*Shane Lontis*
+ * The openssl commands that read keys, certificates, and CRLs now
+ automatically detect the PEM or DER format of the input files so it is not
+ necessary to explicitly specify the input format anymore. However if the
+ input format option is used the specified format will be required.
+
+ *David von Oheimb, Richard Levitte, and Tomáš Mráz*
+
* Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX`
and (where relevant) a property query. Other APIs which handle PKCS#7 and
PKCS#8 objects have also been enhanced where required. This includes:
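Review bot: The closing sentence of the new entry ("However if the input format option is used the specified format will be required.") names neither the options it applies to nor the formats that are enforced, and it disagrees with the format-options text later in this patch, which limits enforcement to B<DER> and B<PEM> and lists B<P12> among the auto-detected formats. Suggest naming the options (such as -inform, -keyform and -certform) and noting that a mismatched format now fails, since the man page text removed in this patch described several of these options as having no effect. A comma after "However" would also help.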
=item B<-inform> B<DER>|B<PEM>
-The format of the data in certificate request input files.
-The default is PEM.
+The format of the data in certificate request input files;
+unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-ss_cert> I<filename>
=item B<-certform> B<DER>|B<PEM>|B<P12>
-The format of the data in certificate input files.
-This option has no effect and is retained for backward compatibility only.
+The format of the data in certificate input files; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-keyfile> I<filename>|I<uri>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the private key input file; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key input file; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-sigopt> I<nm>:I<v>
The B<-section> option was added in OpenSSL 3.0.0.
-The B<-certform> and B<-multivalue-rdn> options
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
+The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
The B<-engine> option was deprecated in OpenSSL 3.0.
=item B<-keyform> I<PEM|DER|P12|ENGINE>
-The format of the key input.
-The only value with effect is B<ENGINE>.
+The format of the key input; unspecified by default.
See L<openssl(1)/Format Options> for details.
=item B<-otherpass> I<arg>
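Review bot: This B<-keyform> item keeps the cross-reference "See L<openssl(1)/Format Options> for details." while the other -keyform items in this patch point at L<openssl-format-options(1)>; since the description is being rewritten here, the link should be updated as well. The value list I<PEM|DER|P12|ENGINE> also differs from the B<DER>|B<PEM>|B<P12>|B<ENGINE> markup used in the other items.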
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the private key file; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key file; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
The -no_alt_chains option was added in OpenSSL 1.0.2b.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-nameopt> option was added in OpenSSL 3.0.0.
The B<-engine> option was deprecated in OpenSSL 3.0.
=item B<-inform> B<DER>|B<PEM>
-The CRL input format.
-This option has no effect and is retained for backward compatibility only.
+The CRL input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-outform> B<DER>|B<PEM>
=item B<-keyform> B<DER>|B<PEM>|B<P12>
-The format of the private key file.
-This option has no effect and is retained for backward compatibility only.
+The format of the private key file; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-in> I<filename>
L<openssl-x509(1)>,
L<ossl_store-file(7)>
-=head1 HISTORY
-
-The B<-inform> and B<-keyform> options have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the key to sign with; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the key to sign with; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-sigopt> I<nm>:I<v>
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and formats; the default is B<PEM>.
+The key input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The key output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.
Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-This option has become obsolete.
+The DSA parameters input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The DSA parameters output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.
Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>.
=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-outform> B<DER>|B<PEM>
-The key output formats; the default is B<PEM>.
+The key output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.
Private keys are an SEC1 private key or PKCS#8 format.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input and formats; the default is B<PEM>.
+The EC parameters input format; unspecified by default.
+See L<openssl-format-options(1)> for details.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The EC parameters output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.
Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279.
Several OpenSSL commands can take input or generate output in a variety
of formats.
+
Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
-files in any of the B<DER>, B<PEM> or B<P12> formats,
-while specifying their input format is no more needed.
+files in any of the B<DER>, B<PEM> or B<P12> formats. Specifying their input
+format is no more needed and the openssl commands will automatically try all
+the possible formats. However if the B<DER> or B<PEM> input format is specified
+it will be enforced.
+
In order to access a key via an engine the input format B<ENGINE> may be used;
alternatively the key identifier in the <uri> argument of the respective key
option may be preceded by C<org.openssl.engine:>.
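Review bot: In the added paragraph, "if the B<DER> or B<PEM> input format is specified it will be enforced" leaves open what happens when B<P12> is given, although P12 is listed as a readable format a few lines earlier and the option synopses in this patch still accept it. Please state whether P12 is enforced, ignored, or treated as a hint. Wording nits in the same paragraph: "is no more needed" reads better as "is no longer needed", and "However" wants a comma.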
=item B<-keyform> I<format>
Format of a private key input source.
-The only value with effect is B<ENGINE>; all others have become obsolete.
-See L<openssl(1)/Format Options> for details.
=item B<-CRLform> I<format>
=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-passin> I<arg>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-passin> I<arg>
=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The peer key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The peer key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-pubin>
=head1 HISTORY
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-The input and output formats; the default is B<PEM>.
+The input and output formats; unspecified by default.
See L<openssl-format-options(1)> for details.
The data is a PKCS#10 object.
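Review bot: "The input and output formats; unspecified by default." on the combined B<-inform>/B<-outform> item now says the output format has no default. The key, DSA parameters and EC parameters hunks in this patch split the two options and keep "the default is B<PEM>" for the output side. Split this item the same way, or reword it so that only the input format is described as unspecified.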
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the private key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format of the private key; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-keyout> I<filename>
The B<-section> option was added in OpenSSL 3.0.0.
-All B<-keyform> values except B<ENGINE> and the B<-multivalue-rdn> option
-have become obsolete in OpenSSL 3.0.0 and have no effect.
+The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
The B<-engine> option was deprecated in OpenSSL 3.0.
The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
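Review bot: Nit on the context line just below the change: "The <-nodes> option was deprecated in OpenSSL 3.0, too" is missing its formatting code and should read B<-nodes>, matching B<-noenc> on the same line. Worth fixing while this HISTORY paragraph is being edited.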
=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-outform> B<DER>|B<PEM>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-pubin>
This command was deprecated in OpenSSL 3.0.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
=item B<-certform> B<DER>|B<PEM>|B<P12>
-The client certificate file format to use; the default is B<PEM>.
-This option has no effect and is retained for backward compatibility only.
+The client certificate file format to use; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-cert_chain>
=item B<-CRLform> B<DER>|B<PEM>
-The CRL file format; the default is B<PEM>.
+The CRL file format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-crl_download>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-pass> I<arg>
The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
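Review bot: The context line "The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect." is left in this HISTORY section, but the client B<-certform> item above now reads "unspecified by default" with a pointer to the format options, so the two statements contradict each other. Remove that sentence together with the -keyform one, as the later hunk does for B<-certform> and B<-dcertform>.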
=item B<-certform> B<DER>|B<PEM>|B<P12>
-The server certificate file format.
-This option has no effect and is retained for backward compatibility only.
+The server certificate file format; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-cert_chain>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-pass> I<val>
=item B<-dcertform> B<DER>|B<PEM>|B<P12>
-The format of the additional certificate file.
-This option has no effect and is retained for backward compatibility only.
+The format of the additional certificate file; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the additional private key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
-See L<openssl-format-options(1)>.
+The format of the additional private key; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-dpass> I<val>
=item B<-CRLform> B<DER>|B<PEM>
-The CRL file format; the default is B<PEM>.
+The CRL file format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-crl_download>
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
-All B<-keyform> and B<-dkeyform> values except B<ENGINE>
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-stream>, B<-indef>, B<-noindef>
The -no_alt_chains option was added in OpenSSL 1.1.0.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-passin> I<arg>
=head1 HISTORY
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
=item B<-inform> B<DER>|B<PEM>
-The CSR input file format; the default is B<PEM>.
+The input file format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-vfyopt> I<nm>:I<v>
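Review bot: Changing "The CSR input file format" to "The input file format" under B<-inform> drops the only hint of which input the option governs, whereas the other items in this patch name the object (key, CRL, DSA parameters, EC parameters). If the option covers more than CSRs, list what it covers; otherwise keep "CSR".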
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key input format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-out> I<filename>
=item B<-CAform> B<DER>|B<PEM>|B<P12>,
-The format for the CA certificate.
-This option has no effect and is retained for backward compatibility.
+The format for the CA certificate; unspecifed by default.
+See L<openssl-format-options(1)> for details.
=item B<-CAkey> I<filename>|I<uri>
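Review bot: Typo in the added B<-CAform> text: "unspecifed by default" should be "unspecified by default". The =item line above it also ends in a stray comma (B<P12>,), which could be dropped while this item is being touched.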
=item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format for the CA key; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The format for the CA key; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-CAserial> I<filename>
The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
keeping the old name as an alias.
-All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
-have become obsolete in OpenSSL 3.0.0 and have no effect.
-
-The B<-CAform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
The B<-C> option was removed in OpenSSL 3.0.