=pod
-
-=begin comment
-{- join("\n", @autowarntext) -}
-
-=end comment
+{- OpenSSL::safe::output_do_not_edit_headers(); -}
=head1 NAME
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-CAform> B<DER>|B<PEM>]
-[B<-CAkeyform> B<DER>|B<PEM>]
+[B<-CAkeyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-serial>]
[B<-hash>]
[B<-subject_hash>]
+[B<-subject_hash_old>]
[B<-issuer_hash>]
+[B<-issuer_hash_old>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
-[B<-nameopt> I<option>]
[B<-email>]
[B<-ocsp_uri>]
[B<-startdate>]
[B<-days> I<arg>]
[B<-set_serial> I<n>]
[B<-signkey> I<filename>]
+[B<-badsig>]
[B<-passin> I<arg>]
[B<-x509toreq>]
[B<-req>]
[B<-CAcreateserial>]
[B<-CAserial> I<filename>]
[B<-new>]
+[B<-next_serial>]
+[B<-nocert>]
[B<-force_pubkey> I<filename>]
[B<-subj> I<arg>]
[B<-text>]
[B<-ext> I<extensions>]
[B<-certopt> I<option>]
+[B<-checkhost> I<host>]
+[B<-checkemail> I<host>]
+[B<-checkip> I<ipaddr>]
[B<-C>]
[B<-I<digest>>]
[B<-clrext>]
[B<-extfile> I<filename>]
[B<-extensions> I<section>]
[B<-sigopt> I<nm>:I<v>]
-[B<-engine> I<id>]
[B<-preserve_dates>]
+{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine subject_hash_old issuer_hash_old
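Review bot: The synopsis entry `[B<-checkemail> I<host>]` names its argument I<host>, but the item added further down is `=item B<-checkemail> I<email>` and describes an email address. Change the synopsis line to `[B<-checkemail> I<email>]` so the two agree.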
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-preserve_dates>
When signing a certificate, preserve the "notBefore" and "notAfter" dates
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head2 Display Options
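Review bot: The added `{- $OpenSSL::safe::opt_engine_item -}` sits directly after a context line that reads `{- $OpenSSL::safe::opt_r_synopsis -}`, inside the =item list. The synopsis uses the `_synopsis` variables and the new line here uses the `_item` form, so the preceding line looks like it should be `opt_r_item`. Worth correcting in the same change, otherwise a synopsis fragment is emitted in the middle of the option descriptions.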
B<-certopt> switch may be also be used more than once to set multiple
options. See the L</Text Options> section for more information.
+=item B<-checkhost> I<host>
+
+Check that the certificate matches the specified host.
+
+=item B<-checkemail> I<email>
+
+Check that the certificate matches the specified email address.
+
+=item B<-checkip> I<ipaddr>
+
+Check that the certificate matches the specified IP address.
+
=item B<-noout>
This option prevents output of the encoded version of the certificate.
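Review bot: The three new items (B<-checkhost>, B<-checkemail>, B<-checkip>) say only that the certificate is checked against the given value, not how the result is reported. Document what is printed on a match and on a mismatch and whether the exit status changes, since scripts that gate on these checks need to know which one to test. It would also help to say which certificate fields are compared.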
Outputs the issuer name.
-=item B<-nameopt> I<option>
-
-Option which determines how the subject or issuer names are displayed. The
-I<option> argument can be a single option or multiple options separated by
-commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L</Name Options> section for more information.
+{- $OpenSSL::safe::opt_name_item -}
=item B<-email>
It retains any certificate extensions unless the B<-clrext> option is supplied;
this includes, for example, any existing key identifier extensions.
+=item B<-badsig>
+
+Corrupt the signature before writing it; this can be useful
+for testing.
+
=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
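Review bot: The B<-badsig> description stops at "useful for testing" and does not state the consequence for the output. Suggest saying that the certificate or request written by the command carries a deliberately invalid signature and will fail verification, so that a test artifact is not mistaken for a usable one.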
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> and <-force_pubkey> options need to be given.
+=item B<-next_serial>
+
+Set the serial to be one more than the number in the certificate.
+
+=item B<-nocert>
+
+Do not generate or output a certificate.
+
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
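Review bot: B<-next_serial> refers to "the number in the certificate" without saying which certificate is meant or how the option interacts with B<-set_serial>, B<-CAserial> and B<-CAcreateserial> from the synopsis. B<-nocert> likewise does not say what the command still does when no certificate is generated or output. Separately, the context line above the new items reads `<-force_pubkey>` without the leading B, so it will not render as an option name; `B<-force_pubkey>` is presumably intended.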
=back
-=head2 Name Options
-
-The B<-nameopt> command line switch determines how the subject and issuer
-names are displayed. If no B<-nameopt> switch is present the default "oneline"
-format is used which is compatible with previous versions of OpenSSL.
-Each option is described in detail below, all options can be preceded by
-a B<-> to turn the option off. Only the first four will normally be used.
-
-=over 4
-
-=item B<compat>
-
-Use the old format.
-
-=item B<RFC2253>
-
-Displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
-B<esc_msb>, B<utf8>, B<dump_nostr>, B<dump_unknown>, B<dump_der>,
-B<sep_comma_plus>, B<dn_rev> and B<sname>.
-
-=item B<oneline>
-
-A oneline format which is more readable than RFC2253. It is equivalent to
-specifying the B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
-B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
-options. This is the I<default> of no name options are given explicitly.
-
-=item B<multiline>
-
-A multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
-B<space_eq>, B<lname> and B<align>.
-
-=item B<esc_2253>
-
-Escape the "special" characters required by RFC2253 in a field. That is
-B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
-and a space character at the beginning or end of a string.
-
-=item B<esc_2254>
-
-Escape the "special" characters required by RFC2254 in a field. That is
-the B<NUL> character as well as and B<()*>.
-
-=item B<esc_ctrl>
-
-Escape control characters. That is those with ASCII values less than
-0x20 (space) and the delete (0x7f) character. They are escaped using the
-RFC2253 \XX notation (where XX are two hex digits representing the
-character value).
-
-=item B<esc_msb>
-
-Escape characters with the MSB set, that is with ASCII values larger than
-127.
-
-=item B<use_quote>
-
-Escapes some characters by surrounding the whole string with B<"> characters,
-without the option all escaping is done with the B<\> character.
-
-=item B<utf8>
-
-Convert all strings to UTF8 format first. This is required by RFC2253. If
-you are lucky enough to have a UTF8 compatible terminal then the use
-of this option (and B<not> setting B<esc_msb>) may result in the correct
-display of multibyte (international) characters. Is this option is not
-present then multibyte characters larger than 0xff will be represented
-using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits.
-Also if this option is off any UTF8Strings will be converted to their
-character form first.
-
-=item B<ignore_type>
-
-This option does not attempt to interpret multibyte characters in any
-way. That is their content octets are merely dumped as though one octet
-represents each character. This is useful for diagnostic purposes but
-will result in rather odd looking output.
-
-=item B<show_type>
-
-Show the type of the ASN1 character string. The type precedes the
-field contents. For example "BMPSTRING: Hello World".
-
-=item B<dump_der>
-
-When this option is set any fields that need to be hexdumped will
-be dumped using the DER encoding of the field. Otherwise just the
-content octets will be displayed. Both options use the RFC2253
-B<#XXXX...> format.
-
-=item B<dump_nostr>
-
-Dump non character string types (for example OCTET STRING) if this
-option is not set then non character string types will be displayed
-as though each content octet represents a single character.
-
-=item B<dump_all>
-
-Dump all fields. This option when used with B<dump_der> allows the
-DER encoding of the structure to be unambiguously determined.
-
-=item B<dump_unknown>
-
-Dump any field whose OID is not recognised by OpenSSL.
-
-=item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
-B<sep_multiline>
-
-These options determine the field separators. The first character is
-between Relative Distinguished Names (RDNs) and the second is between
-multiple Attribute Value Assertions (AVAs, multiple AVAs are
-very rare and their use is discouraged). The options ending in
-"space" additionally place a space after the separator to make it
-more readable. The B<sep_multiline> uses a linefeed character for
-the RDN separator and a spaced B<+> for the AVA separator. It also
-indents the fields by four characters. If no field separator is specified
-then B<sep_comma_plus_space> is used by default.
-
-=item B<dn_rev>
-
-Reverse the fields of the DN. This is required by RFC2253. As a side
-effect this also reverses the order of multiple AVAs but this is
-permissible.
-
-=item B<nofname>, B<sname>, B<lname>, B<oid>
-
-These options alter how the field name is displayed. B<nofname> does
-not display the field at all. B<sname> uses the "short name" form
-(CN for commonName for example). B<lname> uses the long form.
-B<oid> represents the OID in numerical form and is useful for
-diagnostic purpose.
-
-=item B<align>
-
-Align field values for a more readable output. Only usable with
-B<sep_multiline>.
-
-=item B<space_eq>
-
-Places spaces round the B<=> character which follows the field
-name.
-
-=back
-
=head2 Text Options
As well as customising the name output format, it is also possible to
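Review bot: With the whole "Name Options" section removed, the trailing context in "Text Options" still opens with "As well as customising the name output format", which no longer has an antecedent on this page, and the removed B<-nameopt> item was the one that linked to L</Name Options>. Make sure the text generated by `opt_name_item` carries a cross-reference to wherever the name options are now documented, and check this file for any remaining L</Name Options> links.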