doc: document that 'openssl rand' is cryptographically secure

[openssl.git] / doc / man1 / openssl-ca.pod.in

diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f76253ce6f3a1f6e20df93c1347eee0..720db228cb5222a297779647510629e8f4b54d4b 100644 (file)
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -1,9 +1,5 @@
 =pod
-
-=begin comment
-{- join("\n", @autowarntext) -}
-
-=end comment
+{- OpenSSL::safe::output_do_not_edit_headers(); -}
 
 =head1 NAME
 
@@ -27,6 +23,7 @@ B<openssl> B<ca>
 [B<-crl_CA_compromise> I<time>]
 [B<-crldays> I<days>]
 [B<-crlhours> I<hours>]
+[B<-crlsec> I<seconds>]
 [B<-crlexts> I<section>]
 [B<-startdate> I<date>]
 [B<-enddate> I<date>]
@@ -52,7 +49,6 @@ B<openssl> B<ca>
 [B<-msie_hack>]
 [B<-extensions> I<section>]
 [B<-extfile> I<section>]
-[B<-engine> I<id>]
 [B<-subj> I<arg>]
 [B<-utf8>]
 [B<-sigopt> I<nm>:I<v>]
@@ -62,6 +58,7 @@ B<openssl> B<ca>
 [B<-sm2-id> I<string>]
 [B<-sm2-hex-id> I<hex-string>]
 {- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
 [I<certreq>...]
 
 =for openssl ifdef engine sm2-id sm2-hex-id
@@ -153,6 +150,8 @@ Names and values of these options are algorithm-specific.
 
 =item B<-key> I<password>
 
+=for openssl foreign manual ps(1)
+
 The password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the L<ps(1)> utility) this option should be used with caution.
@@ -257,13 +256,6 @@ An additional configuration file to read certificate extensions from
 (using the default section unless the B<-extensions> option is also
 used).
 
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause B<ca>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
 =item B<-subj> I<arg>
 
 Supersedes subject name given in the request.
@@ -314,6 +306,8 @@ certificate. The argument for this option is string of hexadecimal digits.
 
 {- $OpenSSL::safe::opt_r_item -}
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 =back
 
 =head1 CRL OPTIONS
@@ -333,6 +327,10 @@ now to place in the CRL nextUpdate field.
 
 The number of hours before the next CRL is due.
 
+=item B<-crlsec> I<num>
+
+The number of seconds before the next CRL is due.
+
 =item B<-revoke> I<filename>
 
 A filename containing a certificate to revoke.
@@ -446,7 +444,8 @@ CA private key. Mandatory.
 =item B<RANDFILE>
 
 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<default_days>
 
@@ -654,7 +653,6 @@ A sample configuration file with the relevant sections for this command:
  serial         = $dir/serial           # serial no file
  #rand_serial    = yes                  # for random serial#'s
  private_key    = $dir/private/cakey.pem# CA private key
- RANDFILE       = $dir/private/.rand    # random number file
 
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
@@ -690,7 +688,6 @@ The values below reflect the default values.
  ./demoCA/index.txt             - CA text database file
  ./demoCA/index.txt.old         - CA text database backup file
  ./demoCA/certs                 - certificate output file
- ./demoCA/.rnd                  - CA random seed information
 
 =head1 RESTRICTIONS
 
@@ -767,6 +764,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates
 are in year 2050 or later.
 
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,