Add 'align' option to nameopt.

Add default values for display by the 'ca' utility
to openssl.cnf

Update docs.

apps/apps.c

@@ -796,6 +796,7 @@ int set_name_ex(unsigned long *flags, const char *arg)
 		{ "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
 		{ "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
 		{ "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
+		{ "align", XN_FLAG_FN_ALIGN, 0},
 		{ "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
 		{ "space_eq", XN_FLAG_SPC_EQ, 0},
 		{ "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},

apps/openssl.cnf

@@ -48,6 +48,11 @@ RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= usr_cert		# The extentions to add to the cert
 
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crl_extensions	= crl_ext

doc/apps/ca.pod

@@ -317,6 +317,23 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
+=item B<nameopt>, B<certopt>
+
+these options allow the format used to display the certificate details
+when asking the user to confirm signing. All the options supported by
+the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
+here, except the B<no_signame> and B<no_sigdump> are permanently set
+and cannot be disabled (this is because the certificate signature cannot
+be displayed because the certificate has not been signed at this point).
+
+For convenience the values B<default_ca> are accepted by both to produce
+a reasonable output.
+
+If neither option is present the format used in earlier versions of
+OpenSSL is used. Use of the old format is B<strongly> discouraged because
+it only displays fields mentioned in the B<policy> section, mishandles
+multicharacter string types and does not display extensions.
+
 =back
 
 =head1 POLICY FORMAT
@@ -407,6 +424,9 @@ A sample configuration file with the relevant sections for B<ca>:
 
  policy         = policy_any            # default policy
 
+ nameopt	= default_ca		# Subject name display option
+ certopt	= default_ca		# Certificate display option
+
  [ policy_any ]
  countryName            = supplied
  stateOrProvinceName    = optional
@@ -420,7 +440,7 @@ A sample configuration file with the relevant sections for B<ca>:
 The B<ca> command is quirky and at times downright unfriendly.
 
 The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed be be used as a full blown CA itself:
+in a CA. It was not supposed to be used as a full blown CA itself:
 nevertheless some people are using it for this purpose.
 
 The B<ca> command is effectively a single user command: no locking is
@@ -487,9 +507,8 @@ exposed at either a command or interface level so a more friendly utility
 B<CA.pl> help a little but not very much.
 
 Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the B<-preserveDN> option is used but
-the extra fields are not displayed when the user is asked to certify
-a request. The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B<-preserveDN> option is used.
+The behaviour should be more friendly and configurable.
 
 Cancelling some commands by refusing to certify a certificate can
 create an empty file.

doc/apps/x509.pod

@@ -115,9 +115,10 @@ any extensions present and any trust settings.
 
 =item B<-certopt option>
 
-customise the output format used with B<-text>. This option may be used more
-than once to set multiple options. See the B<OUTPUT OPTIONS> section for
-more information.
+customise the output format used with B<-text>. The B<option> argument can be
+a single option or multiple options separated by commas. The B<-certopt> switch
+may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
+section for more information.
 
 =item B<-noout>
 
@@ -148,9 +149,10 @@ outputs the issuer name.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. This
-option may be used more than once to set multiple options. See the B<NAME
-OPTIONS> section for more information.
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas.  Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the B<NAME OPTIONS> section for more information.
 
 =item B<-email>
 
@@ -390,7 +392,7 @@ options.
 =item B<multiline>
 
 a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
-B<spc_eq> and B<lname>.
+B<spc_eq>, B<lname> and B<align>.
 
 =item B<esc_2253>
 
@@ -485,6 +487,11 @@ not display the field at all. B<sname> uses the "short name" form
 B<oid> represents the OID in numerical form and is useful for
 diagnostic purpose.
 
+=item B<align>
+
+align field values for a more readable output. Only usable with
+B<sep_multiline>.
+
 =item B<spc_eq>
 
 places spaces round the B<=> character which follows the field
@@ -492,7 +499,7 @@ name.
 
 =back
 
-=head1 OUTPUT OPTIONS
+=head1 TEXT OPTIONS
 
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the B<certopt> options when
@@ -562,6 +569,13 @@ ASN1 parse unsupported extensions.
 
 hex dump unsupported extensions.
 
+=item B<ca_default>
+
+the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>, B<no_header>,
+B<no_version>, B<no_sigdump> and B<no_signame>.
+
+
+
 =over 4
 
 =back
@@ -590,7 +604,7 @@ Display the certificate subject name in RFC2253 form:
 Display the certificate subject name in oneline form on a terminal
 supporting UTF8:
 
- openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb
+ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
 
 Display the certificate MD5 fingerprint: