Add some newlines needed for pod2man, and run ispell.
Submitted by: Reviewed by: PR:
parent
35f4850ae0
commit
19d2bb574b
@ -1,4 +1,4 @@
|
||||
This is *very* preliminiary documentation for some
|
||||
This is *very* preliminary documentation for some
|
||||
of the main commands in the openssl utility. The
|
||||
information reflects the way the commands may work
|
||||
when OpenSSL 0.9.5 is released. They are subject
|
||||
|
@ -43,7 +43,7 @@ combined with the B<-strparse> option.
|
||||
|
||||
=item B<-noout>
|
||||
|
||||
don't ouput the parsed version of the input file.
|
||||
don't output the parsed version of the input file.
|
||||
|
||||
=item B<-offset number>
|
||||
|
||||
|
@ -94,7 +94,7 @@ the private key to sign requests with.
|
||||
|
||||
=item B<-key password>
|
||||
|
||||
the password used to encrrypt the private key. Since on some
|
||||
the password used to encrypt the private key. Since on some
|
||||
systems the command line arguments are visible (e.g. Unix with
|
||||
the 'ps' utility) this option should be used with caution.
|
||||
|
||||
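Review bot: the spelling fix leaves the option still misdescribed: "-key password" is documented as "the password used to encrypt the private key", but the context line above ("the private key to sign requests with") shows it is the pass phrase that unlocks an already-encrypted key at signing time, so "the pass phrase used to decrypt the private key" would be accurate. The ps warning is the right caveat; it would be more useful if it said plainly that a password given on the command line is visible to every local user, and, if the utility prompts for the pass phrase when the option is omitted, that omitting it is the safer choice.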
@ -140,7 +140,7 @@ need this option.
|
||||
|
||||
Normally the DN order of a certificate is the same as the order of the
|
||||
fields in the relevant policy section. When this option is set the order
|
||||
is the same as the request. This is largely for compatability with the
|
||||
is the same as the request. This is largely for compatibility with the
|
||||
older IE enrollment control which would only accept certificates if their
|
||||
DNs match the order of the request. This is not needed for Xenroll.
|
||||
|
||||
@ -401,7 +401,7 @@ on the same database can have unpredictable results.
|
||||
=head1 FILES
|
||||
|
||||
Note: the location of all files can change either by compile time options,
|
||||
configration file entries, environment variables or command line options.
|
||||
configuration file entries, environment variables or command line options.
|
||||
The values below reflect the default values.
|
||||
|
||||
/usr/local/ssl/lib/openssl.cnf - master configuration file
|
||||
|
@ -3,11 +3,11 @@
|
||||
|
||||
=head1 NAME
|
||||
|
||||
config - OpenSSL CONF library configuaration files
|
||||
config - OpenSSL CONF library configuration files
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The OpenSSL CONF library can be used to read confiuration files.
|
||||
The OpenSSL CONF library can be used to read configuration files.
|
||||
It is used for the OpenSSL master configuration file B<openssl.cnf>
|
||||
and in a few other places like B<SPKAC> files and certificate extension
|
||||
files for the B<x509> utility.
|
||||
@ -40,7 +40,7 @@ The value string undergoes variable expansion. This can be done by
|
||||
including the form B<$var> or B<${var}>: this will substitute the value
|
||||
of the named variable in the current section. It is also possible to
|
||||
substitute a value from another section using the syntax B<$section::name>
|
||||
or B<${section::name}>. By using the form B<$ENV::name> environement
|
||||
or B<${section::name}>. By using the form B<$ENV::name> environment
|
||||
variables can be substituted. It is also possible to assign values to
|
||||
environment variables by using the name B<ENV::name>, this will work
|
||||
if the program looks up environment variables using the B<CONF> library
|
||||
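Review bot: the sentence following the fixed line, "It is also possible to assign values to environment variables by using the name B<ENV::name>, this will work if the program looks up environment variables using the B<CONF> library", is a comma splice and under-explains the limitation: an assignment to ENV::name in the file only affects lookups made through the CONF library, not the real process environment. Splitting it into two sentences and saying so directly would prevent readers from expecting the assignment to be visible to getenv() or to child processes.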
@ -53,7 +53,7 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognised.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
If a configuration file attempts to expand a varible that doesn't exist
|
||||
If a configuration file attempts to expand a variable that doesn't exist
|
||||
then an error is flagged and the file will not load. This can happen
|
||||
if an attempt is made to expand an environment variable that doesn't
|
||||
exist. For example the default OpenSSL master configuration file used
|
||||
|
@ -1,4 +1,5 @@
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
|
||||
|
@ -1,4 +1,5 @@
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
enc - symmetric cipher routines
|
||||
@ -23,7 +24,7 @@ B<openssl enc -ciphername>
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The symmetric cipher commands allow data to be encrytped or decrypted
|
||||
The symmetric cipher commands allow data to be encrypted or decrypted
|
||||
using various block and stream ciphers using keys based on passwords
|
||||
or explicitly provided. Base64 encoding or decoding can also be performed
|
||||
either by itself or in addition to the encryption or decryption.
|
||||
@ -43,14 +44,14 @@ the output filename, standard output by default.
|
||||
=item B<-salt>
|
||||
|
||||
use a salt in the key derivation routines. This option should B<ALWAYS>
|
||||
be used unless compatability with previous versions of OpenSSL or SSLeay
|
||||
be used unless compatibility with previous versions of OpenSSL or SSLeay
|
||||
is required. This option is only present on OpenSSL versions 0.9.5 or
|
||||
above.
|
||||
|
||||
=item B<-nosalt>
|
||||
|
||||
don't use a salt in the key derivation routines. This is the default for
|
||||
compatability with previous versions of OpenSSL and SSLeay.
|
||||
compatibility with previous versions of OpenSSL and SSLeay.
|
||||
|
||||
=item B<-e>
|
||||
|
||||
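Review bot: the two items still pull in opposite directions after the spelling fix: B<-salt> says the option should B<ALWAYS> be used, while B<-nosalt> says no salt "is the default for compatibility with previous versions of OpenSSL and SSLeay" without flagging that the default is the weak choice. Suggest the B<-nosalt> text add one sentence stating that the default is retained only for compatibility and that any new use should pass B<-salt>, so a reader who only looks up B<-nosalt> gets the warning too.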
@ -120,7 +121,7 @@ B<openssl enc -ciphername>.
|
||||
A password will be prompted for to derive the key and IV if necessary.
|
||||
|
||||
The B<-salt> option should B<ALWAYS> be used if the key is being derived
|
||||
from a password unless you want compatability with previous versions of
|
||||
from a password unless you want compatibility with previous versions of
|
||||
OpenSSL and SSLeay.
|
||||
|
||||
Without the B<-salt> option it is possible to perform efficient dictionary
|
||||
@ -149,7 +150,7 @@ Blowfish and RC5 algorithms use a 128 bit key.
|
||||
|
||||
bf-cbc Blowfish in CBC mode
|
||||
bf Alias for bf-cbc
|
||||
bf-cfb Blowish in CFB mode
|
||||
bf-cfb Blowfish in CFB mode
|
||||
bf-ecb Blowfish in ECB mode
|
||||
bf-ofb Blowfish in OFB mode
|
||||
|
||||
|
@ -59,7 +59,7 @@ The B<PEM> encoded form uses the same headers and footers as a certificate:
|
||||
|
||||
A Netscape certificate sequence is a Netscape specific form that can be sent
|
||||
to browsers as an alternative to the standard PKCS#7 format when several
|
||||
certificates are sent to the browser: for example during certificate erollment.
|
||||
certificates are sent to the browser: for example during certificate enrollment.
|
||||
It is used by Netscape certificate server for example.
|
||||
|
||||
=head1 BUGS
|
||||
|
@ -214,7 +214,7 @@ There should be an option that prints out the encryption algorithm
|
||||
in use and other details such as the iteration count.
|
||||
|
||||
PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
|
||||
key format for OpenSSL: for compatability several of the utilities use
|
||||
key format for OpenSSL: for compatibility several of the utilities use
|
||||
the old format at present.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
@ -194,7 +194,7 @@ It should be noted that very few CAs still require the use of this option.
|
||||
|
||||
=head1 CONFIGURATION FILE FORMAT
|
||||
|
||||
The configuation options are specified in the B<req> section of
|
||||
The configuration options are specified in the B<req> section of
|
||||
the configuration file. As with all configuration files if no
|
||||
value is specified in the specific section (i.e. B<req>) then
|
||||
the initial unnamed or B<default> section is searched too.
|
||||
@ -214,13 +214,13 @@ B<envpassout> override the configuration file values.
|
||||
|
||||
This specifies the default key size in bits. If not specified then
|
||||
512 is used. It is used if the B<-new> option is used. It can be
|
||||
overriden by using the B<-newkey> option.
|
||||
overridden by using the B<-newkey> option.
|
||||
|
||||
=item B<default_keyfile>
|
||||
|
||||
This is the default filename to write a private key to. If not
|
||||
specified the key is written to standard output. This can be
|
||||
overriden by the B<-keyout> option.
|
||||
overridden by the B<-keyout> option.
|
||||
|
||||
=item B<oid_file>
|
||||
|
||||
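Review bot: the B<default_bits> paragraph touched by this hunk documents 512 bits as the default key size when the option is absent; 512-bit RSA is far too small to recommend, and since the text already says the value "can be overridden by using the B<-newkey> option", one more sentence advising users to set B<default_bits> or pass B<-newkey> with a larger size rather than rely on the default would cost little and prevent weak keys being generated by omission.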
@ -245,7 +245,7 @@ placed and read from. It is used for private key generation.
|
||||
|
||||
If this is set to B<no> then if a private key is generated it is
|
||||
B<not> encrypted. This is equivalent to the B<-nodes> command line
|
||||
option. For compatability B<encrypt_rsai_key> is an equivalent option.
|
||||
option. For compatibility B<encrypt_rsai_key> is an equivalent option.
|
||||
|
||||
=item B<default_md>
|
||||
|
||||
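Review bot: B<encrypt_rsai_key> survives the ispell pass unchanged on both sides of the hunk, presumably because it sits inside a B<> formatting code; it looks like a typo for encrypt_rsa_key, the compatibility name the req utility reads (verify against apps/req.c). It is worth correcting here, because a reader who copies "encrypt_rsai_key = no" into openssl.cnf gets no error, just the default behaviour, so the key is silently encrypted when they expected the equivalent of B<-nodes>.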
@ -284,12 +284,12 @@ is used. It can be overridden by the B<-extensions> command line switch.
|
||||
this specifies the section containing any request attributes: its format
|
||||
is the same as B<distinguished_name> described below. Typically these
|
||||
may contain the challengePassword or unstructuredName types. They are
|
||||
currently ignored by OpenSSLs request signing utilities but some CAs
|
||||
currently ignored by OpenSSL's request signing utilities but some CAs
|
||||
might want them.
|
||||
|
||||
=item B<distinguished_name>
|
||||
|
||||
This specifies the section containing the distiguished name fields to
|
||||
This specifies the section containing the distinguished name fields to
|
||||
prompt for when generating a certificate or certificate request. This
|
||||
consists of lines of the form:
|
||||
|
||||
@ -299,7 +299,7 @@ consists of lines of the form:
|
||||
fieldName_max= 4
|
||||
|
||||
"fieldName" is the field name being used, for example commonName (or CN).
|
||||
The "prompt" string is used to ask the user to enter the relvant
|
||||
The "prompt" string is used to ask the user to enter the relevant
|
||||
details. If the user enters nothing then the default value is used if no
|
||||
default value is present then the field is omitted. A field can
|
||||
still be omitted if a default value is present if the user just
|
||||
@ -432,7 +432,7 @@ This is followed some time later by...
|
||||
The first error message is the clue: it can't find the configuration
|
||||
file! Certain operations (like examining a certificate request) don't
|
||||
need a configuration file so its use isn't enforced. Generation of
|
||||
certficates or requests however does need a configuration file. This
|
||||
certificates or requests however does need a configuration file. This
|
||||
could be regarded as a bug.
|
||||
|
||||
Another puzzling message is this:
|
||||
@ -454,13 +454,13 @@ for more information.
|
||||
|
||||
The variable B<OPENSSL_CONF> if defined allows an alternative configuration
|
||||
file location to be specified, it will be overridden by the B<-config> command
|
||||
line switch if it is present. For compatability reasons the B<SSLEAY_CONF>
|
||||
line switch if it is present. For compatibility reasons the B<SSLEAY_CONF>
|
||||
environment variable serves the same purpose but its use is discouraged.
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
OpenSSLs handling of T61Strings (aka TeletexStrings) is broken: it effectively
|
||||
treats them as ISO-8859-1 (latin 1), Netscape and MSIE have similar behaviour.
|
||||
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
|
||||
treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
|
||||
This can cause problems if you need characters that aren't available in
|
||||
PrintableStrings and you don't want to or can't use BMPStrings.
|
||||
|
||||
|
@ -115,7 +115,7 @@ do not verify the signers certificate of a signed message.
|
||||
|
||||
=item B<-nochain>
|
||||
|
||||
do not do chain verification of signers certfificates: that is don't
|
||||
do not do chain verification of signers certificates: that is don't
|
||||
use the certificates in the signed message as untrusted CAs.
|
||||
|
||||
=item B<-nosigs>
|
||||
@ -205,7 +205,7 @@ message: see the examples section.
|
||||
|
||||
This version of the program only allows one signer per message but it
|
||||
will verify multiple signers on received messages. Some S/MIME clients
|
||||
choke if a message contains mutiple signers. It is possible to sign
|
||||
choke if a message contains multiple signers. It is possible to sign
|
||||
messages "in parallel" by signing an already signed message.
|
||||
|
||||
The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
|
||||
@ -239,7 +239,7 @@ an error occurred decrypting or verifying the message.
|
||||
|
||||
=item 5
|
||||
|
||||
the message was verified correctly but an error occured writing out
|
||||
the message was verified correctly but an error occurred writing out
|
||||
the signers certificates.
|
||||
|
||||
=back
|
||||
|
@ -74,11 +74,11 @@ verifies the digital signature on the supplied SPKAC.
|
||||
|
||||
Print out the contents of an SPKAC:
|
||||
|
||||
openssl spkac -in skpac.cnf
|
||||
openssl spkac -in spkac.cnf
|
||||
|
||||
Verify the signature of an SPKAC:
|
||||
|
||||
openssl spkac -in skpac.cnf -noout -verify
|
||||
openssl spkac -in spkac.cnf -noout -verify
|
||||
|
||||
Create an SPKAC using the challenge string "hello":
|
||||
|
||||
|
@ -92,7 +92,7 @@ up. The chain is built up by looking up a certificate whose subject name
|
||||
matches the issuer name of the current certificate. If a certificate is found
|
||||
whose subject and issuer names are identical it is assumed to be the root CA.
|
||||
The lookup first looks in the list of untrusted certificates and if no match
|
||||
is found the remaining lookups are from the trusted certficates. The root CA
|
||||
is found the remaining lookups are from the trusted certificates. The root CA
|
||||
is always looked up in the trusted certificate list: if the certificate to
|
||||
verify is a root certificate then an exact match must be found in the trusted
|
||||
list.
|
||||
@ -105,7 +105,7 @@ CA certificates. The precise extensions required are described in more detail in
|
||||
the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
|
||||
|
||||
The third operation is to check the trust settings on the root CA. The root
|
||||
CA should be trusted for the supplied purpose. For compatability with previous
|
||||
CA should be trusted for the supplied purpose. For compatibility with previous
|
||||
versions of SSLeay and OpenSSL a certificate with no trust settings is considered
|
||||
to be valid for all purposes.
|
||||
|
||||
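Review bot: the last sentence of this paragraph, "a certificate with no trust settings is considered to be valid for all purposes", is the security-relevant caveat of the whole "third operation" description and is easy to miss tacked onto a compatibility remark. Suggest giving it its own sentence that states the consequence (a root CA with no explicit trust settings passes the purpose check for every purpose) and pointing at the B<TRUST OPTIONS> section of the B<x509> utility for how to set trust settings explicitly.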
@ -158,7 +158,7 @@ the certificate signature could not be decrypted. This means that the actual sig
|
||||
could not be determined rather than it not matching the expected value, this is only
|
||||
meaningful for RSA keys.
|
||||
|
||||
=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's's signature>
|
||||
=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
|
||||
|
||||
the CRL signature could not be decrypted: this means that the actual signature value
|
||||
could not be determined rather than it not matching the expected value. Unused.
|
||||
@ -209,7 +209,7 @@ the CRL nextUpdate field contains an invalid time. Unused.
|
||||
|
||||
=item B<17 X509_V_ERR_OUT_OF_MEM: out of memory>
|
||||
|
||||
an error occured trying to allocate memory. This should never happen.
|
||||
an error occurred trying to allocate memory. This should never happen.
|
||||
|
||||
=item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
|
||||
|
||||
|
@ -100,7 +100,7 @@ this option has no effect: SHA1 is always used with DSA keys.
|
||||
=head1 DISPLAY OPTIONS
|
||||
|
||||
Note: the B<-alias> and B<-purpose> options are also display options
|
||||
but are desribed in the B<TRUST OPTIONS> section.
|
||||
but are described in the B<TRUST OPTIONS> section.
|
||||
|
||||
=over 4
|
||||
|
||||
@ -196,7 +196,7 @@ certificate is automatically output if any trust settings are modified.
|
||||
=item B<-setalias arg>
|
||||
|
||||
sets the alias of the certificate. This will allow the certificate
|
||||
to be reffered to using a nickname for example "Steve's Certificate".
|
||||
to be referred to using a nickname for example "Steve's Certificate".
|
||||
|
||||
=item B<-alias>
|
||||
|
||||
@ -363,7 +363,7 @@ extensions for a CA:
|
||||
openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
|
||||
-signkey key.pem -out cacert.pem
|
||||
|
||||
Sign a certificate request using the CA certifcate above and add user
|
||||
Sign a certificate request using the CA certificate above and add user
|
||||
certificate extensions:
|
||||
|
||||
openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
|
||||
|