author | Jason McIntyre <jmc@cvs.openbsd.org> | 2004-01-23 21:43:10 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2004-01-23 21:43:10 +0000 |
commit | e897930083fdf0dee849a5415abf18153f4c2ed4 (patch) | |
tree | 45f75f148b14ac82b3e09cc8917b76da469638bb | |
parent | a6e02997902a9bec2277d9a6654f989264aa9d8f (diff) |
sort options and clean up openssl ocsp;
plus a stab at making this page more consistent;
-rw-r--r-- | usr.sbin/openssl/openssl.1 | 714 |
1 files changed, 359 insertions, 355 deletions
diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1 index 625f98385d6..6284c5bc49d 100644 --- a/usr.sbin/openssl/openssl.1 +++ b/usr.sbin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.29 2004/01/23 14:31:11 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.30 2004/01/23 21:43:09 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -409,19 +409,19 @@ Since the environment of other processes is visible on certain platforms under certain .Ux OSes) this option should be used with caution. -.It Ar file : Ns Ar pathname +.It Ar file : Ns Ar path The first line of -.Ar pathname +.Ar path is the password. If the same -.Ar pathname +.Ar path argument is supplied to .Fl passin and .Fl passout , then the first line will be used for the input password and the next line for the output password. -.Ar pathname +.Ar path need not refer to a regular file: it could, for example, refer to a device or named pipe. .It Ar fd : Ns Ar number @@ -441,12 +441,12 @@ Read the password from standard input. .Op Fl i .Op Fl noout .Op Fl dlimit Ar number -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl inform Ar DER | PEM | TXT .Op Fl length Ar number .Op Fl offset Ar number -.Op Fl oid Ar filename -.Op Fl out Ar filename +.Op Fl oid Ar file +.Op Fl out Ar file .Op Fl strparse Ar offset .Ek .Pp @@ -467,7 +467,7 @@ Dump unknown data in hex form. Indents the output according to the .Qq depth of the structures. -.It Fl in Ar filename +.It Fl in Ar file The input file; default is standard input. .It Fl inform Ar DER | PEM | TXT The input format. 
@@ -485,13 +485,13 @@ Number of bytes to parse; default is until end of file. Don't output the parsed version of the input file. .It Fl offset Ar number Starting offset to begin parsing; default is start of file. -.It Fl oid Ar filename +.It Fl oid Ar file A file containing additional object identifiers .Pq OIDs . The format of this file is described in the .Sx ASN1PARSE NOTES section below. -.It Fl out Ar filename +.It Fl out Ar file Output file to place the .Em DER encoded data into. @@ -602,7 +602,7 @@ The output of some ASN.1 types is not well handled .Op Fl updatedb .Op Fl verbose .Op Fl cert Ar file -.Op Fl config Ar filename +.Op Fl config Ar file .Op Fl crl_CA_compromise Ar time .Op Fl crl_compromise Ar time .Op Fl crl_hold Ar instruction @@ -649,7 +649,7 @@ In this mode no questions will be asked and all certificates will be certified automatically. .It Fl cert Ar file The CA certificate file. -.It Fl config Ar filename +.It Fl config Ar file Specifies the configuration file to use. .It Fl days Ar arg The number of days to certify the certificate for. @@ -683,9 +683,9 @@ to read certificate extensions from (using the default section unless the .Fl extensions option is also used). -.It Fl in Ar filename +.It Fl in Ar file An input -.Ar filename +.Ar file containing a single certificate request to be signed by the CA. .It Fl infiles If present, this should be the last option; all subsequent arguments @@ -698,7 +698,7 @@ Since on some systems the command line arguments are visible with the .Xr ps 1 utility) this option should be used with caution. -.It Fl keyfile Ar filename +.It Fl keyfile Ar file The private key to sign requests with. .It Fl keyform Ar PEM | ENGINE Private key file format. 
@@ -741,7 +741,7 @@ The keyword can be used in the configuration file to enable this behaviour. .It Fl notext Don't output the text form of a certificate to the output file. -.It Fl out Ar filename +.It Fl out Ar file The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file. @@ -749,7 +749,7 @@ The certificate details will also be printed out to this file. The .Ar directory to output certificates to. -The certificate will be written to a filename consisting of the +The certificate will be written to a file consisting of the serial number in hex with .Qq .pem appended. @@ -777,13 +777,13 @@ This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs matched the order of the request. This is not needed for Xenroll. -.It Fl spkac Ar filename +.It Fl spkac Ar file A file containing a single Netscape signed public key and challenge, and additional field values to be signed by the CA. See the .Sx SPKAC FORMAT section for information on the required format. -.It Fl ss_cert Ar filename +.It Fl ss_cert Ar file A single self-signed certificate to be signed by the CA. .It Fl startdate Ar date This allows the start date to be explicitly set. @@ -851,9 +851,9 @@ can't handle V2 CRLs. The number of hours before the next CRL is due. .It Fl gencrl This option generates a CRL based on information in the index file. -.It Fl revoke Ar filename +.It Fl revoke Ar file A -.Ar filename +.Ar file containing a certificate to revoke. .It Fl subj Ar arg Supersedes the subject name given in the request. @@ -1688,9 +1688,9 @@ selection options were added in version 0.9.7. .Op Fl text .Op Cm CAfile Ar file .Op Cm CApath Ar dir -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl inform Ar DER | PEM -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl outform Ar DER | PEM .Ek .Pp 
@@ -1719,8 +1719,8 @@ Print the CRL fingerprint. .It Fl hash Output a hash of the issuer name. This can be used to look up CRLs in a directory by issuer name. -.It Fl in Ar filename -This specifies the input filename to read from, or standard input if this +.It Fl in Ar file +This specifies the input file to read from, or standard input if this option is not specified. .It Fl inform Ar DER | PEM This specifies the input format. @@ -1741,8 +1741,8 @@ Output the field. .It Fl noout Don't output the encoded version of the CRL. -.It Fl out Ar filename -Specifies the output filename to write to, or standard output by +.It Fl out Ar file +Specifies the output file to write to, or standard output by default. .It Fl outform Ar DER | PEM This specifies the output format; the options have the same meaning as the @@ -1780,10 +1780,10 @@ and files too. .Nm openssl crl2pkcs7 .Bk -words .Op Fl nocrl -.Op Fl certfile Ar filename -.Op Fl in Ar filename +.Op Fl certfile Ar file +.Op Fl in Ar file .Op Fl inform Ar DER | PEM -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl outform Ar DER | PEM .Ek .Pp @@ -1796,18 +1796,18 @@ structure. .Pp The options are as follows: .Bl -tag -width "XXXX" -.It Fl certfile Ar filename +.It Fl certfile Ar file Specifies a -.Ar filename +.Ar file containing one or more certificates in .Ar PEM format. All certificates in the file will be added to the PKCS#7 structure. This option can be used more than once to read certificates from multiple files. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a CRL from or standard input if this option is not specified. .It Fl inform Ar DER | PEM This specifies the CRL input format. 
@@ -1820,9 +1820,9 @@ is a base64 encoded version of the DER form with header and footer lines. Normally, a CRL is included in the output file. With this option, no CRL is included in the output file and a CRL is not read from the input file. -.It Fl out Ar filename +.It Fl out Ar file Specifies the output -.Ar filename +.Ar file to write the PKCS#7 structure to or standard output by default. .It Fl outform Ar DER | PEM This specifies the PKCS#7 structure output format. @@ -1875,12 +1875,12 @@ install user certificates and CAs in MSIE using the Xenroll control. .Op Fl hex .Op Fl engine Ar id .Op Fl keyform Ar PEM | ENGINE -.Op Fl out Ar filename -.Op Fl prverify Ar filename +.Op Fl out Ar file +.Op Fl prverify Ar file .Op Fl rand Ar file ... -.Op Fl sign Ar filename -.Op Fl signature Ar filename -.Op Fl verify Ar filename +.Op Fl sign Ar file +.Op Fl signature Ar file +.Op Fl verify Ar file .Op Ar file ... .Ek .Pp @@ -1925,11 +1925,11 @@ This is the default case for a digest as opposed to a digital signature. .It Fl keyform Ar PEM | ENGINE Key file format. -.It Fl out Ar filename -Filename to output to, or standard output by default. -.It Fl prverify Ar filename +.It Fl out Ar file +file to output to, or standard output by default. +.It Fl prverify Ar file Verify the signature using the private key in -.Ar filename . +.Ar file . The output is either .Qq Verification OK or @@ -1940,14 +1940,14 @@ generator, or an EGD socket (see .Xr RAND_egd 3 ) . Multiple files can be specified separated by a .Sq \&: . -.It Fl sign Ar filename +.It Fl sign Ar file Digitally sign the digest using the private key in -.Ar filename . -.It Fl signature Ar filename +.Ar file . +.It Fl signature Ar file The actual signature to verify. -.It Fl verify Ar filename +.It Fl verify Ar file Verify the signature using the public key in -.Ar filename . +.Ar file . The output is either .Qq Verification OK or 
@@ -1993,9 +1993,9 @@ below. .Op Fl noout .Op Fl text .Op Fl engine Ar id -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl inform Ar DER | PEM -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl outform Ar DER | PEM .Op Fl rand Ar file ... .Op Ar numbits @@ -2043,9 +2043,9 @@ string) will cause to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read parameters from or standard input if this option is not specified. .It Fl inform Ar DER | PEM This specifies the input format. @@ -2067,9 +2067,9 @@ It must be the last option. If not present, then a value of 512 is used. If this value is present, then the input file is ignored and parameters are generated instead. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write parameters to. Standard output is used if this option is not present. The output filename should @@ -2148,9 +2148,9 @@ option was added in .Op Fl pubout .Op Fl text .Op Fl engine Ar id -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl inform Ar DER | PEM -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl outform Ar DER | PEM .Op Fl passin Ar arg .Op Fl passout Ar arg @@ -2196,9 +2196,9 @@ string) will cause to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a key from or standard input if this option is not specified. If the key is encrypted, a pass phrase will be prompted for. .It Fl inform Ar DER | PEM 
@@ -2224,9 +2224,9 @@ In the case of a private key, PKCS#8 format is also accepted. This option prints out the value of the public key component of the key. .It Fl noout This option prevents output of the encoded version of the key. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write a key to, or standard output if not specified. If any encryption options are set then a pass phrase will be prompted for. @@ -2308,9 +2308,9 @@ To just output the public part of a private key: .Op Fl noout .Op Fl text .Op Fl engine Ar id -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl inform Ar DER | PEM -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl outform Ar DER | PEM .Op Fl rand Ar file ... .Op Ar numbits @@ -2338,9 +2338,9 @@ The engine will then be set as the default for all available algorithms. .It Fl genkey This option will generate a DSA either using the specified or generated parameters. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read parameters from, or standard input if this option is not specified. If the .Ar numbits @@ -2366,9 +2366,9 @@ It must be the last option. If this option is included, then the input file .Pq if any is ignored. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write parameters to. Standard output is used if this option is not present. The output filename should @@ -2411,12 +2411,12 @@ DSA parameters is often used to generate several distinct keys. .Op Fl nosalt .Op Fl salt .Op Fl bufsize Ar number -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl iv Ar IV .Op Fl K Ar key .Op Fl k Ar password -.Op Fl kfile Ar filename -.Op Fl out Ar filename +.Op Fl kfile Ar file +.Op Fl out Ar file .Op Fl pass Ar arg .Op Fl S Ar salt .Ek 
@@ -2455,9 +2455,9 @@ string) will cause to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.It Fl in Ar filename +.It Fl in Ar file The input -.Ar filename ; +.Ar file ; standard input by default. .It Fl iv Ar IV The actual @@ -2510,9 +2510,9 @@ This is for compatibility with previous versions of Superseded by the .Fl pass option. -.It Fl kfile Ar filename +.It Fl kfile Ar file Read the password to derive the key from the first line of -.Ar filename . +.Ar file . This is for compatibility with previous versions of .Nm OpenSSL . Superseded by the @@ -2528,9 +2528,9 @@ This is the default for compatibility with previous versions of .Nm OpenSSL and .Nm SSLeay . -.It Fl out Ar filename +.It Fl out Ar file The output -.Ar filename , +.Ar file , standard output by default. .It Fl P Print out the @@ -2788,7 +2788,7 @@ above. .Fl des | des3 .Oc .Op Fl engine Ar id -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl rand Ar file ... .Op Ar paramfile .Ek @@ -2818,9 +2818,9 @@ string) will cause to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.It Fl out Ar filename +.It Fl out Ar file The output -.Ar filename . +.Ar file . If this argument is not specified, standard output is used. .It Ar paramfile This option specifies the DSA parameter file to use. @@ -2850,7 +2850,7 @@ much quicker than RSA key generation, for example. .Oc .Op Fl engine Ar id .Op Fl 3 | f4 -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl passout Ar arg .Op Fl rand Ar file ... .Op Ar numbits 
@@ -2888,9 +2888,9 @@ The default is 65537. The size of the private key to generate in bits. This must be the last option specified. The default is 512. -.It Fl out Ar filename +.It Fl out Ar file The output -.Ar filename . +.Ar file . If this argument is not specified, standard output is used. .It Fl passout Ar arg The output file password source. @@ -2935,8 +2935,8 @@ they will be much larger .Sh NSEQ .Nm openssl nseq .Op Fl toseq -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Pp The .Nm nseq @@ -2947,13 +2947,13 @@ sequence. .Pp The options are as follows: .Bl -tag -width "-toseq" -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read or standard input if this option is not specified. -.It Fl out Ar filename +.It Fl out Ar file Specifies the output -.Ar filename +.Ar file or standard output by default. .It Fl toseq Normally, a Netscape certificate sequence will be input and the output 
@@ -3000,53 +3000,53 @@ input and output files and allowing multiple certificate files to be used. .Sh OCSP .Nm openssl ocsp .Bk -words -.Op Fl out Ar file -.Op Fl issuer Ar file -.Op Fl cert Ar file -.Op Fl serial Ar n -.Op Fl signer Ar file -.Op Fl signkey Ar file -.Op Fl sign_other Ar file +.Op Fl no_cert_checks +.Op Fl no_cert_verify .Op Fl no_certs +.Op Fl no_chain +.Op Fl no_intern +.Op Fl no_nonce +.Op Fl no_signature_verify +.Op Fl nonce +.Op Fl noverify .Op Fl req_text +.Op Fl resp_key_id +.Op Fl resp_no_certs .Op Fl resp_text .Op Fl text -.Op Fl reqout Ar file -.Op Fl respout Ar file -.Op Fl reqin Ar file -.Op Fl respin Ar file -.Op Fl nonce -.Op Fl no_nonce -.Op Fl url Ar URL +.Op Fl trust_other +.Op Fl CA Ar file +.Op Fl CAfile Ar file +.Op Fl CApath Ar path +.Op Fl cert Ar file .Oo .Fl host .Ar hostname : Ns Ar port .Oc -.Op Fl path -.Op Fl CApath Ar dir -.Op Fl CAfile Ar file -.Op Fl VAfile Ar file -.Op Fl validity_period Ar n -.Op Fl status_age Ar n -.Op Fl noverify -.Op Fl verify_other Ar file -.Op Fl trust_other -.Op Fl no_intern -.Op Fl no_signature_verify -.Op Fl no_cert_verify -.Op Fl no_chain -.Op Fl no_cert_checks -.Op Fl port Ar num -.Op Fl index Ar file -.Op Fl CA Ar file -.Op Fl rsigner Ar file +.Op Fl index Ar indexfile +.Op Fl issuer Ar file +.Op Fl ndays Ar days +.Op Fl nmin Ar minutes +.Op Fl nrequest Ar number +.Op Fl out Ar file +.Op Fl path Ar path +.Op Fl port Ar portnum +.Op Fl reqin Ar file +.Op Fl reqout Ar file +.Op Fl respin Ar file +.Op Fl respout Ar file .Op Fl rkey Ar file .Op Fl rother Ar file -.Op Fl resp_no_certs -.Op Fl nmin Ar n -.Op Fl ndays Ar n -.Op Fl resp_key_id -.Op Fl nrequest Ar n +.Op Fl rsigner Ar file +.Op Fl serial Ar number +.Op Fl sign_other Ar file +.Op Fl signer Ar file +.Op Fl signkey Ar file +.Op Fl status_age Ar age +.Op Fl url Ar responder_url +.Op Fl VAfile Ar file +.Op Fl validity_period Ar nsec +.Op Fl verify_other Ar file .Ek .Pp The Online Certificate Status Protocol 
@@ -3065,49 +3065,67 @@ and behave like a mini OCSP server itself. .Pp The options are as follows: .Bl -tag -width "XXXX" -.It Fl out Ar filename -Specify output -.Ar filename , -default is standard output. -.It Fl issuer Ar filename -This specifies the current issuer certificate. -This option can be used multiple times. -The certificate specified in -.Ar filename -must be in -.Ar PEM -format. -.It Fl cert Ar filename +.It Fl CAfile Ar file , Fl CApath Ar path +.Ar file +or +.Ar path +containing trusted CA certificates. +These are used to verify the signature on the OCSP response. +.It Fl cert Ar file Add the certificate -.Ar filename +.Ar file to the request. The issuer certificate is taken from the previous .Fl issuer option, or an error occurs if no issuer certificate is specified. -.It Fl serial Ar num -Same as the -.Fl cert -option except the certificate with serial number -.Ar num -is added to the request. -The serial number is interpreted as a decimal integer unless preceded by -.Sq 0x . -Negative integers can also be specified by preceding the value with a -.Sq - -sign. -.It Fl signer Ar filename , Fl signkey Ar filename -Sign the OCSP request using the certificate specified in the -.Fl signer -option and the private key specified by the -.Fl signkey -option. +.It Xo +.Fl host Ar hostname : Ns Ar port , +.Fl path Ar path +.Xc If the -.Fl signkey -option is not present, then the private key is read from the same file -as the certificate. -If neither option is specified, then the OCSP request is not signed. -.It Fl sign_other Ar filename -Additional certificates to include in the signed request. +.Fl host +option is present, then the OCSP request is sent to the host +.Ar hostname +on port +.Ar port . +.Fl path +specifies the HTTP path name to use, or +.Sq / +by default. +.It Fl issuer Ar file +This specifies the current issuer certificate. +This option can be used multiple times. +The certificate specified in +.Ar file +must be in +.Ar PEM +format. 
+.It Fl no_cert_checks +Don't perform any additional checks on the OCSP response signer's certificate. +That is, do not make any checks to see if the signer's certificate is +authorised to provide the necessary status information: +as a result this option should only be used for testing purposes. +.It Fl no_cert_verify +Don't verify the OCSP response signer's certificate at all. +Since this option allows the OCSP response to be signed by any certificate, +it should only be used for testing purposes. +.It Fl no_certs +Don't include any certificates in signed request. +.It Fl no_chain +Do not use certificates in the response as additional untrusted CA +certificates. +.It Fl no_intern +Ignore certificates contained in the OCSP response +when searching for the signer's certificate. +With this option, the signer's certificate must be specified with either the +.Fl verify_certs +or +.Fl VAfile +options. +.It Fl no_signature_verify +Don't check the signature on the OCSP response. +Since this option tolerates invalid signatures on OCSP responses, +it will normally only be used for testing purposes. .It Fl nonce , no_nonce Add an OCSP .Em nonce 
@@ -3133,52 +3151,57 @@ a is automatically added; specifying .Fl no_nonce overrides this. +.It Fl noverify +Don't attempt to verify the OCSP response signature or the +.Em nonce +values. +This option will normally only be used for debugging +since it disables all verification of the responder's certificate. +.It Fl out Ar file +Specify output +.Ar file ; +default is standard output. .It Fl req_text , resp_text , text Print out the text form of the OCSP request, response, or both, respectively. -.It Fl reqout Ar file , Fl respout Ar file -Write out the DER encoded certificate request or response to -.Ar file . .It Fl reqin Ar file , Fl respin Ar file Read an OCSP request or response file from .Ar file . These option are ignored if an OCSP request or response creation is implied by other options (for example with the -.Fl serial , cert +.Fl serial , cert , and .Fl host options). -.It Fl url Ar responder_url -Specify the responder URL. -Both HTTP and HTTPS -.Pq SSL/TLS -URLs can be specified. -.It Xo -.Fl host Ar hostname : Ns Ar port , -.Fl path Ar pathname -.Xc +.It Fl reqout Ar file , Fl respout Ar file +Write out the +.Ar DER +encoded certificate request or response to +.Ar file . +.It Fl serial Ar num +Same as the +.Fl cert +option except the certificate with serial number +.Ar num +is added to the request. +The serial number is interpreted as a decimal integer unless preceded by +.Sq 0x . +Negative integers can also be specified by preceding the value with a +.Sq - +sign. +.It Fl sign_other Ar file +Additional certificates to include in the signed request. +.It Fl signer Ar file , Fl signkey Ar file +Sign the OCSP request using the certificate specified in the +.Fl signer +option and the private key specified by the +.Fl signkey +option. If the -.Fl host -option is present, then the OCSP request is sent to the host -.Ar hostname -on port -.Ar port . -.Fl path -specifies the HTTP path name to use, or -.Sq / -by default. 
-.It Fl CAfile Ar file , Fl CApath Ar pathname -.Ar file -or -.Ar pathname -containing trusted CA certificates. -These are used to verify the signature on the OCSP response. -.It Fl verify_other Ar file -.Ar file -containing additional certificates to search when attempting to locate -the OCSP response signing certificate. -Some responders omit the actual signer's certificate from the response: -this option can be used to supply the necessary certificate in such cases. +.Fl signkey +option is not present, then the private key is read from the same file +as the certificate. +If neither option is specified, then the OCSP request is not signed. .It Fl trust_other The certificates specified by the .Fl verify_certs @@ -3186,6 +3209,11 @@ option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate. +.It Fl url Ar responder_url +Specify the responder URL. +Both HTTP and HTTPS +.Pq SSL/TLS +URLs can be specified. .It Fl VAfile Ar file .Ar file containing explicitly trusted responder certificates. 
@@ -3194,36 +3222,6 @@ Equivalent to the and .Fl trust_other options. -.It Fl noverify -Don't attempt to verify the OCSP response signature or the -.Em nonce -values. -This option will normally only be used for debugging -since it disables all verification of the responders certificate. -.It Fl no_intern -Ignore certificates contained in the OCSP response -when searching for the signer's certificate. -With this option the signer's certificate must be specified with either the -.Fl verify_certs -or -.Fl VAfile -options. -.It Fl no_signature_verify -Don't check the signature on the OCSP response. -Since this option tolerates invalid signatures on OCSP responses, -it will normally only be used for testing purposes. -.It Fl no_cert_verify -Don't verify the OCSP response signer's certificate at all. -Since this option allows the OCSP response to be signed by any certificate, -it should only be used for testing purposes. -.It Fl no_chain -Do not use certificates in the response as additional untrusted CA -certificates. -.It Fl no_cert_checks -Don't perform any additional checks on the OCSP response signer's certificate. -That is, do not make any checks to see if the signer's certificate is -authorised to provide the necessary status information: -as a result this option should only be used for testing purposes. .It Fl validity_period Ar nsec , Fl status_age Ar age These options specify the range of times, in seconds, which will be tolerated in an OCSP response. 
@@ -3251,9 +3249,18 @@ field is checked to see it is not older than .Ar age seconds old. By default, this additional check is not performed. +.It Fl verify_other Ar file +.Ar file +containing additional certificates to search when attempting to locate +the OCSP response signing certificate. +Some responders omit the actual signer's certificate from the response; +this option can be used to supply the necessary certificate in such cases. .El .Sh OCSP SERVER OPTIONS .Bl -tag -width "XXXX" +.It Fl CA Ar file +CA certificate corresponding to the revocation information in +.Ar indexfile . .It Fl index Ar indexfile .Ar indexfile is a text index file in @@ -3289,32 +3296,6 @@ option is present, then the and .Fl rsigner options must also be present. -.It Fl CA Ar file -CA certificate corresponding to the revocation information in -.Ar indexfile . -.It Fl rsigner Ar file -The certificate to sign OCSP responses with. -.It Fl rother Ar file -Additional certificates to include in the OCSP response. -.It Fl resp_no_certs -Don't include any certificates in the OCSP response. -.It Fl resp_key_id -Identify the signer certificate using the key ID, -default is to use the subject name. -.It Fl rkey Ar file -The private key to sign OCSP responses with; -if not present, the file specified in the -.Fl rsigner -option is used. -.It Fl port Ar portnum -Port to listen for OCSP requests on. -The port may also be specified using the -.Fl url -option. -.It Fl nrequest Ar number -The OCSP server will exit after receiving -.Ar number -requests, default unlimited. .It Fl nmin Ar minutes , Fl ndays Ar days Number of .Ar minutes 
@@ -3326,6 +3307,29 @@ field. If neither option is present, then the .Em nextUpdate field is omitted, meaning fresh revocation information is immediately available. +.It Fl nrequest Ar number +The OCSP server will exit after receiving +.Ar number +requests, default unlimited. +.It Fl port Ar portnum +Port to listen for OCSP requests on. +The port may also be specified using the +.Fl url +option. +.It Fl resp_key_id +Identify the signer certificate using the key ID; +default is to use the subject name. +.It Fl resp_no_certs +Don't include any certificates in the OCSP response. +.It Fl rkey Ar file +The private key to sign OCSP responses with; +if not present, the file specified in the +.Fl rsigner +option is used. +.It Fl rother Ar file +Additional certificates to include in the OCSP response. +.It Fl rsigner Ar file +The certificate to sign OCSP responses with. .El .Sh OCSP RESPONSE VERIFICATION OCSP Response follows the rules specified in RFC 2560. @@ -3423,7 +3427,7 @@ $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e -url http://ocsp.myhost.com/ -resp_text -respout resp.der .Ed .Pp -Read in an OCSP response and print out text form: +Read in an OCSP response and print out in text form: .Pp .Dl $ openssl ocsp -respin resp.der -text .Pp @@ -3448,8 +3452,8 @@ $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 .Ed .Pp -Query status information using request read from a file, write response to a -second file: +Query status information using request read from a file and write +the response to a second file: .Bd -literal -offset indent $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e demoCA/cacert.pem -reqin req.der -respout resp.der @@ -3554,8 +3558,8 @@ prints .Bk -words .Op Fl inform Ar DER | PEM .Op Fl outform Ar DER | PEM -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Op Fl print_certs .Op Fl text .Op Fl noout 
@@ -3583,13 +3587,13 @@ is a base64 encoded version of the DER form with header and footer lines. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read from or standard input if this option is not specified. -.It Fl out Ar filename +.It Fl out Ar file Specifies the output -.Ar filename +.Ar file to write to or standard output by default. .It Fl print_certs Prints out any certificates or CRLs contained in the file. @@ -3650,9 +3654,9 @@ They cannot currently parse, for example, the new CMS as described in RFC 2630. .Op Fl topk8 .Op Fl inform Ar DER | PEM .Op Fl outform Ar DER | PEM -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl passin Ar arg -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl passout Ar arg .Op Fl noiter .Op Fl nocrypt @@ -3698,9 +3702,9 @@ format of the traditional format private key is used. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a key from or standard input if this option is not specified. If the key is encrypted, a pass phrase will be prompted for. .It Fl passin Ar arg @@ -3710,9 +3714,9 @@ For more information about the format of see the .Sx PASS PHRASE ARGUMENTS section above. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write a key to or standard output by default. If any encryption options are set then a pass phrase will be prompted for. The output filename should 
@@ -3907,14 +3911,14 @@ compatibility, several of the utilities use the old format at present. .Bk -words .Op Fl export .Op Fl chain -.Op Fl inkey Ar filename -.Op Fl certfile Ar filename +.Op Fl inkey Ar file +.Op Fl certfile Ar file .Op Fl CApath Ar directory -.Op Fl CAfile Ar filename +.Op Fl CAfile Ar file .Op Fl name Ar name .Op Fl caname Ar name -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Op Fl noout .Op Fl nomacver .Op Fl nocerts @@ -3959,14 +3963,14 @@ option .Pq see below . .Sh PKCS12 PARSING OPTIONS .Bl -tag -width "XXXX" -.It Fl in Ar filename +.It Fl in Ar file This specifies the -.Ar filename +.Ar file of the PKCS#12 file to be parsed. Standard input is used by default. -.It Fl out Ar filename +.It Fl out Ar file The -.Ar filename +.Ar file to write certificates and private keys to, standard output by default. They are all written in .Em PEM @@ -4024,14 +4028,14 @@ PKCS#12 files unreadable. .It Fl export This option specifies that a PKCS#12 file will be created rather than parsed. -.It Fl out Ar filename +.It Fl out Ar file This specifies -.Ar filename +.Ar file to write the PKCS#12 file to. Standard output is used by default. -.It Fl in Ar filename +.It Fl in Ar file The -.Ar filename +.Ar file to read certificates and private keys from, standard input by default. They must all be in .Em PEM @@ -4040,7 +4044,7 @@ The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present, they will also be included in the PKCS#12 file. -.It Fl inkey Ar filename +.It Fl inkey Ar file File to read private key from. If not present then a private key must be present in the input file. .It Fl name Ar friendlyname 
@@ -4048,12 +4052,12 @@ This specifies the .Qq friendly name for the certificate and private key. This name is typically displayed in list boxes by software importing the file. -.It Fl certfile Ar filename -A filename to read additional certificates from. +.It Fl certfile Ar file +A file to read additional certificates from. .It Fl CApath Ar directory Directory of CAs .Pq PEM format . -.It Fl CAfile Ar filename +.It Fl CAfile Ar file File of CAs .Pq PEM format . .It Fl caname Ar friendlyname @@ -4334,9 +4338,9 @@ The engine will then be set as the default for all available algorithms. .Bk -words .Op Fl inform Ar DER | PEM .Op Fl outform Ar DER | PEM -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl passin Ar arg -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl passout Ar arg .Op Fl text .Op Fl pubkey @@ -4357,11 +4361,11 @@ The engine will then be set as the default for all available algorithms. .Oc .Op Fl nodes .Op Fl subject -.Op Fl key Ar filename +.Op Fl key Ar file .Op Fl keyform Ar DER | PEM -.Op Fl keyout Ar filename +.Op Fl keyout Ar file .Op Fl md5 | sha1 | md2 | md4 -.Op Fl config Ar filename +.Op Fl config Ar file .Op Fl subj Ar arg .Op Fl x509 .Op Fl days Ar n @@ -4401,9 +4405,9 @@ footer lines. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a request from, or standard input if this option is not specified. A request is only read if the creation options @@ -4418,9 +4422,9 @@ For more information about the format of see the .Sx PASS PHRASE ARGUMENTS section above. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write to, or standard output by default. .It Fl passout Ar arg The output file password source. 
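Review bot: hunk @@ -4048 leaves `.It Fl caname Ar friendlyname` (and the context of the previous hunk leaves `.It Fl name Ar friendlyname`) while the pkcs12 synopsis in hunk @@ -3907 has `.Op Fl name Ar name` and `.Op Fl caname Ar name`; since this commit is normalising argument names, pick one spelling for each option and use it in both the synopsis and the item list.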
@@ -4465,10 +4469,10 @@ where is the number of bits, generates an RSA key .Ar nbits in size. -.Ar dsa : Ns Ar filename +.Ar dsa : Ns Ar file generates a DSA key using the parameters in the file -.Ar filename . -.It Fl key Ar filename +.Ar file . +.It Fl key Ar file This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for .Em PEM @@ -4479,9 +4483,9 @@ The format of the private key file specified in the argument. .Ar PEM is the default. -.It Fl keyout Ar filename +.It Fl keyout Ar file This gives the -.Ar filename +.Ar file to write the newly created private key to. If this option is not specified, then the filename present in the configuration file is used. @@ -4494,7 +4498,7 @@ Output the request's subject. This specifies the message digest to sign the request with. This overrides the digest algorithm specified in the configuration file. This option is ignored for DSA requests: they always use SHA1. -.It Fl config Ar filename +.It Fl config Ar file This allows an alternative configuration file to be specified; this overrides the compile time filename or any specified in the @@ -4628,7 +4632,7 @@ It can be overridden by using the .Fl newkey option. .It Ar default_keyfile -This is the default filename to write a private key to. +This is the default file to write a private key to. If not specified, the key is written to standard output. This can be overridden by the .Fl keyout @@ -4647,7 +4651,7 @@ object identifier followed by and the numerical form. The short and long names are the same when this option is used. .It Ar RANDFILE -This specifies a filename in which random number seed information is +This specifies a file in which random number seed information is placed and read from, or an EGD socket (see .Xr RAND_egd 3 ) . It is used for private key generation. 
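Review bot: in hunk @@ -4465 the `dsa` form now renders as "generates a DSA key using the parameters in the file file." because the prose word "file" is immediately followed by `.Ar file .`; suggest dropping the prose word so the line reads "generates a DSA key using the parameters in" / ".Ar file .".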
@@ -5062,9 +5066,9 @@ should be input by the user. .Bk -words .Op Fl inform Ar DER | NET | PEM .Op Fl outform Ar DER | NET | PEM -.Op Fl in Ar filename +.Op Fl in Ar file .Op Fl passin Ar arg -.Op Fl out Ar filename +.Op Fl out Ar file .Op Fl passout Ar arg .Op Fl sgckey .Oo @@ -5116,9 +5120,9 @@ section. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a key from or standard input if this option is not specified. If the key is encrypted, a pass phrase will be prompted for. @@ -5129,9 +5133,9 @@ For more information about the format of see the .Sx PASS PHRASE ARGUMENTS section above. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write a key to, or standard output if this option is not specified. If any encryption options are set then, a pass phrase will be prompted for. The output filename should @@ -5289,14 +5293,14 @@ data using the RSA algorithm. .Pp The options are as follows: .Bl -tag -width "XXXX" -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read data from or standard input if this option is not specified. -.It Fl out Ar filename +.It Fl out Ar file Specifies the output -.Ar filename +.Ar file to write to or standard output by default. .It Fl inkey Ar file @@ -5451,10 +5455,10 @@ which it can be seen agrees with the recovered value above. .Fl connect Ar host : Ns Ar port .Oc .Op Fl verify Ar depth -.Op Fl cert Ar filename -.Op Fl key Ar filename +.Op Fl cert Ar file +.Op Fl key Ar file .Op Fl CApath Ar directory -.Op Fl CAfile Ar filename +.Op Fl CAfile Ar file .Op Fl reconnect .Op Fl pause .Op Fl showcerts 
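Review bot: the unchanged context at the end of hunk @@ -5129 reads "If any encryption options are set then, a pass phrase will be prompted for." with the comma after "then"; the pkcs8 version of the same sentence in hunk @@ -3710 has no comma at all. While this item is being touched, suggest "If any encryption options are set, then a pass phrase will be prompted for." in both places so the two descriptions agree.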
@@ -5713,11 +5717,11 @@ We should really report information whenever a session is renegotiated. .Op Fl context Ar id .Op Fl verify Ar depth .Op Fl Verify Ar depth -.Op Fl cert Ar filename +.Op Fl cert Ar file .Op Fl key Ar keyfile -.Op Fl dcert Ar filename +.Op Fl dcert Ar file .Op Fl dkey Ar keyfile -.Op Fl dhparam Ar filename +.Op Fl dhparam Ar file .Op Fl nbio .Op Fl nbio_test .Op Fl crlf @@ -5725,7 +5729,7 @@ We should really report information whenever a session is renegotiated. .Op Fl msg .Op Fl state .Op Fl CApath Ar directory -.Op Fl CAfile Ar filename +.Op Fl CAfile Ar file .Op Fl nocert .Op Fl cipher Ar cipherlist .Op Fl serverpref @@ -5770,13 +5774,13 @@ certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS .Pq DSA key. -If not specified, then the filename +If not specified, then the file .Pa server.pem will be used. .It Fl key Ar keyfile The private key to use. If not specified, then the certificate file will be used. -.It Fl dcert Ar filename , Fl dkey Ar keyname +.It Fl dcert Ar file , Fl dkey Ar keyname Specify an additional certificate and private key; these behave in the same manner as the .Fl cert @@ -5797,7 +5801,7 @@ by using an appropriate certificate. If this option is set, then no certificate is used. This restricts the cipher suites available to the anonymous ones .Pq currently just anonymous DH . -.It Fl dhparam Ar filename +.It Fl dhparam Ar file The DH parameter file to use. The ephemeral DH cipher suites generate keys using a set of DH parameters. @@ -6005,8 +6009,8 @@ utility is currently undocumented. .Bk -words .Op Fl inform Ar DER | PEM .Op Fl outform Ar DER | PEM -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Op Fl text .Op Fl cert .Op Fl noout 
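Review bot: hunk @@ -5713 changes `-cert`, `-dcert` and `-dhparam` to `Ar file` but keeps `.Op Fl key Ar keyfile` and `.Op Fl dkey Ar keyfile` beside them, whereas the s_client synopsis in hunk @@ -5451 uses `.Op Fl key Ar file`; either name is fine, but the two synopses should agree on how a key file argument is written.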
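Review bot: in hunk @@ -5770 the new `.It Fl dcert Ar file , Fl dkey Ar keyname` names the `-dkey` argument `keyname`, but the synopsis in hunk @@ -5713 has `.Op Fl dkey Ar keyfile` and the `-key` item just above this one already uses `.It Fl key Ar keyfile`; suggest `Fl dkey Ar keyfile` so the item matches the synopsis.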
@@ -6039,13 +6043,13 @@ format base64 encoded with additional header and footer lines. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read session information from, or standard input by default. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write session information to, or standard output if this option is not specified. .It Fl text @@ -6214,7 +6218,7 @@ Both clear text and opaque signing is supported. Takes an input message and writes out a .Em PEM encoded PKCS#7 structure. -.It Fl in Ar filename +.It Fl in Ar file The input message to be encrypted or signed or the .Em MIME message to @@ -6237,7 +6241,7 @@ structure; if no PKCS#7 structure is being input (for example with or .Fl sign ) , this option has no effect. -.It Fl out Ar filename +.It Fl out Ar file The message text that has been decrypted or verified, or the output .Em MIME format message that has been signed or verified. @@ -6259,7 +6263,7 @@ structure; if no PKCS#7 structure is being output (for example with or .Fl decrypt ) this option has no effect. -.It Fl content Ar filename +.It Fl content Ar file This specifies a file containing the detached content. This is only useful with the .Fl verify @@ -6673,8 +6677,8 @@ for all available algorithms. .\" .Sh SPKAC .Nm openssl spkac -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Op Fl key Ar keyfile .Op Fl passin Ar arg .Op Fl challenge Ar string 
@@ -6695,16 +6699,16 @@ produce its own SPKACs from a supplied private key. .Pp The options are as follows: .Bl -tag -width "XXXX" -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read from or standard input if this option is not specified. Ignored if the .Fl key option is used. -.It Fl out Ar filename +.It Fl out Ar file Specifies the output -.Ar filename +.Ar file to write to or standard output by default. .It Fl key Ar keyfile Create an SPKAC file using the private key in @@ -6889,7 +6893,7 @@ This is useful if the first certificate filename begins with a One or more .Ar certificates to verify. -If no certificate filenames are included, then an attempt is made to read +If no certificate files are included, then an attempt is made to read a certificate from standard input. They should all be in .Em PEM @@ -7196,8 +7200,8 @@ option was added in .Op Fl keyform Ar DER | PEM .Op Fl CAform Ar DER | PEM .Op Fl CAkeyform Ar DER | PEM -.Op Fl in Ar filename -.Op Fl out Ar filename +.Op Fl in Ar file +.Op Fl out Ar file .Op Fl passin Ar arg .Op Fl serial .Op Fl hash @@ -7224,18 +7228,18 @@ option was added in .Op Fl days Ar arg .Op Fl checkend Ar arg .Op Fl set_serial Ar n -.Op Fl signkey Ar filename +.Op Fl signkey Ar file .Op Fl x509toreq .Op Fl req -.Op Fl CA Ar filename -.Op Fl CAkey Ar filename +.Op Fl CA Ar file +.Op Fl CAkey Ar file .Op Fl CAcreateserial -.Op Fl CAserial Ar filename +.Op Fl CAserial Ar file .Op Fl text .Op Fl C .Op Fl md2 | md5 | sha1 .Op Fl clrext -.Op Fl extfile Ar filename +.Op Fl extfile Ar file .Op Fl extensions Ar section .Op Fl engine Ar id .Ek 
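Review bot: hunk @@ -6889 changes "certificate filenames" to "certificate files", but the context two lines above it still says "if the first certificate filename begins with a". The same prose "filename" survives next to renamed arguments in hunks @@ -3710 and @@ -5129 ("The output filename should"), @@ -4479 ("the filename present in the configuration file") and @@ -4494 ("the compile time filename"). If prose is being normalised too, as hunks @@ -4628 and @@ -6889 do, these should follow; otherwise leave all of the prose alone and rename only the `.Ar` placeholders.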
@@ -7271,13 +7275,13 @@ obsolete. This specifies the output format; the options have the same meaning as the .Fl inform option. -.It Fl in Ar filename +.It Fl in Ar file This specifies the input -.Ar filename +.Ar file to read a certificate from or standard input if this option is not specified. -.It Fl out Ar filename +.It Fl out Ar file This specifies the output -.Ar filename +.Ar file to write to or standard output by default. .It Fl passin Ar arg The key password source. @@ -7472,7 +7476,7 @@ utility can be used to sign certificates and requests: it can thus behave like a .Qq mini CA . .Bl -tag -width "XXXX" -.It Fl signkey Ar filename +.It Fl signkey Ar file This option causes the input file to be self-signed using the supplied private key. .Pp @@ -7542,7 +7546,7 @@ options) is not used. The serial number can be decimal or hex (if preceded by .Sq 0x ) . Negative serial numbers can also be specified but their use is not recommended. -.It Fl CA Ar filename +.It Fl CA Ar file Specifies the CA certificate to be used for signing. When this option is present, .Nm x509 @@ -7558,11 +7562,11 @@ option. Without the .Fl req option, the input is a certificate which must be self-signed. -.It Fl CAkey Ar filename +.It Fl CAkey Ar file Sets the CA private key to sign a certificate with. If this option is not specified, then it is assumed that the CA private key is present in the CA certificate file. -.It Fl CAserial Ar filename +.It Fl CAserial Ar file Sets the CA serial number file to use. .Pp When the @@ -7591,7 +7595,7 @@ as its serial number. Normally, if the .Fl CA option is specified and the serial number file does not exist, it is an error. -.It Fl extfile Ar filename +.It Fl extfile Ar file File containing certificate extensions to use. If not specified, then no extensions are added to the certificate. .It Fl extensions Ar section |