Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
15 files changed:
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
-the 'ps' utility) this option should be used with caution.
+the L<ps(1)> utility) this option should be used with caution.
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-des>|B<-des3>|B<-idea>
=item B<-des>|B<-des3>|B<-idea>
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See L<KEY GENERATION OPTIONS> and
-L<PARAMETER GENERATION OPTIONS> below for more details.
+implementation. See L</KEY GENERATION OPTIONS> and
+L</PARAMETER GENERATION OPTIONS> below for more details.
=head2 EC Parameter Generation Options
The EC parameter generation options are the same as for key generation. See
=head2 EC Parameter Generation Options
The EC parameter generation options are the same as for key generation. See
-L<EC Key Generation Options> above.
+L</EC Key Generation Options> above.
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section
-in L<openssl(1)>.
+information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-password> I<arg>
=item B<-password> I<arg>
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
-the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+the format of I<arg> see L<openssl(1)/Pass phrase options>.
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
-about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+about the format of I<arg> see L<openssl(1)/Pass phrase options>.
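Review bot: The item header in this hunk's context names the argument I<password> (=item B<-passin> I<password>), but the paragraph being edited refers to "the format of I<arg>". Since the sentence is being touched anyway, make the two agree, preferably by changing the header to I<arg> so it matches the neighbouring B<-pass> and B<-passout> items.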
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
-can be used (see B<NOTES> section for more information). If a cipher name
+can be used (see L</NOTES> section for more information). If a cipher name
(as output by C<openssl list -cipher-algorithms>) is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
(as output by C<openssl list -cipher-algorithms>) is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
Allows reading a public key option I<opt> from stdin or a password source.
If only I<opt> is specified, the user will be prompted to enter a password on
stdin. Alternatively, I<passarg> can be specified which can be any value
Allows reading a public key option I<opt> from stdin or a password source.
If only I<opt> is specified, the user will be prompted to enter a password on
stdin. Alternatively, I<passarg> can be specified which can be any value
-supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+supported by L<openssl(1)/Pass phrase options>.
-The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of B<arg>
+see L<openssl(1)/Pass phrase options>.
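Review bot: The first added line changes the markup of the argument from I<arg> to B<arg>, which looks unintended. Every other B<-passout> paragraph in this patch keeps I<arg> for the replaceable value, and B<> is used for literal option names. Suggest restoring I<arg> here so only the link text changes.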
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
-for more details.
+implementation.
+See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>
=item B<-key> I<filename>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-pass> I<arg>
the private key password source. For more information about the format of I<arg>
=item B<-pass> I<arg>
the private key password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
=item B<-verify> I<depth>
In addition to the options below, this command also supports
the common and server only options documented
In addition to the options below, this command also supports
the common and server only options documented
-in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
-manual page.
+L<SSL_CONF_cmd(3)/Supported Command Line Commands>
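Review bot: The added line drops the preposition and the closing period that the removed lines had, so the sentence now reads "options documented L<SSL_CONF_cmd(3)/Supported Command Line Commands>" with no terminator. Suggest "documented in L<SSL_CONF_cmd(3)/Supported Command Line Commands>." to keep the sentence grammatical in the rendered page.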
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in
-the L<openssl(1)> command.
+the L<openssl(1)/Pass phrase options> command.
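Review bot: On the added line the link now targets a section, but the surrounding words still say "the ... command", so the rendered text describes "Pass phrase options" as a command. Suggest rewording to "are parsed as described in L<openssl(1)/Pass phrase options>." and dropping "the" and "command".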
this command will not consider certificate purpose during chain
verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
this command will not consider certificate purpose during chain
verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
-B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
+B<smimesign>, B<smimeencrypt>. See the L</VERIFY OPERATION> section for more
information.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
information.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
The second operation is to check every untrusted certificate's extensions for
consistency with the supplied purpose. If the B<-purpose> option is not included
then no checks are done. The supplied or "leaf" certificate must have extensions
The second operation is to check every untrusted certificate's extensions for
consistency with the supplied purpose. If the B<-purpose> option is not included
then no checks are done. The supplied or "leaf" certificate must have extensions
-compatible with the supplied purpose and all other certificates must also be valid
-CA certificates. The precise extensions required are described in more detail in
-the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
+compatible with the supplied purpose and all other certificates must also be
+valid CA certificates. The precise extensions required are described in more
+detail in L<openssl-x509(1)/CERTIFICATE EXTENSIONS>.
The third operation is to check the trust settings on the root CA. The root CA
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
The third operation is to check the trust settings on the root CA. The root CA
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
-The final operation is to check the validity of the certificate chain. The validity
-period is checked against the current system time and the notBefore and notAfter
-dates in the certificate. The certificate signatures are also checked at this
-point.
+The final operation is to check the validity of the certificate chain. The
+validity period is checked against the current system time and the notBefore
+and notAfter dates in the certificate. The certificate signatures are also
+checked at this point.
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
=head2 Display Options
Note: the B<-alias> and B<-purpose> options are also display options
=head2 Display Options
Note: the B<-alias> and B<-purpose> options are also display options
-but are described in the B<TRUST SETTINGS> section.
+but are described in the L</Trust Settings> section.
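Review bot: The new link target changes case as well as markup: the old text named the section TRUST SETTINGS and the added line links to L</Trust Settings>. An internal POD link only resolves if it matches the heading text, so please confirm the heading is spelled "Trust Settings" in this file (the =head2 Display Options context line suggests title case is the convention here) and run podchecker over the page. The same check applies to the Text Options and Name Options links later in this file, while the CERTIFICATE EXTENSIONS link keeps upper case.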
Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
-options. See the B<TEXT OPTIONS> section for more information.
+options. See the L</Text Options> section for more information.
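Review bot: The context line directly above the change reads "may be also be used more than once", with a duplicated "be". Since this paragraph is already being edited, it would be worth fixing in the same commit, for example "may also be used more than once", which also matches the wording of the B<-nameopt> paragraph.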
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the B<NAME OPTIONS> section for more information.
+set multiple options. See the L</Name Options> section for more information.
=item B<-purpose>
This option performs tests on the certificate extensions and outputs
=item B<-purpose>
This option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the B<CERTIFICATE
-EXTENSIONS> section.
+the results. For a more complete description see the
+L</CERTIFICATE EXTENSIONS> section.