Add 'align' option to nameopt.

[openssl.git] / doc / apps / ca.pod

diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 8121886ebbade4b6da61152fba4f3671369b9c12..e441a620c141104c86a8c9cf133a8f8b5f7e43bd 100644 (file)
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -13,6 +13,7 @@ B<openssl> B<ca>
 [B<-name section>]
 [B<-gencrl>]
 [B<-revoke file>]
+[B<-subj arg>]
 [B<-crldays days>]
 [B<-crlhours hours>]
 [B<-crlexts section>]
@@ -105,6 +106,7 @@ the 'ps' utility) this option should be used with caution.
 
 the key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-verbose>
 
 this prints extra details about the operations being performed.
@@ -197,6 +199,10 @@ the number of hours before the next CRL is due.
 
 a filename containing a certificate to revoke.
 
+=item B<-subj arg>
+
+supersedes subject name given in the request
+
 =item B<-crlexts section>
 
 the section of the configuration file containing CRL extensions to
@@ -311,6 +317,23 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
+=item B<nameopt>, B<certopt>
+
+these options allow the format used to display the certificate details
+when asking the user to confirm signing. All the options supported by
+the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
+here, except the B<no_signame> and B<no_sigdump> are permanently set
+and cannot be disabled (this is because the certificate signature cannot
+be displayed because the certificate has not been signed at this point).
+
+For convenience the values B<default_ca> are accepted by both to produce
+a reasonable output.
+
+If neither option is present the format used in earlier versions of
+OpenSSL is used. Use of the old format is B<strongly> discouraged because
+it only displays fields mentioned in the B<policy> section, mishandles
+multicharacter string types and does not display extensions.
+
 =back
 
 =head1 POLICY FORMAT
@@ -401,6 +424,9 @@ A sample configuration file with the relevant sections for B<ca>:
 
  policy         = policy_any            # default policy
 
+ nameopt       = default_ca            # Subject name display option
+ certopt       = default_ca            # Certificate display option
+
  [ policy_any ]
  countryName            = supplied
  stateOrProvinceName    = optional
@@ -414,7 +440,7 @@ A sample configuration file with the relevant sections for B<ca>:
 The B<ca> command is quirky and at times downright unfriendly.
 
 The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed be be used as a full blown CA itself:
+in a CA. It was not supposed to be used as a full blown CA itself:
 nevertheless some people are using it for this purpose.
 
 The B<ca> command is effectively a single user command: no locking is
@@ -481,9 +507,8 @@ exposed at either a command or interface level so a more friendly utility
 B<CA.pl> help a little but not very much.
 
 Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the B<-preserveDN> option is used but
-the extra fields are not displayed when the user is asked to certify
-a request. The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B<-preserveDN> option is used.
+The behaviour should be more friendly and configurable.
 
 Cancelling some commands by refusing to certify a certificate can
 create an empty file.