Documentation for the -precert flag for "openssl req"

author Rob Percival <robpercival@google.com>

Thu, 10 Mar 2016 20:32:16 +0000 (20:32 +0000)

committer Rich Salz <rsalz@openssl.org>

Wed, 22 Feb 2017 15:40:30 +0000 (10:40 -0500)
author Rob Percival <robpercival@google.com>
Thu, 10 Mar 2016 20:32:16 +0000 (20:32 +0000)
committer Rich Salz <rsalz@openssl.org>
Wed, 22 Feb 2017 15:40:30 +0000 (10:40 -0500)
diff --git a/doc/man1/req.pod b/doc/man1/req.pod

index 83b5704bd979e1a3c454ca6baa0c81e645ccef88..5ac629aa4449837f3db83ab80d0e56ee7af319e1 100644 (file)
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -37,6 +37,7 @@ B<openssl> B<req>
  [B<-newhdr>]
  [B<-extensions section>]
  [B<-reqexts section>]
+[B<-precert>]
  [B<-utf8>]
  [B<-nameopt>]
  [B<-reqopt>]
@@ -253,6 +254,14 @@ request extensions. This allows several different sections to
  be used in the same configuration file to specify requests for
  a variety of purposes.
  
+=item B<-precert>
+
+a poison extension will be added to the certificate, making it a
+"pre-certificate" (see RFC6962). This can be submitted to Certificate
+Transparency logs in order to obtain signed certificate timestamps (SCTs).
+These SCTs can then be embedded into the pre-certificate as an extension, before
+removing the poison and signing the certificate.
+
  =item B<-utf8>
  
  this option causes field values to be interpreted as UTF8 strings, by
author	Rob Percival <robpercival@google.com>
	Thu, 10 Mar 2016 20:32:16 +0000 (20:32 +0000)
committer	Rich Salz <rsalz@openssl.org>
	Wed, 22 Feb 2017 15:40:30 +0000 (10:40 -0500)