Command docs: more reference fixes

Normalise on L<openssl-cmd(1)> over L<cmd(1)>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

doc/man1/CA.pl.pod

@@ -48,18 +48,18 @@ Prints a usage message.
 
 Creates a new self signed certificate. The private key is written to the file
 F<newkey.pem> and the request written to the file F<newreq.pem>.
-This argument invokes L<openssl-req(1)> command.
+Invokes L<openssl-req(1)>.
 
 =item B<-newreq>
 
 Creates a new certificate request. The private key is written to the file
 F<newkey.pem> and the request written to the file F<newreq.pem>.
-Executes L<openssl-req(1)> command below the hood.
+Executes L<openssl-req(1)> under the hood.
 
 =item B<-newreq-nodes>
 
 Is like B<-newreq> except that the private key will not be encrypted.
-Uses L<openssl-req(1)> command.
+Uses L<openssl-req(1)>.
 
 =item B<-newca>
 
@@ -68,7 +68,7 @@ and B<-xsign> options). The user is prompted to enter the filename of the CA
 certificates (which should also contain the private key) or by hitting ENTER
 details of the CA will be prompted for. The relevant files and directories
 are created in a directory called F<demoCA> in the current directory.
-L<openssl-req(1)> and L<openssl-ca(1)> commands are get invoked.
+Uses L<openssl-req(1)> and L<openssl-ca(1)>.
 
 =item B<-pkcs12>
 
@@ -80,31 +80,31 @@ B<-sign> option. The PKCS#12 file can be imported directly into a browser.
 If there is an additional argument on the command line it will be used as the
 "friendly name" for the certificate (which is typically displayed in the browser
 list box), otherwise the name "My Certificate" is used.
-Delegates work to L<openssl-pkcs12(1)> command.
+Delegates work to L<openssl-pkcs12(1)>.
 
 =item B<-sign>, B<-signcert>, B<-xsign>
 
 Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
 request to be in the file F<newreq.pem>. The new certificate is written to the
 file F<newcert.pem> except in the case of the B<-xsign> option when it is
-written to standard output. Leverages L<openssl-ca(1)> command.
+written to standard output.
 
 =item B<-signCA>
 
 This option is the same as the B<-signreq> option except it uses the
 configuration file section B<v3_ca> and so makes the signed request a
 valid CA certificate. This is useful when creating intermediate CA from
-a root CA.  Extra params are passed on to L<openssl-ca(1)> command.
+a root CA.  Extra params are passed to L<openssl-ca(1)>.
 
 =item B<-signcert>
 
 This option is the same as B<-sign> except it expects a self signed certificate
 to be present in the file F<newreq.pem>.
-Extra params are passed on to L<openssl-x509(1)> and L<openssl-ca(1)> commands.
+Extra params are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.
 
 =item B<-crl>
 
-Generate a CRL. Executes L<openssl-ca(1)> command.
+Generate a CRL. Executes L<openssl-ca(1)>.
 
 =item B<-revoke> I<certfile> [I<reason>]
 
@@ -112,13 +112,13 @@ Revoke the certificate contained in the specified B<certfile>. An optional
 reason may be specified, and must be one of: B<unspecified>,
 B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
 B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
-Leverages L<openssl-ca(1)> command.
+Leverages L<openssl-ca(1)>.
 
 =item B<-verify>
 
 Verifies certificates against the CA certificate for F<demoCA>. If no
 certificates are specified on the command line it tries to verify the file
-F<newcert.pem>.  Invokes L<openssl-verify(1)> command.
+F<newcert.pem>.  Invokes L<openssl-verify(1)>.
 
 =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
 
@@ -147,7 +147,7 @@ the request and finally create a PKCS#12 file containing it.
 =head1 DSA CERTIFICATES
 
 Although the B<CA.pl> creates RSA CAs and requests it is still possible to
-use it with DSA certificates and requests using the L<req(1)> command
+use it with DSA certificates and requests using the L<openssl-req(1)> command
 directly. The following example shows the steps that would typically be taken.
 
 Create some DSA parameters:

doc/man1/openssl-cms.pod

@@ -314,7 +314,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
 The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
 or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<enc(1)> for a list of ciphers
+example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
 supported by your version of OpenSSL.
 
 If not specified triple DES is used. Only used with B<-encrypt> and
@@ -509,7 +509,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
 
 =back
 

doc/man1/openssl-crl.pod

@@ -64,7 +64,7 @@ Print out the CRL in text form.
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. See
-the description of B<-nameopt> in L<x509(1)>.
+the description of B<-nameopt> in L<openssl-x509(1)>.
 
 =item B<-noout>
 

doc/man1/openssl-genpkey.pod

@@ -76,7 +76,7 @@ option) are DH, DSA and EC.
 Note that the algorithm name X9.42 DH may be used as a synonym for the DH
 algorithm. These are identical and do not indicate the type of parameters that
 will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
-or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
+or X9.42 DH parameters are required. See L</DH Parameter Generation Options>
 below for more details.
 
 =item B<-pkeyopt> I<opt>:I<value>

doc/man1/openssl-list.pod

@@ -52,7 +52,7 @@ Display a list of standard commands.
 =item B<-digest-commands>
 
 Display a list of message digest commands, which are typically used
-as input to the L<dgst(1)> or L<speed(1)> commands.
+as input to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
 
 =item B<-digest-algorithms>
 
@@ -76,7 +76,7 @@ Display a list of message authentication code algorithms.
 =item B<-cipher-commands>
 
 Display a list of cipher commands, which are typically used as input
-to the L<dgst(1)> or L<speed(1)> commands.
+to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
 
 =item B<-cipher-algorithms>
 

doc/man1/openssl-ocsp.pod

@@ -229,7 +229,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set different certificate verification options.
-See L<verify(1)> manual page for details.
+See L<openssl-verify(1)> manual page for details.
 
 =item B<-verify_other> I<file>
 

doc/man1/openssl-req.pod

@@ -306,14 +306,14 @@ configuration file, must be valid UTF8 strings.
 Option which determines how the subject or issuer names are displayed. The
 I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
 
 =item B<-reqopt> I<option>
 
 Customise the output format used with B<-text>. The I<option> argument can be
 a single option or multiple options separated by commas.
 
-See discussion of the  B<-certopt> parameter in the L<x509(1)>
+See discussion of the  B<-certopt> parameter in the L<openssl-x509(1)>
 command.
 
 =item B<-newhdr>

doc/man1/openssl-s_client.pod

@@ -304,13 +304,13 @@ abort the handshake with a fatal error.
 Option which determines how the subject or issuer names are displayed. The
 I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
 
 =item B<-CApath> I<directory>
 
 The directory to use for server certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the client certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the client certificate chain.
 
 =item B<-CAfile> I<file>
 
@@ -320,7 +320,8 @@ and to use when attempting to build the client certificate chain.
 =item B<-chainCApath> I<directory>
 
 The directory to use for building the chain provided to the server. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
 
 =item B<-chainCAfile> I<file>
 
@@ -406,7 +407,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
 
 =item B<-reconnect>
 

doc/man1/openssl-s_server.pod

@@ -275,7 +275,7 @@ provided to the client.
 Option which determines how the subject or issuer names are displayed. The
 I<val> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
 
 =item B<-naccept> I<+int>
 
@@ -380,13 +380,14 @@ a certificate is requested.
 =item B<-CApath> I<dir>
 
 The directory to use for client certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the server certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the server certificate chain.
 
 =item B<-chainCApath> I<dir>
 
 The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
 
 =item B<-chainCAfile> I<file>
 
@@ -637,7 +638,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set different peer certificate verification options.
-See the L<verify(1)> manual page for details.
+See the L<openssl-verify(1)> manual page for details.
 
 =item B<-crl_check>, B<-crl_check_all>
 

doc/man1/openssl-s_time.pod

@@ -83,7 +83,7 @@ will never fail due to a server certificate verify failure.
 Option which determines how the subject or issuer names are displayed. The
 I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
 
 =item B<-CApath> I<directory>
 
@@ -136,7 +136,7 @@ This allows the TLSv1.2 and below cipher list sent by the client to be modified.
 This list will be combined with any TLSv1.3 ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
 take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information.
+L<openssl-ciphers(1)> for more information.
 
 =item B<-ciphersuites> I<val>
 
@@ -144,8 +144,8 @@ This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
 list will be combined with any TLSv1.2 and below ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
 take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information. The format for this list is a simple
-colon (":") separated list of TLSv1.3 ciphersuite names.
+L<openssl-ciphers(1)> for more information. The format for this list is a
+simple colon (":") separated list of TLSv1.3 ciphersuite names.
 
 =item B<-time> I<length>
 
@@ -177,10 +177,10 @@ A frequent problem when attempting to get client certificates working
 is that a web client complains it has no certificates or gives an empty
 list to choose from. This is normally because the server is not sending
 the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using L<s_client(1)> the CA list can be
+requests a certificate. By using L<openssl-s_client(1)> the CA list can be
 viewed and checked. However some servers only request client authentication
 after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> option of L<s_client(1)> and
+is necessary to use the B<-prexit> option of L<openssl-s_client(1)> and
 send an HTTP request for an appropriate page.
 
 If a certificate is specified on the command line using the B<-cert>
@@ -191,8 +191,8 @@ on the command line is no guarantee that the certificate works.
 =head1 BUGS
 
 Because this program does not have all the options of the
-L<s_client(1)> program to turn protocols on and off, you may not be
-able to measure the performance of all protocols with all servers.
+L<openssl-s_client(1)> program to turn protocols on and off, you may not
+be able to measure the performance of all protocols with all servers.
 
 The B<-verify> option should really exit if the server verification
 fails.

doc/man1/openssl-smime.pod

@@ -326,7 +326,7 @@ B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various options of certificate chain verification. See
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
 
 =item I<cert.pem> ...
 

doc/man1/openssl-ts.pod

@@ -361,7 +361,7 @@ of a timestamp response (TimeStampResp). (Optional)
 =item B<-CApath> I<trusted_cert_path>
 
 The name of the directory containing the trusted CA certificates of the
-client. See the similar option of L<verify(1)> for additional
+client. See the similar option of L<openssl-verify(1)> for additional
 details. Either this option or B<-CAfile> must be specified. (Optional)
 
 
@@ -369,7 +369,7 @@ details. Either this option or B<-CAfile> must be specified. (Optional)
 
 The name of the file containing a set of trusted self-signed CA
 certificates in PEM format. See the similar option of
-L<verify(1)> for additional details. Either this option
+L<openssl-verify(1)> for additional details. Either this option
 or B<-CApath> must be specified.
 (Optional)
 
@@ -417,15 +417,15 @@ section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
 
 =item B<oid_section>
 
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
 
 =item B<RANDFILE>
 
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
 
 =item B<serial>
 
@@ -564,10 +564,10 @@ user certificate section of the config file to generate a proper certificate;
 
    extendedKeyUsage = critical,timeStamping
 
-See L<req(1)>, L<ca(1)>, and L<x509(1)> for instructions. The examples
-below assume that F<cacert.pem> contains the certificate of the CA,
-F<tsacert.pem> is the signing certificate issued by F<cacert.pem> and
-F<tsakey.pem> is the private key of the TSA.
+See L<openssl-req(1)>, L<openssl-ca(1)>, and L<openssl-x509(1)> for
+instructions. The examples below assume that F<cacert.pem> contains the
+certificate of the CA, F<tsacert.pem> is the signing certificate issued
+by F<cacert.pem> and F<tsakey.pem> is the private key of the TSA.
 
 To create a timestamp response for a request:
 

doc/man1/openssl-verify.pod

@@ -161,7 +161,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
 Option which determines how the subject or issuer names are displayed. The
 I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
 
 =item B<-no_check_time>
 
@@ -709,7 +709,7 @@ IP address mismatch.
 
 DANE TLSA authentication is enabled, but no TLSA records matched the
 certificate chain.
-This error is only possible in L<s_client(1)>.
+This error is only possible in L<openssl-s_client(1)>.
 
 =item B<X509_V_ERR_EE_KEY_TOO_SMALL>
 

doc/man1/openssl.pod

@@ -116,17 +116,17 @@ CRL to PKCS#7 Conversion.
 =item B<dgst>
 
 Message Digest calculation. MAC calculations are superseded by
-L<mac(1)>.
+L<openssl-mac(1)>.
 
 =item B<dh>
 
 Diffie-Hellman Parameter Management.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
 
 =item B<dhparam>
 
 Generation and Management of Diffie-Hellman Parameters. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
 
 =item B<dsa>
 
@@ -135,7 +135,7 @@ DSA Data Management.
 =item B<dsaparam>
 
 DSA Parameter Generation and Management. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
 
 =item B<ec>
 
@@ -160,12 +160,12 @@ Error Number to Error String Conversion.
 =item B<gendh>
 
 Generation of Diffie-Hellman Parameters.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
 
 =item B<gendsa>
 
 Generation of DSA Private Key from Parameters. Superseded by
-L<genpkey(1)> and L<pkey(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkey(1)>.
 
 =item B<genpkey>
 
@@ -173,7 +173,7 @@ Generation of Private Key or Parameters.
 
 =item B<genrsa>
 
-Generation of RSA Private Key. Superseded by L<genpkey(1)>.
+Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
 
 =item B<info>
 
@@ -246,7 +246,7 @@ RSA key management.
 =item B<rsautl>
 
 RSA utility for signing, verification, encryption, and decryption. Superseded
-by  L<pkeyutl(1)>.
+by  L<openssl-pkeyutl(1)>.
 
 =item B<s_client>
 
@@ -398,7 +398,8 @@ The following aliases provide convenient access to the most used encodings
 and ciphers.
 
 Depending on how OpenSSL was configured and built, not all ciphers listed
-here may be present. See L<enc(1)> for more information and command usage.
+here may be present. See L<openssl-enc(1)> for more information and command
+usage.
 
 =over 4