Add info about the header and footer lines used in PEM formats

and add an nseq manpage.

diff --git a/doc/man/dsa.pod b/doc/man/dsa.pod
index 576731f92ca11c5613c93ad08b2275f2e7d5b34e..4187ef4b49654783bc62ddb43a0aa9a81ae3bfae 100644 (file)
--- a/doc/man/dsa.pod
+++ b/doc/man/dsa.pod
@@ -117,6 +117,13 @@ a public key.
 
 =back
 
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
 =head1 EXAMPLES
 
 To remove the pass phrase on a DSA private key:

diff --git a/doc/man/dsaparam.pod b/doc/man/dsaparam.pod
index 13a049ec67c00e102bb73ad5126df1e62bb1ae26..6f05629b7444b6b8908b73361ffb3ba28909e188 100644 (file)
--- a/doc/man/dsaparam.pod
+++ b/doc/man/dsaparam.pod
@@ -82,6 +82,11 @@ the input file (if any) is ignored.
 
 =head1 NOTES
 
+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
 DSA parameter generation is a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.
 

diff --git a/doc/man/nseq.pod b/doc/man/nseq.pod
new file mode 100644 (file)
index 0000000..a9af25b
--- /dev/null
+++ b/doc/man/nseq.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate erollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut

diff --git a/doc/man/pkcs8.pod b/doc/man/pkcs8.pod
index 64cf65a78c7d2660dfd9959881d2d33669a45852..eadfe31fbb3cf9e8131e7845d32d2e5cee90bdd1 100644 (file)
--- a/doc/man/pkcs8.pod
+++ b/doc/man/pkcs8.pod
@@ -93,6 +93,17 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
 
 =head1 NOTES
 
+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
 counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered

diff --git a/doc/man/req.pod b/doc/man/req.pod
index 5840013f063500bbbea36f8a7c29ca3818817084..9ca102579d1ba422b86bac04f05f6bebf9f75bf3 100644 (file)
--- a/doc/man/req.pod
+++ b/doc/man/req.pod
@@ -371,11 +371,17 @@ Sample configuration file:
 
 =head1 NOTES
 
-The header and footer lines in the B<PEM> format contain the words
-B<BEGIN CERTIFICATE REQUEST> and B<END CERTIFICATE REQUEST> some software
-(for example some versions of Netscape certificate server) requires the
-words B<BEGIN NEW CERTIFICATE REQUEST> and B<END NEW CERTIFICATE REQUEST>
-instead.
+The header and footer lines in the B<PEM> format are respectively:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+but is otherwise compatible. Either form is accepted on input.
 
 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of

diff --git a/doc/man/rsa.pod b/doc/man/rsa.pod
index eea8539b61ac058f91154b19a80c70f128024438..9834eb395fbcddfb3a641d88c114652607bdc83b 100644 (file)
--- a/doc/man/rsa.pod
+++ b/doc/man/rsa.pod
@@ -123,6 +123,13 @@ a public key.
 
 =back
 
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
 =head1 EXAMPLES
 
 To remove the pass phrase on an RSA private key:

diff --git a/doc/man/x509.pod b/doc/man/x509.pod
index 9068070b04841e5f2f45d9984adb7316d74cbd0d..7e2036e65a6e44a3ac63c3671a01d8adf7c2c27e 100644 (file)
--- a/doc/man/x509.pod
+++ b/doc/man/x509.pod
@@ -371,6 +371,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to
        openssl x509 -in cert.pem -addtrust sslclient \
                -alias "Steve's Class 1 CA" -out trust.pem
 
+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
 =head1 BUGS
 
 The way DNs are printed is in a "historical SSLeay" format which doesn't