generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'rsalz-docfixes'

Browse Source
This commit is contained in:
Rich Salz
2014-07-02 22:44:53 -04:00
parent 23396f5500
commit 835e32f9f6
28 changed files with 373 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
doc/apps/asn1parse.pod
View File

@@ -15,6 +15,8 @@ B<openssl> B<asn1parse>
[B<-length number>]
[B<-i>]
[B<-oid filename>]
[B<-dump>]
[B<-dlimit num>]
[B<-strparse offset>]
[B<-genstr string>]
[B<-genconf file>]
@@ -64,6 +66,14 @@ indents the output according to the "depth" of the structures.
a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.
=item B<-dump>
dump unknown data in hex format.
=item B<-dlimit num>
like B<-dump>, but only the first B<num> bytes are output.
=item B<-strparse offset>
parse the contents octets of the ASN.1 object starting at B<offset>. This

25
doc/apps/ca.pod
View File

@@ -13,6 +13,8 @@ B<openssl> B<ca>
[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
[B<-status serial>]
[B<-updatedb>]
[B<-crl_reason reason>]
[B<-crl_hold instruction>]
[B<-crl_compromise time>]
@@ -26,6 +28,7 @@ B<openssl> B<ca>
[B<-md arg>]
[B<-policy arg>]
[B<-keyfile arg>]
[B<-keyform PEM|DER>]
[B<-key arg>]
[B<-passin arg>]
[B<-cert file>]
@@ -83,7 +86,7 @@ a single self signed certificate to be signed by the CA.
a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required format.
section for information on the required input and output format.
=item B<-infiles>
@@ -94,7 +97,7 @@ are assumed to the the names of files containing certificate requests.
the output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file.
file in PEM format (except that B<-spkac> outputs DER format).
=item B<-outdir directory>
@@ -110,6 +113,11 @@ the CA certificate file.
the private key to sign requests with.
=item B<-keyform PEM|DER>
the format of the data in the private key file.
The default is PEM.
=item B<-key password>
the password used to encrypt the private key. Since on some
@@ -267,6 +275,15 @@ the number of hours before the next CRL is due.
a filename containing a certificate to revoke.
=item B<-status serial>
displays the revocation status of the certificate with the specified
serial number and exits.
=item B<-updatedb>
Updates the database index to purge expired certificates.
=item B<-crl_reason reason>
revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
@@ -499,6 +516,10 @@ the SPKAC and also the required DN components as name value pairs.
If you need to include the same component twice then it can be
preceded by a number and a '.'.
When processing SPKAC format, the output is DER if the B<-out>
flag is used, but PEM format if sending to stdout or the B<-outdir>
flag is used.
=head1 EXAMPLES
Note: these examples assume that the B<ca> directory structure is

6
doc/apps/crl.pod
View File

@@ -12,6 +12,7 @@ B<openssl> B<crl>
[B<-text>]
[B<-in filename>]
[B<-out filename>]
[B<-nameopt option>]
[B<-noout>]
[B<-hash>]
[B<-issuer>]
@@ -53,6 +54,11 @@ default.
print out the CRL in text form.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)|x509(1)>.
=item B<-noout>
don't output the encoded version of the CRL.

5
doc/apps/dhparam.pod
View File

@@ -12,6 +12,7 @@ B<openssl dhparam>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
@@ -64,6 +65,10 @@ exchange more efficient. Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.
=item B<-check>
check if the parameters are valid primes and generator.
=item B<-2>, B<-5>
The generator to use, either 2 or 5. 2 is the default. If present then the

12
doc/apps/dsa.pod
View File

@@ -13,6 +13,12 @@ B<openssl> B<dsa>
[B<-passin arg>]
[B<-out filename>]
[B<-passout arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -74,10 +80,10 @@ filename.
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<dsa> utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by

2
doc/apps/ecparam.pod
View File

@@ -16,7 +16,7 @@ B<openssl ecparam>
[B<-C>]
[B<-check>]
[B<-name arg>]
[B<-list_curve>]
[B<-list_curves>]
[B<-conv_form arg>]
[B<-param_enc arg>]
[B<-no_seed>]

12
doc/apps/gendsa.pod
View File

@@ -8,6 +8,12 @@ gendsa - generate a DSA private key from a set of parameters
B<openssl> B<gendsa>
[B<-out filename>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -24,10 +30,10 @@ The B<gendsa> command generates a DSA private key from a DSA parameter file
=over 4
=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
=item B<-rand file(s)>

18
doc/apps/genrsa.pod
View File

@@ -9,6 +9,18 @@ genrsa - generate an RSA private key
B<openssl> B<genrsa>
[B<-out filename>]
[B<-passout arg>]
[B<-aes128>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -36,10 +48,10 @@ used.
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. If none of these options is
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.

12
doc/apps/rsa.pod
View File

@@ -15,6 +15,12 @@ B<openssl> B<rsa>
[B<-out filename>]
[B<-passout arg>]
[B<-sgckey>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -82,10 +88,10 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
use the modified NET algorithm used with some versions of Microsoft IIS and SGC
keys.
=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<rsa> utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by

16
doc/apps/s_client.pod
View File

@@ -9,6 +9,7 @@ s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-servername name>]
[B<-verify depth>]
[B<-verify_return_error>]
[B<-cert filename>]
@@ -28,6 +29,7 @@ B<openssl> B<s_client>
[B<-nbio>]
[B<-crlf>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-quiet>]
[B<-ssl2>]
[B<-ssl3>]
@@ -37,6 +39,7 @@ B<openssl> B<s_client>
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-starttls protocol>]
[B<-engine id>]
[B<-tlsextdebug>]
@@ -60,6 +63,10 @@ SSL servers.
This specifies the host and optional port to connect to. If not specified
then an attempt is made to connect to the local host on port 4433.
=item B<-servername name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
=item B<-cert certname>
The certificate to use, if one is requested by the server. The default is
@@ -172,6 +179,11 @@ input.
inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.
=item B<-no_ign_eof>
shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
@@ -205,6 +217,10 @@ the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
=item B<-serverpref>
use the server's cipher preferences; only used for SSLV2.
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.

5
doc/apps/s_server.pod
View File

@@ -35,6 +35,7 @@ B<openssl> B<s_server>
[B<-CAfile filename>]
[B<-nocert>]
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl2>]
@@ -231,6 +232,10 @@ also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist irrelevant. See
the B<ciphers> command for more information.
=item B<-serverpref>
use the server's cipher preferences, rather than the client's preferences.
=item B<-tlsextdebug>
print out a hex dump of any TLS extensions received from the server.

11
doc/apps/verify.pod
View File

@@ -12,6 +12,7 @@ B<openssl> B<verify>
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
[B<-crlfile file>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-policy_check>]
@@ -47,11 +48,17 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.
=item B<-CAfile file>
=item B<-crlfile file>
A file of trusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
File containing one or more CRL's (in PEM format) to load.
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
If a valid CRL cannot be found an error occurs.
=item B<-untrusted file>
A file of untrusted certificates. The file should contain multiple certificates

20
doc/apps/x509.pod
View File

@@ -19,6 +19,7 @@ B<openssl> B<x509>
[B<-hash>]
[B<-subject_hash>]
[B<-issuer_hash>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
[B<-nameopt option>]
@@ -28,6 +29,7 @@ B<openssl> B<x509>
[B<-enddate>]
[B<-purpose>]
[B<-dates>]
[B<-checkend num>]
[B<-modulus>]
[B<-fingerprint>]
[B<-alias>]
@@ -41,6 +43,7 @@ B<openssl> B<x509>
[B<-days arg>]
[B<-set_serial n>]
[B<-signkey filename>]
[B<-passin arg>]
[B<-x509toreq>]
[B<-req>]
[B<-CA filename>]
@@ -48,6 +51,7 @@ B<openssl> B<x509>
[B<-CAcreateserial>]
[B<-CAserial filename>]
[B<-text>]
[B<-certopt option>]
[B<-C>]
[B<-md2|-md5|-sha1|-mdc2>]
[B<-clrext>]
@@ -154,6 +158,10 @@ name.
outputs the "hash" of the certificate issuer name.
=item B<-ocspid>
outputs the OCSP hash values for the subject name and public key.
=item B<-hash>
synonym for "-subject_hash" for backward compatibility reasons.
@@ -203,6 +211,11 @@ prints out the expiry date of the certificate, that is the notAfter date.
prints out the start and expiry dates of a certificate.
=item B<-checkend arg>
checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.
=item B<-fingerprint>
prints out the digest of the DER encoded version of the whole certificate
@@ -308,6 +321,11 @@ If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-clrext>
delete any extensions from a certificate. This option is used when a
@@ -463,7 +481,7 @@ using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits.
Also if this option is off any UTF8Strings will be converted to their
character form first.
=item B<no_type>
=item B<ignore_type>
this option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet

2
doc/apps/x509v3_config.pod
View File

@@ -174,7 +174,7 @@ The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.
The value of B<dirName> should point to a section containing the distinguished
name to use as a set of name value pairs. Multi values AVAs can be formed by
preceeding the name with a B<+> character.
prefacing the name with a B<+> character.
otherName can include arbitrary data associated with an OID: the value
should be the OID followed by a semicolon and the content in standard