-rw-r--r-- usr.bin/openssl/openssl.1 81
1 files changed, 13 insertions, 68 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 004839f448f..a290433d92d 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.72 2016/09/15 17:49:03 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.73 2016/09/15 20:54:28 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -4946,13 +4946,9 @@ If this variable is set to no,
only the signing certificate identifier is included.
The default is no.
.El
-.\"
-.\" SPKAC
-.\"
.Sh SPKAC
.nr nS 1
.Nm "openssl spkac"
-.Bk -words
.Op Fl challenge Ar string
.Op Fl in Ar file
.Op Fl key Ar keyfile
@@ -4963,25 +4959,21 @@ The default is no.
.Op Fl spkac Ar spkacname
.Op Fl spksect Ar section
.Op Fl verify
-.Ek
.nr nS 0
.Pp
The
.Nm spkac
-command processes Netscape signed public key and challenge
-.Pq SPKAC
-files.
+command processes signed public key and challenge (SPKAC) files.
It can print out their contents, verify the signature,
and produce its own SPKACs from a supplied private key.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl challenge Ar string
-Specifies the challenge string if an SPKAC is being created.
+The challenge string, if an SPKAC is being created.
.It Fl in Ar file
-This specifies the input
-.Ar file
-to read from, or standard input if this option is not specified.
+The input file to read from,
+or standard input if not specified.
Ignored if the
.Fl key
option is used.
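Review bot: In the `-in` entry the rewritten description ("The input file to read from,") drops the `.Ar file` markup, while the `-spksect` entry later in this patch still refers to its argument with `.Ar section`. Pick one convention for naming the argument in the description text; if the plain wording is the intended style, `-spksect` should follow it as well.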
@@ -4992,74 +4984,27 @@ The
.Fl in , noout , spksect ,
and
.Fl verify
-options are ignored if present.
+options are ignored, if present.
.It Fl noout
-Don't output the text version of the SPKAC
-.Pq not used if an SPKAC is being created .
+Do not output the text version of the SPKAC.
.It Fl out Ar file
-Specifies the output
-.Ar file
-to write to, or standard output by default.
+The output file to write to,
+or standard output if not specified.
.It Fl passin Ar arg
The key password source.
.It Fl pubkey
-Output the public key of an SPKAC
-.Pq not used if an SPKAC is being created .
+Output the public key of an SPKAC.
.It Fl spkac Ar spkacname
-Allows an alternative name for the variable containing the SPKAC.
+An alternative name for the variable containing the SPKAC.
The default is "SPKAC".
This option affects both generated and input SPKAC files.
.It Fl spksect Ar section
-Allows an alternative name for the
+An alternative name for the
.Ar section
containing the SPKAC.
-The default is the default section.
.It Fl verify
-Verifies the digital signature on the supplied SPKAC.
+Verify the digital signature on the supplied SPKAC.
.El
-.Sh SPKAC EXAMPLES
-Print out the contents of an SPKAC:
-.Pp
-.Dl $ openssl spkac -in spkac.cnf
-.Pp
-Verify the signature of an SPKAC:
-.Pp
-.Dl $ openssl spkac -in spkac.cnf -noout -verify
-.Pp
-Create an SPKAC using the challenge string
-.Qq hello :
-.Pp
-.Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf
-.Pp
-Example of an SPKAC,
-.Pq long lines split up for clarity :
-.Bd -unfilled -offset indent
-SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
-PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
-PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
-2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
-4=
-.Ed
-.Sh SPKAC NOTES
-A created SPKAC with suitable DN components appended can be fed into
-the
-.Nm ca
-utility.
-.Pp
-SPKACs are typically generated by Netscape when a form is submitted
-containing the
-.Em KEYGEN
-tag as part of the certificate enrollment process.
-.Pp
-The challenge string permits a primitive form of proof of possession
-of private key.
-By checking the SPKAC signature and a random challenge
-string, some guarantee is given that the user knows the private key
-corresponding to the public key being certified.
-This is important in some applications.
-Without this it is possible for a previous SPKAC
-to be used in a
-.Qq replay attack .
.\"
.\" VERIFY
.\"
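Review bot: Deleting the SPKAC NOTES section at the end of this hunk removes the only text that says what the challenge string is for (proof of possession of the private key, and that without it a previous SPKAC can be used in a replay attack), so `-challenge` is now documented only as "The challenge string, if an SPKAC is being created." Consider keeping one sentence of that rationale under `-challenge`. Separately, `-pubkey` loses "not used if an SPKAC is being created" but is not in the list of options the `-key` entry says are ignored (`in`, `noout`, `spksect`, `verify`), so its behaviour when an SPKAC is being created is no longer stated; either add it to that list or keep the qualifier.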