From 0286d944541b0622bcbf513d79083183d27c8603 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 13 Nov 1999 21:58:39 +0000 Subject: [PATCH] Add info about the header and footer lines used in PEM formats and add an nseq manpage. --- doc/man/dsa.pod | 7 +++++ doc/man/dsaparam.pod | 5 ++++ doc/man/nseq.pod | 70 ++++++++++++++++++++++++++++++++++++++++++++ doc/man/pkcs8.pod | 11 +++++++ doc/man/req.pod | 16 ++++++---- doc/man/rsa.pod | 7 +++++ doc/man/x509.pod | 12 ++++++++ 7 files changed, 123 insertions(+), 5 deletions(-) create mode 100644 doc/man/nseq.pod diff --git a/doc/man/dsa.pod b/doc/man/dsa.pod index 576731f92c..4187ef4b49 100644 --- a/doc/man/dsa.pod +++ b/doc/man/dsa.pod @@ -117,6 +117,13 @@ a public key. =back +=head1 NOTES + +The PEM private key format uses the header and footer lines: + + -----BEGIN DSA PRIVATE KEY----- + -----END DSA PRIVATE KEY----- + =head1 EXAMPLES To remove the pass phrase on a DSA private key: diff --git a/doc/man/dsaparam.pod b/doc/man/dsaparam.pod index 13a049ec67..6f05629b74 100644 --- a/doc/man/dsaparam.pod +++ b/doc/man/dsaparam.pod @@ -82,6 +82,11 @@ the input file (if any) is ignored. =head1 NOTES +PEM format DSA parameters use the header and footer lines: + + -----BEGIN DSA PARAMETERS----- + -----END DSA PARAMETERS----- + DSA parameter generation is a slow process and as a result the same set of DSA parameters is often used to generate several distinct keys. diff --git a/doc/man/nseq.pod b/doc/man/nseq.pod new file mode 100644 index 0000000000..a9af25b53d --- /dev/null +++ b/doc/man/nseq.pod 
@@ -0,0 +1,70 @@ +=pod + +=head1 NAME + +nseq - create or examine a netscape certificate sequence + +=head1 SYNOPSIS + +B B +[B<-in filename>] +[B<-out filename>] +[B<-toseq>] + +=head1 DESCRIPTION + +The B command takes a file containing a Netscape certificate +sequence and prints out the certificates contained in it or takes a +file of certificates and converts it into a Netscape certificate +sequence. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B<-in filename> + +This specifies the input filename to read or standard input if this +option is not specified. + +=item B<-out filename> + +specifies the output filename or standard output by default. + +=item B<-toseq> + +normally a Netscape certificate sequence will be input and the output +is the certificates contained in it. With the B<-toseq> option the +situation is reversed: a Netscape certificate sequence is created from +a file of certificates. + +=back + +=head1 EXAMPLES + +Output the certificates in a Netscape certificate sequence + + openssl nseq -in nseq.pem -out certs.pem + +Create a Netscape certificate sequence + + openssl nseq -in certs.pem -toseq -out nseq.pem + +=head1 NOTES + +The B encoded form uses the same headers and footers as a certificate: + + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- + +A Netscape certificate sequence is a Netscape specific form that can be sent +to browsers as an alternative to the standard PKCS#7 format when several +certificates are sent to the browser: for example during certificate erollment. +It is used by Netscape certificate server for example. + +=head1 BUGS + +This program needs a few more options: like allowing DER or PEM input and +output files and allowing multiple certificate files to be used. + +=cut diff --git a/doc/man/pkcs8.pod b/doc/man/pkcs8.pod index 64cf65a78c..eadfe31fbb 100644 --- a/doc/man/pkcs8.pod +++ b/doc/man/pkcs8.pod 
@@ -93,6 +93,17 @@ B, B and B. It is recommended that B is used. =head1 NOTES +The encrypted form of a PEM encode PKCS#8 files uses the following +headers and footers: + + -----BEGIN ENCRYPTED PRIVATE KEY----- + -----END ENCRYPTED PRIVATE KEY----- + +The unencrypted form uses: + + -----BEGIN PRIVATE KEY----- + -----END PRIVATE KEY----- + Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts are more secure that those encrypted using the traditional SSLeay compatible formats. So if additional security is considered diff --git a/doc/man/req.pod b/doc/man/req.pod index 5840013f06..9ca102579d 100644 --- a/doc/man/req.pod +++ b/doc/man/req.pod @@ -371,11 +371,17 @@ Sample configuration file: =head1 NOTES -The header and footer lines in the B format contain the words -B and B some software -(for example some versions of Netscape certificate server) requires the -words B and B -instead. +The header and footer lines in the B format are respectively: + + -----BEGIN CERTIFICATE REQUEST---- + -----END CERTIFICATE REQUEST---- + +some software (some versions of Netscape certificate server) instead needs: + + -----BEGIN NEW CERTIFICATE REQUEST---- + -----END NEW CERTIFICATE REQUEST---- + +but is otherwise compatible. Either form is accepted on input. The certificate requests generated by B with MSIE have extensions added. It includes the B extension which determines the type of diff --git a/doc/man/rsa.pod b/doc/man/rsa.pod index eea8539b61..9834eb395f 100644 --- a/doc/man/rsa.pod +++ b/doc/man/rsa.pod @@ -123,6 +123,13 @@ a public key. =back +=head1 NOTES + +The PEM private key format uses the header and footer lines: + + -----BEGIN RSA PRIVATE KEY----- + -----END RSA PRIVATE KEY----- + =head1 EXAMPLES To remove the pass phrase on an RSA private key: diff --git a/doc/man/x509.pod b/doc/man/x509.pod index 9068070b04..7e2036e65a 100644 --- a/doc/man/x509.pod +++ b/doc/man/x509.pod 
@@ -371,6 +371,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to openssl x509 -in cert.pem -addtrust sslclient \ -alias "Steve's Class 1 CA" -out trust.pem +=head1 NOTES + +The PEM format uses the header and footer lines: + + -----BEGIN CERTIFICATE---- + -----END CERTIFICATE---- + +it will also handle files containing: + + -----BEGIN X509 CERTIFICATE---- + -----END X509 CERTIFICATE---- + =head1 BUGS The way DNs are printed is in a "historical SSLeay" format which doesn't -- 2.25.1
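Review bot: In doc/man/nseq.pod, the NOTES paragraph misspells "enrollment" ("for example during certificate erollment"), and the NAME line writes "netscape" in lower case where the rest of the page writes "Netscape". The B<-out filename> and B<-toseq> items also open with lower-case sentences ("specifies the output filename ...", "normally a Netscape certificate sequence ...") while B<-in filename> opens with a capital. Suggest fixing the spelling and making the capitalisation consistent across the three option descriptions.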
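Review bot: In doc/man/pkcs8.pod, the first added sentence is ungrammatical: "The encrypted form of a PEM encode PKCS#8 files uses" should read "The encrypted form of a PEM encoded PKCS#8 file uses". The two header pairs differ only in the word ENCRYPTED, so the "The unencrypted form uses:" sentence could also say that a file carrying the PRIVATE KEY header holds the key with no pass phrase protection, which ties in with the security advice in the paragraph that follows.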
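Review bot: In doc/man/req.pod, all four added header and footer lines end in four dashes ("-----BEGIN CERTIFICATE REQUEST----", "-----END NEW CERTIFICATE REQUEST----"), while the lines this same patch adds to dsa.pod, dsaparam.pod, rsa.pod, pkcs8.pod and nseq.pod end in five. A reader who copies these lines literally gets a boundary that does not match the other pages, so suggest five trailing dashes here as well. The sentence "some software (some versions of Netscape certificate server) instead needs:" starts in lower case and reads as a fragment after the indented block; "Some software ... instead needs:" would fix that.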
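Review bot: In doc/man/x509.pod, the added header and footer lines end in four dashes ("-----BEGIN CERTIFICATE----", "-----BEGIN X509 CERTIFICATE----"), which disagrees with the five-dash "-----BEGIN CERTIFICATE-----" that this patch documents in nseq.pod for the same certificate header. Suggest five trailing dashes on all four lines. The sentence "it will also handle files containing:" starts in lower case and "it" has no clear antecedent after the indented block; naming the command there would read better.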