doc/man1/x509.pod: corrected "S/MIME signing" requirements

[openssl.git] / doc / man1 / x509.pod

diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index d31460b5dc116f0addf023d08f293cf5a157b6ea..c375b3bcf3e32fe3a495f67e30ed117745ba21b9 100644 (file)
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -2,6 +2,7 @@
 
 =head1 NAME
 
+openssl-x509,
 x509 - Certificate display and signing utility
 
 =head1 SYNOPSIS
@@ -56,7 +57,7 @@ B<openssl> B<x509>
 [B<-ext extensions>]
 [B<-certopt option>]
 [B<-C>]
-[B<-[digest]>]
+[B<-I<digest>>]
 [B<-clrext>]
 [B<-extfile filename>]
 [B<-extensions section>]
@@ -109,7 +110,7 @@ if this option is not specified.
 This specifies the output filename to write to or standard output by
 default.
 
-=item B<-[digest]>
+=item B<-I<digest>>
 
 The digest to use.
 This affects any signing or display option that uses a message
@@ -258,8 +259,11 @@ non-zero if yes it will expire or zero if not.
 
 =item B<-fingerprint>
 
-Prints out the digest of the DER encoded version of the whole certificate
-(see digest options).
+Calculates and outputs the digest of the DER encoded version of the entire
+certificate (see digest options).
+This is commonly called a "fingerprint". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
 
 =item B<-C>
 
@@ -724,10 +728,6 @@ supporting UTF8:
 
  openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
 
-Display the certificate MD5 fingerprint:
-
- openssl x509 -in cert.pem -noout -fingerprint
-
 Display the certificate SHA1 fingerprint:
 
  openssl x509 -sha1 -in cert.pem -noout -fingerprint
@@ -781,13 +781,6 @@ T61Strings use the ISO8859-1 character set. This is wrong but Netscape
 and MSIE do this as do many certificates. So although this is incorrect
 it is more likely to display the majority of certificates correctly.
 
-The B<-fingerprint> option takes the digest of the DER encoded certificate.
-This is commonly called a "fingerprint". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-
-The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
-
 The B<-email> option searches the subject name and the subject alternative
 name extension. Only unique email addresses will be printed out: it will
 not print the same address more than once.
@@ -878,8 +871,8 @@ this is because some Verisign certificates don't set the S/MIME bit.
 
 =item B<S/MIME Signing>
 
-In addition to the common S/MIME client tests the digitalSignature bit must
-be set if the keyUsage extension is present.
+In addition to the common S/MIME client tests the digitalSignature bit or
+the nonRepudiation bit must be set if the keyUsage extension is present.
 
 =item B<S/MIME Encryption>
 
@@ -933,7 +926,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy