edba62186a6866e8c9f0f0714674f6bab (commit)
via 8bc93d2f220de9750c6934d8d2f2346d14616180 (commit)
via 0503f08d6f6b94c5a985b47671acb124915c82f9 (commit)
via b2bdfb63eb16431aabe93ef59364d41125db255e (commit)
via bc9564c2f9fdce250b804210bc866b2bf9820f0d (commit)
via a43384fde39261adc86f0c3f2d67fb4c0efb4e57 (commit)
via 1948394d0e8a8dbffa62c3125fc0aaf9ef187b70 (commit)
via f5c14c63226b12e10a9404604657f2860dcfcdee (commit)
via 35a810bb1d6af5a71170c5c4b506f7665d573a3e (commit)
via 2f0ea9365806895c313b6d8e2ce33428260e856c (commit)
via fed8bd90e4cf02066eeed9426e29d709e3630cc9 (commit)
via b1c0cc24564e7c8d3cd8a437585c230259584bb7 (commit)
from 18caaa2ec41246267fc3e59160dbc19301d988a1 (commit)
- Log -----------------------------------------------------------------
commit 6f02932edba62186a6866e8c9f0f0714674f6bab
Author: Richard Levitte <levitte at openssl.org>
Date: Wed Oct 2 19:41:20 2019 +0200
util/find-doc-nits: ignore tsget.pod name
It's a separate script, not an openssl sub-command
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit 8bc93d2f220de9750c6934d8d2f2346d14616180
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 21:57:00 2019 +0200
Command docs: more reference fixes
Normalise on L<openssl-cmd(1)> over L<cmd(1)>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit 0503f08d6f6b94c5a985b47671acb124915c82f9
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 21:26:16 2019 +0200
Command docs: rename openssl-tsget.pod to tsget.pod, and fix it
Make replacables italic, change '-rand' to '-r', fix links.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit b2bdfb63eb16431aabe93ef59364d41125db255e
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 21:10:17 2019 +0200
Command docs: diverse small fixes
Better synopsis for 'openssl dgst' and 'openssl enc', correct names
for 'openssl rehash' ('c_rehash' is mentioned there too), correct
option end marker for 'openssl verify', and finally, refer to
sub-commands as sub-commands.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit bc9564c2f9fdce250b804210bc866b2bf9820f0d
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 20:41:53 2019 +0200
Command docs: fix some engine references
"gost" was called "ccgost".
"rsax" was treated like literal input rather than an engine name.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit a43384fde39261adc86f0c3f2d67fb4c0efb4e57
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 20:29:52 2019 +0200
Command docs: wrap literal input/output with C<>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit 1948394d0e8a8dbffa62c3125fc0aaf9ef187b70
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 20:19:45 2019 +0200
Command docs: wrap literal file names with F<>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit f5c14c63226b12e10a9404604657f2860dcfcdee
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 20:06:22 2019 +0200
Command docs: fix links to other sections (sometimes in other manuals)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit 35a810bb1d6af5a71170c5c4b506f7665d573a3e
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 19:43:36 2019 +0200
Command docs: fix up command references
Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.
Self-references are avoided as much as is possible, and replaced with
"this command". In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in. However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:
B<openssl speed>
References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>
Some commands are examples rather than references; we enclose those in
C<>.
While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit 2f0ea9365806895c313b6d8e2ce33428260e856c
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 18:16:29 2019 +0200
Command docs: replacables are in italics, options always start with a dash
Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit fed8bd90e4cf02066eeed9426e29d709e3630cc9
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 10:00:14 2019 +0200
Command docs: remove ellipses for '-rand'
Ellipses were used to express that the '-rand' value can specify
multiple files, like this:
B<-rand> I<file...>
Because there are conventions around ellipses, this becomes confusing,
because '-rand file...' is normally intepreted to mean that
'-rand file1 file2 file3' would be processed as three randomness
files, which makes no sense.
Rather than making things complicated with more elaborate syntax, we
change it to:
B<-rand> I<files>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
commit b1c0cc24564e7c8d3cd8a437585c230259584bb7
Author: Richard Levitte <levitte at openssl.org>
Date: Tue Oct 1 09:57:37 2019 +0200
Command docs: fix ellipses, the easy cases
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/CA.pl.pod | 72 +++++++++----------
doc/man1/openssl-asn1parse.pod | 28 ++++----
doc/man1/openssl-ca.pod | 78 ++++++++++-----------
doc/man1/openssl-ciphers.pod | 19 ++---
doc/man1/openssl-cmds.pod | 12 ++--
doc/man1/openssl-cms.pod | 39 +++++------
doc/man1/openssl-crl.pod | 12 ++--
doc/man1/openssl-crl2pkcs7.pod | 4 +-
doc/man1/openssl-dgst.pod | 52 +++++++-------
doc/man1/openssl-dhparam.pod | 19 +++--
doc/man1/openssl-dsa.pod | 16 ++---
doc/man1/openssl-dsaparam.pod | 15 ++--
doc/man1/openssl-ec.pod | 18 ++---
doc/man1/openssl-ecparam.pod | 16 ++---
doc/man1/openssl-enc.pod | 46 ++++++------
doc/man1/openssl-engine.pod | 21 +++---
doc/man1/openssl-errstr.pod | 8 +--
doc/man1/openssl-fipsinstall.pod | 25 ++++---
doc/man1/openssl-gendsa.pod | 23 +++---
doc/man1/openssl-genpkey.pod | 71 ++++++++++---------
doc/man1/openssl-genrsa.pod | 18 +++--
doc/man1/openssl-info.pod | 2 +-
doc/man1/openssl-list.pod | 18 ++---
doc/man1/openssl-mac.pod | 29 ++++----
doc/man1/openssl-nseq.pod | 2 +-
doc/man1/openssl-ocsp.pod | 83 +++++++++++-----------
doc/man1/openssl-passwd.pod | 14 ++--
doc/man1/openssl-pkcs12.pod | 35 +++++----
doc/man1/openssl-pkcs7.pod | 4 +-
doc/man1/openssl-pkcs8.pod | 23 +++---
doc/man1/openssl-pkey.pod | 14 ++--
doc/man1/openssl-pkeyparam.pod | 4 +-
doc/man1/openssl-pkeyutl.pod | 80 ++++++++++-----------
doc/man1/openssl-prime.pod | 10 +--
doc/man1/openssl-provider.pod | 6 +-
doc/man1/openssl-rand.pod | 13 ++--
doc/man1/openssl-rehash.pod | 44 +++++++-----
doc/man1/openssl-req.pod | 87 ++++++++++++-----------
doc/man1/openssl-rsa.pod | 26 +++----
doc/man1/openssl-rsautl.pod | 16 ++---
doc/man1/openssl-s_client.pod | 76 ++++++++++----------
doc/man1/openssl-s_server.pod | 102 +++++++++++++--------------
doc/man1/openssl-s_time.pod | 60 ++++++++--------
doc/man1/openssl-sess_id.pod | 18 ++---
doc/man1/openssl-smime.pod | 31 ++++----
doc/man1/openssl-speed.pod | 34 ++++-----
doc/man1/openssl-spkac.pod | 14 ++--
doc/man1/openssl-srp.pod | 13 ++--
doc/man1/openssl-storeutl.pod | 22 +++---
doc/man1/openssl-ts.pod | 43 ++++++------
doc/man1/openssl-verify.pod | 111 ++++++++++++++---------------
doc/man1/openssl-version.pod | 2 +-
doc/man1/openssl-x509.pod | 70 +++++++++---------
doc/man1/openssl.pod | 75 +++++++++++---------
doc/man1/{openssl-tsget.pod => tsget.pod} | 113 +++++++++++++++---------------
util/find-doc-nits | 2 +-
56 files changed, 955 insertions(+), 953 deletions(-)
rename doc/man1/{openssl-tsget.pod => tsget.pod} (61%)
diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod
index 07366613a8..db444d5683 100644
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -25,14 +25,14 @@ B<-newca>
B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<extra-params>] [I<certname>]
-B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile>...
+B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile> ...
B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]
=head1 DESCRIPTION
The B<CA.pl> script is a perl script that supplies the relevant command line
-arguments to the B<openssl> command for some common certificate operations.
+arguments to the L<openssl(1)> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
@@ -47,19 +47,19 @@ Prints a usage message.
=item B<-newcert>
Creates a new self signed certificate. The private key is written to the file
-"newkey.pem" and the request written to the file "newreq.pem".
-This argument invokes B<openssl req> command.
+F<newkey.pem> and the request written to the file F<newreq.pem>.
+Invokes L<openssl-req(1)>.
=item B<-newreq>
Creates a new certificate request. The private key is written to the file
-"newkey.pem" and the request written to the file "newreq.pem".
-Executes B<openssl req> command below the hood.
+F<newkey.pem> and the request written to the file F<newreq.pem>.
+Executes L<openssl-req(1)> under the hood.
=item B<-newreq-nodes>
Is like B<-newreq> except that the private key will not be encrypted.
-Uses B<openssl req> command.
+Uses L<openssl-req(1)>.
=item B<-newca>
@@ -67,44 +67,44 @@ Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
-are created in a directory called "demoCA" in the current directory.
-B<openssl req> and B<openssl ca> commands are get invoked.
+are created in a directory called F<demoCA> in the current directory.
+Uses L<openssl-req(1)> and L<openssl-ca(1)>.
=item B<-pkcs12>
Create a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
-file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
-it creates a file "newcert.p12". This command can thus be called after the
+file F<newcert.pem> and the CA certificate to be in the file F<demoCA/cacert.pem>,
+it creates a file F<newcert.p12>. This command can thus be called after the
B<-sign> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
-Delegates work to B<openssl pkcs12> command.
+Delegates work to L<openssl-pkcs12(1)>.
=item B<-sign>, B<-signcert>, B<-xsign>
-Calls the B<ca> program to sign a certificate request. It expects the request
-to be in the file "newreq.pem". The new certificate is written to the file
-"newcert.pem" except in the case of the B<-xsign> option when it is written
-to standard output. Leverages B<openssl ca> command.
+Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
+request to be in the file F<newreq.pem>. The new certificate is written to the
+file F<newcert.pem> except in the case of the B<-xsign> option when it is
+written to standard output.
=item B<-signCA>
This option is the same as the B<-signreq> option except it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating intermediate CA from
-a root CA. Extra params are passed on to B<openssl ca> command.
+a root CA. Extra params are passed to L<openssl-ca(1)>.
=item B<-signcert>
This option is the same as B<-sign> except it expects a self signed certificate
-to be present in the file "newreq.pem".
-Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
+to be present in the file F<newreq.pem>.
+Extra params are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.
=item B<-crl>
-Generate a CRL. Executes B<openssl ca> command.
+Generate a CRL. Executes L<openssl-ca(1)>.
=item B<-revoke> I<certfile> [I<reason>]
@@ -112,23 +112,21 @@ Revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
-Leverages B<openssl ca> command.
+Leverages L<openssl-ca(1)>.
=item B<-verify>
-Verifies certificates against the CA certificate for "demoCA". If no
+Verifies certificates against the CA certificate for F<demoCA>. If no
certificates are specified on the command line it tries to verify the file
-"newcert.pem". Invokes B<openssl verify> command.
+F<newcert.pem>. Invokes L<openssl-verify(1)>.
-=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
+=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
-The purpose of these parameters is to allow optional parameters to be supplied
-to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
-option being used and the B<openssl> command getting invoked. For example
-when this command invokes B<openssl req> extra parameters can be passed on
-with the B<-extra-req> parameter. The
-B<openssl> commands being invoked per option are documented below.
-Users should consult B<openssl> command documentation for more information.
+For each option B<extra-I<cmd>>, pass I<extra-params> to the L<openssl(1)>
+sub-command with the same name as I<cmd>, if that sub-command is invoked.
+For example, if L<openssl-req(1)> is invoked, the I<extra-params> given with
+B<-extra-req> will be passed to it.
+Users should consult L<openssl(1)> command documentation for more information.
=back
@@ -149,7 +147,7 @@ the request and finally create a PKCS#12 file containing it.
=head1 DSA CERTIFICATES
Although the B<CA.pl> creates RSA CAs and requests it is still possible to
-use it with DSA certificates and requests using the L<req(1)> command
+use it with DSA certificates and requests using the L<openssl-req(1)> command
directly. The following example shows the steps that would typically be taken.
Create some DSA parameters:
@@ -164,7 +162,8 @@ Create the CA directories and files:
CA.pl -newca
-enter cacert.pem when prompted for the CA filename.
+enter a filename (for example, F<cacert.pem>) when prompted for the CA file
+name.
Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):
@@ -193,9 +192,10 @@ be wrong. In this case the command:
can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file.
-The script is intended as a simple front end for the B<openssl> program for use
-by a beginner. Its behaviour isn't always what is wanted. For more control over the
-behaviour of the certificate commands call the B<openssl> command directly.
+The script is intended as a simple front end for the L<openssl(1)> program for
+use by a beginner. Its behaviour isn't always what is wanted. For more control
+over the behaviour of the certificate commands call the L<openssl(1)> command
+directly.
=head1 SEE ALSO
diff --git a/doc/man1/openssl-asn1parse.pod b/doc/man1/openssl-asn1parse.pod
index 73824bfe14..5e755596c2 100644
--- a/doc/man1/openssl-asn1parse.pod
+++ b/doc/man1/openssl-asn1parse.pod
@@ -26,8 +26,8 @@ B<openssl> B<asn1parse>
=head1 DESCRIPTION
-The B<asn1parse> command is a diagnostic utility that can parse ASN.1
-structures. It can also be used to extract data from ASN.1 formatted data.
+This command is a diagnostic utility that can parse ASN.1 structures.
+It can also be used to extract data from ASN.1 formatted data.
=head1 OPTIONS
@@ -39,7 +39,7 @@ Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
-The input format. I<DER> is binary format and I<PEM> (the default) is base64
+The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
=item B<-in> I<filename>
@@ -88,12 +88,12 @@ option can be used multiple times to "drill down" into a nested structure.
=item B<-genstr> I<string>, B<-genconf> I<file>
-Generate encoded data based on B<string>, B<file> or both using
-L<ASN1_generate_nconf(3)> format. If B<file> only is
+Generate encoded data based on I<string>, I<file> or both using
+L<ASN1_generate_nconf(3)> format. If I<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<-out> option.
=item B<-strictpem>
@@ -105,8 +105,9 @@ END marker in a PEM file.
=item B<-item> I<name>
-Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
-print out the fields of any supported ASN.1 structure if the type is known.
+Attempt to decode and print the data as an B<ASN1_ITEM> I<name>. This can be
+used to print out the fields of any supported ASN.1 structure if the type is
+known.
=back
@@ -132,9 +133,9 @@ The output will typically contain lines like this:
.....
This example is part of a self-signed certificate. Each line starts with the
-offset in decimal. B<d=XX> specifies the current depth. The depth is increased
-within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length
-(tag and length octets) of the current type. B<l=XX> gives the length of
+offset in decimal. C<d=XX> specifies the current depth. The depth is increased
+within the scope of any SET or SEQUENCE. C<hl=XX> gives the header length
+(tag and length octets) of the current type. C<l=XX> gives the length of
the contents octets.
The B<-i> option can be used to make the output more readable.
@@ -157,10 +158,13 @@ allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
space. The second column is the "short name" which is a single word followed
by white space. The final column is the rest of the line and is the
-"long name". B<asn1parse> displays the long name. Example:
+"long name". Example:
C<1.2.3.4 shortName A long name>
+For any OID with an associated short and long name, this command will display
+the long name.
+
=head1 EXAMPLES
Parse a file:
diff --git a/doc/man1/openssl-ca.pod b/doc/man1/openssl-ca.pod
index c53ba4fa33..a939f4d6e3 100644
--- a/doc/man1/openssl-ca.pod
+++ b/doc/man1/openssl-ca.pod
@@ -54,7 +54,7 @@ B<openssl> B<ca>
[B<-create_serial>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
-[B<-rand> I<file>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
@@ -63,7 +63,7 @@ B<openssl> B<ca>
=head1 DESCRIPTION
-The B<ca> command is a minimal CA application. It can be used
+This command is a minimal CA application. It can be used
to sign certificate requests in a variety of forms and generate
CRLs it also maintains a text database of issued certificates
and their status.
@@ -123,7 +123,7 @@ file in PEM format (except that B<-spkac> outputs DER format).
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
-".pem" appended.
+F<.pem> appended.
=item B<-cert>
@@ -147,7 +147,7 @@ Names and values of these options are algorithm-specific.
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
-the 'ps' utility) this option should be used with caution.
+the L<ps(1)> utility) this option should be used with caution.
=item B<-selfsign>
@@ -193,7 +193,7 @@ The number of days to certify the certificate for.
=item B<-md> I<alg>
The message digest to use.
-Any digest supported by the OpenSSL B<dgst> command can be used. For signing
+Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
@@ -206,8 +206,8 @@ for more information.
=item B<-msie_hack>
-This is a deprecated option to make B<ca> work with very old versions of
-the IE certificate enrollment control "certenr3". It used UniversalStrings
+This is a deprecated option to make this command work with very old versions
+of the IE certificate enrollment control "certenr3". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged.
@@ -251,7 +251,7 @@ used).
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique I<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -259,8 +259,9 @@ for all available algorithms.
=item B<-subj> I<arg>
Supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
+Keyword characters may be escaped by C<\> (backslash), and whitespace is
+retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
@@ -289,14 +290,13 @@ This overrides any option or configuration to use a serial number file.
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
-I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>.
-=item B<-rand> I<file>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -354,9 +354,9 @@ Updates the database index to purge expired certificates.
=item B<-crl_reason> I<reason>
-Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
-B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
In practice B<removeFromCRL> is not particularly useful because it is only used
@@ -365,14 +365,14 @@ in delta CRLs which are not currently implemented.
=item B<-crl_hold> I<instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
-instruction to B<instruction> which must be an OID. Although any OID can be
+instruction to I<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
=item B<-crl_compromise> I<time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
-B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
=item B<-crl_CA_compromise> I<time>
@@ -394,7 +394,7 @@ extension section format.
=head1 CONFIGURATION FILE OPTIONS
-The section of the configuration file containing options for B<ca>
+The section of the configuration file containing options for this command
is found as follows: If the B<-name> command line option is used,
then it names the section to be used. Otherwise the section to
be used must be named in the B<default_ca> option of the B<ca> section
@@ -582,7 +582,7 @@ this can be regarded more of a quirk than intended behaviour.
The input to the B<-spkac> command line option is a Netscape
signed public key and challenge. This will usually come from
the B<KEYGEN> tag in an HTML form to create a new private key.
-It is however possible to create SPKACs using the B<spkac> utility.
+It is however possible to create SPKACs using L<openssl-spkac(1)>.
The file should contain the variable SPKAC set to the value of
the SPKAC and also the required DN components as name value pairs.
@@ -595,18 +595,18 @@ flag is used.
=head1 EXAMPLES
-Note: these examples assume that the B<ca> directory structure is
-already set up and the relevant files already exist. This usually
-involves creating a CA certificate and private key with B<req>, a
-serial number file and an empty index file and placing them in
-the relevant directories.
+Note: these examples assume that the directory structure this command
+assumes is already set up and the relevant files already exist. This
+usually involves creating a CA certificate and private key with
+L<openssl-req(1)>, a serial number file and an empty index file and
+placing them in the relevant directories.
-To use the sample configuration file below the directories demoCA,
-demoCA/private and demoCA/newcerts would be created. The CA
-certificate would be copied to demoCA/cacert.pem and its private
-key to demoCA/private/cakey.pem. A file demoCA/serial would be
+To use the sample configuration file below the directories F<demoCA>,
+F<demoCA/private> and F<demoCA/newcerts> would be created. The CA
+certificate would be copied to F<demoCA/cacert.pem> and its private
+key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
created containing for example "01" and the empty index file
-demoCA/index.txt.
+F<demoCA/index.txt>.
Sign a certificate request:
@@ -641,7 +641,7 @@ A sample SPKAC file (the SPKAC line has been truncated for clarity):
0.OU=OpenSSL Group
1.OU=Another Group
-A sample configuration file with the relevant sections for B<ca>:
+A sample configuration file with the relevant sections for this command:
[ ca ]
default_ca = CA_default # The default ca section
@@ -712,7 +712,7 @@ The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
-The B<ca> command really needs rewriting or the required functionality
+This command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or GUI) can handle things properly. The script
B<CA.pl> helps a little but not very much.
@@ -729,15 +729,15 @@ create an empty file.
=head1 WARNINGS
-The B<ca> command is quirky and at times downright unfriendly.
+This command is quirky and at times downright unfriendly.
-The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed to be used as a full blown CA itself:
+This command was originally meant as an example of how to do
+things in a CA. It was not supposed to be used as a full blown CA itself:
nevertheless some people are using it for this purpose.
-The B<ca> command is effectively a single user command: no locking is
-done on the various files and attempts to run more than one B<ca> command
-on the same database can have unpredictable results.
+This command command is effectively a single user command: no locking
+is done on the various files and attempts to run more than one B<openssl ca>
+command on the same database can have unpredictable results.
The B<copy_extensions> option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod
index 0ed7d14eaf..e0fd549b96 100644
--- a/doc/man1/openssl-ciphers.pod
+++ b/doc/man1/openssl-ciphers.pod
@@ -22,15 +22,15 @@ B<openssl> B<ciphers>
[B<-stdname>]
[B<-convert> I<name>]
[B<-ciphersuites> I<val>]
-[B<cipherlist>]
+[I<cipherlist>]
=for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
=head1 DESCRIPTION
-The B<ciphers> command converts textual OpenSSL cipher lists into ordered
-SSL cipher preference lists. It can be used as a test tool to determine
-the appropriate cipherlist.
+This command converts textual OpenSSL cipher lists into
+ordered SSL cipher preference lists. It can be used as a test tool to
+determine the appropriate cipherlist.
=head1 OPTIONS
@@ -87,7 +87,7 @@ Precede each cipher suite by its standard name.
=item B<-convert> I<name>
-Convert a standard cipher B<name> to its OpenSSL name.
+Convert a standard cipher I<name> to its OpenSSL name.
=item B<-ciphersuites> I<val>
@@ -147,8 +147,8 @@ will not moved to the end of the list.
The cipher string B<@STRENGTH> can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
-The cipher string B<@SECLEVEL=n> can be used at any point to set the security
-level to B<n>, which should be a number between zero and five, inclusive.
+The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security
+level to I<n>, which should be a number between zero and five, inclusive.
See L<SSL_CTX_set_security_level> for a description of what each level means.
The cipher list can be prefixed with the B<DEFAULT> keyword, which enables
@@ -497,7 +497,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine which including GOST cryptographic
-algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
+algorithms, such as the B<gost> engine, which isn't part of the OpenSSL
+distribution.
TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
@@ -761,7 +762,7 @@ L<ssl(7)>
=head1 HISTORY
-The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
+The B<-V> option was added in OpenSSL 1.0.0.
The B<-stdname> is only available if OpenSSL is built with tracing enabled
(B<enable-ssl-trace> argument to Configure) before OpenSSL 1.1.1.
diff --git a/doc/man1/openssl-cmds.pod b/doc/man1/openssl-cmds.pod
index cab89f126d..5c4f06e1de 100644
--- a/doc/man1/openssl-cmds.pod
+++ b/doc/man1/openssl-cmds.pod
@@ -57,13 +57,13 @@ x509
=for comment generic
-B<openssl> B<cmd> [B<-help>] [B<...>]
+B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ...
=head1 DESCRIPTION
-Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
-It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view
-the manual page for the B<openssl dgst> command, type B<man openssl-dgst>.
+Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
+It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to
+view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>.
=head1 OPTIONS
@@ -132,8 +132,8 @@ L<openssl-x509(1)>,
=head1 HISTORY
-Initially, the manual page entry for the B<openssl cmd> command used
-to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was
+Initially, the manual page entry for the C<openssl I<cmd>> command used
+to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was
introduced, which made it easier to group the openssl commands using
the L<apropos(1)> command or the shell's tab completion.
diff --git a/doc/man1/openssl-cms.pod b/doc/man1/openssl-cms.pod
index d50a5d0efe..0468fdbd9e 100644
--- a/doc/man1/openssl-cms.pod
+++ b/doc/man1/openssl-cms.pod
@@ -96,19 +96,19 @@ B<openssl> B<cms>
[B<-inkey> I<file>]
[B<-keyopt> I<name>:I<parameter>]
[B<-passin> I<arg>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-to> I<addr>]
[B<-from> I<addr>]
[B<-subject> I<subj>]
-[I<cert.pem ...>]
+[I<cert.pem> ...]
=for comment ifdef des-wrap engine
=head1 DESCRIPTION
-The B<cms> command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
-verify, compress and uncompress S/MIME messages.
+This command handles S/MIME v3.1 mail. It can encrypt, decrypt,
+sign and verify, compress and uncompress S/MIME messages.
=head1 OPTIONS
@@ -314,7 +314,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<enc(1)> for a list of ciphers
+example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt> and
@@ -385,7 +385,7 @@ the signers certificates. The certificates should be in PEM format.
=item B<-certsout> I<file>
-Any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to I<file>.
=item B<-signer> I<file>
@@ -446,14 +446,14 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
-B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
+B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
=item B<-econtent_type> I<type>
-Set the encapsulated content type to B<type> if not supplied the B<Data> type
-is used. The B<type> argument can be any valid OID name in either text or
+Set the encapsulated content type to I<type> if not supplied the B<Data> type
+is used. The I<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey> I<file>
@@ -476,10 +476,9 @@ or to modify default parameters for ECDH.
The private key password source. For more information about the format of B<arg>
see L<openssl(1)/Pass phrase options>.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -489,7 +488,7 @@ all others.
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item I<cert.pem...>
+=item I<cert.pem> ...
One or more certificates of message recipients: used when encrypting
a message.
@@ -510,7 +509,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
=back
@@ -630,10 +629,10 @@ the signers certificates.
=head1 COMPATIBILITY WITH PKCS#7 FORMAT
-The B<smime> utility can only process the older B<PKCS#7> format. The B<cms>
-utility supports Cryptographic Message Syntax format. Use of some features
-will result in messages which cannot be processed by applications which only
-support the older format. These are detailed below.
+L<openssl-smime(1)> can only process the older B<PKCS#7> format.
+B<openssl cms> supports Cryptographic Message Syntax format.
+Use of some features will result in messages which cannot be processed by
+applications which only support the older format. These are detailed below.
The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
@@ -648,7 +647,7 @@ The use of PSS with B<-sign>.
The use of OAEP or non-RSA keys with B<-encrypt>.
Additionally the B<-EncryptedData_create> and B<-data_create> type cannot
-be processed by the older B<smime> command.
+be processed by the older L<openssl-smime(1)> command.
=head1 EXAMPLES
@@ -767,7 +766,7 @@ No revocation checking is done on the signer's certificate.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
-The B<keyopt> option was added in OpenSSL 1.0.2.
+The B<-keyopt> option was added in OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
diff --git a/doc/man1/openssl-crl.pod b/doc/man1/openssl-crl.pod
index 7a715fd9a6..1dcf6b0bb1 100644
--- a/doc/man1/openssl-crl.pod
+++ b/doc/man1/openssl-crl.pod
@@ -26,7 +26,7 @@ B<openssl> B<crl>
=head1 DESCRIPTION
-The B<crl> command processes CRL files in DER or PEM format.
+This command processes CRL files in DER or PEM format.
=head1 OPTIONS
@@ -64,7 +64,7 @@ Print out the CRL in text form.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. See
-the description of B<-nameopt> in L<x509(1)>.
+the description of B<-nameopt> in L<openssl-x509(1)>.
=item B<-noout>
@@ -95,14 +95,14 @@ Output the nextUpdate field.
=item B<-CAfile> I<file>
Verify the signature on a CRL by looking up the issuing certificate in
-B<file>.
+I<file>.
=item B<-CApath> I<dir>
Verify the signature on a CRL by looking up the issuing certificate in
-B<dir>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
-to each certificate.
+I<dir>. This directory must be a standard certificate directory: that
+is a hash of each subject name (using the L<openssl-x509(1)> B<-hash> option)
+should be linked to each certificate.
=back
diff --git a/doc/man1/openssl-crl2pkcs7.pod b/doc/man1/openssl-crl2pkcs7.pod
index 32248e5e21..8b0f33bbd1 100644
--- a/doc/man1/openssl-crl2pkcs7.pod
+++ b/doc/man1/openssl-crl2pkcs7.pod
@@ -17,7 +17,7 @@ B<openssl> B<crl2pkcs7>
=head1 DESCRIPTION
-The B<crl2pkcs7> command takes an optional CRL and one or more
+This command takes an optional CRL and one or more
certificates and converts them into a PKCS#7 degenerate "certificates
only" structure.
@@ -82,7 +82,7 @@ different certificates:
The output file is a PKCS#7 signed data structure containing no signers and
just certificates and an optional CRL.
-This utility can be used to send certificates and CAs to Netscape as part of
+This command can be used to send certificates and CAs to Netscape as part of
the certificate enrollment process. This involves sending the DER encoded output
as MIME type application/x-x509-user-cert.
diff --git a/doc/man1/openssl-dgst.pod b/doc/man1/openssl-dgst.pod
index c6e2b21b8e..5f836f9cb5 100644
--- a/doc/man1/openssl-dgst.pod
+++ b/doc/man1/openssl-dgst.pod
@@ -6,7 +6,7 @@ openssl-dgst - perform digest operations
=head1 SYNOPSIS
-B<openssl dgst>
+B<openssl> B<dgst>|I<digest>
[B<-I<digest>>]
[B<-help>]
[B<-c>]
@@ -24,25 +24,22 @@ B<openssl dgst>
[B<-sigopt> I<nm>:I<v>]
[B<-hmac> I<key>]
[B<-fips-fingerprint>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-engine> I<id>]
[B<-engine_impl>]
-[B<file...>]
-
-B<openssl> I<digest> [B<...>]
+[I<file> ...]
=head1 DESCRIPTION
-The digest functions output the message digest of a supplied file or files
-in hexadecimal. The digest functions also generate and verify digital
+This command output the message digest of a supplied file or files
+in hexadecimal, and also generates and verifies digital
signatures using message digests.
-The generic name, B<dgst>, may be used with an option specifying the
+The generic name, B<openssl dgst>, may be used with an option specifying the
algorithm to be used.
-The default digest is I<sha256>.
-A supported I<digest> name may also be used as the command name.
-To see the list of supported algorithms, use the I<list --digest-commands>
-command.
+The default digest is B<sha256>.
+A supported I<digest> name may also be used as the sub-command name.
+To see the list of supported algorithms, use C<openssl list -digest-commands>
=head1 OPTIONS
@@ -60,7 +57,7 @@ supported digests, use the command C<list --digest-commands>.
=item B<-c>
Print out the digest in two digit groups separated by colons, only relevant if
-B<hex> format output is used.
+the B<-hex> option is given as well.
=item B<-d>
@@ -79,7 +76,7 @@ Output the digest or signature in binary form.
=item B<-r>
Output the digest in the "coreutils" format, including newlines.
-Used by programs like B<sha1sum>.
+Used by programs like L<sha1sum(1)>.
=item B<-out> I<filename>
@@ -88,8 +85,8 @@ Filename to output to, or standard output by default.
=item B<-sign> I<filename>
Digitally sign the digest using the private key in "filename". Note this option
-does not support Ed25519 or Ed448 private keys. Use the B<pkeyutl> command
-instead for this.
+does not support Ed25519 or Ed448 private keys. Use the L<openssl-pkeyutl(1)>
+command instead for this.
=item B<-keyform> I<arg>
@@ -103,7 +100,7 @@ Names and values of these options are algorithm-specific.
=item B<-passin> I<arg>
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<filename>
@@ -131,7 +128,7 @@ option.
Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
which are not based on hash, for instance B<gost-mac> algorithm,
-supported by B<ccgost> engine. MAC keys and other options should be set
+supported by the B<gost> engine. MAC keys and other options should be set
via B<-macopt> parameter.
The L<openssl-mac(1)> command should be preferred to using this command line
@@ -144,13 +141,13 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
=over 4
-=item B<key:string>
+=item B<key>:I<string>
Specifies MAC key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the MAC algorithm for example exactly 32 chars for gost-mac.
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
Specifies MAC key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the MAC algorithm
@@ -161,10 +158,9 @@ for example exactly 32 chars for gost-mac.
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -180,7 +176,7 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
=item B<-engine> I<id>
-Use engine B<id> for operations (including private key storage).
+Use engine I<id> for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
also specified in the configuration file or B<-engine_impl> is also
specified.
@@ -188,9 +184,9 @@ specified.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
-engine B<id> for digest operations.
+engine I<id> for digest operations.
-=item B<file...>
+=item I<file> ...
File or files to digest. If no files are specified then standard input is
used.
@@ -216,13 +212,13 @@ To verify a signature:
The digest mechanisms that are available will depend on the options
used when building OpenSSL.
-The B<list digest-commands> command can be used to list them.
+The C<openssl list -digest-commands> command can be used to list them.
New or agile applications should use probably use SHA-256. Other digests,
particularly SHA-1 and MD5, are still widely used for interoperating
with existing formats and protocols.
-When signing a file, B<dgst> will automatically determine the algorithm
+When signing a file, this command will automatically determine the algorithm
(RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.
When verifying signatures, it only handles the RSA, DSA, or ECDSA signature
itself, not the related data to identify the signer and algorithm used in
diff --git a/doc/man1/openssl-dhparam.pod b/doc/man1/openssl-dhparam.pod
index 26b080f4f6..01eab5cc91 100644
--- a/doc/man1/openssl-dhparam.pod
+++ b/doc/man1/openssl-dhparam.pod
@@ -20,7 +20,7 @@ B<openssl dhparam>
[B<-2>]
[B<-3>]
[B<-5>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[I<numbits>]
@@ -83,13 +83,12 @@ displays a warning if not.
The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
-present but B<numbits> is present, parameters are generated with the
+present but I<numbits> is present, parameters are generated with the
default generator 2.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -123,7 +122,7 @@ be loaded by calling the get_dhNNNN() function.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique I<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -132,10 +131,10 @@ for all available algorithms.
=head1 WARNINGS
-The program B<dhparam> combines the functionality of the programs B<dh> and
-B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future
-versions of OpenSSL.
+This command combines the functionality of the L<openssl-dh(1)> and the
+L<openssl-gendh(1)> commands in previous OpenSSL versions.
+The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but
+may have different purposes in future versions of OpenSSL.
=head1 NOTES
diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod
index 9c34dde658..3e3a114252 100644
--- a/doc/man1/openssl-dsa.pod
+++ b/doc/man1/openssl-dsa.pod
@@ -37,7 +37,7 @@ B<openssl> B<dsa>
=head1 DESCRIPTION
-The B<dsa> command processes DSA keys. They can be converted between various
+This command processes DSA keys. They can be converted between various
forms and their components printed out. B<Note> This command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the B<pkcs8>
@@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@@ -87,17 +87,17 @@ filename.
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the B<dsa> utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
These options can only be used with PEM format output files.
=item B<-text>
@@ -125,7 +125,7 @@ a public key.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique I<id> string) will cause L<openssl-dsa(1)>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
diff --git a/doc/man1/openssl-dsaparam.pod b/doc/man1/openssl-dsaparam.pod
index 68e960a0df..cc5570f333 100644
--- a/doc/man1/openssl-dsaparam.pod
+++ b/doc/man1/openssl-dsaparam.pod
@@ -15,7 +15,7 @@ B<openssl dsaparam>
[B<-noout>]
[B<-text>]
[B<-C>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-genkey>]
[B<-engine> I<id>]
@@ -49,7 +49,7 @@ as the B<-inform> option.
=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the B<numbits> parameter is included then
+this option is not specified. If the I<numbits> parameter is included then
this option will be ignored.
=item B<-out> I<filename>
@@ -76,10 +76,9 @@ be loaded by calling the get_dsaXXX() function.
This option will generate a DSA either using the specified or generated
parameters.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -91,7 +90,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -100,10 +99,10 @@ for all available algorithms.
Print extra details about the operations being performed.
-=item B<numbits>
+=item I<numbits>
This option specifies that a parameter set should be generated of size
-B<numbits>. It must be the last option. If this option is included then
+I<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=back
diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod
index b43af6df52..8f09692007 100644
--- a/doc/man1/openssl-ec.pod
+++ b/doc/man1/openssl-ec.pod
@@ -32,11 +32,11 @@ B<openssl> B<ec>
=head1 DESCRIPTION
-The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the
+The L<openssl-ec(1)> command processes EC keys. They can be converted between
+various forms and their components printed out. B<Note> OpenSSL uses the
private key format specified in 'SEC 1: Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL EC private key into the
-PKCS#8 private key format use the B<pkcs8> command.
+PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
=head1 OPTIONS
@@ -68,7 +68,7 @@ prompted for.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@@ -80,8 +80,8 @@ filename.
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-des>|B<-des3>|B<-idea>
@@ -89,7 +89,7 @@ These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the B<ec> utility to read in an encrypted key with no
+means that using this command to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with PEM format output files.
@@ -113,7 +113,7 @@ By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
@@ -143,7 +143,7 @@ This option checks the consistency of an EC private or public key.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
diff --git a/doc/man1/openssl-ecparam.pod b/doc/man1/openssl-ecparam.pod
index bd946f10c5..46c0af7f58 100644
--- a/doc/man1/openssl-ecparam.pod
+++ b/doc/man1/openssl-ecparam.pod
@@ -22,7 +22,7 @@ B<openssl ecparam>
[B<-conv_form> I<arg>]
[B<-param_enc> I<arg>]
[B<-no_seed>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-genkey>]
[B<-engine> I<id>]
@@ -93,10 +93,9 @@ to get a list of all currently implemented EC parameters.
=item B<-list_curves>
-If this options is specified B<ecparam> will print out a list of all
-currently implemented EC parameters names and exit.
+Print out a list of all currently implemented EC parameters names and exit.
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
@@ -125,10 +124,9 @@ is included in the ECParameters structure (see RFC 3279).
This option will generate an EC private key using the specified parameters.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -140,7 +138,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ecparam>
+Specifying an engine (by its unique I<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -155,7 +153,7 @@ PEM format EC parameters use the header and footer lines:
-----END EC PARAMETERS-----
OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves.
+B<openssl ecparam> can only create EC parameters from known (named) curves.
=head1 EXAMPLES
diff --git a/doc/man1/openssl-enc.pod b/doc/man1/openssl-enc.pod
index 498df90b1f..f2608a59f7 100644
--- a/doc/man1/openssl-enc.pod
+++ b/doc/man1/openssl-enc.pod
@@ -6,7 +6,7 @@ openssl-enc - symmetric cipher routines
=head1 SYNOPSIS
-B<openssl>
+B<openssl> B<enc>|I<cipher>
[B<-I<cipher>>]
[B<-help>]
[B<-ciphers>]
@@ -35,7 +35,7 @@ B<openssl>
[B<-nopad>]
[B<-debug>]
[B<-none>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
@@ -72,7 +72,7 @@ The output filename, standard output by default.
=item B<-pass> I<arg>
-The password source. For more information about the format of B<arg>
+The password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-e>
@@ -104,7 +104,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
=item B<-kfile> I<filename>
-Read the password to derive the key from the first line of B<filename>.
+Read the password to derive the key from the first line of I<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
@@ -185,10 +185,9 @@ or zlib-dynamic option.
Use NULL cipher (no encryption or decryption of input).
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -202,11 +201,11 @@ This can be used with a subsequent B<-rand> flag.
=head1 NOTES
-The program can be called either as B<openssl cipher> or
-B<openssl enc -cipher>. The first form doesn't work with
+The program can be called either as C<openssl I<cipher>> or
+C<openssl enc -I<cipher>>. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
-Use the B<list> command to get a list of supported ciphers.
+Use the L<openssl-list(1)> command to get a list of supported ciphers.
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
@@ -251,27 +250,26 @@ Blowfish and RC5 algorithms use a 128 bit key.
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
-in the configuration file. The output of the B<enc> command run with
-the B<-ciphers> option (that is B<openssl enc -ciphers>) produces a
-list of ciphers, supported by your version of OpenSSL, including
+in the configuration file. The output when invoking this command
+with the B<-ciphers> option (that is C<openssl enc -ciphers>) is
+a list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.
-The B<enc> program does not support authenticated encryption modes
+This command does not support authenticated encryption modes
like CCM and GCM, and will not support such modes in the future.
-The B<enc> interface by necessity must begin streaming output (e.g.,
-to standard output when B<-out> is not used) before the authentication
-tag could be validated, leading to the usage of B<enc> in pipelines
-that begin processing untrusted data and are not capable of rolling
-back upon authentication failure. The AEAD modes currently in common
-use also suffer from catastrophic failure of confidentiality and/or
-integrity upon reuse of key/iv/nonce, and since B<enc> places the
+This is due to having to begin streaming output (e.g., to standard output
+when B<-out> is not used) before the authentication tag could be validated.
+When this command is used in a pipeline, the receiveing end will not be
+able to roll back upon authentication failure. The AEAD modes currently in
+common use also suffer from catastrophic failure of confidentiality and/or
+integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing AEAD modes is too great to allow. These key/iv/nonce
-management issues also affect other modes currently exposed in B<enc>,
+management issues also affect other modes currently exposed in this command,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed with a stable release branch.
For bulk encryption of data, whether using authenticated encryption
-modes or other modes, L<cms(1)> is recommended, as it provides a
+modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.
@@ -413,7 +411,7 @@ Base64 decode a file then decrypt it using a password supplied in a file:
The B<-A> option when used with large files doesn't work properly.
-The B<enc> program only supports a fixed number of algorithms with
+The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
76 bit key or RC4 with an 84 bit key you can't use this program.
diff --git a/doc/man1/openssl-engine.pod b/doc/man1/openssl-engine.pod
index 976d69c2b6..30e391fd4e 100644
--- a/doc/man1/openssl-engine.pod
+++ b/doc/man1/openssl-engine.pod
@@ -7,23 +7,21 @@ openssl-engine - load and query engines
=head1 SYNOPSIS
B<openssl engine>
-[ I<engine...> ]
[B<-v>]
[B<-vv>]
[B<-vvv>]
-[B<-vvv>]
-[B<-vvv>]
+[B<-vvvv>]
[B<-c>]
[B<-t>]
[B<-tt>]
-[B<-pre> I<command>]
-[B<-post> I<command>]
-[ I<engine...> ]
+[B<-pre> I<command>] ...
+[B<-post> I<command>] ...
+[I<engine> ...]
=head1 DESCRIPTION
-The B<engine> command is used to query the status and capabilities
-of the specified B<engine>'s.
+This command is used to query the status and capabilities
+of the specified I<engine>s.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
@@ -57,10 +55,13 @@ Displays an error trace for any unavailable engine.
Command-line configuration of engines.
The B<-pre> command is given to the engine before it is loaded and
the B<-post> command is given after the engine is loaded.
-The I<command> is of the form I<cmd:val> where I<cmd> is the command,
+The I<command> is of the form I<cmd>:I<val> where I<cmd> is the command,
and I<val> is the value for the command.
See the example below.
+These two options are cumulative, so they may be given more than once in the
+same command.
+
=back
=head1 EXAMPLES
@@ -85,7 +86,7 @@ To list all the commands available to a dynamic engine:
LOAD: Load up the ENGINE specified by other settings
(input flags): NO_INPUT
-To list the capabilities of the I<rsax> engine:
+To list the capabilities of the B<rsax> engine:
$ openssl engine -c
(rsax) RSAX engine support
diff --git a/doc/man1/openssl-errstr.pod b/doc/man1/openssl-errstr.pod
index c910f84f09..b19b9da75c 100644
--- a/doc/man1/openssl-errstr.pod
+++ b/doc/man1/openssl-errstr.pod
@@ -6,14 +6,14 @@ openssl-errstr - lookup error codes
=head1 SYNOPSIS
-B<openssl errstr error_code>
+B<openssl errstr> I<error_code>
=head1 DESCRIPTION
Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to
-display the meaning of the hex code. The hex code is the hex digits after the
-second colon.
+numerical forms will be available. This command can be
+used to display the meaning of the hex code. The hex code is the hex digits
+after the second colon.
=head1 OPTIONS
diff --git a/doc/man1/openssl-fipsinstall.pod b/doc/man1/openssl-fipsinstall.pod
index 1e00928961..44f6e0e410 100644
--- a/doc/man1/openssl-fipsinstall.pod
+++ b/doc/man1/openssl-fipsinstall.pod
@@ -17,11 +17,9 @@ B<openssl fipsinstall>
[B<-mac_name> I<macname>]
[B<-macopt> I<nm>:I<v>]
-B<openssl> I<fipsinstall> [B<...>]
-
=head1 DESCRIPTION
-This utility is used to generate a FIPS module configuration file.
+This command is used to generate a FIPS module configuration file.
The generated configuration file consists of:
=over 4
@@ -73,8 +71,8 @@ Name of the section inside the configuration file.
=item B<-mac_name> I<name>
Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command I<list -mac-algorithms>.
-The default is "HMAC".
+To see the list of supported MAC's use the command
+C<openssl list -mac-algorithms>. The default is B<HMAC>.
=item B<-macopt> I<nm>:I<v>
@@ -85,25 +83,26 @@ Common control strings used for fipsinstall are:
=over 4
-=item B<key:string>
+=item B<key>:I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<digest:string>
+=item B<digest>:I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command I<list -digest-commands>.
+To see the list of supported digests, use the command
+C<openssl list -digest-commands>.
=back
@@ -111,14 +110,14 @@ To see the list of supported digests, use the command I<list -digest-commands>.
=head1 EXAMPLES
-Calculate the mac of a FIPS module 'fips.so' and run a FIPS self test
-for the module, and save the fips.conf configuration file:
+Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
+for the module, and save the F<fips.conf> configuration file:
openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \
-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213
-Verify that the configuration file 'fips.conf' contains the correct info:
+Verify that the configuration file F<fips.conf> contains the correct info:
openssl fipsinstall -module ./fips.so -in fips.conf -provider_name fips \
-section_name fips_install -mac_name HMAC -macopt digest:SHA256 \
@@ -128,7 +127,7 @@ Verify that the configuration file 'fips.conf' contains the correct info:
The MAC mechanisms that are available will depend on the options
used when building OpenSSL.
-The B<list -mac-algorithms> command can be used to list them.
+The command C<openssl list -mac-algorithms> command can be used to list them.
=head1 SEE ALSO
diff --git a/doc/man1/openssl-gendsa.pod b/doc/man1/openssl-gendsa.pod
index a5d001acc6..8fc91cf64c 100644
--- a/doc/man1/openssl-gendsa.pod
+++ b/doc/man1/openssl-gendsa.pod
@@ -21,18 +21,18 @@ B<openssl> B<gendsa>
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-verbose>]
-[B<paramfile>]
+[I<paramfile>]
=for comment ifdef engine
=head1 DESCRIPTION
-The B<gendsa> command generates a DSA private key from a DSA parameter file
-(which will be typically generated by the B<openssl dsaparam> command).
+This command generates a DSA private key from a DSA parameter file
+(which will be typically generated by the L<openssl-dsaparam(1)> command).
=head1 OPTIONS
@@ -53,10 +53,9 @@ These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -68,7 +67,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<gendsa>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -77,11 +76,11 @@ for all available algorithms.
Print extra details about the operations being performed.
-=item B<paramfile>
+=item I<paramfile>
-This option specifies the DSA parameter file to use. The parameters in this
-file determine the size of the private key. DSA parameters can be generated
-and examined using the B<openssl dsaparam> command.
+The DSA parameter file to use. The parameters in this file determine
+the size of the private key. DSA parameters can be generated and
+examined using the L<openssl-dsaparam(1)> command.
=back
diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod
index 085f7cb4f8..bace33a38a 100644
--- a/doc/man1/openssl-genpkey.pod
+++ b/doc/man1/openssl-genpkey.pod
@@ -15,7 +15,7 @@ B<openssl> B<genpkey>
[B<-engine> I<id>]
[B<-paramfile> I<file>]
[B<-algorithm> I<alg>]
-[B<-pkeyopt> I<opt:value>]
+[B<-pkeyopt> I<opt>:I<value>]
[B<-genparam>]
[B<-text>]
@@ -23,7 +23,7 @@ B<openssl> B<genpkey>
=head1 DESCRIPTION
-The B<genpkey> command generates a private key.
+This command generates a private key.
=head1 OPTIONS
@@ -44,7 +44,7 @@ This specifies the output format DER or PEM. The default format is PEM.
=item B<-pass> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-I<cipher>>
@@ -54,7 +54,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<genpkey>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
@@ -76,15 +76,15 @@ option) are DH, DSA and EC.
Note that the algorithm name X9.42 DH may be used as a synonym for the DH
algorithm. These are identical and do not indicate the type of parameters that
will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
-or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
+or X9.42 DH parameters are required. See L</DH Parameter Generation Options>
below for more details.
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See L<KEY GENERATION OPTIONS> and
-L<PARAMETER GENERATION OPTIONS> below for more details.
+implementation. See L</KEY GENERATION OPTIONS> and
+L</PARAMETER GENERATION OPTIONS> below for more details.
=item B<-genparam>
@@ -128,7 +128,7 @@ The number of primes in the generated key. If not specified 2 is used.
=item B<rsa_keygen_pubexp:value>
The RSA public exponent value. This can be a large decimal or
-hexadecimal value if preceded by B<0x>. Default value is 65537.
+hexadecimal value if preceded by C<0x>. Default value is 65537.
=back
@@ -138,22 +138,23 @@ Note: by default an B<RSA-PSS> key has no parameter restrictions.
=over 4
-=item B<rsa_keygen_bits:numbits>, B<rsa_keygen_primes:numprimes>, B<rsa_keygen_pubexp:value>
+=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
+B<rsa_keygen_pubexp>:I<value>
These options have the same meaning as the B<RSA> algorithm.
-=item B<rsa_pss_keygen_md:digest>
+=item B<rsa_pss_keygen_md>:I<digest>
-If set the key is restricted and can only use B<digest> for signing.
+If set the key is restricted and can only use I<digest> for signing.
-=item B<rsa_pss_keygen_mgf1_md:digest>
+=item B<rsa_pss_keygen_mgf1_md>:I<digest>
-If set the key is restricted and can only use B<digest> as it's MGF1
+If set the key is restricted and can only use I<digest> as it's MGF1
parameter.
-=item B<rsa_pss_keygen_saltlen:len>
+=item B<rsa_pss_keygen_saltlen>:I<len>
-If set the key is restricted and B<len> specifies the minimum salt length.
+If set the key is restricted and I<len> specifies the minimum salt length.
=back
@@ -163,14 +164,14 @@ The EC key generation options can also be used for parameter generation.
=over 4
-=item B<ec_paramgen_curve:curve>
+=item B<ec_paramgen_curve>:I<curve>
The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
-=item B<ec_param_enc:encoding>
+=item B<ec_param_enc>:I<encoding>
-The encoding to use for parameters. The "encoding" parameter must be either
-"named_curve" or "explicit". The default value is "named_curve".
+The encoding to use for parameters. The I<encoding> parameter must be either
+B<named_curve> or B<explicit>. The default value is B<named_curve>.
=back
@@ -184,16 +185,16 @@ below.
=over 4
-=item B<dsa_paramgen_bits:numbits>
+=item B<dsa_paramgen_bits>:I<numbits>
The number of bits in the generated prime. If not specified 2048 is used.
-=item B<dsa_paramgen_q_bits:numbits>
+=item B<dsa_paramgen_q_bits>:I<numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
-=item B<dsa_paramgen_md:digest>
+=item B<dsa_paramgen_md>:I<digest>
The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
or B<sha256>. If set, then the number of bits in B<q> will match the output size
@@ -208,30 +209,30 @@ or B<sha256> if it is 256.
=over 4
-=item B<dh_paramgen_prime_len:numbits>
+=item B<dh_paramgen_prime_len>:I<numbits>
-The number of bits in the prime parameter B<p>. The default is 2048.
+The number of bits in the prime parameter I<p>. The default is 2048.
-=item B<dh_paramgen_subprime_len:numbits>
+=item B<dh_paramgen_subprime_len>:I<numbits>
-The number of bits in the sub prime parameter B<q>. The default is 256 if the
+The number of bits in the sub prime parameter I<q>. The default is 256 if the
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
-=item B<dh_paramgen_generator:value>
+=item B<dh_paramgen_generator>:I<value>
-The value to use for the generator B<g>. The default is 2.
+The value to use for the generator I<g>. The default is 2.
-=item B<dh_paramgen_type:value>
+=item B<dh_paramgen_type>:I<value>
The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
The default is 0.
-=item B<dh_rfc5114:num>
+=item B<dh_rfc5114>:I<num>
If this option is set, then the appropriate RFC5114 parameters are used
-instead of generating new parameters. The value B<num> can take the
-values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
+instead of generating new parameters. The value I<num> can be one of
+1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
@@ -242,7 +243,7 @@ options.
=head2 EC Parameter Generation Options
The EC parameter generation options are the same as for key generation. See
-L<EC Key Generation Options> above.
+L</EC Key Generation Options> above.
=head1 NOTES
diff --git a/doc/man1/openssl-genrsa.pod b/doc/man1/openssl-genrsa.pod
index 81ede1b8c6..39e221c9a9 100644
--- a/doc/man1/openssl-genrsa.pod
+++ b/doc/man1/openssl-genrsa.pod
@@ -22,9 +22,8 @@ B<openssl> B<genrsa>
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-f4>]
-[B<-3>]
-[B<-rand> I<file...>]
+[B<-f4>|B<-3>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-primes> I<num>]
@@ -35,7 +34,7 @@ B<openssl> B<genrsa>
=head1 DESCRIPTION
-The B<genrsa> command generates an RSA private key.
+This command generates an RSA private key.
=head1 OPTIONS
@@ -66,10 +65,9 @@ for if it is not supplied via the B<-passout> argument.
The public exponent to use, either 65537 or 3. The default is 65537.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -81,16 +79,16 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<genrsa>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-primes> I<num>
-Specify the number of primes to use while generating the RSA key. The B<num>
+Specify the number of primes to use while generating the RSA key. The I<num>
parameter must be a positive integer that is greater than 1 and less than 16.
-If B<num> is greater than 2, then the generated key is called a 'multi-prime'
+If I<num> is greater than 2, then the generated key is called a 'multi-prime'
RSA key, which is defined in RFC 8017.
=item B<-verbose>
diff --git a/doc/man1/openssl-info.pod b/doc/man1/openssl-info.pod
index 3040d0add8..6e16bb809f 100644
--- a/doc/man1/openssl-info.pod
+++ b/doc/man1/openssl-info.pod
@@ -76,7 +76,7 @@ Outputs the OpenSSL CPU settings info.
=head1 HISTORY
-The B<openssl info> command was added in OpenSSL 3.0.
+This command was added in OpenSSL 3.0.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl-list.pod b/doc/man1/openssl-list.pod
index 3a3c5ab4a9..9e691c60ce 100644
--- a/doc/man1/openssl-list.pod
+++ b/doc/man1/openssl-list.pod
@@ -52,15 +52,15 @@ Display a list of standard commands.
=item B<-digest-commands>
Display a list of message digest commands, which are typically used
-as input to the L<dgst(1)> or L<speed(1)> commands.
+as input to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
=item B<-digest-algorithms>
Display a list of message digest algorithms.
-If a line is of the form C<foo =E<gt> bar> then B<foo> is an alias for the
-official algorithm name, B<bar>.
-If a line is of the form C<foo @ bar>, then B<foo> is provided by the provider
-B<bar>.
+If a line is of the form C<foo =E<gt> bar> then C<foo> is an alias for the
+official algorithm name, C<bar>.
+If a line is of the form C<foo @ bar>, then C<foo> is provided by the provider
+C<bar>.
In verbose mode, the algorithms provided by a provider will get additional
information on what parameters each implementation supports.
@@ -76,15 +76,15 @@ Display a list of message authentication code algorithms.
=item B<-cipher-commands>
Display a list of cipher commands, which are typically used as input
-to the L<dgst(1)> or L<speed(1)> commands.
+to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
=item B<-cipher-algorithms>
Display a list of cipher algorithms.
-If a line is of the form C<foo =E<gt> bar> then B<foo> is an alias for the
+If a line is of the form C<foo =E<gt> bar> then C<foo> is an alias for the
official algorithm name, B<bar>.
-If a line is of the form C<foo @ bar>, then B<foo> is provided by the provider
-B<bar>.
+If a line is of the form C<foo @ bar>, then C<foo> is provided by the provider
+C<bar>.
In verbose mode, the algorithms provided by a provider will get additional
information on what parameters each implementation supports.
diff --git a/doc/man1/openssl-mac.pod b/doc/man1/openssl-mac.pod
index 8fd911142f..ce2af2d934 100644
--- a/doc/man1/openssl-mac.pod
+++ b/doc/man1/openssl-mac.pod
@@ -12,9 +12,7 @@ B<openssl mac>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-binary>]
-B<mac_name>
-
-B<openssl> I<mac> [B<...>] B<mac_name>
+I<mac_name>
=head1 DESCRIPTION
@@ -53,58 +51,59 @@ Common parameter names used by EVP_MAC_CTX_get_params() are:
=over 4
-=item B<key:string>
+=item B<key:>I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<hexkey:string>
+=item B<hexkey:>I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<digest:string>
+=item B<digest:>I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command I<list -digest-commands>.
+To see the list of supported digests, use C<openssl list -digest-commands>.
-=item B<cipher:string>
+=item B<cipher:>I<string>
Used by CMAC and GMAC to specify the cipher algorithm.
For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or
DES-EDE3-CBC.
For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
-=item B<iv:string>
+=item B<iv:>I<string>
Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains
printable characters only).
-=item B<hexiv:string>
+=item B<hexiv:>I<string>
Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte).
-=item B<outlen:int>
+=item B<outlen:>I<int>
Used by KMAC128 or KMAC256 to specify an output length.
The default sizes are 32 or 64 bytes respectively.
-=item B<custom:string>
+=item B<custom:>I<string>
Used by KMAC128 or KMAC256 to specify a customization string.
The default is the empty string "".
=back
-=item B<mac_name>
+=item I<mac_name>
Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command I<list -mac-algorithms>.
+To see the list of supported MAC's use the command C<opensssl list
+-mac-algorithms>.
=back
@@ -138,7 +137,7 @@ To create a hex-encoded GMAC-AES-128-GCM with a IV from a file: \
The MAC mechanisms that are available will depend on the options
used when building OpenSSL.
-The B<list -mac-algorithms> command can be used to list them.
+Use C<openssl list -mac-algorithms> to list them.
=head1 SEE ALSO
diff --git a/doc/man1/openssl-nseq.pod b/doc/man1/openssl-nseq.pod
index 40f8f56591..6a5f266987 100644
--- a/doc/man1/openssl-nseq.pod
+++ b/doc/man1/openssl-nseq.pod
@@ -14,7 +14,7 @@ B<openssl> B<nseq>
=head1 DESCRIPTION
-The B<nseq> command takes a file containing a Netscape certificate
+This command takes a file containing a Netscape certificate
sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
diff --git a/doc/man1/openssl-ocsp.pod b/doc/man1/openssl-ocsp.pod
index b53404d08c..7f6c31fe94 100644
--- a/doc/man1/openssl-ocsp.pod
+++ b/doc/man1/openssl-ocsp.pod
@@ -26,7 +26,7 @@ B<openssl> B<ocsp>
[B<-nonce>]
[B<-no_nonce>]
[B<-url> I<URL>]
-[B<-host> I<host:port>]
+[B<-host> I<host>:I<port>]
[B<-multi> I<process-count>]
[B<-header>]
[B<-path>]
@@ -97,7 +97,7 @@ B<openssl> B<ocsp>
The Online Certificate Status Protocol (OCSP) enables applications to
determine the (revocation) state of an identified certificate (RFC 2560).
-The B<ocsp> command performs many common OCSP tasks. It can be used
+This command performs many common OCSP tasks. It can be used
to print out requests and responses, create requests and send queries
to an OCSP responder and behave like a mini OCSP server itself.
@@ -121,27 +121,27 @@ specify output filename, default is standard output.
=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in B<filename> must be in
+multiple times. The certificate specified in I<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.
=item B<-cert> I<filename>
-Add the certificate B<filename> to the request. The issuer certificate
-is taken from the previous B<issuer> option, or an error occurs if no
+Add the certificate I<filename> to the request. The issuer certificate
+is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.
=item B<-serial> I<num>
-Same as the B<cert> option except the certificate with serial number
+Same as the B<-cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
-decimal integer unless preceded by B<0x>. Negative integers can also
-be specified by preceding the value by a B<-> sign.
+decimal integer unless preceded by C<0x>. Negative integers can also
+be specified by preceding the value by a C<-> sign.
=item B<-signer> I<filename>, B<-signkey> I<filename>
-Sign the OCSP request using the certificate specified in the B<signer>
-option and the private key specified by the B<signkey> option. If
-the B<signkey> option is not present then the private key is read
+Sign the OCSP request using the certificate specified in the B<-signer>
+option and the private key specified by the B<-signkey> option. If
+the B<-signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
@@ -152,10 +152,10 @@ Additional certificates to include in the signed request.
=item B<-nonce>, B<-no_nonce>
Add an OCSP nonce extension to a request or disable OCSP nonce addition.
-Normally if an OCSP request is input using the B<reqin> option no
-nonce is added: using the B<nonce> option will force addition of a nonce.
-If an OCSP request is being created (using B<cert> and B<serial> options)
-a nonce is automatically added specifying B<no_nonce> overrides this.
+Normally if an OCSP request is input using the B<-reqin> option no
+nonce is added: using the B<-nonce> option will force addition of a nonce.
+If an OCSP request is being created (using B<-cert> and B<-serial> options)
+a nonce is automatically added specifying B<-no_nonce> overrides this.
=item B<-req_text>, B<-resp_text>, B<-text>
@@ -163,28 +163,28 @@ Print out the text form of the OCSP request, response or both respectively.
=item B<-reqout> I<file>, B<-respout> I<file>
-Write out the DER encoded certificate request or response to B<file>.
+Write out the DER encoded certificate request or response to I<file>.
=item B<-reqin> I<file>, B<-respin> I<file>
-Read OCSP request or response file from B<file>. These option are ignored
+Read OCSP request or response file from I<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
-with B<serial>, B<cert> and B<host> options).
+with B<-serial>, B<-cert> and B<-host> options).
=item B<-url> I<responder_url>
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
-=item B<-host> I<hostname:port>, B<-path> I<pathname>
+=item B<-host> I<hostname>:I<port>, B<-path> I<pathname>
-If the B<host> option is present then the OCSP request is sent to the host
-B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use
-or "/" by default. This is equivalent to specifying B<-url> with scheme
+If the B<-host> option is present then the OCSP request is sent to the host
+I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
+to use or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
-=item B<-header> I<name=value>
+=item B<-header> I<name>=I<value>
-Adds the header B<name> with the specified B<value> to the OCSP request
+Adds the header I<name> with the specified I<value> to the OCSP request
that is sent to the responder.
This may be repeated.
@@ -229,7 +229,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
-See L<verify(1)> manual page for details.
+See L<openssl-verify(1)> manual page for details.
=item B<-verify_other> I<file>
@@ -303,13 +303,13 @@ seconds, the default value is 5 minutes.
If the B<notAfter> time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
-B<notBefore> field is checked to see it is not older than B<age> seconds old.
+B<notBefore> field is checked to see it is not older than I<age> seconds old.
By default this additional check is not performed.
=item B<-rcid> I<digest>
This option sets the digest algorithm to use for certificate identification
-in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
+in the OCSP response. Any digest supported by the L<openssl-dgst(1)> command can
be used. The default is the same digest algorithm used in the request.
=item B<-I<digest>>
@@ -327,21 +327,22 @@ digest used by subsequent certificate identifiers.
=item B<-index> I<indexfile>
-The B<indexfile> parameter is the name of a text index file in B<ca>
+The I<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
-If the B<index> option is specified the B<ocsp> utility is in responder
-mode, otherwise it is in client mode. The request(s) the responder
-processes can be either specified on the command line (using B<issuer>
-and B<serial> options), supplied in a file (using the B<reqin> option)
-or via external OCSP clients (if B<port> or B<url> is specified).
+If the B<-index> option is specified then this command switches to
+responder mode, otherwise it is in client mode. The request(s) the responder
+processes can be either specified on the command line (using B<-issuer>
+and B<-serial> options), supplied in a file (using the B<-reqin> option)
+or via external OCSP clients (if B<-port> or B<-url> is specified).
-If the B<index> option is present then the B<CA> and B<rsigner> options
+If the B<-index> option is present then the B<-CA> and B<-rsigner> options
must also be present.
=item B<-CA> I<file>
-CA certificate corresponding to the revocation information in B<indexfile>.
+CA certificate corresponding to the revocation information in the index
+file given with B<-index>.
=item B<-rsigner> I<file>
@@ -363,7 +364,7 @@ subject name.
=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
-specified in the B<rsigner> option is used.
+specified in the B<-rsigner> option is used.
=item B<-rsigopt> I<nm>:I<v>
@@ -383,7 +384,7 @@ running instead of terminating upon receiving a malformed request.
=item B<-nrequest> I<number>
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving I<number> requests, default unlimited.
=item B<-nmin> I<minutes>, B<-ndays> I<days>
@@ -403,8 +404,8 @@ the OCSP request checked using the responder certificate's public key.
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the B<CAfile>
-and B<CApath> options or they will be looked for in the standard OpenSSL
+certificates used to build the chain can be specified by the B<-CAfile>
+and B<-CApath> options or they will be looked for in the standard OpenSSL
certificates directory.
If the initial verify fails then the OCSP verify process halts with an
@@ -451,8 +452,8 @@ new requests until it has processed the current one. The text index file
format of revocation is also inefficient for large quantities of revocation
data.
-It is possible to run the B<ocsp> application in responder mode via a CGI
-script using the B<reqin> and B<respout> options.
+It is possible to run this command in responder mode via a CGI
+script using the B<-reqin> and B<-respout> options.
=head1 EXAMPLES
diff --git a/doc/man1/openssl-passwd.pod b/doc/man1/openssl-passwd.pod
index 755e80a22e..27a5c1bf61 100644
--- a/doc/man1/openssl-passwd.pod
+++ b/doc/man1/openssl-passwd.pod
@@ -20,7 +20,7 @@ B<openssl passwd>
[B<-noverify>]
[B<-quiet>]
[B<-table>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
{I<password>}
@@ -28,12 +28,13 @@ B<openssl passwd>
=head1 DESCRIPTION
-The B<passwd> command computes the hash of a password typed at
+This command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B<crypt> and the MD5-based BSD password
-algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
+The Unix standard algorithm B<-crypt> and the MD5-based BSD password
+algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
+available.
=head1 OPTIONS
@@ -92,10 +93,9 @@ Don't output warnings when passwords given at the command line are truncated.
In the output list, prepend the cleartext password and a TAB character
to each password hash.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
diff --git a/doc/man1/openssl-pkcs12.pod b/doc/man1/openssl-pkcs12.pod
index f309bcd1b8..4ea722b6e0 100644
--- a/doc/man1/openssl-pkcs12.pod
+++ b/doc/man1/openssl-pkcs12.pod
@@ -36,7 +36,7 @@ B<openssl> B<pkcs12>
[B<-password> I<arg>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-CAfile> I<file>]
[B<-CApath> I<dir>]
@@ -48,7 +48,7 @@ B<openssl> B<pkcs12>
=head1 DESCRIPTION
-The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
+This command allows PKCS#12 files (sometimes referred to as
PFX files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, MSIE and MS Outlook.
@@ -79,14 +79,14 @@ default. They are all written in PEM format.
=item B<-passin> I<arg>
The PKCS#12 file (i.e. input file) password source. For more information about
-the format of B<arg>
+the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
-in L<openssl(1)>.
+information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-password> I<arg>
@@ -207,14 +207,12 @@ displays them.
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
-the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+the format of I<arg> see L<openssl(1)/Pass phrase options>.
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
-about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+about the format of I<arg> see L<openssl(1)/Pass phrase options>.
=item B<-chain>
@@ -233,8 +231,8 @@ unless RC2 is disabled in which case triple DES is used.
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
-can be used (see B<NOTES> section for more information). If a cipher name
-(as output by the B<list-cipher-algorithms> command is specified then it
+can be used (see L</NOTES> section for more information). If a cipher name
+(as output by C<openssl list -cipher-algorithms>) is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
@@ -280,10 +278,9 @@ to be needed to use MAC iterations counts but they are now used by default.
Don't attempt to provide the MAC integrity.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -300,8 +297,8 @@ CA storage as a file.
=item B<-CApath> I<dir>
CA storage as a directory. This directory must be a standard certificate
-directory: that is a hash of each subject name (using B<x509 -hash>) should be
-linked to each certificate.
+directory: that is a hash of each subject name (using C<openssl x509 -hash>)
+should be linked to each certificate.
=item B<-no-CAfile>
@@ -313,7 +310,7 @@ Do not load the trusted CA certificates from the default directory location.
=item B<-CSP> I<name>
-Write B<name> as a Microsoft CSP name.
+Write I<name> as a Microsoft CSP name.
=back
@@ -339,7 +336,7 @@ algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple DES
encrypted private keys, then the option B<-keypbe> I<PBE-SHA1-RC2-40> can
be used to reduce the private key encryption to 40 bit RC2. A complete
-description of all algorithms is contained in the B<pkcs8> manual page.
+description of all algorithms is contained in L<openssl-pkcs8(1)>.
Prior 1.1 release passwords containing non-ASCII characters were encoded
in non-compliant manner, which limited interoperability, in first hand
@@ -349,7 +346,7 @@ this reason even legacy encodings is attempted when reading the
data. If you use PKCS#12 files in production application you are advised
to convert the data, because implemented heuristic approach is not
MT-safe, its sole goal is to facilitate the data upgrade with this
-utility.
+command.
=head1 EXAMPLES
diff --git a/doc/man1/openssl-pkcs7.pod b/doc/man1/openssl-pkcs7.pod
index 680cec70a3..b21feeea5f 100644
--- a/doc/man1/openssl-pkcs7.pod
+++ b/doc/man1/openssl-pkcs7.pod
@@ -21,7 +21,7 @@ B<openssl> B<pkcs7>
=head1 DESCRIPTION
-The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
+This command processes PKCS#7 files in DER or PEM format.
=head1 OPTIONS
@@ -69,7 +69,7 @@ is B<-print_certs> is set).
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
diff --git a/doc/man1/openssl-pkcs8.pod b/doc/man1/openssl-pkcs8.pod
index e1cc0b38a5..a3b6b7b762 100644
--- a/doc/man1/openssl-pkcs8.pod
+++ b/doc/man1/openssl-pkcs8.pod
@@ -17,7 +17,7 @@ B<openssl> B<pkcs8>
[B<-passout> I<arg>]
[B<-iter> I<count>]
[B<-noiter>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-nocrypt>]
[B<-traditional>]
@@ -34,7 +34,7 @@ B<openssl> B<pkcs8>
=head1 DESCRIPTION
-The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
+This command processes private keys in PKCS#8 format. It can handle
both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
@@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@@ -87,8 +87,8 @@ filename.
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-iter> I<count>
@@ -105,10 +105,9 @@ This option does not encrypt private keys at all and should only be used
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -122,7 +121,7 @@ This can be used with a subsequent B<-rand> flag.
This option sets the PKCS#5 v2.0 algorithm.
-The B<alg> argument is the encryption algorithm to use, valid values include
+The I<alg> argument is the encryption algorithm to use, valid values include
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
@@ -143,7 +142,7 @@ If not specified PKCS#5 v2.0 form is used.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -157,13 +156,13 @@ B<-scrypt_p> and B<-v2> options.
=item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
-Sets the scrypt B<N>, B<r> or B<p> parameters.
+Sets the scrypt I<N>, I<r> or I<p> parameters.
=back
=head1 KEY FORMATS
-Various different formats are used by the pkcs8 utility. These are detailed
+Various different formats are used by this command. These are detailed
below.
If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod
index ea64ecff60..4177a6fedf 100644
--- a/doc/man1/openssl-pkey.pod
+++ b/doc/man1/openssl-pkey.pod
@@ -29,8 +29,8 @@ B<openssl> B<pkey>
=head1 DESCRIPTION
-The B<pkey> command processes public or private keys. They can be converted
-between various forms and their components printed out.
+This command processes public or private keys. They can be
+converted between various forms and their components printed out.
=head1 OPTIONS
@@ -57,7 +57,7 @@ prompted for.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@@ -67,10 +67,10 @@ option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-traditional>
@@ -109,7 +109,7 @@ the input is a public key.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkey>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
diff --git a/doc/man1/openssl-pkeyparam.pod b/doc/man1/openssl-pkeyparam.pod
index 34ae7c97c2..9b69c7bbf7 100644
--- a/doc/man1/openssl-pkeyparam.pod
+++ b/doc/man1/openssl-pkeyparam.pod
@@ -19,7 +19,7 @@ B<openssl> B<pkeyparam>
=head1 DESCRIPTION
-The B<pkeyparam> command processes public key algorithm parameters.
+This command processes public key algorithm parameters.
They can be checked for correctness and their components printed out.
=head1 OPTIONS
@@ -50,7 +50,7 @@ Do not output the encoded version of the parameters.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
diff --git a/doc/man1/openssl-pkeyutl.pod b/doc/man1/openssl-pkeyutl.pod
index a0f4555764..1f231ba325 100644
--- a/doc/man1/openssl-pkeyutl.pod
+++ b/doc/man1/openssl-pkeyutl.pod
@@ -29,11 +29,11 @@ B<openssl> B<pkeyutl>
[B<-derive>]
[B<-kdf> I<algorithm>]
[B<-kdflen> I<length>]
-[B<-pkeyopt> I<opt:value>]
-[B<-pkeyopt_passin> I<opt:passarg>]
+[B<-pkeyopt> I<opt>:I<value>]
+[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
[B<-asn1parse>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-engine_impl>]
@@ -42,8 +42,8 @@ B<openssl> B<pkeyutl>
=head1 DESCRIPTION
-The B<pkeyutl> command can be used to perform low level public key operations
-using any supported algorithm.
+This command can be used to perform low level public key
+operations using any supported algorithm.
=head1 OPTIONS
@@ -73,7 +73,7 @@ signature algorithm does not require one (for instance, EdDSA). If this option
is omitted but the signature algorithm requires one, a default value will be
used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
default digest algorithm. For SM2, it will be SM3. If this option is present,
-then the B<-rawin> option must be also specified to B<pkeyutl>.
+then the B<-rawin> option must be also specified.
=item B<-out> I<filename>
@@ -82,7 +82,7 @@ default.
=item B<-sigfile> I<file>
-Signature file, required for B<verify> operations only
+Signature file, required for B<-verify> operations only
=item B<-inkey> I<file>
@@ -94,7 +94,7 @@ The key format PEM, DER or ENGINE. Default is PEM.
=item B<-passin> I<arg>
-The input key password source. For more information about the format of B<arg>
+The input key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-peerkey> I<file>
@@ -103,7 +103,7 @@ The peer key file, used by key derivation (agreement) operations.
=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
-The peer key format PEM, DER or ENGINE. Default is PEM.
+The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
=item B<-pubin>
@@ -146,7 +146,7 @@ Derive a shared secret using the peer key.
=item B<-kdf> I<algorithm>
-Use key derivation function B<algorithm>. The supported algorithms are
+Use key derivation function I<algorithm>. The supported algorithms are
at present B<TLS1-PRF> and B<HKDF>.
Note: additional parameters and the KDF output length will normally have to be
set for this to work.
@@ -157,16 +157,16 @@ for the supported string parameters of each algorithm.
Set the output length for KDF.
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
Public key options specified as opt:value. See NOTES below for more details.
-=item B<-pkeyopt_passin> I<opt:passarg>
+=item B<-pkeyopt_passin> I<opt>[:I<passarg>]
-Allows reading a public key option B<opt> from stdin or a password source. If
-only opt is specified, the user will be prompted to enter the value on stdin.
-Alternatively, passarg can be specified which can be any value supported by
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+Allows reading a public key option I<opt> from stdin or a password source.
+If only I<opt> is specified, the user will be prompted to enter a password on
+stdin. Alternatively, I<passarg> can be specified which can be any value
+supported by L<openssl(1)/Pass phrase options>.
=item B<-hexdump>
@@ -177,10 +177,9 @@ hex dump the output data.
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -192,7 +191,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -200,7 +199,7 @@ for all available algorithms.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
-engine B<id> for crypto operations.
+engine I<id> for crypto operations.
=back
@@ -209,15 +208,15 @@ engine B<id> for crypto operations.
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
-Unless otherwise mentioned all algorithms support the B<digest:alg> option
+Unless otherwise mentioned all algorithms support the B<digest:>I<alg> option
which specifies the digest in use for sign, verify and verifyrecover operations.
-The value B<alg> should represent a digest name as used in the
+The value I<alg> should represent a digest name as used in the
EVP_get_digestbyname() function for example B<sha1>. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
-lengths of data passed in to the B<pkeyutl> and for creating the structures that
-make up the signature (e.g. B<DigestInfo> in RSASSA PKCS#1 v1.5 signatures).
+lengths of data passed in and for creating the structures that make up the
+signature (e.g. B<DigestInfo> in RSASSA PKCS#1 v1.5 signatures).
-This utility does not hash the input data (except where -rawin is used) but
+This command does not hash the input data (except where -rawin is used) but
rather it will use the data directly as input to the signature algorithm.
Depending on the key type, signature type, and mode of padding, the maximum
acceptable lengths of input data differ. The signed data can't be longer than
@@ -238,9 +237,9 @@ B<pkeyopt> values are supported:
=over 4
-=item B<rsa_padding_mode:mode>
+=item B<rsa_padding_mode:>I<mode>
-This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
+This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for
PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
@@ -258,15 +257,15 @@ verify and verifyrecover are can be performed in this mode.
For B<pss> mode only sign and verify are supported and the digest type must be
specified.
-=item B<rsa_pss_saltlen:len>
+=item B<rsa_pss_saltlen:>I<len>
For B<pss> mode only this option specifies the salt length. Three special
-values are supported: "digest" sets the salt length to the digest length,
-"max" sets the salt length to the maximum permissible value. When verifying
-"auto" causes the salt length to be automatically determined based on the
+values are supported: B<digest> sets the salt length to the digest length,
+B<max> sets the salt length to the maximum permissible value. When verifying
+B<auto> causes the salt length to be automatically determined based on the
B<PSS> block structure.
-=item B<rsa_mgf1_md:digest>
+=item B<rsa_mgf1_md:>I<digest>
For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
explicitly set in PSS mode then the signing digest is used.
@@ -277,11 +276,12 @@ explicitly set in PSS mode then the signing digest is used.
The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
supports the sign and verify operations with PSS padding. The following
-additional B<pkeyopt> values are supported:
+additional B<-pkeyopt> values are supported:
=over 4
-=item B<rsa_padding_mode:mode>, B<rsa_pss_saltlen:len>, B<rsa_mgf1_md:digest>
+=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>,
+B<rsa_mgf1_md:>I<digest>
These have the same meaning as the B<RSA> algorithm with some additional
restrictions. The padding mode can only be set to B<pss> which is the
@@ -320,8 +320,8 @@ no additional options.
These algorithms only support signing and verifying. OpenSSL only implements the
"pure" variants of these algorithms so raw data can be passed directly to them
-without hashing them first. The option "-rawin" must be used with these
-algorithms with no "-digest" specified. Additionally OpenSSL only supports
+without hashing them first. The option B<-rawin> must be used with these
+algorithms with no B<-digest> specified. Additionally OpenSSL only supports
"oneshot" operation with these algorithms. This means that the entire file to
be signed/verified must be read into memory before processing it. Signing or
Verifying very large files should be avoided. Additionally the size of the file
@@ -332,17 +332,17 @@ must be known for this to work. If the size of the file cannot be determined
The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
the sign and verify operations, SM2 requires an ID string to be passed in. The
-following B<pkeyopt> value is supported:
+following B<-pkeyopt> value is supported:
=over 4
-=item B<sm2_id:string>
+=item B<sm2_id:>I<string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
Otherwise the verification will fail.
-=item B<sm2_hex_id:hex_string>
+=item B<sm2_hex_id:>I<hex_string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
diff --git a/doc/man1/openssl-prime.pod b/doc/man1/openssl-prime.pod
index 618af6ae1a..c11bcc9c84 100644
--- a/doc/man1/openssl-prime.pod
+++ b/doc/man1/openssl-prime.pod
@@ -13,11 +13,11 @@ B<openssl prime>
[B<-bits> I<num>]
[B<-safe>]
[B<-checks> I<num>]
-[I<number...>]
+[I<number> ...]
=head1 DESCRIPTION
-The B<prime> command checks if the specified numbers are prime.
+This command checks if the specified numbers are prime.
If no numbers are given on the command line, the B<-generate> flag should
be used to generate primes according to the requirements specified by the
@@ -41,16 +41,16 @@ Generate a prime number.
=item B<-bits> I<num>
-Generate a prime with B<num> bits.
+Generate a prime with I<num> bits.
=item B<-safe>
When used with B<-generate>, generates a "safe" prime. If the number
-generated is B<n>, then check that B<(n-1)/2> is also prime.
+generated is I<n>, then check that C<(I<n>-1)/2> is also prime.
=item B<-checks> I<num>
-Perform the checks B<num> times to see that the generated number
+Perform the checks I<num> times to see that the generated number
is prime. The default is 20.
=back
diff --git a/doc/man1/openssl-provider.pod b/doc/man1/openssl-provider.pod
index a16c41845d..b29d2f5a26 100644
--- a/doc/man1/openssl-provider.pod
+++ b/doc/man1/openssl-provider.pod
@@ -11,12 +11,12 @@ B<openssl provider>
[B<-v>]
[B<-vv>]
[B<-vvv>]
-[ I<provider...> ]
+[I<provider> ...]
=head1 DESCRIPTION
-The B<provider> command is used to query the capabilities of the specified
-I<provider>'s.
+This command is used to query the capabilities of the
+specified I<provider>'s.
=head1 OPTIONS
diff --git a/doc/man1/openssl-rand.pod b/doc/man1/openssl-rand.pod
index 4d57265b13..6ce3326efd 100644
--- a/doc/man1/openssl-rand.pod
+++ b/doc/man1/openssl-rand.pod
@@ -9,7 +9,7 @@ openssl-rand - generate pseudo-random bytes
B<openssl rand>
[B<-help>]
[B<-out> I<file>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-base64>]
[B<-hex>]
@@ -19,11 +19,11 @@ I<num>
=head1 DESCRIPTION
-The B<rand> command outputs I<num> pseudo-random bytes after seeding
+This command outputs I<num> pseudo-random bytes after seeding
the random number generator once. As in other B<openssl> command
-line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd>
+line tools, PRNG seeding uses the file F<$HOME/.rnd> or F<.rnd>
in addition to the files given in the B<-rand> option. A new
-I<$HOME>/B<.rnd> or B<.rnd> file will be written back if enough
+F<$HOME/.rnd> or F<.rnd> file will be written back if enough
seeding was obtained from these sources.
=head1 OPTIONS
@@ -38,10 +38,9 @@ Print out a usage message.
Write to I<file> instead of standard output.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
diff --git a/doc/man1/openssl-rehash.pod b/doc/man1/openssl-rehash.pod
index 5dbb15de74..eed2864446 100644
--- a/doc/man1/openssl-rehash.pod
+++ b/doc/man1/openssl-rehash.pod
@@ -5,7 +5,8 @@ Original text by James Westby, contributed under the OpenSSL license.
=head1 NAME
-openssl-c_rehash - Create symbolic links to files named by the hash values
+openssl-rehash, c_rehash - Create symbolic links to files named by the hash
+values
=head1 SYNOPSIS
@@ -16,23 +17,28 @@ B<rehash>
[B<-old>]
[B<-n>]
[B<-v>]
-[I<directory>...]
+[I<directory>] ...
B<c_rehash>
-I<flags...>
+[B<-h>]
+[B<-help>]
+[B<-old>]
+[B<-n>]
+[B<-v>]
+[I<directory>] ...
=head1 DESCRIPTION
-On some platforms, the OpenSSL B<rehash> command is available as
-an external script called B<c_rehash>. They are functionally equivalent,
-except for minor differences noted below.
+On some platforms, this command isn't available, and the external
+script B<c_rehash> has to be used instead. They are functionally
+equivalent, except for minor differences noted below.
-B<rehash> scans directories and calculates a hash value of each
-C<.pem>, C<.crt>, C<.cer>, or C<.crl>
+B<openssl rehash> scans directories and calculates a hash value of
+each F<.pem>, F<.crt>, F<.cer>, or F<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
-This utility is useful as many programs that use OpenSSL require
+This command is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.
If any directories are named on the command line, then those are
@@ -40,22 +46,22 @@ processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix B<PATH> variable.
If that is not set then the default directory (installation-specific
-but often B</usr/local/ssl/certs>) is processed.
+but often F</usr/local/ssl/certs>) is processed.
In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.
-The links created are of the form C<HHHHHHHH.D>, where each B<H>
-is a hexadecimal character and B<D> is a single decimal digit.
-When processing a directory, B<rehash> will first remove all links
-that have a name in that syntax, even if they are being used for some
-other purpose.
+The links created are of the form I<HHHHHHHH.D>, where each I<H>
+is a hexadecimal character and I<D> is a single decimal digit.
+When a directory is processed, all links in it that have a name
+in that syntax are first removed, even if they are being used for
+some other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
-the period, like this: C<HHHHHHHH.rD>.
+the period, like this: I<HHHHHHHH.>B<r>I<D>.
Multiple objects may have the same hash; they will be indicated by
-incrementing the B<D> value. Duplicates are found by comparing the
+incrementing the I<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.
@@ -75,7 +81,7 @@ a certificate or CRL:
$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FILENAME
-where B<FILENAME> is the filename. It must output the hash of the
+where I<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.
@@ -107,7 +113,7 @@ releases.
=item B<-v>
Print messages about old links removed and new links created.
-By default, B<rehash> only lists each directory as it is processed.
+By default, this command only lists each directory as it is processed.
=back
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod
index e010e00f01..d0d1700ef8 100644
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
@@ -20,10 +20,9 @@ B<openssl> B<req>
[B<-verify>]
[B<-modulus>]
[B<-new>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
-[B<-newkey> I<rsa:bits>]
-[B<-newkey> I<alg:file>]
+[B<-newkey> I<arg>]
[B<-nodes>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
@@ -56,7 +55,7 @@ B<openssl> B<req>
=head1 DESCRIPTION
-The B<req> command primarily creates and processes certificate requests
+This command primarily creates and processes certificate requests
in PKCS#10 format. It can additionally create self signed certificates
for use as root CAs for example.
@@ -104,7 +103,7 @@ default.
=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-text>
@@ -142,10 +141,9 @@ in the configuration file and any requested extensions.
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -158,35 +156,36 @@ This can be used with a subsequent B<-rand> flag.
=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
-key. The argument takes one of several forms. B<rsa:nbits>, where
-B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
+key. The argument takes one of several forms.
+
+B<rsa:>I<nbits>, where
+I<nbits> is the number of bits, generates an RSA key I<nbits>
+in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
the default key size, specified in the configuration file is used.
-All other algorithms support the B<-newkey> I<alg:file> form, where file may be
-an algorithm parameter file, created by the B<genpkey -genparam> command
-or and X.509 certificate for a key with appropriate algorithm.
+All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
+may be an algorithm parameter file, created with C<openssl genpkey -genparam>
+or an X.509 certificate for a key with appropriate algorithm.
-B<param:file> generates a key using the parameter file or certificate B<file>,
-the algorithm is determined by the parameters. B<algname:file> use algorithm
-B<algname> and parameter file B<file>: the two algorithms must match or an
-error occurs. B<algname> just uses algorithm B<algname>, and parameters,
-if necessary should be specified via B<-pkeyopt> parameter.
+B<param:>I<file> generates a key using the parameter file or certificate
+I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
+use algorithm I<algname> and parameter file I<file>: the two algorithms must
+match or an error occurs. I<algname> just uses algorithm I<algname>, and
+parameters, if necessary should be specified via B<-pkeyopt> parameter.
-B<dsa:filename> generates a DSA key using the parameters
-in the file B<filename>. B<ec:filename> generates EC key (usable both with
-ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
-34.10-2001 key (requires B<ccgost> engine configured in the configuration
+B<dsa:>I<filename> generates a DSA key using the parameters
+in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
+ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
+34.10-2001 key (requires B<gost> engine configured in the configuration
file). If just B<gost2001> is specified a parameter set should be
specified by B<-pkeyopt> I<paramset:X>
+=item B<-pkeyopt> I<opt>:I<value>
-=item B<-pkeyopt> I<opt:value>
-
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
-for more details.
+implementation.
+See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>
@@ -230,7 +229,7 @@ see L<openssl(1)/COMMAND SUMMARY>.
Sets subject name for new request or supersedes the subject name
when processing a request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
@@ -240,9 +239,9 @@ in the request.
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
-I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>.
=item B<-x509>
@@ -250,7 +249,7 @@ This option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
-using the B<set_serial> option, a large random number will be used for
+using the B<-set_serial> option, a large random number will be used for
the serial number.
If existing request is specified with the B<-in> option, it is converted
@@ -259,13 +258,13 @@ to the self signed certificate otherwise new request is created.
=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
-days to certify the certificate for, otherwise it is ignored. B<n> should
+days to certify the certificate for, otherwise it is ignored. I<n> should
be a positive integer. The default is 30 days.
=item B<-set_serial> I<n>
Serial number to use when outputting a self signed certificate. This
-may be specified as a decimal value or a hex value if preceded by B<0x>.
+may be specified as a decimal value or a hex value if preceded by C<0x>.
=item B<-addext> I<ext>
@@ -305,16 +304,16 @@ configuration file, must be valid UTF8 strings.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
-=item B<-reqopt>
+=item B<-reqopt> I<option>
-Customise the output format used with B<-text>. The B<option> argument can be
+Customise the output format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.
-See discussion of the B<-certopt> parameter in the L<x509(1)>
+See discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
command.
=item B<-newhdr>
@@ -332,14 +331,14 @@ Print extra details about the operations being performed.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<req>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine> I<id>
-Specifies an engine (by its unique B<id> string) which would be used
+Specifies an engine (by its unique I<id> string) which would be used
for key generation operations.
=item B<-sm2-id>
@@ -486,8 +485,8 @@ just consist of field names and values: for example,
OU=My Organization
emailAddress=someone at somewhere.org
-This allows external programs (e.g. GUI based) to generate a template file
-with all the field names and values and just pass it to B<req>. An example
+This allows external programs (e.g. GUI based) to generate a template file with
+all the field names and values and just pass it to this command. An example
of this kind of configuration file is contained in the B<EXAMPLES> section.
Alternatively if the B<prompt> option is absent or not set to B<no> then the
@@ -666,7 +665,7 @@ The following messages are frequently asked about:
Using configuration from /some/path/openssl.cnf
Unable to load config info
-This is followed some time later by...
+This is followed some time later by:
unable to find 'distinguished_name' in config
problems making Certificate Request
diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod
index 6b8fa44c60..7c2fd9effa 100644
--- a/doc/man1/openssl-rsa.pod
+++ b/doc/man1/openssl-rsa.pod
@@ -40,11 +40,11 @@ B<openssl> B<rsa>
=head1 DESCRIPTION
-The B<rsa> command processes RSA keys. They can be converted between various
-forms and their components printed out. B<Note> this command uses the
+This command processes RSA keys. They can be converted between
+various forms and their components printed out. B<Note> this command uses the
traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the B<pkcs8>
-utility.
+applications should use the more secure PKCS#8 format using the
+L<openssl-pkcs8(1)> command.
=head1 OPTIONS
@@ -75,7 +75,7 @@ prompted for.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
@@ -85,19 +85,19 @@ option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the B<rsa> utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
These options can only be used with PEM format output files.
=item B<-text>
@@ -134,7 +134,7 @@ Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<rsa>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -186,7 +186,7 @@ Output the public part of a private key in B<RSAPublicKey> format:
=head1 BUGS
-There should be an option that automatically handles .key files,
+There should be an option that automatically handles F<.key> files,
without having to manually edit them.
=head1 SEE ALSO
diff --git a/doc/man1/openssl-rsautl.pod b/doc/man1/openssl-rsautl.pod
index fccd7a1ad7..0774b92797 100644
--- a/doc/man1/openssl-rsautl.pod
+++ b/doc/man1/openssl-rsautl.pod
@@ -18,7 +18,7 @@ B<openssl> B<rsautl>
[B<-verify>]
[B<-encrypt>]
[B<-decrypt>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-pkcs>]
[B<-ssl>]
@@ -30,7 +30,7 @@ B<openssl> B<rsautl>
=head1 DESCRIPTION
-The B<rsautl> command can be used to sign, verify, encrypt and decrypt
+This command can be used to sign, verify, encrypt and decrypt
data using the RSA algorithm.
=head1 OPTIONS
@@ -84,10 +84,9 @@ Encrypt the input data using an RSA public key.
Decrypt the input data using an RSA private key.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -117,7 +116,7 @@ B<-verify> option.
=head1 NOTES
-B<rsautl> because it uses the RSA algorithm directly can only be
+Since this command uses the RSA algorithm directly, it can only be
used to sign or verify small pieces of data.
=head1 EXAMPLES
@@ -148,8 +147,9 @@ encrypt and decrypt the block would have been of type 2 (the second byte)
and random padding data visible instead of the 0xff bytes.
It is possible to analyse the signature of certificates using this
-utility in conjunction with B<asn1parse>. Consider the self signed
-example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
+utility in conjunction with L<openssl-asn1parse(1)>. Consider the self signed
+example in F<certs/pca-cert.pem>. Running L<openssl-asn1parse(1)> as follows
+yields:
openssl asn1parse -in pca-cert.pem
diff --git a/doc/man1/openssl-s_client.pod b/doc/man1/openssl-s_client.pod
index 3baacd3f73..8ad2679b63 100644
--- a/doc/man1/openssl-s_client.pod
+++ b/doc/man1/openssl-s_client.pod
@@ -125,7 +125,7 @@ B<openssl> B<s_client>
[B<-no_ticket>]
[B<-sess_out> I<filename>]
[B<-sess_in> I<filename>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-serverinfo> I<types>]
[B<-status>]
@@ -151,13 +151,13 @@ B<openssl> B<s_client>
=head1 DESCRIPTION
-The B<s_client> command implements a generic SSL/TLS client which connects
-to a remote host using SSL/TLS. It is a I<very> useful diagnostic tool for
-SSL servers.
+This command implements a generic SSL/TLS client which
+connects to a remote host using SSL/TLS. It is a I<very> useful diagnostic
+tool for SSL servers.
=head1 OPTIONS
-In addition to the options below the B<s_client> utility also supports the
+In addition to the options below, this command also supports the
common and client only options documented
in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
manual page.
@@ -283,8 +283,8 @@ Extra certificate and private key format respectively.
=item B<-pass> I<arg>
-the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+the private key password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
@@ -302,15 +302,15 @@ abort the handshake with a fatal error.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the client certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the client certificate chain.
=item B<-CAfile> I<file>
@@ -320,7 +320,8 @@ and to use when attempting to build the client certificate chain.
=item B<-chainCApath> I<directory>
The directory to use for building the chain provided to the server. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
=item B<-chainCAfile> I<file>
@@ -360,7 +361,7 @@ at a positive depth or else "matched EE certificate" at depth 0.
=item B<-dane_tlsa_rrdata> I<rrdata>
Use one or more times to specify the RRDATA fields of the DANE TLSA
-RRset associated with the target service. The B<rrdata> value is
+RRset associated with the target service. The I<rrdata> value is
specied in "presentation form", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
@@ -406,7 +407,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
=item B<-reconnect>
@@ -481,25 +482,25 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity> I<identity>
-Use the PSK identity B<identity> when using a PSK cipher suite.
+Use the PSK identity I<identity> when using a PSK cipher suite.
The default value is "Client_identity" (without the quotes).
=item B<-psk> I<key>
-Use the PSK key B<key> when using a PSK cipher suite. The key is
+Use the PSK key I<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
-By default B<s_client> will negotiate the highest mutually supported protocol
+By default, this command will negotiate the highest mutually supported protocol
version.
When a specific TLS version is required, only that version will be offered to
and accepted from the server.
@@ -508,8 +509,8 @@ OpenSSL was built.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-These options make B<s_client> use DTLS protocols instead of TLS.
-With B<-dtls>, B<s_client> will negotiate any supported DTLS protocol version,
+These options make this command use DTLS protocols instead of TLS.
+With B<-dtls>, it will negotiate any supported DTLS protocol version,
whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
respectively.
@@ -607,22 +608,22 @@ ultimately selected by the server. For a list of all curves, use:
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which ciphersuite is used it should
-take the first supported cipher in the list sent by the client. See the
-B<ciphers> command for more information.
+take the first supported cipher in the list sent by the client. See
+L<openssl-ciphers(1)> for more information.
=item B<-ciphersuites> I<val>
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See the
-B<ciphers> command for more information. The format for this list is a simple
+take the first supported cipher in the list sent by the client. See
+L<openssl-ciphers(1)> for more information. The format for this list is a simple
colon (":") separated list of TLSv1.3 ciphersuite names.
=item B<-starttls> I<protocol>
Send the protocol-specific message(s) to switch to TLS for communication.
-B<protocol> is a keyword for the intended protocol. Currently, the only
+I<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
@@ -659,24 +660,23 @@ Disable RFC4507bis session ticket support.
=item B<-sess_out> I<filename>
-Output SSL session to B<filename>.
+Output SSL session to I<filename>.
-=item B<-sess_in> I<sess.pem>
+=item B<-sess_in> I<filename>
-Load SSL session from B<filename>. The client will attempt to resume a
+Load SSL session from I<filename>. The client will attempt to resume a
connection from this session.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<s_client>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -703,7 +703,7 @@ response (if any) is printed out.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The B<protocols> list is a comma-separated list of protocol names that
+The I<protocols> list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable ASCII strings,
for example "http/1.1" or "spdy/3".
@@ -784,7 +784,7 @@ Send a key update message to the server and request one back (TLSv1.3 only)
=head1 NOTES
-B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
+This command can be used to debug SSL servers. To connect to an SSL HTTP
server the command:
openssl s_client -connect servername:443
@@ -802,7 +802,7 @@ A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using B<s_client> the CA list can be viewed
+requests a certificate. By using this command, the CA list can be viewed
and checked. However some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
is necessary to use the B<-prexit> option and send an HTTP request
@@ -817,7 +817,7 @@ If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show all the certificates sent by the
server.
-The B<s_client> utility is a test tool and is designed to continue the
+This command is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. None test
applications should B<not> do this as it makes them vulnerable to a MITM
@@ -830,8 +830,8 @@ connections to come from some particular address and or port.
=head1 BUGS
Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of B<s_client> is rather hard to
-read and not a model of how things should be done.
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
A typical SSL client program would be much simpler.
The B<-prexit> option is a bit of a hack. We should really report
diff --git a/doc/man1/openssl-s_server.pod b/doc/man1/openssl-s_server.pod
index 69275ed976..e99d3b6a66 100644
--- a/doc/man1/openssl-s_server.pod
+++ b/doc/man1/openssl-s_server.pod
@@ -52,7 +52,7 @@ B<openssl> B<s_server>
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
@@ -197,15 +197,14 @@ B<openssl> B<s_server>
=head1 DESCRIPTION
-The B<s_server> command implements a generic SSL/TLS server which listens
-for connections on a given port using SSL/TLS.
+This command implements a generic SSL/TLS server which
+listens for connections on a given port using SSL/TLS.
=head1 OPTIONS
-In addition to the options below the B<s_server> utility also supports the
-common and server only options documented
-in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
-manual page.
+In addition to the options below, this command also supports
+the common and server only options documented
+L<SSL_CONF_cmd(3)/Supported Command Line Commands>
=over 4
@@ -258,7 +257,7 @@ anonymous cipher suite or PSK) this option has no effect.
The certificate to use, most servers cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
-(DSA) key. If not specified then the filename "server.pem" will be used.
+(DSA) key. If not specified then the filename F<server.pem> will be used.
=item B<-cert_chain>
@@ -274,9 +273,9 @@ provided to the client.
=item B<-nameopt> I<val>
Option which determines how the subject or issuer names are displayed. The
-B<val> argument can be a single option or multiple options separated by
+I<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-naccept> I<+int>
@@ -381,13 +380,14 @@ a certificate is requested.
=item B<-CApath> I<dir>
The directory to use for client certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the server certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the server certificate chain.
=item B<-chainCApath> I<dir>
The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
=item B<-chainCAfile> I<file>
@@ -423,7 +423,7 @@ web browser. Cannot be used in conjunction with B<-early_data>.
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
-requested the file ./page.html will be loaded. Cannot be used in conjunction
+requested the file F<./page.html> will be loaded. Cannot be used in conjunction
with B<-early_data>.
=item B<-tlsextdebug>
@@ -434,22 +434,21 @@ Print a hex dump of any TLS extensions received from the server.
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
-requested the file ./page.html will be loaded. The files loaded are
+requested the file F<./page.html> will be loaded. The files loaded are
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
=item B<-id_prefix> I<val>
-Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
+Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -476,7 +475,7 @@ a verbose printout of the OCSP response.
=item B<-status_timeout> I<int>
-Sets the timeout for OCSP response to B<int> seconds.
+Sets the timeout for OCSP response to I<int> seconds.
=item B<-status_url> I<val>
@@ -543,8 +542,8 @@ further information).
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
-By default B<s_server> will negotiate the highest mutually supported protocol
-version.
+By default, this command will negotiate the highest mutually supported
+protocol version.
When a specific TLS version is required, only that version will be accepted
from the client.
Note that not all protocols and flags may be available, depending on how
@@ -610,7 +609,7 @@ modified. This list is combined with any TLSv1.3 ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
-the B<ciphers> command for more information.
+L<openssl-ciphers(1)> for more information.
=item B<-ciphersuites> I<val>
@@ -619,16 +618,16 @@ This list is combined with any TLSv1.2 and below ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
-the B<ciphers> command for more information. The format for this list is a
-simple colon (":") separated list of TLSv1.3 ciphersuite names.
+L<openssl-ciphers(1)> command for more information. The format for this list is
+a simple colon (":") separated list of TLSv1.3 ciphersuite names.
=item B<-dhparam> I<infile>
The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
load the parameters from the server certificate file.
-If this fails then a static set of parameters hard coded into the B<s_server>
-program will be used.
+If this fails then a static set of parameters hard coded into this command
+will be used.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
@@ -639,7 +638,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different peer certificate verification options.
-See the L<verify(1)> manual page for details.
+See the L<openssl-verify(1)> manual page for details.
=item B<-crl_check>, B<-crl_check_all>
@@ -653,42 +652,43 @@ Turns on non blocking I/O.
=item B<-psk_identity> I<val>
-Expect the client to send PSK identity B<val> when using a PSK
+Expect the client to send PSK identity I<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".
=item B<-psk_hint> I<val>
-Use the PSK identity hint B<val> when using a PSK cipher suite.
+Use the PSK identity hint I<val> when using a PSK cipher suite.
=item B<-psk> I<val>
-Use the PSK key B<val> when using a PSK cipher suite. The key is
+Use the PSK key I<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-listen>
This option can only be used in conjunction with one of the DTLS options above.
-With this option B<s_server> will listen on a UDP port for incoming connections.
+With this option, this command will listen on a UDP port for incoming
+connections.
Any ClientHellos that arrive will be checked to see if they have a cookie in
them or not.
Any without a cookie will be responded to with a HelloVerifyRequest.
-If a ClientHello with a cookie is received then B<s_server> will connect to
-that peer and complete the handshake.
+If a ClientHello with a cookie is received then this command will
+connect to that peer and complete the handshake.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-These options make B<s_server> use DTLS protocols instead of TLS.
-With B<-dtls>, B<s_server> will negotiate any supported DTLS protocol version,
-whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and DTLSv1.2
-respectively.
+These options make this command use DTLS protocols instead of TLS.
+With B<-dtls>, it will negotiate any supported DTLS protocol
+version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
+DTLSv1.2 respectively.
=item B<-sctp>
@@ -714,7 +714,7 @@ disabling the ephemeral DH cipher suites.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The B<val> list is a comma-separated list of supported protocol
+The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
@@ -722,10 +722,10 @@ The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
=item B<-engine> I<val>
-Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+Specifying an engine (by its unique id string in I<val>) will cause
+this command to attempt to obtain a functional reference to the
+specified engine, thus initialising it if needed. The engine will then be
+set as the default for all available algorithms.
=item B<-keylogfile> I<outfile>
@@ -814,8 +814,8 @@ Send a certificate request to the client (TLSv1.3 only)
=head1 NOTES
-B<s_server> can be used to debug SSL clients. To accept connections from
-a web browser the command:
+This command can be used to debug SSL clients. To accept connections
+from a web browser the command:
openssl s_server -accept 443 -www
@@ -825,20 +825,20 @@ Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.
-The session parameters can printed out using the B<sess_id> program.
+The session parameters can printed out using the L<openssl-sess_id(1)> command.
=head1 BUGS
Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of B<s_server> is rather hard to
-read and not a model of how things should be done.
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
A typical SSL server program would be much simpler.
The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.
-There should be a way for the B<s_server> program to print out details of any
-unknown cipher suites a client says it supports.
+There should be a way for this command to print out details
+of any unknown cipher suites a client says it supports.
=head1 SEE ALSO
diff --git a/doc/man1/openssl-s_time.pod b/doc/man1/openssl-s_time.pod
index fa3dd685b7..edeeb87b69 100644
--- a/doc/man1/openssl-s_time.pod
+++ b/doc/man1/openssl-s_time.pod
@@ -8,7 +8,7 @@ openssl-s_time - SSL/TLS performance timing program
B<openssl> B<s_time>
[B<-help>]
-[B<-connect> I<host:port>]
+[B<-connect> I<host>:I<port>]
[B<-www> I<page>]
[B<-cert> I<filename>]
[B<-key> I<filename>]
@@ -34,11 +34,12 @@ B<openssl> B<s_time>
=head1 DESCRIPTION
-The B<s_time> command implements a generic SSL/TLS client which connects to a
-remote host using SSL/TLS. It can request a page from the server and includes
-the time to transfer the payload data in its timing measurements. It measures
-the number of connections within a given timeframe, the amount of data
-transferred (if any), and calculates the average time spent for one connection.
+This command implements a generic SSL/TLS client which
+connects to a remote host using SSL/TLS. It can request a page from the server
+and includes the time to transfer the payload data in its timing measurements.
+It measures the number of connections within a given timeframe, the amount of
+data transferred (if any), and calculates the average time spent for one
+connection.
=head1 OPTIONS
@@ -48,16 +49,16 @@ transferred (if any), and calculates the average time spent for one connection.
Print out a usage message.
-=item B<-connect> I<host:port>
+=item B<-connect> I<host>:I<port>
This specifies the host and optional port to connect to.
=item B<-www> I<page>
This specifies the page to GET from the server. A value of '/' gets the
-index.htm[l] page. If this parameter is not specified, then B<s_time> will only
-perform the handshake to establish SSL connections but not transfer any
-payload data.
+F<index.html> page. If this parameter is not specified, then this command
+will only perform the handshake to establish SSL connections but not transfer
+any payload data.
=item B<-cert> I<certname>
@@ -80,15 +81,15 @@ will never fail due to a server certificate verify failure.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
-must be in "hash format", see B<verify> for more information. These are
-also used when building the client certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the client certificate chain.
=item B<-CAfile> I<file>
@@ -118,8 +119,8 @@ specified, they are both on by default and executed in sequence.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
These options enable specific SSL or TLS protocol versions for the handshake
-initiated by B<s_time>.
-By default B<s_time> negotiates the highest mutually supported protocol
+initiated by this command.
+By default, it negotiates the highest mutually supported protocol
version.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
@@ -135,7 +136,7 @@ This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information.
+L<openssl-ciphers(1)> for more information.
=item B<-ciphersuites> I<val>
@@ -143,26 +144,27 @@ This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information. The format for this list is a simple
-colon (":") separated list of TLSv1.3 ciphersuite names.
+L<openssl-ciphers(1)> for more information. The format for this list is a
+simple colon (":") separated list of TLSv1.3 ciphersuite names.
=item B<-time> I<length>
-Specifies how long (in seconds) B<s_time> should establish connections and
-optionally transfer payload data from a server. Server and client performance
-and the link speed determine how many connections B<s_time> can establish.
+Specifies how long (in seconds) this command should establish connections
+and optionally transfer payload data from a server. Server and client
+performance and the link speed determine how many connections it
+can establish.
=back
=head1 NOTES
-B<s_time> can be used to measure the performance of an SSL connection.
+This command can be used to measure the performance of an SSL connection.
To connect to an SSL HTTP server and get the default page the command
openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
-would typically be used (https uses port 443). 'commoncipher' is a cipher to
-which both client and server can agree, see the L<ciphers(1)> command
+would typically be used (https uses port 443). I<commoncipher> is a cipher to
+which both client and server can agree, see the L<openssl-ciphers(1)> command
for details.
If the handshake fails then there are several possible causes, if it is
@@ -175,10 +177,10 @@ A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using L<s_client(1)> the CA list can be
+requests a certificate. By using L<openssl-s_client(1)> the CA list can be
viewed and checked. However some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> option of L<s_client(1)> and
+is necessary to use the B<-prexit> option of L<openssl-s_client(1)> and
send an HTTP request for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
@@ -189,8 +191,8 @@ on the command line is no guarantee that the certificate works.
=head1 BUGS
Because this program does not have all the options of the
-L<s_client(1)> program to turn protocols on and off, you may not be
-able to measure the performance of all protocols with all servers.
+L<openssl-s_client(1)> program to turn protocols on and off, you may not
+be able to measure the performance of all protocols with all servers.
The B<-verify> option should really exit if the server verification
fails.
diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod
index ffec19147d..9e0b74f512 100644
--- a/doc/man1/openssl-sess_id.pod
+++ b/doc/man1/openssl-sess_id.pod
@@ -9,7 +9,7 @@ openssl-sess_id - SSL/TLS session handling utility
B<openssl> B<sess_id>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>|B<MSS>]
+[B<-outform> B<DER>|B<PEM>|B<NSS>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-text>]
@@ -18,11 +18,11 @@ B<openssl> B<sess_id>
=head1 DESCRIPTION
-The B<sess_id> process the encoded version of the SSL session structure
-and optionally prints out SSL session details (for example the SSL session
-master key) in human readable format. Since this is a diagnostic tool that
-needs some knowledge of the SSL protocol to use properly, most users will
-not need to use it.
+This command processes the encoded version of the SSL session
+structure and optionally prints out SSL session details (for example
+the SSL session master key) in human readable format. Since this is a
+diagnostic tool that needs some knowledge of the SSL protocol to use
+properly, most users will not need to use it.
=head1 OPTIONS
@@ -41,9 +41,9 @@ format base64 encoded with additional header and footer lines.
=item B<-outform> B<DER>|B<PEM>|B<NSS>
-This specifies the output format. The B<PEM> and B<DER> options have the same meaning
-and default as the B<-inform> option. The B<NSS> option outputs the session id and
-the master key in NSS keylog format.
+This specifies the output format. The B<PEM> and B<DER> options have the same
+meaning and default as the B<-inform> option. The B<NSS> option outputs the
+session id and the master key in NSS keylog format.
=item B<-in> I<filename>
diff --git a/doc/man1/openssl-smime.pod b/doc/man1/openssl-smime.pod
index dc4a5bcf2f..4faf37868d 100644
--- a/doc/man1/openssl-smime.pod
+++ b/doc/man1/openssl-smime.pod
@@ -65,17 +65,17 @@ B<openssl> B<smime>
[B<-indef>]
[B<-noindef>]
[B<-stream>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-md> I<digest>]
-[cert.pem]...
+I<cert.pem> ...
=for comment ifdef engine
=head1 DESCRIPTION
-The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and
-verify S/MIME messages.
+This command handles S/MIME mail. It can encrypt, decrypt, sign
+and verify S/MIME messages.
=head1 OPTIONS
@@ -187,7 +187,7 @@ A file containing trusted CA certificates, only used with B<-verify>.
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
+is a hash of each subject name (using C<openssl x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
@@ -208,7 +208,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
+example B<-aes-128-cbc>. See L<openssl-enc(1)> for list of ciphers
supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt>.
@@ -295,13 +295,12 @@ specified, the argument is given to the engine as a key identifier.
=item B<-passin> I<arg>
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -311,11 +310,6 @@ all others.
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<cert.pem...>
-
-One or more certificates of message recipients: used when encrypting
-a message.
-
=item B<-to>, B<-from>, B<-subject>
The relevant mail headers. These are included outside the signed
@@ -332,7 +326,12 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various options of certificate chain verification. See
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
+
+=item I<cert.pem> ...
+
+One or more certificates of message recipients, used when encrypting
+a message.
=back
diff --git a/doc/man1/openssl-speed.pod b/doc/man1/openssl-speed.pod
index c7577f5557..fd78872996 100644
--- a/doc/man1/openssl-speed.pod
+++ b/doc/man1/openssl-speed.pod
@@ -14,21 +14,21 @@ B<openssl speed>
[B<-hmac> I<algo>]
[B<-cmac> I<algo>]
[B<-decrypt>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-primes> I<num>]
[B<-seconds> I<num>]
[B<-bytes> I<num>]
-[B<algorithm...>]
+[I<algorithm> ...]
=for comment ifdef cmac multi async_jobs engine
=head1 DESCRIPTION
This command is used to test the performance of cryptographic algorithms.
-To see the list of supported algorithms, use the I<list --digest-commands>
-or I<list --cipher-commands> command. The global CSPRNG is denoted by
-the I<rand> algorithm name.
+To see the list of supported algorithms, use C<openssl list -digest-commands>
+or C<openssl list -cipher-commands> command. The global CSPRNG is denoted by
+the B<rand> algorithm name.
=head1 OPTIONS
@@ -40,7 +40,7 @@ Print out a usage message.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<speed>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -54,8 +54,8 @@ of hardware engines.
=item B<-evp> I<algo>
Use the specified cipher or message digest algorithm via the EVP interface.
-If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
-TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
+If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a
+TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
=item B<-hmac> I<digest>
@@ -64,16 +64,16 @@ Time the HMAC algorithm using the specified message digest.
=item B<-cmac> I<cipher>
-Time the CMAC algorithm using the specified cipher e.g. B<speed -cmac aes128>.
+Time the CMAC algorithm using the specified cipher e.g.
+C<openssl speed -cmac aes128>.
=item B<-decrypt>
Time the decryption instead of encryption. Affects only the EVP testing.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -85,20 +85,20 @@ This can be used with a subsequent B<-rand> flag.
=item B<-primes> I<num>
-Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
+Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
is only effective if RSA algorithm is specified to test.
=item B<-seconds> I<num>
-Run benchmarks for B<num> seconds.
+Run benchmarks for I<num> seconds.
=item B<-bytes> I<num>
-Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
+Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
-=item B<algorithm...>
+=item I<algorithm> ...
-If any options are given, B<speed> tests those algorithms, otherwise a
+If any I<algorithm> is given, then those algorithms are tested, otherwise a
pre-compiled grand selection is tested.
=back
diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod
index 03df087ee0..fb64a6793c 100644
--- a/doc/man1/openssl-spkac.pod
+++ b/doc/man1/openssl-spkac.pod
@@ -25,7 +25,7 @@ B<openssl> B<spkac>
=head1 DESCRIPTION
-The B<spkac> command processes Netscape signed public key and challenge
+This command processes Netscape signed public key and challenge
(SPKAC) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.
@@ -49,7 +49,7 @@ default.
=item B<-key> I<keyfile>
-Create an SPKAC file using the private key in B<keyfile>. The
+Create an SPKAC file using the private key in I<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
@@ -58,9 +58,9 @@ present.
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
-=item B<-passin> I<password>
+=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-challenge> I<string>
@@ -94,7 +94,7 @@ Verifies the digital signature on the supplied SPKAC.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<spkac>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -126,8 +126,8 @@ Example of an SPKAC, (long lines split up for clarity):
=head1 NOTES
-A created SPKAC with suitable DN components appended can be fed into
-the B<ca> utility.
+A created SPKAC with suitable DN components appended can be fed to
+L<openssl-ca(1)>.
SPKACs are typically generated by Netscape when a form is submitted
containing the B<KEYGEN> tag as part of the certificate enrollment
diff --git a/doc/man1/openssl-srp.pod b/doc/man1/openssl-srp.pod
index 62a27c37ef..8890e00e94 100644
--- a/doc/man1/openssl-srp.pod
+++ b/doc/man1/openssl-srp.pod
@@ -17,22 +17,21 @@ B<openssl srp>
[B<-config> I<file>]
[B<-srpvfile> I<file>]
[B<-gn> I<identifier>]
-[B<-userinfo> I<text...>]
+[B<-userinfo> I<text>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
-[I<user...>]
+[I<user> ...]
=for comment ifdef engine
=head1 DESCRIPTION
-The B<srp> command is used to maintain an SRP (secure remote password)
-file.
+This command is used to maintain an SRP (secure remote password) file.
At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
can be specified.
These options take zero or more usernames as parameters and perform the
appropriate operation on the SRP file.
-For B<-list>, if no B<user> is given then all users are displayed.
+For B<-list>, if no I<user> is given then all users are displayed.
The configuration file to use, and the section within the file, can be
specified with the B<-config> and B<-name> flags, respectively.
@@ -42,11 +41,11 @@ just specify the file to operate on.
The B<-userinfo> option specifies additional information to add when
adding or modifying a user.
-The B<-gn> flag specifies the B<g> and B<N> values, using one of
+The B<-gn> flag specifies the I<g> and I<N> values, using one of
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in
-the L<openssl(1)> command.
+the L<openssl(1)/Pass phrase options> command.
=head1 OPTIONS
diff --git a/doc/man1/openssl-storeutl.pod b/doc/man1/openssl-storeutl.pod
index fb292a3cf7..dbe0d9f844 100644
--- a/doc/man1/openssl-storeutl.pod
+++ b/doc/man1/openssl-storeutl.pod
@@ -23,12 +23,12 @@ B<openssl> B<storeutl>
[B<-alias> I<arg>]
[B<-fingerprint> I<arg>]
[B<-I<digest>>]
-B<uri> ...
+I<uri> ...
=head1 DESCRIPTION
-The B<storeutl> command can be used to display the contents (after decryption
-as the case may be) fetched from the given URIs.
+This command can be used to display the contents (after
+decryption as the case may be) fetched from the given URIs.
=head1 OPTIONS
@@ -49,17 +49,17 @@ this option prevents output of the PEM data.
=item B<-passin> I<arg>
-the key password source. For more information about the format of B<arg>
+the key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-text>
Prints out the objects in text form, similarly to the B<-text> output from
-B<openssl x509>, B<openssl pkey>, etc.
+L<openssl-x509(1)>, L<openssl-pkey(1)>, etc.
=item B<-engine> I<id>
-specifying an engine (by its unique B<id> string) will cause B<storeutl>
+specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed.
The engine will then be set as the default for all available algorithms.
@@ -80,8 +80,8 @@ returned.
=item B<-subject> I<arg>
-Search for an object having the subject name B<arg>.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+Search for an object having the subject name I<arg>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
@@ -93,10 +93,10 @@ the type at all.
Search for an object having the given issuer name and serial number.
These two options I<must> be used together.
-The issuer arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+The issuer arg must be formatted as C</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
The serial arg may be specified as a decimal value or a hex value if preceded
-by B<0x>.
+by C<0x>.
=item B<-alias> I<arg>
@@ -118,7 +118,7 @@ L<openssl(1)>
=head1 HISTORY
-The B<openssl> B<storeutl> app was added in OpenSSL 1.1.1.
+This command was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl-ts.pod b/doc/man1/openssl-ts.pod
index 40906452f1..c97909d526 100644
--- a/doc/man1/openssl-ts.pod
+++ b/doc/man1/openssl-ts.pod
@@ -8,7 +8,7 @@ openssl-ts - Time Stamping Authority tool (client/server)
B<openssl> B<ts>
B<-query>
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-config> I<configfile>]
[B<-data> I<file_to_hash>]
@@ -86,8 +86,8 @@ I<verify options:>
=head1 DESCRIPTION
-The B<ts> command is a basic Time Stamping Authority (TSA) client and server
-application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
+This command is a basic Time Stamping Authority (TSA) client and
+server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
TSA can be part of a PKI deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
@@ -116,7 +116,7 @@ value that it had sent to the TSA.
There is one DER encoded protocol data unit defined for transporting a time
stamp request to the TSA and one for sending the timestamp response
-back to the client. The B<ts> command has three main functions:
+back to the client. This command has three main functions:
creating a timestamp request based on a data file,
creating a timestamp response based on a request, verifying if a
response corresponds to a particular request or a data file.
@@ -134,10 +134,9 @@ request with the following options:
=over 4
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -170,7 +169,7 @@ in use. (Optional)
=item B<-I<digest>>
The message digest to apply to the data file.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the L<openssl-dgst(1)> command can be used.
The default is SHA-256. (Optional)
=item B<-tspolicy> I<object_id>
@@ -315,7 +314,7 @@ instead of DER. (Optional)
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ts>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. Default is built-in. (Optional)
@@ -362,7 +361,7 @@ of a timestamp response (TimeStampResp). (Optional)
=item B<-CApath> I<trusted_cert_path>
The name of the directory containing the trusted CA certificates of the
-client. See the similar option of L<verify(1)> for additional
+client. See the similar option of L<openssl-verify(1)> for additional
details. Either this option or B<-CAfile> must be specified. (Optional)
@@ -370,7 +369,7 @@ details. Either this option or B<-CAfile> must be specified. (Optional)
The name of the file containing a set of trusted self-signed CA
certificates in PEM format. See the similar option of
-L<verify(1)> for additional details. Either this option
+L<openssl-verify(1)> for additional details. Either this option
or B<-CApath> must be specified.
(Optional)
@@ -392,7 +391,7 @@ B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>,
B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, and B<-x509_strict> can be used to control timestamp
-verification. See L<verify(1)>.
+verification. See L<openssl-verify(1)>.
=back
@@ -418,15 +417,15 @@ section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<oid_section>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<RANDFILE>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<serial>
@@ -527,11 +526,11 @@ public key certificate identifier. Default is sha256. (Optional)
All the examples below presume that B<OPENSSL_CONF> is set to a proper
configuration file, e.g. the example configuration file
-openssl/apps/openssl.cnf will do.
+F<openssl/apps/openssl.cnf> will do.
=head2 Timestamp Request
-To create a timestamp request for design1.txt with SHA-256 digest,
+To create a timestamp request for F<design1.txt> with SHA-256 digest,
without nonce and policy, and without requirement for a certificate
in the response:
@@ -549,7 +548,7 @@ To print the content of the previous request in human readable format:
openssl ts -query -in design1.tsq -text
To create a timestamp request which includes the SHA-512 digest
-of design2.txt, requests the signer certificate and nonce, and
+of F<design2.txt>, requests the signer certificate and nonce, and
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
@@ -565,10 +564,10 @@ user certificate section of the config file to generate a proper certificate;
extendedKeyUsage = critical,timeStamping
-See L<req(1)>, L<ca(1)>, and L<x509(1)> for instructions. The examples
-below assume that cacert.pem contains the certificate of the CA,
-tsacert.pem is the signing certificate issued by cacert.pem and
-tsakey.pem is the private key of the TSA.
+See L<openssl-req(1)>, L<openssl-ca(1)>, and L<openssl-x509(1)> for
+instructions. The examples below assume that F<cacert.pem> contains the
+certificate of the CA, F<tsacert.pem> is the signing certificate issued
+by F<cacert.pem> and F<tsakey.pem> is the private key of the TSA.
To create a timestamp response for a request:
diff --git a/doc/man1/openssl-verify.pod b/doc/man1/openssl-verify.pod
index a83ffadc22..d795afca5d 100644
--- a/doc/man1/openssl-verify.pod
+++ b/doc/man1/openssl-verify.pod
@@ -52,13 +52,13 @@ B<openssl> B<verify>
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
[B<-->]
-[certificates]
+[I<certificate> ...]
=for comment ifdef engine sm2-id sm2-hex-id
=head1 DESCRIPTION
-The B<verify> command verifies certificate chains.
+This command verifies certificate chains.
=head1 OPTIONS
@@ -70,16 +70,16 @@ Print out a usage message.
=item B<-CAfile> I<file>
-A B<file> of trusted certificates.
+A I<file> of trusted certificates.
The file should contain one or more certificates in PEM format.
=item B<-CApath> I<directory>
A directory of trusted certificates. The certificates should have names
-of the form: hash.0 or have symbolic links to them of this
-form ("hash" is the hashed certificate subject name: see the B<-hash> option
-of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
-create symbolic links to a directory of certificates.
+of the form: F<I<hash>.0> or have symbolic links to them of this form
+(I<hash> is the hashed certificate subject name: see the L<openssl-x509(1)>
+B<-hash> option). Under Unix, L<openssl-rehash(1)> will automatically create
+symbolic links to a directory of certificates.
=item B<-no-CAfile>
@@ -95,8 +95,8 @@ Allow the verification of proxy certificates.
=item B<-attime> I<timestamp>
-Perform validation checks using time specified by B<timestamp> and not
-current system time. B<timestamp> is the number of seconds since
+Perform validation checks using time specified by I<timestamp> and not
+current system time. I<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-check_ss_sig>
@@ -106,9 +106,9 @@ because it doesn't add any security.
=item B<-CRLfile> I<file>
-The B<file> should contain one or more CRLs in PEM format.
+The I<file> should contain one or more CRLs in PEM format.
This option can be specified more than once to include CRLs from multiple
-B<files>.
+I<file>s.
=item B<-crl_download>
@@ -126,7 +126,7 @@ to look up valid CRLs.
=item B<-engine> I<id>
-Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
+Specifying an engine I<id> will cause this command to attempt to load the
specified engine.
The engine will then be set as the default for all its supported algorithms.
If you want to load certificates or CRLs that require engine support via any of
@@ -159,9 +159,9 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-no_check_time>
@@ -177,8 +177,8 @@ trusted certificate that might not be self-signed.
=item B<-policy> I<arg>
-Enable policy processing and add B<arg> to the user-initial-policy-set (see
-RFC5280). The policy B<arg> can be an object name an OID in numeric form.
+Enable policy processing and add I<arg> to the user-initial-policy-set (see
+RFC5280). The policy I<arg> can be an object name an OID in numeric form.
This argument can appear more than once.
=item B<-policy_check>
@@ -192,9 +192,10 @@ Print out diagnostics related to policy processing.
=item B<-purpose> I<purpose>
The intended use for the certificate. If this option is not specified,
-B<verify> will not consider certificate purpose during chain verification.
+this command will not consider certificate purpose during chain
+verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
-B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
+B<smimesign>, B<smimeencrypt>. See the L</VERIFY OPERATION> section for more
information.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
@@ -224,22 +225,22 @@ effect.
=item B<-untrusted> I<file>
-A B<file> of additional untrusted certificates (intermediate issuer CAs) used
+A I<file> of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
-The B<file> should contain one or more certificates in PEM format.
+The I<file> should contain one or more certificates in PEM format.
This option can be specified more than once to include untrusted certificates
-from multiple B<files>.
+from multiple I<file>s.
=item B<-trusted> I<file>
-A B<file> of trusted certificates, which must be self-signed, unless the
+A I<file> of trusted certificates, which must be self-signed, unless the
B<-partial_chain> option is specified.
-The B<file> contains one or more certificates in PEM format.
+The I<file> contains one or more certificates in PEM format.
With this option, no additional (e.g., default) certificate lists are
consulted.
-That is, the only trust-anchors are those listed in B<file>.
+That is, the only trust-anchors are those listed in I<file>.
This option can be specified more than once to include trusted certificates
-from multiple B<files>.
+from multiple I<file>s.
This option implies the B<-no-CAfile> and B<-no-CApath> options.
This option cannot be used in combination with either of the B<-CAfile> or
B<-CApath> options.
@@ -254,11 +255,11 @@ Print extra information about the operations being performed.
=item B<-auth_level> I<level>
-Set the certificate chain authentication security level to B<level>.
+Set the certificate chain authentication security level to I<level>.
The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains.
For a certificate chain to validate, the public keys of all the certificates
-must meet the specified security B<level>.
+must meet the specified security I<level>.
The signature algorithm security level is enforced for all the certificates in
the chain except for the chain's I<trust anchor>, which is either directly
trusted or validated by means other than its signature.
@@ -272,34 +273,33 @@ shorter than 1024 bits.
=item B<-verify_depth> I<num>
-Limit the certificate chain to B<num> intermediate CA certificates.
-A maximal depth chain can have up to B<num+2> certificates, since neither the
+Limit the certificate chain to I<num> intermediate CA certificates.
+A maximal depth chain can have up to I<num>+2 certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
B<-verify_depth> limit.
=item B<-verify_email> I<email>
-Verify if the B<email> matches the email address in Subject Alternative Name or
+Verify if I<email> matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
=item B<-verify_hostname> I<hostname>
-Verify if the B<hostname> matches DNS name in Subject Alternative Name or
+Verify if I<hostname> matches DNS name in Subject Alternative Name or
Common Name in the subject certificate.
=item B<-verify_ip> I<ip>
-Verify if the B<ip> matches the IP address in Subject Alternative Name of
+Verify if I<ip> matches the IP address in Subject Alternative Name of
the subject certificate.
=item B<-verify_name> I<name>
Use default verification policies like trust model and required certificate
-policies identified by B<name>.
+policies identified by I<name>.
The trust model determines which auxiliary trust or reject OIDs are applicable
to verifying the given certificate chain.
-See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
-utility.
+See the B<-addtrust> and B<-addreject> options for L<openssl-x509(1)>.
Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>,
B<ssl_client>, B<ssl_server>.
These mimics the combinations of purpose and trust settings used in SSL, CMS
@@ -333,26 +333,26 @@ certificate. The argument for this option is string of hexadecimal digits.
Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
-with a B<->.
+with a B<-->.
-=item B<certificates>
+=item I<certificate> ...
-One or more certificates to verify. If no certificates are given, B<verify>
-will attempt to read a certificate from standard input. Certificates must be
-in PEM format.
+One or more certificates to verify. If no certificates are given,
+this command will attempt to read a certificate from standard input.
+Certificates must be in PEM format.
=back
=head1 VERIFY OPERATION
-The B<verify> program uses the same functions as the internal SSL and S/MIME
-verification, therefore this description applies to these verify operations
-too.
+This command uses the same functions as the internal SSL
+and S/MIME verification, therefore this description applies to these verify
+operations too.
There is one crucial difference between the verify operations performed
-by the B<verify> program: wherever possible an attempt is made to continue
-after an error whereas normally the verify operation would halt on the
-first error. This allows all the problems with a certificate chain to be
+by this command: wherever possible an attempt is made to
+continue after an error whereas normally the verify operation would halt on
+the first error. This allows all the problems with a certificate chain to be
determined.
The verify operation consists of a number of separate steps.
@@ -383,19 +383,19 @@ list.
The second operation is to check every untrusted certificate's extensions for
consistency with the supplied purpose. If the B<-purpose> option is not included
then no checks are done. The supplied or "leaf" certificate must have extensions
-compatible with the supplied purpose and all other certificates must also be valid
-CA certificates. The precise extensions required are described in more detail in
-the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
+compatible with the supplied purpose and all other certificates must also be
+valid CA certificates. The precise extensions required are described in more
+detail in L<openssl-x509(1)/CERTIFICATE EXTENSIONS>.
The third operation is to check the trust settings on the root CA. The root CA
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
-The final operation is to check the validity of the certificate chain. The validity
-period is checked against the current system time and the notBefore and notAfter
-dates in the certificate. The certificate signatures are also checked at this
-point.
+The final operation is to check the validity of the certificate chain. The
+validity period is checked against the current system time and the notBefore
+and notAfter dates in the certificate. The certificate signatures are also
+checked at this point.
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
@@ -416,7 +416,8 @@ then 1 for the CA that signed the certificate and so on. Finally a text version
of the error number is presented.
A partial list of the error codes and messages is shown below, this also
-includes the name of the error code as defined in the header file x509_vfy.h
+includes the name of the error code as defined in the header file
+F<< <openssl/x509_vfy.h> >>.
Some of the error codes are defined but never returned: these are described
as "unused".
@@ -708,7 +709,7 @@ IP address mismatch.
DANE TLSA authentication is enabled, but no TLSA records matched the
certificate chain.
-This error is only possible in L<s_client(1)>.
+This error is only possible in L<openssl-s_client(1)>.
=item B<X509_V_ERR_EE_KEY_TOO_SMALL>
diff --git a/doc/man1/openssl-version.pod b/doc/man1/openssl-version.pod
index 278769423e..62d50ce701 100644
--- a/doc/man1/openssl-version.pod
+++ b/doc/man1/openssl-version.pod
@@ -80,7 +80,7 @@ The OpenSSL CPU settings info.
=head1 NOTES
-The output of B<openssl version -a> would typically be used when sending
+The output of C<openssl version -a> would typically be used when sending
in a bug report.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl-x509.pod b/doc/man1/openssl-x509.pod
index 99d06d025c..f7e56abf22 100644
--- a/doc/man1/openssl-x509.pod
+++ b/doc/man1/openssl-x509.pod
@@ -63,7 +63,7 @@ B<openssl> B<x509>
[B<-extfile> I<filename>]
[B<-extensions> I<section>]
[B<-sigopt> I<nm>:I<v>]
-[B<-rand> I<file...>]
+[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-preserve_dates>]
@@ -72,8 +72,8 @@ B<openssl> B<x509>
=head1 DESCRIPTION
-The B<x509> command is a multi purpose certificate utility. It can be
-used to display certificate information, convert certificates to
+This command is a multi purpose certificate utility. It can
+be used to display certificate information, convert certificates to
various forms, sign certificate requests like a "mini CA" or edit
certificate trust settings.
@@ -118,14 +118,13 @@ default.
The digest to use.
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-rand> I<file...>
+=item B<-rand> I<files>
-A file or files containing random data used to seed the random number
-generator.
+The files containing random data used to seed the random number generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
@@ -137,7 +136,7 @@ This can be used with a subsequent B<-rand> flag.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<x509>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
@@ -153,7 +152,7 @@ Cannot be used with the B<-days> option.
=head2 Display Options
Note: the B<-alias> and B<-purpose> options are also display options
-but are described in the B<TRUST SETTINGS> section.
+but are described in the L</Trust Settings> section.
=over 4
@@ -171,10 +170,10 @@ See the L<x509v3_config(5)> manual page for the extension names.
=item B<-certopt> I<option>
-Customise the output format used with B<-text>. The B<option> argument
+Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
-options. See the B<TEXT OPTIONS> section for more information.
+options. See the L</Text Options> section for more information.
=item B<-noout>
@@ -232,9 +231,9 @@ Outputs the issuer name.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the B<NAME OPTIONS> section for more information.
+set multiple options. See the L</Name Options> section for more information.
=item B<-email>
@@ -258,7 +257,7 @@ Prints out the start and expiry dates of a certificate.
=item B<-checkend> I<arg>
-Checks if the certificate expires within the next B<arg> seconds and exits
+Checks if the certificate expires within the next I<arg> seconds and exits
nonzero if yes it will expire or zero if not.
=item B<-fingerprint>
@@ -290,8 +289,8 @@ Trust settings currently are only used with a root CA. They allow a finer
control over the purposes the root CA can be used for. For example a CA
may be trusted for SSL client but not SSL server use.
-See the description of the B<verify> utility for more information on the
-meaning of trust settings.
+See the description in L<openssl-verify(1)> for more information
+on the meaning of trust settings.
Future versions of OpenSSL will recognize trust settings on any
certificate: not just root CAs.
@@ -301,7 +300,7 @@ certificate: not just root CAs.
=item B<-trustout>
-This causes B<x509> to output a B<trusted> certificate. An ordinary
+Output a B<trusted> certificate rather than an ordinary. An ordinary
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
B<-trustout> option a trusted certificate is output. A trusted
@@ -342,14 +341,14 @@ option.
=item B<-purpose>
This option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the B<CERTIFICATE
-EXTENSIONS> section.
+the results. For a more complete description see the
+L</CERTIFICATE EXTENSIONS> section.
=back
=head2 Signing Options
-The B<x509> utility can be used to sign certificates and requests: it
+This command can be used to sign certificates and requests: it
can thus behave like a "mini CA".
=over 4
@@ -373,7 +372,7 @@ Names and values of these options are algorithm-specific.
=item B<-passin> I<arg>
-The key password source. For more information about the format of B<arg>
+The key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-clrext>
@@ -410,13 +409,13 @@ the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
option the serial number file (as specified by the B<-CAserial> or
B<-CAcreateserial> options) is not used.
-The serial number can be decimal or hex (if preceded by B<0x>).
+The serial number can be decimal or hex (if preceded by C<0x>).
=item B<-CA> I<filename>
Specifies the CA certificate to be used for signing. When this option is
-present B<x509> behaves like a "mini CA". The input file is signed by this
-CA using this option: that is its issuer name is set to the subject name
+present, this command behaves like a "mini CA". The input file is signed by
+this CA using this option: that is its issuer name is set to the subject name
of the CA and it is digitally signed using the CAs private key.
This option is normally combined with the B<-req> option. Without the
@@ -438,8 +437,9 @@ an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.
The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called
-"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
+F<.srl> appended. For example if the CA certificate file is called
+F<mycacert.pem> it expects to find a serial number file called
+F<mycacert.srl>.
=item B<-CAcreateserial>
@@ -471,7 +471,7 @@ Instead, the B<-subj> and <-force_pubkey> options need to be given.
=item B<-force_pubkey> I<filename>
-When a certificate is created set its public key to the key in B<filename>
+When a certificate is created set its public key to the key in I<filename>
instead of the key contained in the input or given with the B<-signkey> option.
This option is useful for creating self-issued certificates that are not
@@ -484,10 +484,10 @@ The format of the key file can be specified using the B<-keyform> option.
=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
-in the certificate. Giving a single I</> will lead to an empty sequence of RDNs
+in the certificate. Giving a single C</> will lead to an empty sequence of RDNs
(a NULL subject DN).
Unless the B<-CA> option is given the issuer is set to the same value.
@@ -500,8 +500,8 @@ or certificate request.
=head2 Name Options
-The B<nameopt> command line switch determines how the subject and issuer
-names are displayed. If no B<nameopt> switch is present the default "oneline"
+The B<-nameopt> command line switch determines how the subject and issuer
+names are displayed. If no B<-nameopt> switch is present the default "oneline"
format is used which is compatible with previous versions of OpenSSL.
Each option is described in detail below, all options can be preceded by
a B<-> to turn the option off. Only the first four will normally be used.
@@ -718,7 +718,7 @@ Hex dump unsupported extensions.
=item B<ca_default>
-The value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
+The value used by L<openssl-ca(1)>, equivalent to B<no_issuer>, B<no_pubkey>,
B<no_header>, and B<no_version>.
=back
@@ -953,9 +953,9 @@ L<x509v3_config(5)>
The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
-of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
-canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar.
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
+version of the DN using SHA1. This means that any directories using the old
+form must have their links rebuilt using L<openssl-rehash(1)> or similar.
=head1 COPYRIGHT
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index dade253e71..00800d8c0b 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -8,10 +8,18 @@ openssl - OpenSSL command line tool
B<openssl>
I<command>
-[ I<command_opts> ]
-[ I<command_args> ]
+[ I<command_opts> ... ]
+[ I<command_args> ... ]
-B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>]
+B<openssl>
+B<list>
+B<-standard-commands> |
+B<-digest-commands> |
+B<-cipher-commands> |
+B<-cipher-algorithms> |
+B<-digest-algorithms> |
+B<-mac-algorithms> |
+B<-public-key-algorithms>
B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
@@ -36,8 +44,8 @@ It can be used for
=head1 COMMAND SUMMARY
-The B<openssl> program provides a rich variety of commands (I<command> in the
-SYNOPSIS above), each of which often has a wealth of options and arguments
+The B<openssl> program provides a rich variety of sub-commands (I<command> in
+the SYNOPSIS above), each of which often has a wealth of options and arguments
(I<command_opts> and I<command_args> in the SYNOPSIS).
Detailed documentation and use cases for most standard subcommands are available
@@ -48,22 +56,22 @@ arguments and have a B<-config> option to specify that file.
The environment variable B<OPENSSL_CONF> can be used to specify
the location of the file.
If the environment variable is not specified, then the file is named
-B<openssl.cnf> in the default certificate storage area, whose value
+F<openssl.cnf> in the default certificate storage area, whose value
depends on the configuration flags specified when the OpenSSL
was built.
-The list parameters B<standard-commands>, B<digest-commands>,
-and B<cipher-commands> output a list (one entry per line) of the names
+The list options B<-standard-commands>, B<-digest-commands>,
+and B<-cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
-respectively, that are available in the present B<openssl> utility.
+respectively, that are available.
-The list parameters B<cipher-algorithms>, B<digest-algorithms>,
-and B<mac-algorithms> list all cipher, message digest, and message
+The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
+and B<-mac-algorithms> list all cipher, message digest, and message
authentication code names, one entry per line. Aliases are listed as:
from => to
-The list parameter B<public-key-algorithms> lists all supported public
+The list parameter B<-public-key-algorithms> lists all supported public
key algorithms.
The command B<no->I<XXX> tests whether a command of the
@@ -77,7 +85,7 @@ availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
-=head2 Standard Commands
+=head2 Standard Sub-commands
=over 4
@@ -108,17 +116,17 @@ CRL to PKCS#7 Conversion.
=item B<dgst>
Message Digest calculation. MAC calculations are superseded by
-L<mac(1)>.
+L<openssl-mac(1)>.
=item B<dh>
Diffie-Hellman Parameter Management.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
=item B<dhparam>
Generation and Management of Diffie-Hellman Parameters. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
=item B<dsa>
@@ -127,7 +135,7 @@ DSA Data Management.
=item B<dsaparam>
DSA Parameter Generation and Management. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
=item B<ec>
@@ -152,12 +160,12 @@ Error Number to Error String Conversion.
=item B<gendh>
Generation of Diffie-Hellman Parameters.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
=item B<gendsa>
Generation of DSA Private Key from Parameters. Superseded by
-L<genpkey(1)> and L<pkey(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkey(1)>.
=item B<genpkey>
@@ -165,7 +173,7 @@ Generation of Private Key or Parameters.
=item B<genrsa>
-Generation of RSA Private Key. Superseded by L<genpkey(1)>.
+Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
=item B<info>
@@ -238,7 +246,7 @@ RSA key management.
=item B<rsautl>
RSA utility for signing, verification, encryption, and decryption. Superseded
-by L<pkeyutl(1)>.
+by L<openssl-pkeyutl(1)>.
=item B<s_client>
@@ -390,7 +398,8 @@ The following aliases provide convenient access to the most used encodings
and ciphers.
Depending on how OpenSSL was configured and built, not all ciphers listed
-here may be present. See L<enc(1)> for more information and command usage.
+here may be present. See L<openssl-enc(1)> for more information and command
+usage.
=over 4
@@ -514,29 +523,29 @@ L<passphrase-encoding(7)>.
=over 4
-=item B<pass:password>
+=item B<pass:>I<password>
-The actual password is B<password>. Since the password is visible
+The actual password is I<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
-=item B<env:var>
+=item B<env:>I<var>
-Obtain the password from the environment variable B<var>. Since
+Obtain the password from the environment variable I<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
-=item B<file:pathname>
+=item B<file:>I<pathname>
-The first line of B<pathname> is the password. If the same B<pathname>
+The first line of I<pathname> is the password. If the same I<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
-password. B<pathname> need not refer to a regular file: it could for example
+password. I<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.
-=item B<fd:number>
+=item B<fd:>I<number>
-Read the password from the file descriptor B<number>. This can be used to
+Read the password from the file descriptor I<number>. This can be used to
send the data via a pipe for example.
=item B<stdin>
@@ -549,7 +558,7 @@ Read the password from standard input.
=over 4
-=item B<OPENSSL_TRACE=>I<name,...>
+=item B<OPENSSL_TRACE=>I<name>[,...]
Enable tracing output of OpenSSL library, by name.
This output will only make sense if you know OpenSSL internals well.
@@ -671,7 +680,7 @@ L<x509v3_config(5)>
=head1 HISTORY
-The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
+The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
diff --git a/doc/man1/openssl-tsget.pod b/doc/man1/tsget.pod
similarity index 61%
rename from doc/man1/openssl-tsget.pod
rename to doc/man1/tsget.pod
index 2806762926..19c689ef6c 100644
--- a/doc/man1/openssl-tsget.pod
+++ b/doc/man1/tsget.pod
@@ -7,31 +7,30 @@ tsget - Time Stamping HTTP/HTTPS client
=head1 SYNOPSIS
B<tsget>
-B<-h> server_url
-[B<-e> extension]
-[B<-o> output]
+B<-h> I<server_url>
+[B<-e> I<extension>]
+[B<-o> I<output>]
[B<-v>]
[B<-d>]
-[B<-k> private_key.pem]
-[B<-p> key_password]
-[B<-c> client_cert.pem]
-[B<-C> CA_certs.pem]
-[B<-P> CA_path]
-[B<-r> file:file...]
-[B<-g> EGD_socket]
-[B<request...>
+[B<-k> I<private_key.pem>]
+[B<-p> I<key_password>]
+[B<-c> I<client_cert.pem>]
+[B<-C> I<CA_certs.pem>]
+[B<-P> I<CA_path>]
+[B<-r> I<files>]
+[B<-g> I<EGD_socket>]
+[I<request> ...]
=head1 DESCRIPTION
-The B<tsget> command can be used for sending a timestamp request, as
-specified in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing
-the timestamp response in a file. This tool cannot be used for creating the
-requests and verifying responses, you can use the OpenSSL B<ts(1)> command to
-do that. B<tsget> can send several requests to the server without closing
-the TCP connection if more than one requests are specified on the command
-line.
+This command can be used for sending a timestamp request, as specified
+in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing the
+timestamp response in a file. It cannot be used for creating the requests
+and verifying responses, you have to use L<openssl-ts(1)> to do that. This
+command can send several requests to the server without closing the TCP
+connection if more than one requests are specified on the command line.
-The tool sends the following HTTP request for each timestamp request:
+This command sends the following HTTP request for each timestamp request:
POST url HTTP/1.1
User-Agent: OpenTSA tsget.pl/<version>
@@ -43,24 +42,24 @@ The tool sends the following HTTP request for each timestamp request:
...binary request specified by the user...
-B<tsget> expects a response of type application/timestamp-reply, which is
+It expects a response of type application/timestamp-reply, which is
written to a file without any interpretation.
=head1 OPTIONS
=over 4
-=item B<-h> server_url
+=item B<-h> I<server_url>
The URL of the HTTP/HTTPS server listening for timestamp requests.
-=item B<-e> extension
+=item B<-e> I<extension>
If the B<-o> option is not given this argument specifies the extension of the
output files. The base name of the output file will be the same as those of
-the input files. Default extension is '.tsr'. (Optional)
+the input files. Default extension is F<.tsr>. (Optional)
-=item B<-o> output
+=item B<-o> I<output>
This option can be specified only when just one request is sent to the
server. The timestamp response will be written to the given output file. '-'
@@ -75,57 +74,59 @@ error. (Optional)
=item B<-d>
-Switches on verbose mode for the underlying B<curl> library. You can see
-detailed debug messages for the connection. (Optional)
+=for comment perlpodstyle(1) says to refer to modules without section
-=item B<-k> private_key.pem
+Switches on verbose mode for the underlying perl module L<WWW::Curl::Easy>.
+You can see detailed debug messages for the connection. (Optional)
+
+=item B<-k> I<private_key.pem>
(HTTPS) In case of certificate-based client authentication over HTTPS
-<private_key.pem> must contain the private key of the user. The private key
+I<private_key.pem> must contain the private key of the user. The private key
file can optionally be protected by a passphrase. The B<-c> option must also
be specified. (Optional)
-=item B<-p> key_password
+=item B<-p> I<key_password>
(HTTPS) Specifies the passphrase for the private key specified by the B<-k>
-argument. If this option is omitted and the key is passphrase protected B<tsget>
-will ask for it. (Optional)
+argument. If this option is omitted and the key is passphrase protected,
+it will be prompted for. (Optional)
-=item B<-c> client_cert.pem
+=item B<-c> I<client_cert.pem>
(HTTPS) In case of certificate-based client authentication over HTTPS
-<client_cert.pem> must contain the X.509 certificate of the user. The B<-k>
+I<client_cert.pem> must contain the X.509 certificate of the user. The B<-k>
option must also be specified. If this option is not specified no
certificate-based client authentication will take place. (Optional)
-=item B<-C> CA_certs.pem
+=item B<-C> I<CA_certs.pem>
(HTTPS) The trusted CA certificate store. The certificate chain of the peer's
certificate must include one of the CA certificates specified in this file.
Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
-=item B<-P> CA_path
+=item B<-P> I<CA_path>
(HTTPS) The path containing the trusted CA certificates to verify the peer's
-certificate. The directory must be prepared with the B<c_rehash>
-OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
-HTTPS. (Optional)
+certificate. The directory must be prepared with L<openssl-rehash(1)>. Either
+option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
-=item B<-rand> file:file...
+=item B<-r> I<files>
The files containing random data for seeding the random number
generator. Multiple files can be specified, the separator is B<;> for
MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional)
-=item B<-g> EGD_socket
+=item B<-g> I<EGD_socket>
The name of an EGD socket to get random data from. (Optional)
-=item B<request...>
+=item I<request> ...
List of files containing B<RFC 3161> DER-encoded timestamp requests. If no
-requests are specified only one request will be sent to the server and it will be
-read from the standard input. (Optional)
+requests are specified only one request will be sent to the server and it will
+be read from the standard input.
+(Optional)
=back
@@ -137,37 +138,37 @@ arguments.
=head1 EXAMPLES
-The examples below presume that B<file1.tsq> and B<file2.tsq> contain valid
+The examples below presume that F<file1.tsq> and F<file2.tsq> contain valid
timestamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests
and at port 8443 for HTTPS requests, the TSA service is available at the /tsa
absolute path.
-Get a timestamp response for file1.tsq over HTTP, output is written to
-file1.tsr:
+Get a timestamp response for F<file1.tsq> over HTTP, output is written to
+F<file1.tsr>:
tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq
-Get a timestamp response for file1.tsq and file2.tsq over HTTP showing
-progress, output is written to file1.reply and file2.reply respectively:
+Get a timestamp response for F<file1.tsq> and F<file2.tsq> over HTTP showing
+progress, output is written to F<file1.reply> and F<file2.reply> respectively:
tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
file1.tsq file2.tsq
-Create a timestamp request, write it to file3.tsq, send it to the server and
-write the response to file3.tsr:
+Create a timestamp request, write it to F<file3.tsq>, send it to the server and
+write the response to F<file3.tsr>:
openssl ts -query -data file3.txt -cert | tee file3.tsq \
| tsget -h http://tsa.opentsa.org:8080/tsa \
-o file3.tsr
-Get a timestamp response for file1.tsq over HTTPS without client
+Get a timestamp response for F<file1.tsq> over HTTPS without client
authentication:
tsget -h https://tsa.opentsa.org:8443/tsa \
-C cacerts.pem file1.tsq
-Get a timestamp response for file1.tsq over HTTPS with certificate-based
-client authentication (it will ask for the passphrase if client_key.pem is
+Get a timestamp response for F<file1.tsq> over HTTPS with certificate-based
+client authentication (it will ask for the passphrase if F<client_key.pem> is
protected):
tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
@@ -184,12 +185,12 @@ example:
=head1 SEE ALSO
-=for comment foreign manuals: curl(1)
+=for comment foreign manuals: WWW::Curl::Easy
L<openssl(1)>,
L<openssl-ts(1)>,
-L<openssl-curl(1)>,
-B<RFC 3161>
+L<WWW::Curl::Easy>,
+L<RFC 3161|https://www.rfc-editor.org/rfc/rfc3161.html>
=head1 COPYRIGHT
diff --git a/util/find-doc-nits b/util/find-doc-nits
index ea5254b729..eac87dedd0 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -884,7 +884,7 @@ if ( $opt_n ) {
# If not given args, check that all man1 commands are named properly.
if ( scalar @ARGV == 0 ) {
foreach (glob('doc/man1/*.pod')) {
- next if /CA.pl/ || /openssl.pod/;
+ next if /CA.pl/ || /openssl\.pod/ || /tsget\.pod/;
err("$_ doesn't start with openssl-") unless /openssl-/;
}
}
More information about the openssl-commits
mailing list