QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 11:14:36 +00:00
Code Issues Projects Releases Wiki Activity

Document the -inform, etc., in openssl.pod

Browse Source 
Add P12 format description.
Remove PEM NOTES sections; it's in openssl.pod

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10142)
This commit is contained in:
Rich Salz 2019-10-09 21:48:33 -04:00 committed by Tomas Mraz
parent 3c77a41b30
commit 777182a0c7
27 changed files with 303 additions and 368 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/man1/openssl-asn1parse.pod
View File

@ -39,8 +39,8 @@ Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
The input format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>

4
doc/man1/openssl-ca.pod
View File

@ -135,8 +135,8 @@ The private key to sign requests with.
=item B<-keyform> B<DER>|B<PEM>
The format of the data in the private key file.
The default is PEM.
The format of the private key file; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>

45
doc/man1/openssl-cms.pod
View File

@ -25,10 +25,11 @@ B<openssl> B<cms>
[B<-sign_receipt>]
[B<-verify_receipt> I<receipt>]
[B<-in> I<filename>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
[B<-out> I<filename>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
@ -216,33 +217,33 @@ to the B<-verify> operation.
The input message to be encrypted or signed or the message to be decrypted
or verified.
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format CMS structures
instead. This currently only affects the input format of the CMS
structure, if no CMS structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
The input format of the CMS structure (if one is being read);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format CMS structures
instead. This currently only affects the output format of the CMS
structure, if no CMS structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
The output format of the CMS structure (if one is being written);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The format of the private key file; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
The signed receipt format for use with the B<-receipt_verify>; the default
is B<SMIME>.
See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>

21
doc/man1/openssl-crl.pod
View File

@ -10,6 +10,7 @@ B<openssl> B<crl>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-text>]
[B<-in> I<filename>]
[B<-out> I<filename>]
@ -38,16 +39,15 @@ This command processes CRL files in DER or PEM format.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded CRL
structure. B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
The input and output formats of the CRL; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The format of the private key file; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
@ -100,13 +100,6 @@ See L<openssl(1)/Trusted Certificate Options> for more information.
=back
=head1 NOTES
The PEM CRL format uses the header and footer lines:
-----BEGIN X509 CRL-----
-----END X509 CRL-----
=head1 EXAMPLES
Convert a CRL file from PEM to DER:

10
doc/man1/openssl-crl2pkcs7.pod
View File

@ -31,15 +31,13 @@ Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
This specifies the CRL input format. B<DER> format is DER encoded CRL
structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
The input format of the CRL; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the PKCS#7 structure output format. B<DER> format is DER
encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
The output format of the PKCS#7 object; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>

8
doc/man1/openssl-dgst.pod
View File

@ -17,7 +17,7 @@ B<openssl> B<dgst>|I<digest>
[B<-r>]
[B<-out> I<filename>]
[B<-sign> I<filename>]
[B<-keyform> I<arg>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-verify> I<filename>]
[B<-prverify> I<filename>]
@ -94,10 +94,10 @@ Digitally sign the digest using the private key in "filename". Note this option
does not support Ed25519 or Ed448 private keys. Use the L<openssl-pkeyutl(1)>
command instead for this.
=item B<-keyform> I<arg>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
Specifies the key format to sign digest with. The DER, PEM, P12,
and ENGINE formats are supported.
The format of the key to sign with; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>

19
doc/man1/openssl-dhparam.pod
View File

@ -39,17 +39,11 @@ This command is used to manipulate DH parameter files.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the B<DER> format base64 encoded with
additional header and footer lines.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The input format and output format; the default is B<PEM>.
The object is compatible with the PKCS#3 B<DHparameter> structure.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
@ -130,11 +124,6 @@ may have different purposes in future versions of OpenSSL.
=head1 NOTES
PEM format DH parameters use the header and footer lines:
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.

32
doc/man1/openssl-dsa.pod
View File

@ -50,22 +50,16 @@ applications should use the more secure PKCS#8 format using the B<pkcs8>
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
version (currently zero), p, q, g, the public and private key components
respectively as ASN.1 INTEGERs. When used with a public key it uses a
SubjectPublicKeyInfo structure: it is an error if the key is not DSA.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
B<q>, B<g>, and the public and and private key components. Public keys
are a B<SubjectPublicKeyInfo> structure with the B<DSA> type.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The B<PEM> format also accepts PKCS#8 data.
=item B<-in> I<filename>
@ -128,18 +122,6 @@ for all available algorithms.
=back
=head1 NOTES
The PEM private key format uses the header and footer lines:
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
=head1 EXAMPLES
To remove the pass phrase on a DSA private key:

27
doc/man1/openssl-dsaparam.pod
View File

@ -26,6 +26,9 @@ B<openssl dsaparam>
This command is used to manipulate or generate DSA parameter files.
DSA parameter generation can be a slow process and as a result the same set of
DSA parameters is often used to generate several distinct keys.
=head1 OPTIONS
=over 4
@ -34,17 +37,13 @@ This command is used to manipulate or generate DSA parameter files.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
of p, q and g respectively. The PEM form is the default format: it consists
of the B<DER> format base64 encoded with additional header and footer lines.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>.
This is compatible with RFC 2459 B<DSS-Parms> structure.
=item B<-in> I<filename>
@ -99,16 +98,6 @@ the input file (if any) is ignored.
=back
=head1 NOTES
PEM format DSA parameters use the header and footer lines:
-----BEGIN DSA PARAMETERS-----
-----END DSA PARAMETERS-----
DSA parameter generation is a slow process and as a result the same set of
DSA parameters is often used to generate several distinct keys.
=head1 SEE ALSO
L<openssl(1)>,

28
doc/man1/openssl-ec.pod
View File

@ -46,19 +46,13 @@ PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN.1 DER encoded SEC1 private key. When used with a public key it
uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
Private keys are an SEC1 private key or PKCS#8 format.
Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
=item B<-in> I<filename>
@ -146,18 +140,6 @@ for all available algorithms.
=back
=head1 NOTES
The PEM private key format uses the header and footer lines:
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
=head1 EXAMPLES
To encrypt a private key using triple DES:

26
doc/man1/openssl-ecparam.pod
View File

@ -33,6 +33,9 @@ B<openssl ecparam>
This command is used to manipulate or generate EC parameter files.
OpenSSL is currently not able to generate new groups and therefore
this command can only create EC parameters from known (named) curves.
=head1 OPTIONS
=over 4
@ -41,17 +44,12 @@ This command is used to manipulate or generate EC parameter files.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
form compatible with RFC 3279 EcpkParameters. The PEM form is the default
format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279.
=item B<-in> I<filename>
@ -137,16 +135,6 @@ for all available algorithms.
=back
=head1 NOTES
PEM format EC parameters use the header and footer lines:
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
OpenSSL is currently not able to generate new groups and therefore
B<openssl ecparam> can only create EC parameters from known (named) curves.
=head1 EXAMPLES
To create EC parameters with the group 'prime192v1':

3
doc/man1/openssl-genpkey.pod
View File

@ -40,7 +40,8 @@ standard output is used.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format DER or PEM. The default format is PEM.
The output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>

22
doc/man1/openssl-nseq.pod
View File

@ -19,6 +19,11 @@ sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
A Netscape certificate sequence is an old Netscape-specific format that
can be sometimes be sent to browsers as an alternative to the standard PKCS#7
format when several certificates are sent to the browser, for example during
certificate enrollment. It was also used by Netscape certificate server.
=head1 OPTIONS
=over 4
@ -55,23 +60,6 @@ Create a Netscape certificate sequence
openssl nseq -in certs.pem -toseq -out nseq.pem
=head1 NOTES
The B<PEM> encoded form uses the same headers and footers as a certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A Netscape certificate sequence is a Netscape specific format that can be sent
to browsers as an alternative to the standard PKCS#7 format when several
certificates are sent to the browser: for example during certificate enrollment.
It is used by Netscape certificate server for example.
=head1 BUGS
This program needs a few more options: like allowing DER or PEM input and
output files and allowing multiple certificate files to be used.
=head1 COPYRIGHT
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

37
doc/man1/openssl-pkcs7.pod
View File

@ -21,7 +21,11 @@ B<openssl> B<pkcs7>
=head1 DESCRIPTION
This command processes PKCS#7 files in DER or PEM format.
This command processes PKCS#7 files. Note that it only understands PKCS#7
v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as
described in IETF RFC 2630.
There is no option to print out all the fields of a PKCS#7 file.
=head1 OPTIONS
@ -31,16 +35,12 @@ This command processes PKCS#7 files in DER or PEM format.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded PKCS#7
v1.5 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The data is a PKCS#7 Version 1.5 structure.
=item B<-in> I<filename>
@ -86,25 +86,6 @@ Output all certificates in a file:
openssl pkcs7 -in file.pem -print_certs -out certs.pem
=head1 NOTES
The PEM PKCS#7 format uses the header and footer lines:
-----BEGIN PKCS7-----
-----END PKCS7-----
For compatibility with some CAs it will also accept:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
=head1 RESTRICTIONS
There is no option to print out all the fields of a PKCS#7 file.
This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
cannot currently parse, for example, the new CMS as described in RFC2630.
=head1 SEE ALSO
L<openssl(1)>,

56
doc/man1/openssl-pkcs8.pod
View File

@ -52,15 +52,27 @@ Normally a PKCS#8 private key is expected on input and a private key will be
written to the output file. With the B<-topk8> option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format: see L<KEY FORMATS> for more details. The default
format is PEM.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
not used) then the input file must be in PKCS#8 format. An encrypted
key is expected unless B<-nocrypt> is included.
If B<-topk8> is not used and B<PEM> mode is set the output file will be an
unencrypted private key in PKCS#8 format. If the B<-traditional> option is
used then a traditional format private key is written instead.
If B<-topk8> is not used and B<DER> mode is set the output file will be an
unencrypted private key in traditional DER format.
If B<-topk8> is used then any supported private key can be used for the input
file in a format specified by B<-inform>. The output file will be encrypted
PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
is included.
This specifies the output format: see L<KEY FORMATS> for more details. The default
format is PEM.
=item B<-traditional>
@ -148,27 +160,6 @@ Sets the scrypt I<N>, I<r> or I<p> parameters.
=back
=head1 KEY FORMATS
Various different formats are used by this command. These are detailed
below.
If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
not used) then the input file must be in PKCS#8 format. An encrypted
key is expected unless B<-nocrypt> is included.
If B<-topk8> is not used and B<PEM> mode is set the output file will be an
unencrypted private key in PKCS#8 format. If the B<-traditional> option is
used then a traditional format private key is written instead.
If B<-topk8> is not used and B<DER> mode is set the output file will be an
unencrypted private key in traditional DER format.
If B<-topk8> is used then any supported private key can be used for the input
file in a format specified by B<-inform>. The output file will be encrypted
PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
is included.
=head1 NOTES
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
@ -178,17 +169,6 @@ Some older implementations do not support PKCS#5 v2.0 format and require
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit DES.
The encrypted form of a PEM encode PKCS#8 files uses the following
headers and footers:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
The unencrypted form uses:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered

10
doc/man1/openssl-pkey.pod
View File

@ -40,14 +40,10 @@ converted between various forms and their components printed out.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format DER or PEM. The default format is PEM.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>

6
doc/man1/openssl-pkeyutl.pod
View File

@ -90,7 +90,8 @@ The input key file, by default it should be a private key.
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE. Default is PEM.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
@ -103,7 +104,8 @@ The peer key file, used by key derivation (agreement) operations.
=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
The peer key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>

32
doc/man1/openssl-req.pod
View File

@ -67,17 +67,12 @@ for use as root CAs for example.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#10. The B<PEM> form is the default format: it
consists of the B<DER> format base64 encoded with additional header and
footer lines.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The data is a PKCS#10 object.
=item B<-in> I<filename>
@ -182,8 +177,8 @@ accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B<DER>|B<PEM>
The format of the private key file specified in the B<-key>
argument. PEM is the default.
The format of the private key; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-keyout> I<filename>
@ -628,23 +623,10 @@ on the command line:
=head1 NOTES
The header and footer lines in the B<PEM> format are normally:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
some software (some versions of Netscape certificate server) instead needs:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
which is produced with the B<-newhdr> option but is otherwise compatible.
Either form is accepted transparently on input.
The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
by the script in an extendedKeyUsage extension.
by the script in an B<extendedKeyUsage> extension.
=head1 DIAGNOSTICS

35
doc/man1/openssl-rsa.pod
View File

@ -54,18 +54,16 @@ L<openssl-pkcs8(1)> command.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
On input, PKCS#8 format private keys are also accepted.
=item B<-in> I<filename>
@ -137,23 +135,6 @@ for all available algorithms.
=back
=head1 NOTES
The PEM private key format uses the header and footer lines:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
The PEM B<RSAPublicKey> format uses the header and footer lines:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:

3
doc/man1/openssl-rsautl.pod
View File

@ -57,7 +57,8 @@ The input key file, by default it should be an RSA private key.
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-pubin>

10
doc/man1/openssl-s_client.pod
View File

@ -22,6 +22,7 @@ B<openssl> B<s_client>
[B<-verify_return_error>]
[B<-cert> I<filename>]
[B<-certform> B<DER>|B<PEM>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
[B<-cert_chain> I<filename>]
@ -244,6 +245,11 @@ not to use a certificate.
The certificate format to use: DER or PEM. PEM is the default.
=item B<-CRLform> B<DER>|B<PEM>
The CRL format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
@ -251,7 +257,8 @@ be used.
=item B<-keyform> I<format>
The private format to use: DER or PEM. PEM is the default.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-cert_chain>
@ -280,6 +287,7 @@ B<-xcert> I<infile>, B<-xchain> options.
=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>

32
doc/man1/openssl-s_server.pod
View File

@ -23,7 +23,7 @@ B<openssl> B<s_server>
[B<-serverinfo> I<val>]
[B<-certform> B<DER>|B<PEM>]
[B<-key> I<infile>]
[B<-keyform> I<format>]
[B<-keyform> B<DER>|B<PEM>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
[B<-dcertform> B<DER>|B<PEM>]
@ -64,7 +64,6 @@ B<openssl> B<s_server>
[B<-verifyCApath> I<dir>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-build_chain>]
@ -151,6 +150,7 @@ B<openssl> B<s_server>
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-xcertform> B<DER>|B<PEM>]
[B<-xkeyform> B<DER>|B<PEM>]
[B<-nbio>]
@ -290,22 +290,25 @@ followed by "length" bytes of extension data). If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
=item B<-certform> B<DER>|B<PEM>
=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
The certificate format to use: DER or PEM. PEM is the default.
The certificate and CRL format; the default is PEM.
See L<openssl(1)/Format Options> for details.
=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
=item B<-keyform> I<format>
=item B<-keyform> B<DER>|B<PEM>]
The private format to use: DER or PEM. PEM is the default.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<val>
The private key password source. For more information about the format of B<val>
The private key password source.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.
=item B<-dcert> I<infile>, B<-dkey> I<infile>
@ -325,9 +328,16 @@ A file containing trusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>, B<-dpass> I<val>
=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
Additional certificate and private key format and passphrase respectively.
The format of the certificate and private key; the default is B<PEM>
see L<openssl(1)/Format Options>.
=item B<-dpass> I<val>
The passphrase for the additional private key.
For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.
=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
@ -344,7 +354,9 @@ B<-xcert> I<infile>, B<-xchain> options.
=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
The format for the extra certificate and private key, respectively;
the default format is B<PEM>.
see L<openssl(1)/Pass Phrase Options>.
=item B<-nbio_test>

23
doc/man1/openssl-sess_id.pod
View File

@ -24,6 +24,9 @@ the SSL session master key) in human readable format. Since this is a
diagnostic tool that needs some knowledge of the SSL protocol to use
properly, most users will not need to use it.
The precise format of the data can vary across OpenSSL versions and
is not documented.
=head1 OPTIONS
=over 4
@ -32,18 +35,13 @@ properly, most users will not need to use it.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>|B<NSS>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
format containing session details. The precise format can vary from one version
to the next. The B<PEM> form is the default format: it consists of the B<DER>
format base64 encoded with additional header and footer lines.
The input and output formats; the default is PEM.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>|B<NSS>
This specifies the output format. The B<PEM> and B<DER> options have the same
meaning and default as the B<-inform> option. The B<NSS> option outputs the
session id and the master key in NSS keylog format.
For B<NSS> output, the session ID and master key are reported in NSS "keylog"
format.
=item B<-in> I<filename>
@ -134,11 +132,6 @@ This is the return code when an SSL client certificate is verified.
=head1 NOTES
The PEM encoded session format uses the header and footer lines:
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
Since the SSL session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore appropriate security precautions should be taken if

32
doc/man1/openssl-smime.pod
View File

@ -53,10 +53,11 @@ B<openssl> B<smime>
[B<-signer> I<file>]
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-inkey> I<file_or_id>]
[B<-out> I<file>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-content> I<file>]
[B<-to> I<addr>]
[B<-from> I<ad>]
@ -126,28 +127,27 @@ Resign a message: take an existing message and one or more new signers.
The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the PKCS#7 structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format PKCS#7 structures
instead. This currently only affects the input format of the PKCS#7
structure, if no PKCS#7 structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
The input format of the PKCS#7 (S/MIME) structure (if one is being read);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the PKCS#7 structure. The default
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format PKCS#7 structures
instead. This currently only affects the output format of the PKCS#7
structure, if no PKCS#7 structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
The output format of the PKCS#7 (S/MIME) structure (if one is being written);
the default is B<SMIME>.
See L<openssl(1)/Format Options> for details.
=item B<-keyform> B<DER>|B<PEM>
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>

4
doc/man1/openssl-spkac.pod
View File

@ -55,8 +55,8 @@ present.
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>

39
doc/man1/openssl-x509.pod
View File

@ -90,18 +90,13 @@ various sections.
Print out a usage message.
=item B<-inform> B<DER>|B<PEM>
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
added. The default format is PEM.
The input and formats; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
The input is normally an X.509 certificate, but this can change if other
options such as B<-req> are used.
=item B<-in> I<filename>
@ -376,8 +371,13 @@ retained.
=item B<-keyform> B<DER>|B<PEM>
Specifies the format (DER or PEM) of the private key file used in the
B<-signkey> option.
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-CAform> B<DER>|B<PEM>, B<-CAkeyform> B<DER>|B<PEM>
The format for the CA certificate and key; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-days> I<arg>
@ -782,21 +782,6 @@ Set a certificate to be trusted for SSL client use and change set its alias to
=head1 NOTES
The PEM format uses the header and footer lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
it will also handle files containing:
-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----
Trusted certificates have the lines
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
and MSIE do this as do many certificates. So although this is incorrect

103
doc/man1/openssl.pod
View File

@ -516,6 +516,109 @@ parameters start with a minus sign:
=back
=head2 Format Options
Several OpenSSL commands can take input or generate output in a variety
of formats. The list of acceptable formats, and the default, is
described in each command documentation. The list of formats is
described below. Both uppercase and lowercase are accepted.
=over 4
=item B<DER>
A binary format, encoded or parsed according to Distinguished Encoding Rules
(DER) of the ASN.1 data language.
=item B<ENGINE>
Used to specify that the cryptographic material is in an OpenSSL B<engine>.
An engine must be configured or specified using the B<-engine> option.
In addition, the B<-input> flag can be used to name a specific object in
the engine.
A password, such as the B<-passin> flag often must be specified as well.
=item B<P12>
A DER-encoded file containing a PKCS#12 object.
It might be necessary to provide a decryption password to retrieve
the private key.
=item B<PEM>
A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is
a block of base-64 encoding (defined in IETF RFC 4648), with specific
lines used to mark the start and end:
Text before the BEGIN line is ignored.
----- BEGIN object-type -----
OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
----- END object-type -----
Text after the END line is also ignored
The I<object-type> must match the type of object that is expected.
For example a C<BEGIN X509 CERTIFICATE> will not match if the command
is trying to read a private key. The types supported include:
ANY PRIVATE KEY
CERTIFICATE
CERTIFICATE REQUEST
CMS
DH PARAMETERS
DSA PARAMETERS
DSA PUBLIC KEY
EC PARAMETERS
EC PRIVATE KEY
ECDSA PUBLIC KEY
ENCRYPTED PRIVATE KEY
PARAMETERS
PKCS #7 SIGNED DATA
PKCS7
PRIVATE KEY
PUBLIC KEY
RSA PRIVATE KEY
SSL SESSION PARAMETERS
TRUSTED CERTIFICATE
X509 CRL
X9.42 DH PARAMETERS
The following legacy I<object-type>'s are also supported for compatibility
with earlier releases:
DSA PRIVATE KEY
NEW CERTIFICATE REQUEST
RSA PUBLIC KEY
X509 CERTIFICATE
=item B<SMIME>
An S/MIME object as described in IETF RFC 8551.
Earlier versions were known as CMS and are compatible.
Note that the parsing is simple and might fail to parse some legal data.
=back
The options to specify the format are as follows. Refer to the individual
manpage to see which options are accepted.
=over 4
=item B<-inform> I<format>, B<-outform> I<format>
The format of the input or output streams.
=item B<-keyform> I<format>
Format of a private key input source.
=item B<-CRLform> I<fornat>
Format of a CRL input source.
=back
=head2 Pass Phrase Options
Several commands accept password arguments, typically using B<-passin>