Add info about the header and footer lines used in PEM formats

and add an nseq manpage.
1999-11-13 21:58:39 +00:00 · 1999-11-13 21:58:39 +00:00 · 0286d94454
commit 0286d94454
parent 938ead8f88
7 changed files with 123 additions and 5 deletions
--- a/doc/man/dsa.pod
+++ b/doc/man/dsa.pod
@ -117,6 +117,13 @@ a public key.

 =back

+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
 =head1 EXAMPLES

 To remove the pass phrase on a DSA private key:
--- a/doc/man/dsaparam.pod
+++ b/doc/man/dsaparam.pod
@ -82,6 +82,11 @@ the input file (if any) is ignored.

 =head1 NOTES

+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
 DSA parameter generation is a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.

--- a/doc/man/nseq.pod
+++ b/doc/man/nseq.pod
@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate erollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut
--- a/doc/man/pkcs8.pod
+++ b/doc/man/pkcs8.pod
@ -93,6 +93,17 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.

 =head1 NOTES

+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
 counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
--- a/doc/man/req.pod
+++ b/doc/man/req.pod
@ -371,11 +371,17 @@ Sample configuration file:

 =head1 NOTES

-The header and footer lines in the B<PEM> format contain the words
-B<BEGIN CERTIFICATE REQUEST> and B<END CERTIFICATE REQUEST> some software
-(for example some versions of Netscape certificate server) requires the
-words B<BEGIN NEW CERTIFICATE REQUEST> and B<END NEW CERTIFICATE REQUEST>
-instead.
+The header and footer lines in the B<PEM> format are respectively:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+but is otherwise compatible. Either form is accepted on input.

 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of
--- a/doc/man/rsa.pod
+++ b/doc/man/rsa.pod
@ -123,6 +123,13 @@ a public key.

 =back

+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
 =head1 EXAMPLES

 To remove the pass phrase on an RSA private key:
--- a/doc/man/x509.pod
+++ b/doc/man/x509.pod
@ -371,6 +371,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to
 	openssl x509 -in cert.pem -addtrust sslclient \
 		-alias "Steve's Class 1 CA" -out trust.pem

+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
 =head1 BUGS

 The way DNs are printed is in a "historical SSLeay" format which doesn't