The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
-the 'ps' utility) this option should be used with caution.
+the L<ps(1)> utility) this option should be used with caution.
=item B<-selfsign>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-des>|B<-des3>|B<-idea>
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See L<KEY GENERATION OPTIONS> and
-L<PARAMETER GENERATION OPTIONS> below for more details.
+implementation. See L</KEY GENERATION OPTIONS> and
+L</PARAMETER GENERATION OPTIONS> below for more details.
=item B<-genparam>
=head2 EC Parameter Generation Options
The EC parameter generation options are the same as for key generation. See
-L<EC Key Generation Options> above.
+L</EC Key Generation Options> above.
=head1 NOTES
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section
-in L<openssl(1)>.
+information about the format of I<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-password> I<arg>
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
-the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+the format of I<arg> see L<openssl(1)/Pass phrase options>.
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
-about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+about the format of I<arg> see L<openssl(1)/Pass phrase options>.
=item B<-chain>
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
-can be used (see B<NOTES> section for more information). If a cipher name
+can be used (see L</NOTES> section for more information). If a cipher name
(as output by C<openssl list -cipher-algorithms>) is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-iter> I<count>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-traditional>
Allows reading a public key option I<opt> from stdin or a password source.
If only I<opt> is specified, the user will be prompted to enter a password on
stdin. Alternatively, I<passarg> can be specified which can be any value
-supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+supported by L<openssl(1)/Pass phrase options>.
=item B<-hexdump>
=item B<-passout> I<arg>
-The output file password source. For more information about the format of
I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format of
B<arg>
+see L<openssl(1)/Pass phrase options>.
=item B<-text>
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
-for more details.
+implementation.
+See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>
=item B<-passout> I<arg>
The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-pass> I<arg>
the private key password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
In addition to the options below, this command also supports
the common and server only options documented
-in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
-manual page.
+L<SSL_CONF_cmd(3)/Supported Command Line Commands>
=over 4
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in
-the L<openssl(1)> command.
+the L<openssl(1)/Pass phrase options> command.
=head1 OPTIONS
this command will not consider certificate purpose during chain
verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
-B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
+B<smimesign>, B<smimeencrypt>. See the L</VERIFY OPERATION> section for more
information.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
The second operation is to check every untrusted certificate's extensions for
consistency with the supplied purpose. If the B<-purpose> option is not included
then no checks are done. The supplied or "leaf" certificate must have extensions
-compatible with the supplied purpose and all other certificates must also be valid
-CA certificates. The precise extensions required are described in more detail in
-the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
+compatible with the supplied purpose and all other certificates must also be
+valid CA certificates. The precise extensions required are described in more
+detail in L<openssl-x509(1)/CERTIFICATE EXTENSIONS>.
The third operation is to check the trust settings on the root CA. The root CA
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
-The final operation is to check the validity of the certificate chain. The validity
-period is checked against the current system time and the notBefore and notAfter
-dates in the certificate. The certificate signatures are also checked at this
-point.
+The final operation is to check the validity of the certificate chain. The
+validity period is checked against the current system time and the notBefore
+and notAfter dates in the certificate. The certificate signatures are also
+checked at this point.
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
=head2 Display Options
Note: the B<-alias> and B<-purpose> options are also display options
-but are described in the B<TRUST SETTINGS> section.
+but are described in the L</Trust Settings> section.
=over 4
Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
-options. See the B<TEXT OPTIONS> section for more information.
+options. See the L</Text Options> section for more information.
=item B<-noout>
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the B<NAME OPTIONS> section for more information.
+set multiple options. See the L</Name Options> section for more information.
=item B<-email>
=item B<-purpose>
This option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the B<CERTIFICATE
-EXTENSIONS> section.
+the results. For a more complete description see the
+L</CERTIFICATE EXTENSIONS> section.
=back
projects / openssl.git / commitdiff