=back
+=head1 NOTES
+
+The PEM CRL format uses the header and footer lines:
+
+ -----BEGIN X509 CRL-----
+ -----END X509 CRL-----
+
=head1 EXAMPLES
Convert a CRL file from PEM to DER:
These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the B<rsa> utility to read in an encrypted key with no
+means that using the B<dsa> utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with PEM format output files.
=item B<-pubin>
-by default a private key is input file with this option a public key is input
-instead.
+by default a private key is read from the input file: with this option a
+public key is read instead.
=item B<-pubout>
-----BEGIN DSA PRIVATE KEY-----
-----END DSA PRIVATE KEY-----
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
=head1 EXAMPLES
To remove the pass phrase on a DSA private key:
used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
for PKCS#12 file creation B<-export> and B<-name> are also used.
+If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
+then all certificates will be output in the order they appear in the input
+PKCS#12 files. There is no guarantee that the first certificate present is
+the one corresponding to the private key. Certain software which requires
+a private key and certificate and assumes the first certificate in the
+file is the one corresponding to the private key: this may not always
+be the case. Using the B<-clcerts> option will solve this problem by only
+outputing the certificate corresponding to the private key. If the CA
+certificates are required then they can be output to a separate file using
+the B<-nokeys -cacerts> options to just output CA certificates.
+
The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple DES
algorithms are concerned.
The format of PKCS#8 DSA (and other) private keys is not well documented:
-it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's DSA private
-key format complies with this standard.
+it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
+PKCS#8 private key format complies with this standard.
=head1 BUGS
=item B<-pubin>
-by default a private key is input file with this option a public key is input
-instead.
+by default a private key is read from the input file: with this
+option a public key is read instead.
=item B<-pubout>
-by default a private key is output with this option a public
-key will be output instead. This option is automatically set if the input is
-a public key.
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
=back
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:
projects / oweals / openssl.git / commitdiff