[B<-keysig>]
[B<-password password>]
[B<-envpass var>]
+[B<-passin password>]
+[B<-envpassin var>]
+[B<-passout password>]
+[B<-envpassout var>]
+[B<-rand file(s)>]
=head1 DESCRIPTION
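Review bot: The synopsis keeps [B<-password password>] next to the new entries, but the =item headings edited further down document the file password option as B<-pass password>. Use one spelling in both places so the new B<-passin> and B<-passout> entries sit beside a consistently named option.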
The filename to write certificates and private keys to, standard output by default.
They are all written in PEM format.
-=item B<-pass password>
+=item B<-pass password>, B<-passin password>
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
+the command line visible this option should be used with caution.
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassin password>
read the PKCS#12 file password from the environment variable B<var>.
+=item B<-passout password>
+
+pass phrase to encrypt any outputed private keys with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpass var>, B<-envpassin password>
+
+read the outputed private keys file password from the environment variable B<var>.
+
=item B<-noout>
this option inhibits output of the keys and certificates to the output file version
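Review bot: The heading added under the B<-passout> text, "=item B<-envpass var>, B<-envpassin password>", is a copy of the heading a few lines above, yet its description covers the password for output private keys. It should presumably be B<-envpassout var>, as listed in the synopsis. In both copies the B<-envpassin> argument is written as "password" although the description says the value is read from the environment variable B<var>, so the placeholder should be "var". "outputed" should be "output" in both added paragraphs.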
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
-=item B<-pass password>
+=item B<-pass password>, B<-passout password>
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
+make the command line visible this option should be used with caution.
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassout var>
read the PKCS#12 file password from the environment variable B<var>.
+=item B<-passin password>
+
+pass phrase to decrypt the input private key with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpassin password>
+
+read the input private key file password from the environment variable B<var>.
+
=item B<-chain>
if this option is present then an attempt is made to include the entire
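Review bot: "=item B<-envpassin password>" names its argument "password", but the description reads the pass phrase from the environment variable B<var> and the synopsis has B<-envpassin var>. Change the placeholder to "var"; a reader who follows the heading literally would put the secret on the command line, which is the exposure the neighbouring B<-passin> text warns about with "ps".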
This option is included for compatibility with previous versions, it used
to be needed to use MAC iterations counts but they are now used by default.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator. Multiple files can be specified separated by a OS-dependent
+character. For MS-Windows, the separator is B<;>. For OpenVMS, it's
+B<,>. For all others, it's B<:>.
+
=back
=head1 NOTES
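Review bot: In the B<-rand> item, "separated by a OS-dependent character" should read "an OS-dependent character". The synopsis entry and this heading both say "file(s)", so consider showing the separator in the heading too, or leave the separator detail to the description only.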
used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
for PKCS#12 file creation B<-export> and B<-name> are also used.
+If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
+then all certificates will be output in the order they appear in the input
+PKCS#12 files. There is no guarantee that the first certificate present is
+the one corresponding to the private key. Certain software which requires
+a private key and certificate and assumes the first certificate in the
+file is the one corresponding to the private key: this may not always
+be the case. Using the B<-clcerts> option will solve this problem by only
+outputing the certificate corresponding to the private key. If the CA
+certificates are required then they can be output to a separate file using
+the B<-nokeys -cacerts> options to just output CA certificates.
+
The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple DES
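Review bot: The sentence starting "Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case" has no main verb before the colon; reword it, for example as "Certain software requires a private key and certificate and assumes that the first certificate in the file corresponds to the private key; this may not always be the case." Also "outputing" should be "outputting", and "input PKCS#12 files" should probably be singular since the command reads one input file.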
Some would argue that the PKCS#12 standard is one big bug :-)
-Need password options for the PEM files: this will probably be fixed before
-release.
-
=head1 SEE ALSO
-pkcs8(1)
+L<pkcs8(1)|pkcs8(1)>