Add P12 format description.
Remove PEM NOTES sections; it's in openssl.pod
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10142)
=item B<-inform> B<DER>|B<PEM>
-The input format. B<DER> is binary format and B<PEM> (the default) is base64
-encoded.
+The input format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
=item B<-keyform> B<DER>|B<PEM>
-The format of the data in the private key file.
-The default is PEM.
+The format of the private key file; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
[B<-sign_receipt>]
[B<-verify_receipt> I<receipt>]
[B<-in> I<filename>]
-[B<-inform> B<DER>|B<PEM>|B<SMIME>]
-[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
[B<-out> I<filename>]
+[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-stream>]
[B<-indef>]
[B<-noindef>]
The input message to be encrypted or signed or the message to be decrypted
or verified.
+=item B<-out> I<filename>
+
+The message text that has been decrypted or verified or the output MIME
+format message that has been signed or verified.
+
=item B<-inform> B<DER>|B<PEM>|B<SMIME>
-This specifies the input format for the CMS structure. The default
-is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
-format change this to expect PEM and DER format CMS structures
-instead. This currently only affects the input format of the CMS
-structure, if no CMS structure is being input (for example with
-B<-encrypt> or B<-sign>) this option has no effect.
+The input format of the CMS structure (if one is being read);
+the default is B<SMIME>.
+See L<openssl(1)/Format Options> for details.
-=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
+=item B<-outform> B<DER>|B<PEM>|B<SMIME>
-Specify the format for a signed receipt for use with the B<-receipt_verify>
-operation.
+The output format of the CMS structure (if one is being written);
+the default is B<SMIME>.
+See L<openssl(1)/Format Options> for details.
-=item B<-out> I<filename>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-The message text that has been decrypted or verified or the output MIME
-format message that has been signed or verified.
+The format of the private key file; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>|B<SMIME>
+=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
-This specifies the output format for the CMS structure. The default
-is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
-format change this to write PEM and DER format CMS structures
-instead. This currently only affects the output format of the CMS
-structure, if no CMS structure is being output (for example with
-B<-verify> or B<-decrypt>) this option has no effect.
+The signed receipt format for use with the B<-receipt_verify>; the default
+is B<SMIME>.
+See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>
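Review bot: the new -rctform text at the end of this hunk names the option B<-receipt_verify>, but the synopsis hunk above lists it as B<-verify_receipt>. The removed text had the same mismatch, so this rewrite is the place to correct it. The sentence also stops at "for use with the B<-receipt_verify>;" with no noun after the option name, where the removed text said "operation". Suggest: "The signed receipt format for use with the B<-verify_receipt> operation; the default is B<SMIME>."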
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-text>]
[B<-in> I<filename>]
[B<-out> I<filename>]
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. B<DER> format is DER encoded CRL
-structure. B<PEM> (the default) is a base64 encoded version of
-the DER form with header and footer lines.
+The input and output formats of the CRL; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The format of the private key file; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
=back
-=head1 NOTES
-
-The PEM CRL format uses the header and footer lines:
-
- -----BEGIN X509 CRL-----
- -----END X509 CRL-----
-
=head1 EXAMPLES
Convert a CRL file from PEM to DER:
=item B<-inform> B<DER>|B<PEM>
-This specifies the CRL input format. B<DER> format is DER encoded CRL
-structure.B<PEM> (the default) is a base64 encoded version of
-the DER form with header and footer lines. The default format is PEM.
+The input format of the CRL; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-outform> B<DER>|B<PEM>
-This specifies the PKCS#7 structure output format. B<DER> format is DER
-encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
-the DER form with header and footer lines. The default format is PEM.
+The output format of the PKCS#7 object; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
[B<-r>]
[B<-out> I<filename>]
[B<-sign> I<filename>]
-[B<-keyform> I<arg>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-verify> I<filename>]
[B<-prverify> I<filename>]
does not support Ed25519 or Ed448 private keys. Use the L<openssl-pkeyutl(1)>
command instead for this.
-=item B<-keyform> I<arg>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-Specifies the key format to sign digest with. The DER, PEM, P12,
-and ENGINE formats are supported.
+The format of the key to sign with; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-sigopt> I<nm>:I<v>
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-form compatible with the PKCS#3 DHparameter structure. The PEM form is the
-default format: it consists of the B<DER> format base64 encoded with
-additional header and footer lines.
-
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The input format and output format; the default is B<PEM>.
+The object is compatible with the PKCS#3 B<DHparameter> structure.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
=head1 NOTES
-PEM format DH parameters use the header and footer lines:
-
- -----BEGIN DH PARAMETERS-----
- -----END DH PARAMETERS-----
-
OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
DH.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option with a private key uses
-an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
-version (currently zero), p, q, g, the public and private key components
-respectively as ASN.1 INTEGERs. When used with a public key it uses a
-SubjectPublicKeyInfo structure: it is an error if the key is not DSA.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-The B<PEM> form is the default format: it consists of the B<DER> format base64
-encoded with additional header and footer lines. In the case of a private key
-PKCS#8 format is also accepted.
+Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
+B<q>, B<g>, and the public and and private key components. Public keys
+are a B<SubjectPublicKeyInfo> structure with the B<DSA> type.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The B<PEM> format also accepts PKCS#8 data.
=item B<-in> I<filename>
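Review bot: "The input and formats" in the new -inform/-outform paragraph is missing the word "output". The same sentence is repeated in the later hunks that merge these two items, so fix them all in one pass. In the private key description, "the public and and private key components" has a doubled "and", and B<ASN.1 INTEGERS> puts the plural inside the bold markup where the DSA parameters text later in this patch writes B<ASN.1 INTEGER>s.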
=back
-=head1 NOTES
-
-The PEM private key format uses the header and footer lines:
-
- -----BEGIN DSA PRIVATE KEY-----
- -----END DSA PRIVATE KEY-----
-
-The PEM public key format uses the header and footer lines:
-
- -----BEGIN PUBLIC KEY-----
- -----END PUBLIC KEY-----
-
=head1 EXAMPLES
To remove the pass phrase on a DSA private key:
This command is used to manipulate or generate DSA parameter files.
+DSA parameter generation can be a slow process and as a result the same set of
+DSA parameters is often used to generate several distinct keys.
+
=head1 OPTIONS
=over 4
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
-of p, q and g respectively. The PEM form is the default format: it consists
-of the B<DER> format base64 encoded with additional header and footer lines.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+Parameters are a sequence of B<ASN.1 INTEGER>s: B<p>, B<q>, and B<g>.
+This is compatible with RFC 2459 B<DSS-Parms> structure.
=item B<-in> I<filename>
=back
-=head1 NOTES
-
-PEM format DSA parameters use the header and footer lines:
-
- -----BEGIN DSA PARAMETERS-----
- -----END DSA PARAMETERS-----
-
-DSA parameter generation is a slow process and as a result the same set of
-DSA parameters is often used to generate several distinct keys.
-
=head1 SEE ALSO
L<openssl(1)>,
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option with a private key uses
-an ASN.1 DER encoded SEC1 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
-The B<PEM> form is the default format: it consists of the B<DER> format base64
-encoded with additional header and footer lines. In the case of a private key
-PKCS#8 format is also accepted.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+Private keys are an SEC1 private key or PKCS#8 format.
+Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
=item B<-in> I<filename>
=back
-=head1 NOTES
-
-The PEM private key format uses the header and footer lines:
-
- -----BEGIN EC PRIVATE KEY-----
- -----END EC PRIVATE KEY-----
-
-The PEM public key format uses the header and footer lines:
-
- -----BEGIN PUBLIC KEY-----
- -----END PUBLIC KEY-----
-
=head1 EXAMPLES
To encrypt a private key using triple DES:
This command is used to manipulate or generate EC parameter files.
+OpenSSL is currently not able to generate new groups and therefore
+this command can only create EC parameters from known (named) curves.
+
=head1 OPTIONS
=over 4
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
-form compatible with RFC 3279 EcpkParameters. The PEM form is the default
-format: it consists of the B<DER> format base64 encoded with additional
-header and footer lines.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+Parameters are encoded as B<EcpkParameters> as specified in IETF RFC 3279.
=item B<-in> I<filename>
=back
-=head1 NOTES
-
-PEM format EC parameters use the header and footer lines:
-
- -----BEGIN EC PARAMETERS-----
- -----END EC PARAMETERS-----
-
-OpenSSL is currently not able to generate new groups and therefore
-B<openssl ecparam> can only create EC parameters from known (named) curves.
-
=head1 EXAMPLES
To create EC parameters with the group 'prime192v1':
=item B<-outform> B<DER>|B<PEM>
-This specifies the output format DER or PEM. The default format is PEM.
+The output format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>
file of certificates and converts it into a Netscape certificate
sequence.
+A Netscape certificate sequence is an old Netscape-specific format that
+can be sometimes be sent to browsers as an alternative to the standard PKCS#7
+format when several certificates are sent to the browser, for example during
+certificate enrollment. It was also used by Netscape certificate server.
+
=head1 OPTIONS
=over 4
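Review bot: "can be sometimes be sent to browsers" in the added paragraph has a doubled "be"; it should read "can sometimes be sent to browsers". The last added sentence also needs an article: "It was also used by the Netscape certificate server."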
openssl nseq -in certs.pem -toseq -out nseq.pem
-=head1 NOTES
-
-The B<PEM> encoded form uses the same headers and footers as a certificate:
-
- -----BEGIN CERTIFICATE-----
- -----END CERTIFICATE-----
-
-A Netscape certificate sequence is a Netscape specific format that can be sent
-to browsers as an alternative to the standard PKCS#7 format when several
-certificates are sent to the browser: for example during certificate enrollment.
-It is used by Netscape certificate server for example.
-
-=head1 BUGS
-
-This program needs a few more options: like allowing DER or PEM input and
-output files and allowing multiple certificate files to be used.
-
=head1 COPYRIGHT
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
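Review bot: the BUGS section is deleted here together with NOTES, but the commit message only mentions adding the P12 description and removing the PEM NOTES sections. If the remark about missing DER/PEM and multiple-file options is being dropped on purpose, say so in the commit message; otherwise keep the section.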
=head1 DESCRIPTION
-This command processes PKCS#7 files in DER or PEM format.
+This command processes PKCS#7 files. Note that it only understands PKCS#7
+v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as
+described in IETF RFC 2630.
+
+There is no option to print out all the fields of a PKCS#7 file.
=head1 OPTIONS
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
-
-This specifies the input format. B<DER> format is DER encoded PKCS#7
-v1.5 structure.B<PEM> (the default) is a base64 encoded version of
-the DER form with header and footer lines.
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-=item B<-outform> B<DER>|B<PEM>
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The data is a PKCS#7 Version 1.5 structure.
=item B<-in> I<filename>
openssl pkcs7 -in file.pem -print_certs -out certs.pem
-=head1 NOTES
-
-The PEM PKCS#7 format uses the header and footer lines:
-
- -----BEGIN PKCS7-----
- -----END PKCS7-----
-
-For compatibility with some CAs it will also accept:
-
- -----BEGIN CERTIFICATE-----
- -----END CERTIFICATE-----
-
-=head1 RESTRICTIONS
-
-There is no option to print out all the fields of a PKCS#7 file.
-
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
-cannot currently parse, for example, the new CMS as described in RFC2630.
-
=head1 SEE ALSO
L<openssl(1)>,
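Review bot: removing this NOTES section drops the statement that, for compatibility with some CAs, the command also accepts input wrapped in BEGIN CERTIFICATE / END CERTIFICATE lines. The new Format Options text says the object-type must match the type of object expected, so a reader would now conclude that such input is rejected. Keep a one-line note on this page about the alternative header that is accepted.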
written to the output file. With the B<-topk8> option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format: see L<KEY FORMATS> for more details. The default
-format is PEM.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
+If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
+not used) then the input file must be in PKCS#8 format. An encrypted
+key is expected unless B<-nocrypt> is included.
+
+If B<-topk8> is not used and B<PEM> mode is set the output file will be an
+unencrypted private key in PKCS#8 format. If the B<-traditional> option is
+used then a traditional format private key is written instead.
+
+If B<-topk8> is not used and B<DER> mode is set the output file will be an
+unencrypted private key in traditional DER format.
+
+If B<-topk8> is used then any supported private key can be used for the input
+file in a format specified by B<-inform>. The output file will be encrypted
+PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
+is included.
-This specifies the output format: see L<KEY FORMATS> for more details. The default
-format is PEM.
=item B<-traditional>
=back
-=head1 KEY FORMATS
-
-Various different formats are used by this command. These are detailed
-below.
-
-If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
-not used) then the input file must be in PKCS#8 format. An encrypted
-key is expected unless B<-nocrypt> is included.
-
-If B<-topk8> is not used and B<PEM> mode is set the output file will be an
-unencrypted private key in PKCS#8 format. If the B<-traditional> option is
-used then a traditional format private key is written instead.
-
-If B<-topk8> is not used and B<DER> mode is set the output file will be an
-unencrypted private key in traditional DER format.
-
-If B<-topk8> is used then any supported private key can be used for the input
-file in a format specified by B<-inform>. The output file will be encrypted
-PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
-is included.
-
=head1 NOTES
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit DES.
-The encrypted form of a PEM encode PKCS#8 files uses the following
-headers and footers:
-
- -----BEGIN ENCRYPTED PRIVATE KEY-----
- -----END ENCRYPTED PRIVATE KEY-----
-
-The unencrypted form uses:
-
- -----BEGIN PRIVATE KEY-----
- -----END PRIVATE KEY-----
-
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format DER or PEM. The default format is PEM.
-
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-in> I<filename>
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-The key format PEM, DER or ENGINE. Default is PEM.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
-The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
+The peer key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-pubin>
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-form compatible with the PKCS#10. The B<PEM> form is the default format: it
-consists of the B<DER> format base64 encoded with additional header and
-footer lines.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The data is a PKCS#10 object.
=item B<-in> I<filename>
=item B<-keyform> B<DER>|B<PEM>
-The format of the private key file specified in the B<-key>
-argument. PEM is the default.
+The format of the private key; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-keyout> I<filename>
=head1 NOTES
-The header and footer lines in the B<PEM> format are normally:
-
- -----BEGIN CERTIFICATE REQUEST-----
- -----END CERTIFICATE REQUEST-----
-
-some software (some versions of Netscape certificate server) instead needs:
-
- -----BEGIN NEW CERTIFICATE REQUEST-----
- -----END NEW CERTIFICATE REQUEST-----
-
-which is produced with the B<-newhdr> option but is otherwise compatible.
-Either form is accepted transparently on input.
-
The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
-by the script in an extendedKeyUsage extension.
+by the script in an B<extendedKeyUsage> extension.
=head1 DIAGNOSTICS
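Review bot: the removed NOTES text was the only place that tied the B<-newhdr> option to the NEW CERTIFICATE REQUEST header and said that either header is accepted on input. Format Options lists NEW CERTIFICATE REQUEST as a legacy type but does not mention B<-newhdr>, so that link is lost. Keep a sentence for it here, or move it to the description of B<-newhdr>.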
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
-The B<PEM> form is the default format: it consists of the B<DER> format base64
-encoded with additional header and footer lines. On input PKCS#8 format private
-keys are also accepted.
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
+On input, PKCS#8 format private keys are also accepted.
=item B<-in> I<filename>
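Review bot: the added "=item B<-inform> B<DER>|B<PEM>" directly after the combined -inform/-outform item looks like a leftover. It creates a second -inform entry whose body only describes the data. Drop that =item line so the PKCS#1 paragraph continues the combined item, as the other key pages in this patch do. The paragraph also says B<SubjectPublicKey> where the removed text said SubjectPublicKeyInfo, and "The input and formats" is missing "output".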
=back
-=head1 NOTES
-
-The PEM private key format uses the header and footer lines:
-
- -----BEGIN RSA PRIVATE KEY-----
- -----END RSA PRIVATE KEY-----
-
-The PEM public key format uses the header and footer lines:
-
- -----BEGIN PUBLIC KEY-----
- -----END PUBLIC KEY-----
-
-The PEM B<RSAPublicKey> format uses the header and footer lines:
-
- -----BEGIN RSA PUBLIC KEY-----
- -----END RSA PUBLIC KEY-----
-
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-The key format PEM, DER or ENGINE.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-pubin>
[B<-verify_return_error>]
[B<-cert> I<filename>]
[B<-certform> B<DER>|B<PEM>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
[B<-cert_chain> I<filename>]
The certificate format to use: DER or PEM. PEM is the default.
+=item B<-CRLform> B<DER>|B<PEM>
+
+The CRL format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
=item B<-keyform> I<format>
-The private format to use: DER or PEM. PEM is the default.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-cert_chain>
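Review bot: the item heading stays "=item B<-keyform> I<format>" while the synopsis for this command lists "[B<-keyform> B<DER>|B<PEM>]", and the matching item in a later hunk is changed to spell the values out. Update the heading here as well. The new wording "The key format" also loses the fact, present in the removed line, that this is the private key; "The private key format; the default is B<PEM>." keeps it.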
=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
+See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>
[B<-serverinfo> I<val>]
[B<-certform> B<DER>|B<PEM>]
[B<-key> I<infile>]
-[B<-keyform> I<format>]
+[B<-keyform> B<DER>|B<PEM>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
[B<-dcertform> B<DER>|B<PEM>]
[B<-verifyCApath> I<dir>]
[B<-no_cache>]
[B<-ext_cache>]
-[B<-CRLform> B<DER>|B<PEM>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-build_chain>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-xcertform> B<DER>|B<PEM>]
[B<-xkeyform> B<DER>|B<PEM>]
[B<-nbio>]
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
-The certificate format to use: DER or PEM. PEM is the default.
+The certificate and CRL format; the default is PEM.
+See L<openssl(1)/Format Options> for details.
=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform> I<format>
+=item B<-keyform> B<DER>|B<PEM>]
-The private format to use: DER or PEM. PEM is the default.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-pass> I<val>
-The private key password source. For more information about the format of B<val>
+The private key password source.
+For more information about the format of I<val>,
see L<openssl(1)/Pass Phrase Options>.
=item B<-dcert> I<infile>, B<-dkey> I<infile>
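Review bot: the new item heading spells the option B<-CRLForm>, but the synopsis hunks use B<-CRLform>; the heading should match the option name as given in the synopsis. Further down, "=item B<-keyform> B<DER>|B<PEM>]" carries a stray closing bracket copied from the synopsis line, and "the default is PEM" in the certificate/CRL paragraph lacks the B<> markup used for the default in the other items.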
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>, B<-dpass> I<val>
+=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
+
+The format of the certificate and private key; the default is B<PEM>
+see L<openssl(1)/Format Options>.
-Additional certificate and private key format and passphrase respectively.
+=item B<-dpass> I<val>
+
+The passphrase for the additional private key.
+For more information about the format of I<val>,
+see L<openssl(1)/Pass Phrase Options>.
=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
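Review bot: the added -dcertform/-dkeyform paragraph runs two sentences together: "the default is B<PEM>" has no full stop and the next line starts with lower-case "see". End the first line with a period and use "See L<openssl(1)/Format Options> for details." to match the other format items in this patch.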
=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-Extra certificate and private key format respectively.
+The format for the extra certificate and private key, respectively;
+the default format is B<PEM>.
+see L<openssl(1)/Pass Phrase Options>.
=item B<-nbio_test>
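Review bot: the cross-reference added for -xcertform/-xkeyform points at L<openssl(1)/Pass Phrase Options>, but this item describes file formats, so it should be L<openssl(1)/Format Options> as in the other format items. The line also starts with lower-case "see" after a full stop and lacks the "for details" ending used elsewhere.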
diagnostic tool that needs some knowledge of the SSL protocol to use
properly, most users will not need to use it.
+The precise format of the data can vary across OpenSSL versions and
+is not documented.
+
=head1 OPTIONS
=over 4
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
-
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-format containing session details. The precise format can vary from one version
-to the next. The B<PEM> form is the default format: it consists of the B<DER>
-format base64 encoded with additional header and footer lines.
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>|B<NSS>
-=item B<-outform> B<DER>|B<PEM>|B<NSS>
+The input and output formats; the default is PEM.
+See L<openssl(1)/Format Options> for details.
-This specifies the output format. The B<PEM> and B<DER> options have the same
-meaning and default as the B<-inform> option. The B<NSS> option outputs the
-session id and the master key in NSS keylog format.
+For B<NSS> output, the session ID and master key are reported in NSS "keylog"
+format.
=item B<-in> I<filename>
=head1 NOTES
-The PEM encoded session format uses the header and footer lines:
-
- -----BEGIN SSL SESSION PARAMETERS-----
- -----END SSL SESSION PARAMETERS-----
-
Since the SSL session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore appropriate security precautions should be taken if
[B<-signer> I<file>]
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
+[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-inkey> I<file_or_id>]
[B<-out> I<file>]
-[B<-outform> B<DER>|B<PEM>|B<SMIME>]
[B<-content> I<file>]
[B<-to> I<addr>]
[B<-from> I<ad>]
The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
-=item B<-inform> B<DER>|B<PEM>|B<SMIME>
-
-This specifies the input format for the PKCS#7 structure. The default
-is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
-format change this to expect PEM and DER format PKCS#7 structures
-instead. This currently only affects the input format of the PKCS#7
-structure, if no PKCS#7 structure is being input (for example with
-B<-encrypt> or B<-sign>) this option has no effect.
-
=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
+=item B<-inform> B<DER>|B<PEM>|B<SMIME>
+
+The input format of the PKCS#7 (S/MIME) structure (if one is being read);
+the default is B<SMIME>.
+See L<openssl(1)/Format Options> for details.
+
=item B<-outform> B<DER>|B<PEM>|B<SMIME>
-This specifies the output format for the PKCS#7 structure. The default
-is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
-format change this to write PEM and DER format PKCS#7 structures
-instead. This currently only affects the output format of the PKCS#7
-structure, if no PKCS#7 structure is being output (for example with
-B<-verify> or B<-decrypt>) this option has no effect.
+The output format of the PKCS#7 (S/MIME) structure (if one is being written);
+the default is B<SMIME>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-keyform> B<DER>|B<PEM>
+
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-stream>, B<-indef>, B<-noindef>
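Review bot: the new item is "=item B<-keyform> B<DER>|B<PEM>", but the synopsis line added for this command is "[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]". One of the two is wrong; make the item heading and the synopsis list the same set of formats.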
=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-Whether the key format is PEM, DER, or an engine-backed key.
-The default is PEM.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-passin> I<arg>
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format normally the command will expect an X509
-certificate but this can change if other options such as B<-req> are
-present. The DER format is the DER encoding of the certificate and PEM
-is the base64 encoding of the DER encoding with header and footer lines
-added. The default format is PEM.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The input is normally an X.509 certificate, but this can change if other
+options such as B<-req> are used.
=item B<-in> I<filename>
=item B<-keyform> B<DER>|B<PEM>
-Specifies the format (DER or PEM) of the private key file used in the
-B<-signkey> option.
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-CAform> B<DER>|B<PEM>, B<-CAkeyform> B<DER>|B<PEM>
+
+The format for the CA certificate and key; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-days> I<arg>
=head1 NOTES
-The PEM format uses the header and footer lines:
-
- -----BEGIN CERTIFICATE-----
- -----END CERTIFICATE-----
-
-it will also handle files containing:
-
- -----BEGIN X509 CERTIFICATE-----
- -----END X509 CERTIFICATE-----
-
-Trusted certificates have the lines
-
- -----BEGIN TRUSTED CERTIFICATE-----
- -----END TRUSTED CERTIFICATE-----
-
The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
and MSIE do this as do many certificates. So although this is incorrect
=back
+=head2 Format Options
+
+Several OpenSSL commands can take input or generate output in a variety
+of formats. The list of acceptable formats, and the default, is
+described in each command documentation. The list of formats is
+described below. Both uppercase and lowercase are accepted.
+
+=over 4
+
+=item B<DER>
+
+A binary format, encoded or parsed according to Distinguished Encoding Rules
+(DER) of the ASN.1 data language.
+
+=item B<ENGINE>
+
+Used to specify that the cryptographic material is in an OpenSSL B<engine>.
+An engine must be configured or specified using the B<-engine> option.
+In addition, the B<-input> flag can be used to name a specific object in
+the engine.
+A password, such as the B<-passin> flag often must be specified as well.
+
+=item B<P12>
+
+A DER-encoded file containing a PKCS#12 object.
+It might be necessary to provide a decryption password to retrieve
+the private key.
+
+=item B<PEM>
+
+A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is
+a block of base-64 encoding (defined in IETF RFC 4648), with specific
+lines used to mark the start and end:
+
+ Text before the BEGIN line is ignored.
+ ----- BEGIN object-type -----
+ OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
+ xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
+ UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
+ ----- END object-type -----
+ Text after the END line is also ignored
+
+The I<object-type> must match the type of object that is expected.
+For example a C<BEGIN X509 CERTIFICATE> will not match if the command
+is trying to read a private key. The types supported include:
+
+ ANY PRIVATE KEY
+ CERTIFICATE
+ CERTIFICATE REQUEST
+ CMS
+ DH PARAMETERS
+ DSA PARAMETERS
+ DSA PUBLIC KEY
+ EC PARAMETERS
+ EC PRIVATE KEY
+ ECDSA PUBLIC KEY
+ ENCRYPTED PRIVATE KEY
+ PARAMETERS
+ PKCS #7 SIGNED DATA
+ PKCS7
+ PRIVATE KEY
+ PUBLIC KEY
+ RSA PRIVATE KEY
+ SSL SESSION PARAMETERS
+ TRUSTED CERTIFICATE
+ X509 CRL
+ X9.42 DH PARAMETERS
+
+The following legacy I<object-type>'s are also supported for compatibility
+with earlier releases:
+
+ DSA PRIVATE KEY
+ NEW CERTIFICATE REQUEST
+ RSA PUBLIC KEY
+ X509 CERTIFICATE
+
+=item B<SMIME>
+
+An S/MIME object as described in IETF RFC 8551.
+Earlier versions were known as CMS and are compatible.
+Note that the parsing is simple and might fail to parse some legal data.
+
+=back
+
+The options to specify the format are as follows. Refer to the individual
+manpage to see which options are accepted.
+
+=over 4
+
+=item B<-inform> I<format>, B<-outform> I<format>
+
+The format of the input or output streams.
+
+=item B<-keyform> I<format>
+
+Format of a private key input source.
+
+=item B<-CRLform> I<fornat>
+
+Format of a CRL input source.
+
+=back
+
=head2 Pass Phrase Options
Several commands accept password arguments, typically using B<-passin>
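Review bot: in the PEM sample the marker lines are written "----- BEGIN object-type -----" with spaces inside the dashes, while every header removed elsewhere in this patch has the form "-----BEGIN X509 CRL-----". Show the markers without the extra spaces so the sample matches the headers the old pages documented. In the ENGINE item, B<-input> does not appear in any synopsis touched by this patch, so check the flag name, and "A password, such as the B<-passin> flag often must be specified as well" needs rewording. The closing option list has the typo I<fornat> and covers only -inform/-outform, -keyform and -CRLform, although the -certform, -rctform, -peerform and -CAform items now send readers to this section. "I<object-type>'s" should be a plain plural.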