Common wording courtesy Richard Levitte.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10128)
doc/man1/openssl-crl.pod
doc/man1/openssl-dgst.pod
doc/man1/openssl-dhparam.pod
+doc/man1/openssl-dsa.pod
doc/man1/openssl-dsaparam.pod
+doc/man1/openssl-ec.pod
doc/man1/openssl-ecparam.pod
doc/man1/openssl-enc.pod
+doc/man1/openssl-engine.pod
doc/man1/openssl-gendsa.pod
+doc/man1/openssl-genpkey.pod
doc/man1/openssl-genrsa.pod
+doc/man1/openssl-info.pod
+doc/man1/openssl-list.pod
doc/man1/openssl-ocsp.pod
doc/man1/openssl-passwd.pod
doc/man1/openssl-pkcs12.pod
+doc/man1/openssl-pkcs7.pod
doc/man1/openssl-pkcs8.pod
+doc/man1/openssl-pkey.pod
+doc/man1/openssl-pkeyparam.pod
doc/man1/openssl-pkeyutl.pod
doc/man1/openssl-rand.pod
doc/man1/openssl-req.pod
+doc/man1/openssl-rsa.pod
doc/man1/openssl-rsautl.pod
doc/man1/openssl-s_client.pod
doc/man1/openssl-s_server.pod
doc/man1/openssl-s_time.pod
doc/man1/openssl-smime.pod
doc/man1/openssl-speed.pod
+doc/man1/openssl-spkac.pod
doc/man1/openssl-srp.pod
+doc/man1/openssl-storeutl.pod
doc/man1/openssl-ts.pod
doc/man1/openssl-verify.pod
doc/man1/openssl-x509.pod
+doc/man1/openssl.pod
# error code files
/crypto/err/openssl.txt.old
[B<-msie_hack>]
[B<-extensions> I<section>]
[B<-extfile> I<section>]
-[B<-engine> I<id>]
[B<-subj> I<arg>]
[B<-utf8>]
[B<-sigopt> I<nm>:I<v>]
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<certreq>...]
=for openssl ifdef engine sm2-id sm2-hex-id
(using the default section unless the B<-extensions> option is also
used).
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause B<ca>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-subj> I<arg>
Supersedes subject name given in the request.
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 CRL OPTIONS
[B<-hmac> I<key>]
[B<-fips-fingerprint>]
[B<-engine> I<id>]
-[B<-engine_impl>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
[I<file> ...]
Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
-=item B<-engine> I<id>
-
-Use engine I<id> for operations (including private key storage).
-This engine is not used as source for digest algorithms, unless it is
-also specified in the configuration file or B<-engine_impl> is also
-specified.
-
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+The engine is not used for digests unless the B<-engine_impl> option is
+used or it is configured to do so, see L<config(5)/Engine Configuration Module>.
+
=item I<file> ...
File or files to digest. If no files are specified then standard input is
[B<-2>]
[B<-3>]
[B<-5>]
-[B<-engine> I<id>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
[I<numbits>]
This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause B<dhparam>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+{- $OpenSSL::safe::opt_engine_item -}
{- $OpenSSL::safe::opt_r_item -}
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-dsa - DSA key processing
-
-=head1 SYNOPSIS
-
-B<openssl> B<dsa>
-[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-in> I<filename>]
-[B<-passin> I<arg>]
-[B<-out> I<filename>]
-[B<-passout> I<arg>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-aria128>]
-[B<-aria192>]
-[B<-aria256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
-[B<-des>]
-[B<-des3>]
-[B<-idea>]
-[B<-text>]
-[B<-noout>]
-[B<-modulus>]
-[B<-pubin>]
-[B<-pubout>]
-[B<-engine> I<id>]
-
-=for openssl ifdef pvk-string pvk-weak pvk-none engine
-
-=head1 DESCRIPTION
-
-This command processes DSA keys. They can be converted between various
-forms and their components printed out. B<Note> This command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the B<pkcs8>
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-
-The input and formats; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
-B<q>, B<g>, and the public and and private key components. Public keys
-are a B<SubjectPublicKeyInfo> structure with the B<DSA> type.
-
-The B<PEM> format also accepts PKCS#8 data.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-
-=item B<-out> I<filename>
-
-This specifies the output filename to write a key to or standard output by
-is not specified. If any encryption options are set then a pass phrase will be
-prompted for. The output filename should B<not> be the same as the input
-filename.
-
-=item B<-passin> I<arg>, B<-passout> I<arg>
-
-The password source for the input and output file.
-For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
-
-These options encrypt the private key with the specified
-cipher before outputting it. A pass phrase is prompted for.
-If none of these options is specified the key is written in plain text. This
-means that this command can be used to remove the pass phrase from a key
-by not giving any encryption option is given, or to add or change the pass
-phrase by setting them.
-These options can only be used with PEM format output files.
-
-=item B<-text>
-
-Prints out the public, private key components and parameters.
-
-=item B<-noout>
-
-This option prevents output of the encoded version of the key.
-
-=item B<-modulus>
-
-This option prints out the value of the public key component of the key.
-
-=item B<-pubin>
-
-By default, a private key is read from the input file. With this option a
-public key is read instead.
-
-=item B<-pubout>
-
-By default, a private key is output. With this option a public
-key will be output instead. This option is automatically set if the input is
-a public key.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause L<openssl-dsa(1)>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=back
-
-=head1 EXAMPLES
-
-To remove the pass phrase on a DSA private key:
-
- openssl dsa -in key.pem -out keyout.pem
-
-To encrypt a private key using triple DES:
-
- openssl dsa -in key.pem -des3 -out keyout.pem
-
-To convert a private key from PEM to DER format:
-
- openssl dsa -in key.pem -outform DER -out keyout.der
-
-To print out the components of a private key to standard output:
-
- openssl dsa -in key.pem -text -noout
-
-To just output the public part of a private key:
-
- openssl dsa -in key.pem -pubout -out pubkey.pem
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-dsaparam(1)>,
-L<openssl-gendsa(1)>,
-L<openssl-rsa(1)>,
-L<openssl-genrsa(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-dsa - DSA key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<dsa>
+[B<-help>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-aria128>]
+[B<-aria192>]
+[B<-aria256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-pubin>]
+[B<-pubout>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef pvk-string pvk-weak pvk-none engine
+
+=head1 DESCRIPTION
+
+This command processes DSA keys. They can be converted between various
+forms and their components printed out. B<Note> This command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the B<pkcs8>
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+Private keys are a sequence of B<ASN.1 INTEGERS>: the version (zero), B<p>,
+B<q>, B<g>, and the public and and private key components. Public keys
+are a B<SubjectPublicKeyInfo> structure with the B<DSA> type.
+
+The B<PEM> format also accepts PKCS#8 data.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-out> I<filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passin> I<arg>, B<-passout> I<arg>
+
+The password source for the input and output file.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
+
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+Prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+This option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+This option prints out the value of the public key component of the key.
+
+=item B<-pubin>
+
+By default, a private key is read from the input file. With this option a
+public key is read instead.
+
+=item B<-pubout>
+
+By default, a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+To remove the pass phrase on a DSA private key:
+
+ openssl dsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl dsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format:
+
+ openssl dsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl dsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl dsa -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-dsaparam(1)>,
+L<openssl-gendsa(1)>,
+L<openssl-rsa(1)>,
+L<openssl-genrsa(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-text>]
[B<-C>]
[B<-genkey>]
-[B<-engine> I<id>]
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<numbits>]
=head1 DESCRIPTION
This option will generate a DSA either using the specified or generated
parameters.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
=item B<-verbose>
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=item I<numbits>
This option specifies that a parameter set should be generated of size
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-ec - EC key processing
-
-=head1 SYNOPSIS
-
-B<openssl> B<ec>
-[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-in> I<filename>]
-[B<-passin> I<arg>]
-[B<-out> I<filename>]
-[B<-passout> I<arg>]
-[B<-des>]
-[B<-des3>]
-[B<-idea>]
-[B<-text>]
-[B<-noout>]
-[B<-param_out>]
-[B<-pubin>]
-[B<-pubout>]
-[B<-conv_form> I<arg>]
-[B<-param_enc> I<arg>]
-[B<-no_public>]
-[B<-check>]
-[B<-engine> I<id>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-The L<openssl-ec(1)> command processes EC keys. They can be converted between
-various forms and their components printed out. B<Note> OpenSSL uses the
-private key format specified in 'SEC 1: Elliptic Curve Cryptography'
-(http://www.secg.org/). To convert an OpenSSL EC private key into the
-PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-
-The input and formats; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-Private keys are an SEC1 private key or PKCS#8 format.
-Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-
-=item B<-out> I<filename>
-
-This specifies the output filename to write a key to or standard output by
-is not specified. If any encryption options are set then a pass phrase will be
-prompted for. The output filename should B<not> be the same as the input
-filename.
-
-=item B<-passin> I<arg>, B<-passout> I<arg>
-
-The password source for the input and output file.
-For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-des>|B<-des3>|B<-idea>
-
-These options encrypt the private key with the DES, triple DES, IDEA or
-any other cipher supported by OpenSSL before outputting it. A pass phrase is
-prompted for.
-If none of these options is specified the key is written in plain text. This
-means that using this command to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
-These options can only be used with PEM format output files.
-
-=item B<-text>
-
-Prints out the public, private key components and parameters.
-
-=item B<-noout>
-
-This option prevents output of the encoded version of the key.
-
-=item B<-pubin>
-
-By default, a private key is read from the input file. With this option a
-public key is read instead.
-
-=item B<-pubout>
-
-By default a private key is output. With this option a public
-key will be output instead. This option is automatically set if the input is
-a public key.
-
-=item B<-conv_form> I<arg>
-
-This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: B<compressed> (the default
-value), B<uncompressed> and B<hybrid>. For more information regarding
-the point conversion forms please read the X9.62 standard.
-B<Note> Due to patent issues the B<compressed> option is disabled
-by default for binary curves and can be enabled by defining
-the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
-
-=item B<-param_enc> I<arg>
-
-This specifies how the elliptic curve parameters are encoded.
-Possible value are: B<named_curve>, i.e. the ec parameters are
-specified by an OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the
-EC parameters structures). The default value is B<named_curve>.
-B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
-is currently not implemented in OpenSSL.
-
-=item B<-no_public>
-
-This option omits the public key components from the private key output.
-
-=item B<-check>
-
-This option checks the consistency of an EC private or public key.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=back
-
-=head1 EXAMPLES
-
-To encrypt a private key using triple DES:
-
- openssl ec -in key.pem -des3 -out keyout.pem
-
-To convert a private key from PEM to DER format:
-
- openssl ec -in key.pem -outform DER -out keyout.der
-
-To print out the components of a private key to standard output:
-
- openssl ec -in key.pem -text -noout
-
-To just output the public part of a private key:
-
- openssl ec -in key.pem -pubout -out pubkey.pem
-
-To change the parameters encoding to B<explicit>:
-
- openssl ec -in key.pem -param_enc explicit -out keyout.pem
-
-To change the point conversion form to B<compressed>:
-
- openssl ec -in key.pem -conv_form compressed -out keyout.pem
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-ecparam(1)>,
-L<openssl-dsa(1)>,
-L<openssl-rsa(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-ec - EC key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<ec>
+[B<-help>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-param_out>]
+[B<-pubin>]
+[B<-pubout>]
+[B<-conv_form> I<arg>]
+[B<-param_enc> I<arg>]
+[B<-no_public>]
+[B<-check>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+The L<openssl-ec(1)> command processes EC keys. They can be converted between
+various forms and their components printed out. B<Note> OpenSSL uses the
+private key format specified in 'SEC 1: Elliptic Curve Cryptography'
+(http://www.secg.org/). To convert an OpenSSL EC private key into the
+PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+Private keys are an SEC1 private key or PKCS#8 format.
+Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-out> I<filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passin> I<arg>, B<-passout> I<arg>
+
+The password source for the input and output file.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-des>|B<-des3>|B<-idea>
+
+These options encrypt the private key with the DES, triple DES, IDEA or
+any other cipher supported by OpenSSL before outputting it. A pass phrase is
+prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using this command to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+Prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+This option prevents output of the encoded version of the key.
+
+=item B<-pubin>
+
+By default, a private key is read from the input file. With this option a
+public key is read instead.
+
+=item B<-pubout>
+
+By default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+=item B<-conv_form> I<arg>
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-param_enc> I<arg>
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by an OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
+=item B<-no_public>
+
+This option omits the public key components from the private key output.
+
+=item B<-check>
+
+This option checks the consistency of an EC private or public key.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+To encrypt a private key using triple DES:
+
+ openssl ec -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format:
+
+ openssl ec -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl ec -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl ec -in key.pem -pubout -out pubkey.pem
+
+To change the parameters encoding to B<explicit>:
+
+ openssl ec -in key.pem -param_enc explicit -out keyout.pem
+
+To change the point conversion form to B<compressed>:
+
+ openssl ec -in key.pem -conv_form compressed -out keyout.pem
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-ecparam(1)>,
+L<openssl-dsa(1)>,
+L<openssl-rsa(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-param_enc> I<arg>]
[B<-no_seed>]
[B<-genkey>]
-[B<-engine> I<id>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
=for openssl ifdef engine
This option will generate an EC private key using the specified parameters.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause B<ecparam>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+{- $OpenSSL::safe::opt_engine_item -}
{- $OpenSSL::safe::opt_r_item -}
[B<-nopad>]
[B<-debug>]
[B<-none>]
-[B<-engine> I<id>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
=for openssl ifdef z engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 NOTES
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
-configuration file. Engines specified on the command line using -engine
-options can only be used for hardware-assisted implementations of
+configuration file. Engines specified on the command line using B<-engine>
+option can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-engine> I<id>]
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<paramfile>]
=for openssl ifdef engine
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-verbose>
Print extra details about the operations being performed.
+{- $OpenSSL::safe::opt_r_item -}
+
+{- $OpenSSL::safe::opt_engine_item -}
+
=item I<paramfile>
The DSA parameter file to use. The parameters in this file determine
the size of the private key. DSA parameters can be generated and
examined using the L<openssl-dsaparam(1)> command.
-{- $OpenSSL::safe::opt_r_item -}
-
=back
=head1 NOTES
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-genpkey - generate a private key
-
-=head1 SYNOPSIS
-
-B<openssl> B<genpkey>
-[B<-help>]
-[B<-out> I<filename>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-pass> I<arg>]
-[B<-I<cipher>>]
-[B<-engine> I<id>]
-[B<-paramfile> I<file>]
-[B<-algorithm> I<alg>]
-[B<-pkeyopt> I<opt>:I<value>]
-[B<-genparam>]
-[B<-text>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-This command generates a private key.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-out> I<filename>
-
-Output the key to the specified file. If this argument is not specified then
-standard output is used.
-
-=item B<-outform> B<DER>|B<PEM>
-
-The output format; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-=item B<-pass> I<arg>
-
-The output file password source. For more information about the format of I<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-I<cipher>>
-
-This option encrypts the private key with the supplied cipher. Any algorithm
-name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms. If used this option should precede all other
-options.
-
-=item B<-algorithm> I<alg>
-
-Public key algorithm to use such as RSA, DSA or DH. If used this option must
-precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
-are mutually exclusive. Engines may add algorithms in addition to the standard
-built-in ones.
-
-Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC,
-X25519, X448, ED25519 and ED448.
-
-Valid built-in algorithm names for parameter generation (see the B<-genparam>
-option) are DH, DSA and EC.
-
-Note that the algorithm name X9.42 DH may be used as a synonym for the DH
-algorithm. These are identical and do not indicate the type of parameters that
-will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
-or X9.42 DH parameters are required. See L</DH Parameter Generation Options>
-below for more details.
-
-=item B<-pkeyopt> I<opt>:I<value>
-
-Set the public key algorithm option I<opt> to I<value>. The precise set of
-options supported depends on the public key algorithm used and its
-implementation. See L</KEY GENERATION OPTIONS> and
-L</PARAMETER GENERATION OPTIONS> below for more details.
-
-=item B<-genparam>
-
-Generate a set of parameters instead of a private key. If used this option must
-precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
-
-=item B<-paramfile> I<filename>
-
-Some public key algorithms generate a private key based on a set of parameters.
-They can be supplied using this option. If this option is used the public key
-algorithm used is determined by the parameters. If used this option must
-precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
-are mutually exclusive.
-
-=item B<-text>
-
-Print an (unencrypted) text representation of private and public keys and
-parameters along with the PEM or DER structure.
-
-=back
-
-=head1 KEY GENERATION OPTIONS
-
-The options supported by each algorithm and indeed each implementation of an
-algorithm can vary. The options for the OpenSSL implementations are detailed
-below. There are no key generation options defined for the X25519, X448, ED25519
-or ED448 algorithms.
-
-=head2 RSA Key Generation Options
-
-=over 4
-
-=item B<rsa_keygen_bits:numbits>
-
-The number of bits in the generated key. If not specified 2048 is used.
-
-=item B<rsa_keygen_primes:numprimes>
-
-The number of primes in the generated key. If not specified 2 is used.
-
-=item B<rsa_keygen_pubexp:value>
-
-The RSA public exponent value. This can be a large decimal or
-hexadecimal value if preceded by C<0x>. Default value is 65537.
-
-=back
-
-=head2 RSA-PSS Key Generation Options
-
-Note: by default an B<RSA-PSS> key has no parameter restrictions.
-
-=over 4
-
-=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
-B<rsa_keygen_pubexp>:I<value>
-
-These options have the same meaning as the B<RSA> algorithm.
-
-=item B<rsa_pss_keygen_md>:I<digest>
-
-If set the key is restricted and can only use I<digest> for signing.
-
-=item B<rsa_pss_keygen_mgf1_md>:I<digest>
-
-If set the key is restricted and can only use I<digest> as it's MGF1
-parameter.
-
-=item B<rsa_pss_keygen_saltlen>:I<len>
-
-If set the key is restricted and I<len> specifies the minimum salt length.
-
-=back
-
-=head2 EC Key Generation Options
-
-The EC key generation options can also be used for parameter generation.
-
-=over 4
-
-=item B<ec_paramgen_curve>:I<curve>
-
-The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
-
-=item B<ec_param_enc>:I<encoding>
-
-The encoding to use for parameters. The I<encoding> parameter must be either
-B<named_curve> or B<explicit>. The default value is B<named_curve>.
-
-=back
-
-=head1 PARAMETER GENERATION OPTIONS
-
-The options supported by each algorithm and indeed each implementation of an
-algorithm can vary. The options for the OpenSSL implementations are detailed
-below.
-
-=head2 DSA Parameter Generation Options
-
-=over 4
-
-=item B<dsa_paramgen_bits>:I<numbits>
-
-The number of bits in the generated prime. If not specified 2048 is used.
-
-=item B<dsa_paramgen_q_bits>:I<numbits>
-
-The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
-specified 224 is used.
-
-=item B<dsa_paramgen_md>:I<digest>
-
-The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
-or B<sha256>. If set, then the number of bits in B<q> will match the output size
-of the specified digest and the B<dsa_paramgen_q_bits> parameter will be
-ignored. If not set, then a digest will be used that gives an output matching
-the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it 224
-or B<sha256> if it is 256.
-
-=back
-
-=head2 DH Parameter Generation Options
-
-=over 4
-
-=item B<dh_paramgen_prime_len>:I<numbits>
-
-The number of bits in the prime parameter I<p>. The default is 2048.
-
-=item B<dh_paramgen_subprime_len>:I<numbits>
-
-The number of bits in the sub prime parameter I<q>. The default is 256 if the
-prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
-conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
-
-=item B<dh_paramgen_generator>:I<value>
-
-The value to use for the generator I<g>. The default is 2.
-
-=item B<dh_paramgen_type>:I<value>
-
-The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
-The default is 0.
-
-=item B<dh_rfc5114>:I<num>
-
-If this option is set, then the appropriate RFC5114 parameters are used
-instead of generating new parameters. The value I<num> can be one of
-1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
-1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
-and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
-2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
-options.
-
-=back
-
-=head2 EC Parameter Generation Options
-
-The EC parameter generation options are the same as for key generation. See
-L</EC Key Generation Options> above.
-
-=head1 NOTES
-
-The use of the genpkey program is encouraged over the algorithm specific
-utilities because additional algorithm options and ENGINE provided algorithms
-can be used.
-
-=head1 EXAMPLES
-
-Generate an RSA private key using default parameters:
-
- openssl genpkey -algorithm RSA -out key.pem
-
-Encrypt output private key using 128 bit AES and the passphrase "hello":
-
- openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
-
-Generate a 2048 bit RSA key using 3 as the public exponent:
-
- openssl genpkey -algorithm RSA -out key.pem \
- -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
-
-Generate 2048 bit DSA parameters:
-
- openssl genpkey -genparam -algorithm DSA -out dsap.pem \
- -pkeyopt dsa_paramgen_bits:2048
-
-Generate DSA key from parameters:
-
- openssl genpkey -paramfile dsap.pem -out dsakey.pem
-
-Generate 2048 bit DH parameters:
-
- openssl genpkey -genparam -algorithm DH -out dhp.pem \
- -pkeyopt dh_paramgen_prime_len:2048
-
-Generate 2048 bit X9.42 DH parameters:
-
- openssl genpkey -genparam -algorithm DH -out dhpx.pem \
- -pkeyopt dh_paramgen_prime_len:2048 \
- -pkeyopt dh_paramgen_type:1
-
-Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
-
- openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
-
-Generate DH key from parameters:
-
- openssl genpkey -paramfile dhp.pem -out dhkey.pem
-
-Generate EC parameters:
-
- openssl genpkey -genparam -algorithm EC -out ecp.pem \
- -pkeyopt ec_paramgen_curve:secp384r1 \
- -pkeyopt ec_param_enc:named_curve
-
-Generate EC key from parameters:
-
- openssl genpkey -paramfile ecp.pem -out eckey.pem
-
-Generate EC key directly:
-
- openssl genpkey -algorithm EC -out eckey.pem \
- -pkeyopt ec_paramgen_curve:P-384 \
- -pkeyopt ec_param_enc:named_curve
-
-Generate an X25519 private key:
-
- openssl genpkey -algorithm X25519 -out xkey.pem
-
-Generate an ED448 private key:
-
- openssl genpkey -algorithm ED448 -out xkey.pem
-
-=head1 HISTORY
-
-The ability to use NIST curve names, and to generate an EC key directly,
-were added in OpenSSL 1.0.2.
-The ability to generate X25519 keys was added in OpenSSL 1.1.0.
-The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
-
-=head1 COPYRIGHT
-
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-genpkey - generate a private key
+
+=head1 SYNOPSIS
+
+B<openssl> B<genpkey>
+[B<-help>]
+[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-pass> I<arg>]
+[B<-I<cipher>>]
+[B<-paramfile> I<file>]
+[B<-algorithm> I<alg>]
+[B<-pkeyopt> I<opt>:I<value>]
+[B<-genparam>]
+[B<-text>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+This command generates a private key.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-out> I<filename>
+
+Output the key to the specified file. If this argument is not specified then
+standard output is used.
+
+=item B<-outform> B<DER>|B<PEM>
+
+The output format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-pass> I<arg>
+
+The output file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-I<cipher>>
+
+This option encrypts the private key with the supplied cipher. Any algorithm
+name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
+
+=item B<-algorithm> I<alg>
+
+Public key algorithm to use such as RSA, DSA or DH. If used this option must
+precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
+are mutually exclusive. Engines may add algorithms in addition to the standard
+built-in ones.
+
+Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC,
+X25519, X448, ED25519 and ED448.
+
+Valid built-in algorithm names for parameter generation (see the B<-genparam>
+option) are DH, DSA and EC.
+
+Note that the algorithm name X9.42 DH may be used as a synonym for the DH
+algorithm. These are identical and do not indicate the type of parameters that
+will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
+or X9.42 DH parameters are required. See L</DH Parameter Generation Options>
+below for more details.
+
+=item B<-pkeyopt> I<opt>:I<value>
+
+Set the public key algorithm option I<opt> to I<value>. The precise set of
+options supported depends on the public key algorithm used and its
+implementation. See L</KEY GENERATION OPTIONS> and
+L</PARAMETER GENERATION OPTIONS> below for more details.
+
+=item B<-genparam>
+
+Generate a set of parameters instead of a private key. If used this option must
+precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
+
+=item B<-paramfile> I<filename>
+
+Some public key algorithms generate a private key based on a set of parameters.
+They can be supplied using this option. If this option is used the public key
+algorithm used is determined by the parameters. If used this option must
+precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
+are mutually exclusive.
+
+=item B<-text>
+
+Print an (unencrypted) text representation of private and public keys and
+parameters along with the PEM or DER structure.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 KEY GENERATION OPTIONS
+
+The options supported by each algorithm and indeed each implementation of an
+algorithm can vary. The options for the OpenSSL implementations are detailed
+below. There are no key generation options defined for the X25519, X448, ED25519
+or ED448 algorithms.
+
+=head2 RSA Key Generation Options
+
+=over 4
+
+=item B<rsa_keygen_bits:numbits>
+
+The number of bits in the generated key. If not specified 2048 is used.
+
+=item B<rsa_keygen_primes:numprimes>
+
+The number of primes in the generated key. If not specified 2 is used.
+
+=item B<rsa_keygen_pubexp:value>
+
+The RSA public exponent value. This can be a large decimal or
+hexadecimal value if preceded by C<0x>. Default value is 65537.
+
+=back
+
+=head2 RSA-PSS Key Generation Options
+
+Note: by default an B<RSA-PSS> key has no parameter restrictions.
+
+=over 4
+
+=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
+B<rsa_keygen_pubexp>:I<value>
+
+These options have the same meaning as the B<RSA> algorithm.
+
+=item B<rsa_pss_keygen_md>:I<digest>
+
+If set the key is restricted and can only use I<digest> for signing.
+
+=item B<rsa_pss_keygen_mgf1_md>:I<digest>
+
+If set the key is restricted and can only use I<digest> as it's MGF1
+parameter.
+
+=item B<rsa_pss_keygen_saltlen>:I<len>
+
+If set the key is restricted and I<len> specifies the minimum salt length.
+
+=back
+
+=head2 EC Key Generation Options
+
+The EC key generation options can also be used for parameter generation.
+
+=over 4
+
+=item B<ec_paramgen_curve>:I<curve>
+
+The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
+
+=item B<ec_param_enc>:I<encoding>
+
+The encoding to use for parameters. The I<encoding> parameter must be either
+B<named_curve> or B<explicit>. The default value is B<named_curve>.
+
+=back
+
+=head1 PARAMETER GENERATION OPTIONS
+
+The options supported by each algorithm and indeed each implementation of an
+algorithm can vary. The options for the OpenSSL implementations are detailed
+below.
+
+=head2 DSA Parameter Generation Options
+
+=over 4
+
+=item B<dsa_paramgen_bits>:I<numbits>
+
+The number of bits in the generated prime. If not specified 2048 is used.
+
+=item B<dsa_paramgen_q_bits>:I<numbits>
+
+The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
+specified 224 is used.
+
+=item B<dsa_paramgen_md>:I<digest>
+
+The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
+or B<sha256>. If set, then the number of bits in B<q> will match the output size
+of the specified digest and the B<dsa_paramgen_q_bits> parameter will be
+ignored. If not set, then a digest will be used that gives an output matching
+the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it 224
+or B<sha256> if it is 256.
+
+=back
+
+=head2 DH Parameter Generation Options
+
+=over 4
+
+=item B<dh_paramgen_prime_len>:I<numbits>
+
+The number of bits in the prime parameter I<p>. The default is 2048.
+
+=item B<dh_paramgen_subprime_len>:I<numbits>
+
+The number of bits in the sub prime parameter I<q>. The default is 256 if the
+prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
+conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
+
+=item B<dh_paramgen_generator>:I<value>
+
+The value to use for the generator I<g>. The default is 2.
+
+=item B<dh_paramgen_type>:I<value>
+
+The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
+The default is 0.
+
+=item B<dh_rfc5114>:I<num>
+
+If this option is set, then the appropriate RFC5114 parameters are used
+instead of generating new parameters. The value I<num> can be one of
+1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
+1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
+and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
+2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
+options.
+
+=back
+
+=head2 EC Parameter Generation Options
+
+The EC parameter generation options are the same as for key generation. See
+L</EC Key Generation Options> above.
+
+=head1 NOTES
+
+The use of the genpkey program is encouraged over the algorithm specific
+utilities because additional algorithm options and ENGINE provided algorithms
+can be used.
+
+=head1 EXAMPLES
+
+Generate an RSA private key using default parameters:
+
+ openssl genpkey -algorithm RSA -out key.pem
+
+Encrypt output private key using 128 bit AES and the passphrase "hello":
+
+ openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
+
+Generate a 2048 bit RSA key using 3 as the public exponent:
+
+ openssl genpkey -algorithm RSA -out key.pem \
+ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
+
+Generate 2048 bit DSA parameters:
+
+ openssl genpkey -genparam -algorithm DSA -out dsap.pem \
+ -pkeyopt dsa_paramgen_bits:2048
+
+Generate DSA key from parameters:
+
+ openssl genpkey -paramfile dsap.pem -out dsakey.pem
+
+Generate 2048 bit DH parameters:
+
+ openssl genpkey -genparam -algorithm DH -out dhp.pem \
+ -pkeyopt dh_paramgen_prime_len:2048
+
+Generate 2048 bit X9.42 DH parameters:
+
+ openssl genpkey -genparam -algorithm DH -out dhpx.pem \
+ -pkeyopt dh_paramgen_prime_len:2048 \
+ -pkeyopt dh_paramgen_type:1
+
+Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
+
+ openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
+
+Generate DH key from parameters:
+
+ openssl genpkey -paramfile dhp.pem -out dhkey.pem
+
+Generate EC parameters:
+
+ openssl genpkey -genparam -algorithm EC -out ecp.pem \
+ -pkeyopt ec_paramgen_curve:secp384r1 \
+ -pkeyopt ec_param_enc:named_curve
+
+Generate EC key from parameters:
+
+ openssl genpkey -paramfile ecp.pem -out eckey.pem
+
+Generate EC key directly:
+
+ openssl genpkey -algorithm EC -out eckey.pem \
+ -pkeyopt ec_paramgen_curve:P-384 \
+ -pkeyopt ec_param_enc:named_curve
+
+Generate an X25519 private key:
+
+ openssl genpkey -algorithm X25519 -out xkey.pem
+
+Generate an ED448 private key:
+
+ openssl genpkey -algorithm ED448 -out xkey.pem
+
+=head1 HISTORY
+
+The ability to use NIST curve names, and to generate an EC key directly,
+were added in OpenSSL 1.0.2.
+The ability to generate X25519 keys was added in OpenSSL 1.1.0.
+The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
+
+=head1 COPYRIGHT
+
+Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-des3>]
[B<-idea>]
[B<-f4>|B<-3>]
-[B<-engine> I<id>]
[B<-primes> I<num>]
[B<-verbose>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[B<numbits>]
=for openssl ifdef engine
The public exponent to use, either 65537 or 3. The default is 65537.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-primes> I<num>
Specify the number of primes to use while generating the RSA key. The I<num>
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=item B<numbits>
The size of the private key to generate in bits. This must be the last option
[B<-CSP> I<name>]
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 NOTES
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-pkcs7 - PKCS#7 utility
-
-=head1 SYNOPSIS
-
-B<openssl> B<pkcs7>
-[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-in> I<filename>]
-[B<-out> I<filename>]
-[B<-print_certs>]
-[B<-text>]
-[B<-noout>]
-[B<-engine> I<id>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-This command processes PKCS#7 files. Note that it only understands PKCS#7
-v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as
-described in IETF RFC 2630.
-
-There is no option to print out all the fields of a PKCS#7 file.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-
-The input and formats; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-The data is a PKCS#7 Version 1.5 structure.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read from or standard input if this
-option is not specified.
-
-=item B<-out> I<filename>
-
-Specifies the output filename to write to or standard output by
-default.
-
-=item B<-print_certs>
-
-Prints out any certificates or CRLs contained in the file. They are
-preceded by their subject and issuer names in one line format.
-
-=item B<-text>
-
-Prints out certificates details in full rather than just subject and
-issuer names.
-
-=item B<-noout>
-
-Don't output the encoded version of the PKCS#7 structure (or certificates
-is B<-print_certs> is set).
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=back
-
-=head1 EXAMPLES
-
-Convert a PKCS#7 file from PEM to DER:
-
- openssl pkcs7 -in file.pem -outform DER -out file.der
-
-Output all certificates in a file:
-
- openssl pkcs7 -in file.pem -print_certs -out certs.pem
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-crl2pkcs7(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-help>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-print_certs>]
+[B<-text>]
+[B<-noout>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+This command processes PKCS#7 files. Note that it only understands PKCS#7
+v 1.5 as specified in IETF RFC 2315. It cannot currently parse CMS as
+described in IETF RFC 2630.
+
+There is no option to print out all the fields of a PKCS#7 file.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+The data is a PKCS#7 Version 1.5 structure.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out> I<filename>
+
+Specifies the output filename to write to or standard output by
+default.
+
+=item B<-print_certs>
+
+Prints out any certificates or CRLs contained in the file. They are
+preceded by their subject and issuer names in one line format.
+
+=item B<-text>
+
+Prints out certificates details in full rather than just subject and
+issuer names.
+
+=item B<-noout>
+
+Don't output the encoded version of the PKCS#7 structure (or certificates
+is B<-print_certs> is set).
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+Convert a PKCS#7 file from PEM to DER:
+
+ openssl pkcs7 -in file.pem -outform DER -out file.der
+
+Output all certificates in a file:
+
+ openssl pkcs7 -in file.pem -print_certs -out certs.pem
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-crl2pkcs7(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-v2> I<alg>]
[B<-v2prf> I<alg>]
[B<-v1> I<alg>]
-[B<-engine> I<id>]
[B<-scrypt>]
[B<-scrypt_N> I<N>]
[B<-scrypt_r> I<r>]
[B<-scrypt_p> I<p>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine scrypt scrypt_N scrypt_r scrypt_p
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-scrypt>
Uses the B<scrypt> algorithm for private key encryption using default
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 NOTES
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-pkey - public or private key processing tool
-
-=head1 SYNOPSIS
-
-B<openssl> B<pkey>
-[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-in> I<filename>]
-[B<-passin> I<arg>]
-[B<-out> I<filename>]
-[B<-passout> I<arg>]
-[B<-traditional>]
-[B<-I<cipher>>]
-[B<-text>]
-[B<-text_pub>]
-[B<-noout>]
-[B<-pubin>]
-[B<-pubout>]
-[B<-engine> I<id>]
-[B<-check>]
-[B<-pubcheck>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-This command processes public or private keys. They can be
-converted between various forms and their components printed out.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-
-The input and formats; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-
-=item B<-passin> I<arg>, B<-passout> I<arg>
-
-The password source for the input and output file.
-For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-out> I<filename>
-
-This specifies the output filename to write a key to or standard output if this
-option is not specified. If any encryption options are set then a pass phrase
-will be prompted for. The output filename should B<not> be the same as the input
-filename.
-
-=item B<-traditional>
-
-Normally a private key is written using standard format: this is PKCS#8 form
-with the appropriate encryption algorithm (if any). If the B<-traditional>
-option is specified then the older "traditional" format is used instead.
-
-=item B<-I<cipher>>
-
-These options encrypt the private key with the supplied cipher. Any algorithm
-name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
-
-=item B<-text>
-
-Prints out the various public or private key components in
-plain text in addition to the encoded version.
-
-=item B<-text_pub>
-
-Print out only public key components even if a private key is being processed.
-
-=item B<-noout>
-
-Do not output the encoded version of the key.
-
-=item B<-pubin>
-
-By default a private key is read from the input file: with this
-option a public key is read instead.
-
-=item B<-pubout>
-
-By default a private key is output: with this option a public
-key will be output instead. This option is automatically set if
-the input is a public key.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=item B<-check>
-
-This option checks the consistency of a key pair for both public and private
-components.
-
-=item B<-pubcheck>
-
-This option checks the correctness of either a public key or the public component
-of a key pair.
-
-=back
-
-=head1 EXAMPLES
-
-To remove the pass phrase on an RSA private key:
-
- openssl pkey -in key.pem -out keyout.pem
-
-To encrypt a private key using triple DES:
-
- openssl pkey -in key.pem -des3 -out keyout.pem
-
-To convert a private key from PEM to DER format:
-
- openssl pkey -in key.pem -outform DER -out keyout.der
-
-To print out the components of a private key to standard output:
-
- openssl pkey -in key.pem -text -noout
-
-To print out the public components of a private key to standard output:
-
- openssl pkey -in key.pem -text_pub -noout
-
-To just output the public part of a private key:
-
- openssl pkey -in key.pem -pubout -out pubkey.pem
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-genpkey(1)>,
-L<openssl-rsa(1)>,
-L<openssl-pkcs8(1)>,
-L<openssl-dsa(1)>,
-L<openssl-genrsa(1)>,
-L<openssl-gendsa(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-pkey - public or private key processing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkey>
+[B<-help>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-traditional>]
+[B<-I<cipher>>]
+[B<-text>]
+[B<-text_pub>]
+[B<-noout>]
+[B<-pubin>]
+[B<-pubout>]
+[B<-check>]
+[B<-pubcheck>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+This command processes public or private keys. They can be
+converted between various forms and their components printed out.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin> I<arg>, B<-passout> I<arg>
+
+The password source for the input and output file.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-out> I<filename>
+
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-traditional>
+
+Normally a private key is written using standard format: this is PKCS#8 form
+with the appropriate encryption algorithm (if any). If the B<-traditional>
+option is specified then the older "traditional" format is used instead.
+
+=item B<-I<cipher>>
+
+These options encrypt the private key with the supplied cipher. Any algorithm
+name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
+
+=item B<-text>
+
+Prints out the various public or private key components in
+plain text in addition to the encoded version.
+
+=item B<-text_pub>
+
+Print out only public key components even if a private key is being processed.
+
+=item B<-noout>
+
+Do not output the encoded version of the key.
+
+=item B<-pubin>
+
+By default a private key is read from the input file: with this
+option a public key is read instead.
+
+=item B<-pubout>
+
+By default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+
+=item B<-check>
+
+This option checks the consistency of a key pair for both public and private
+components.
+
+=item B<-pubcheck>
+
+This option checks the correctness of either a public key or the public component
+of a key pair.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+To remove the pass phrase on an RSA private key:
+
+ openssl pkey -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl pkey -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format:
+
+ openssl pkey -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl pkey -in key.pem -text -noout
+
+To print out the public components of a private key to standard output:
+
+ openssl pkey -in key.pem -text_pub -noout
+
+To just output the public part of a private key:
+
+ openssl pkey -in key.pem -pubout -out pubkey.pem
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-genpkey(1)>,
+L<openssl-rsa(1)>,
+L<openssl-pkcs8(1)>,
+L<openssl-dsa(1)>,
+L<openssl-genrsa(1)>,
+L<openssl-gendsa(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-pkeyparam - public key algorithm parameter processing tool
-
-=head1 SYNOPSIS
-
-B<openssl> B<pkeyparam>
-[B<-help>]
-[B<-in> I<filename>]
-[B<-out> I<filename>]
-[B<-text>]
-[B<-noout>]
-[B<-engine> I<id>]
-[B<-check>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-This command processes public key algorithm parameters.
-They can be checked for correctness and their components printed out.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read parameters from or standard input if
-this option is not specified.
-
-=item B<-out> I<filename>
-
-This specifies the output filename to write parameters to or standard output if
-this option is not specified.
-
-=item B<-text>
-
-Prints out the parameters in plain text in addition to the encoded version.
-
-=item B<-noout>
-
-Do not output the encoded version of the parameters.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=item B<-check>
-
-This option checks the correctness of parameters.
-
-=back
-
-=head1 EXAMPLES
-
-Print out text version of parameters:
-
- openssl pkeyparam -in param.pem -text
-
-=head1 NOTES
-
-There are no B<-inform> or B<-outform> options for this command because only
-PEM format is supported because the key type is determined by the PEM headers.
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-genpkey(1)>,
-L<openssl-rsa(1)>,
-L<openssl-pkcs8(1)>,
-L<openssl-dsa(1)>,
-L<openssl-genrsa(1)>,
-L<openssl-gendsa(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-pkeyparam - public key algorithm parameter processing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkeyparam>
+[B<-help>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-text>]
+[B<-noout>]
+[B<-check>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+This command processes public key algorithm parameters.
+They can be checked for correctness and their components printed out.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+
+=item B<-out> I<filename>
+
+This specifies the output filename to write parameters to or standard output if
+this option is not specified.
+
+=item B<-text>
+
+Prints out the parameters in plain text in addition to the encoded version.
+
+=item B<-noout>
+
+Do not output the encoded version of the parameters.
+
+=item B<-check>
+
+This option checks the correctness of parameters.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+Print out text version of parameters:
+
+ openssl pkeyparam -in param.pem -text
+
+=head1 NOTES
+
+There are no B<-inform> or B<-outform> options for this command because only
+PEM format is supported because the key type is determined by the PEM headers.
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-genpkey(1)>,
+L<openssl-rsa(1)>,
+L<openssl-pkcs8(1)>,
+L<openssl-dsa(1)>,
+L<openssl-genrsa(1)>,
+L<openssl-gendsa(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
[B<-asn1parse>]
-[B<-engine> I<id>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-engine_impl>]
{- $OpenSSL::safe::opt_r_synopsis -}
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+{- $OpenSSL::safe::opt_engine_item -}
=item B<-engine_impl>
[B<-sigopt> I<nm>:I<v>]
[B<-batch>]
[B<-verbose>]
-[B<-engine> I<id>]
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine keygen_engine sm2-id sm2-hex-id
Print extra details about the operations being performed.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-keygen_engine> I<id>
Specifies an engine (by its unique I<id> string) which would be used
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 CONFIGURATION FILE FORMAT
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-rsa - RSA key processing tool
-
-=head1 SYNOPSIS
-
-B<openssl> B<rsa>
-[B<-help>]
-[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>]
-[B<-in> I<filename>]
-[B<-passin> I<arg>]
-[B<-out> I<filename>]
-[B<-passout> I<arg>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-aria128>]
-[B<-aria192>]
-[B<-aria256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
-[B<-des>]
-[B<-des3>]
-[B<-idea>]
-[B<-text>]
-[B<-noout>]
-[B<-modulus>]
-[B<-check>]
-[B<-pubin>]
-[B<-pubout>]
-[B<-RSAPublicKey_in>]
-[B<-RSAPublicKey_out>]
-[B<-engine> I<id>]
-
-=for openssl ifdef pvk-strong pvk-weak pvk-none engine
-
-=head1 DESCRIPTION
-
-This command processes RSA keys. They can be converted between
-various forms and their components printed out. B<Note> this command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the
-L<openssl-pkcs8(1)> command.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-
-=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-
-The input and formats; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-=item B<-inform> B<DER>|B<PEM>
-
-The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
-On input, PKCS#8 format private keys are also accepted.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-
-=item B<-passin> I<arg>, B<-passout> I<arg>
-
-The password source for the input and output file.
-For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-out> I<filename>
-
-This specifies the output filename to write a key to or standard output if this
-option is not specified. If any encryption options are set then a pass phrase
-will be prompted for. The output filename should B<not> be the same as the input
-filename.
-
-=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
-
-These options encrypt the private key with the specified
-cipher before outputting it. A pass phrase is prompted for.
-If none of these options is specified the key is written in plain text. This
-means that this command can be used to remove the pass phrase from a key
-by not giving any encryption option is given, or to add or change the pass
-phrase by setting them.
-These options can only be used with PEM format output files.
-
-=item B<-text>
-
-Prints out the various public or private key components in
-plain text in addition to the encoded version.
-
-=item B<-noout>
-
-This option prevents output of the encoded version of the key.
-
-=item B<-modulus>
-
-This option prints out the value of the modulus of the key.
-
-=item B<-check>
-
-This option checks the consistency of an RSA private key.
-
-=item B<-pubin>
-
-By default a private key is read from the input file: with this
-option a public key is read instead.
-
-=item B<-pubout>
-
-By default a private key is output: with this option a public
-key will be output instead. This option is automatically set if
-the input is a public key.
-
-=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
-
-Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=back
-
-=head1 EXAMPLES
-
-To remove the pass phrase on an RSA private key:
-
- openssl rsa -in key.pem -out keyout.pem
-
-To encrypt a private key using triple DES:
-
- openssl rsa -in key.pem -des3 -out keyout.pem
-
-To convert a private key from PEM to DER format:
-
- openssl rsa -in key.pem -outform DER -out keyout.der
-
-To print out the components of a private key to standard output:
-
- openssl rsa -in key.pem -text -noout
-
-To just output the public part of a private key:
-
- openssl rsa -in key.pem -pubout -out pubkey.pem
-
-Output the public part of a private key in B<RSAPublicKey> format:
-
- openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
-
-=head1 BUGS
-
-There should be an option that automatically handles F<.key> files,
-without having to manually edit them.
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-pkcs8(1)>,
-L<openssl-dsa(1)>,
-L<openssl-genrsa(1)>,
-L<openssl-gendsa(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-rsa - RSA key processing tool
+
+=head1 SYNOPSIS
+
+B<openssl> B<rsa>
+[B<-help>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-aria128>]
+[B<-aria192>]
+[B<-aria256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-modulus>]
+[B<-check>]
+[B<-pubin>]
+[B<-pubout>]
+[B<-RSAPublicKey_in>]
+[B<-RSAPublicKey_out>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef pvk-strong pvk-weak pvk-none engine
+
+=head1 DESCRIPTION
+
+This command processes RSA keys. They can be converted between
+various forms and their components printed out. B<Note> this command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the
+L<openssl-pkcs8(1)> command.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
+
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-inform> B<DER>|B<PEM>
+
+The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
+On input, PKCS#8 format private keys are also accepted.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin> I<arg>, B<-passout> I<arg>
+
+The password source for the input and output file.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-out> I<filename>
+
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
+
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+Prints out the various public or private key components in
+plain text in addition to the encoded version.
+
+=item B<-noout>
+
+This option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+This option prints out the value of the modulus of the key.
+
+=item B<-check>
+
+This option checks the consistency of an RSA private key.
+
+=item B<-pubin>
+
+By default a private key is read from the input file: with this
+option a public key is read instead.
+
+=item B<-pubout>
+
+By default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+
+=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
+
+Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+To remove the pass phrase on an RSA private key:
+
+ openssl rsa -in key.pem -out keyout.pem
+
+To encrypt a private key using triple DES:
+
+ openssl rsa -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format:
+
+ openssl rsa -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl rsa -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl rsa -in key.pem -pubout -out pubkey.pem
+
+Output the public part of a private key in B<RSAPublicKey> format:
+
+ openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
+
+=head1 BUGS
+
+There should be an option that automatically handles F<.key> files,
+without having to manually edit them.
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-pkcs8(1)>,
+L<openssl-dsa(1)>,
+L<openssl-genrsa(1)>,
+L<openssl-gendsa(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-starttls> I<protocol>]
[B<-xmpphost> I<hostname>]
[B<-name> I<hostname>]
-[B<-engine> I<id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
[B<-sess_out> I<filename>]
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<host>:I<port>]
=for openssl ifdef engine ssl_client_engine ct noct ctlogfile
Load SSL session from I<filename>. The client will attempt to resume a
connection from this session.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-serverinfo> I<types>
A list of comma-separated TLS Extension Types (numbers between 0 and
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 CONNECTED COMMANDS
[B<-nextprotoneg> I<val>]
[B<-use_srtp> I<val>]
[B<-alpn> I<val>]
-[B<-engine> I<val>]
[B<-keylogfile> I<outfile>]
[B<-max_early_data> I<int>]
[B<-early_data>]
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
-=item B<-engine> I<val>
-
-Specifying an engine (by its unique id string in I<val>) will cause
-this command to attempt to obtain a functional reference to the
-specified engine, thus initialising it if needed. The engine will then be
-set as the default for all available algorithms.
-
=item B<-keylogfile> I<outfile>
Appends TLS secrets to the specified keylog file such that external programs
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head1 CONNECTED COMMANDS
B<openssl speed>
[B<-help>]
-[B<-engine> I<id>]
[B<-elapsed>]
[B<-evp> I<algo>]
[B<-hmac> I<algo>]
[B<-seconds> I<num>]
[B<-bytes> I<num>]
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[I<algorithm> ...]
=for openssl ifdef cmac multi async_jobs engine
Print out a usage message.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-elapsed>
When calculating operations- or bytes-per-second, use wall-clock time
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=item I<algorithm> ...
If any I<algorithm> is given, then those algorithms are tested, otherwise a
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-spkac - SPKAC printing and generating utility
-
-=head1 SYNOPSIS
-
-B<openssl> B<spkac>
-[B<-help>]
-[B<-in> I<filename>]
-[B<-out> I<filename>]
-[B<-key> I<keyfile>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
-[B<-passin> I<arg>]
-[B<-challenge> I<string>]
-[B<-pubkey>]
-[B<-spkac> I<spkacname>]
-[B<-spksect> I<section>]
-[B<-noout>]
-[B<-verify>]
-[B<-engine> I<id>]
-
-=for openssl ifdef engine
-
-=head1 DESCRIPTION
-
-This command processes Netscape signed public key and challenge
-(SPKAC) files. It can print out their contents, verify the signature and
-produce its own SPKACs from a supplied private key.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-in> I<filename>
-
-This specifies the input filename to read from or standard input if this
-option is not specified. Ignored if the B<-key> option is used.
-
-=item B<-out> I<filename>
-
-Specifies the output filename to write to or standard output by
-default.
-
-=item B<-key> I<keyfile>
-
-Create an SPKAC file using the private key in I<keyfile>. The
-B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
-present.
-
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
-
-The key format; the default is B<PEM>.
-See L<openssl(1)/Format Options> for details.
-
-=item B<-passin> I<arg>
-
-The input file password source. For more information about the format of I<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-challenge> I<string>
-
-Specifies the challenge string if an SPKAC is being created.
-
-=item B<-spkac> I<spkacname>
-
-Allows an alternative name form the variable containing the
-SPKAC. The default is "SPKAC". This option affects both
-generated and input SPKAC files.
-
-=item B<-spksect> I<section>
-
-Allows an alternative name form the section containing the
-SPKAC. The default is the default section.
-
-=item B<-noout>
-
-Don't output the text version of the SPKAC (not used if an
-SPKAC is being created).
-
-=item B<-pubkey>
-
-Output the public key of an SPKAC (not used if an SPKAC is
-being created).
-
-=item B<-verify>
-
-Verifies the digital signature on the supplied SPKAC.
-
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
-=back
-
-=head1 EXAMPLES
-
-Print out the contents of an SPKAC:
-
- openssl spkac -in spkac.cnf
-
-Verify the signature of an SPKAC:
-
- openssl spkac -in spkac.cnf -noout -verify
-
-Create an SPKAC using the challenge string "hello":
-
- openssl spkac -key key.pem -challenge hello -out spkac.cnf
-
-Example of an SPKAC, (long lines split up for clarity):
-
- SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\
- 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\
- 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\
- FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\
- h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\
- dq+NQ3F+X4deMx9AaEglZtULwV4=
-
-=head1 NOTES
-
-A created SPKAC with suitable DN components appended can be fed to
-L<openssl-ca(1)>.
-
-SPKACs are typically generated by Netscape when a form is submitted
-containing the B<KEYGEN> tag as part of the certificate enrollment
-process.
-
-The challenge string permits a primitive form of proof of possession
-of private key. By checking the SPKAC signature and a random challenge
-string some guarantee is given that the user knows the private key
-corresponding to the public key being certified. This is important in
-some applications. Without this it is possible for a previous SPKAC
-to be used in a "replay attack".
-
-=head1 SEE ALSO
-
-L<openssl(1)>,
-L<openssl-ca(1)>
-
-=head1 COPYRIGHT
-
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-spkac - SPKAC printing and generating utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<spkac>
+[B<-help>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-key> I<keyfile>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-passin> I<arg>]
+[B<-challenge> I<string>]
+[B<-pubkey>]
+[B<-spkac> I<spkacname>]
+[B<-spksect> I<section>]
+[B<-noout>]
+[B<-verify>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+
+=for openssl ifdef engine
+
+=head1 DESCRIPTION
+
+This command processes Netscape signed public key and challenge
+(SPKAC) files. It can print out their contents, verify the signature and
+produce its own SPKACs from a supplied private key.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-in> I<filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified. Ignored if the B<-key> option is used.
+
+=item B<-out> I<filename>
+
+Specifies the output filename to write to or standard output by
+default.
+
+=item B<-key> I<keyfile>
+
+Create an SPKAC file using the private key in I<keyfile>. The
+B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
+present.
+
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+
+The key format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-passin> I<arg>
+
+The input file password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-challenge> I<string>
+
+Specifies the challenge string if an SPKAC is being created.
+
+=item B<-spkac> I<spkacname>
+
+Allows an alternative name form the variable containing the
+SPKAC. The default is "SPKAC". This option affects both
+generated and input SPKAC files.
+
+=item B<-spksect> I<section>
+
+Allows an alternative name form the section containing the
+SPKAC. The default is the default section.
+
+=item B<-noout>
+
+Don't output the text version of the SPKAC (not used if an
+SPKAC is being created).
+
+=item B<-pubkey>
+
+Output the public key of an SPKAC (not used if an SPKAC is
+being created).
+
+=item B<-verify>
+
+Verifies the digital signature on the supplied SPKAC.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 EXAMPLES
+
+Print out the contents of an SPKAC:
+
+ openssl spkac -in spkac.cnf
+
+Verify the signature of an SPKAC:
+
+ openssl spkac -in spkac.cnf -noout -verify
+
+Create an SPKAC using the challenge string "hello":
+
+ openssl spkac -key key.pem -challenge hello -out spkac.cnf
+
+Example of an SPKAC, (long lines split up for clarity):
+
+ SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\
+ 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\
+ 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\
+ FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\
+ h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\
+ dq+NQ3F+X4deMx9AaEglZtULwV4=
+
+=head1 NOTES
+
+A created SPKAC with suitable DN components appended can be fed to
+L<openssl-ca(1)>.
+
+SPKACs are typically generated by Netscape when a form is submitted
+containing the B<KEYGEN> tag as part of the certificate enrollment
+process.
+
+The challenge string permits a primitive form of proof of possession
+of private key. By checking the SPKAC signature and a random challenge
+string some guarantee is given that the user knows the private key
+corresponding to the public key being certified. This is important in
+some applications. Without this it is possible for a previous SPKAC
+to be used in a "replay attack".
+
+=head1 SEE ALSO
+
+L<openssl(1)>,
+L<openssl-ca(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
+++ /dev/null
-=pod
-
-=head1 NAME
-
-openssl-storeutl - STORE utility
-
-=head1 SYNOPSIS
-
-B<openssl> B<storeutl>
-[B<-help>]
-[B<-out> I<file>]
-[B<-noout>]
-[B<-passin> I<arg>]
-[B<-text> I<arg>]
-[B<-engine> I<id>]
-[B<-r>]
-[B<-certs>]
-[B<-keys>]
-[B<-crls>]
-[B<-subject> I<arg>]
-[B<-issuer> I<arg>]
-[B<-serial> I<arg>]
-[B<-alias> I<arg>]
-[B<-fingerprint> I<arg>]
-[B<-I<digest>>]
-I<uri> ...
-
-=head1 DESCRIPTION
-
-This command can be used to display the contents (after
-decryption as the case may be) fetched from the given URIs.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print out a usage message.
-
-=item B<-out> I<filename>
-
-specifies the output filename to write to or standard output by
-default.
-
-=item B<-noout>
-
-this option prevents output of the PEM data.
-
-=item B<-passin> I<arg>
-
-the key password source. For more information about the format of I<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
-=item B<-text>
-
-Prints out the objects in text form, similarly to the B<-text> output from
-L<openssl-x509(1)>, L<openssl-pkey(1)>, etc.
-
-=item B<-engine> I<id>
-
-specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
-
-=item B<-r>
-
-Fetch objects recursively when possible.
-
-=item B<-certs>
-
-=item B<-keys>
-
-=item B<-crls>
-
-Only select the certificates, keys or CRLs from the given URI.
-However, if this URI would return a set of names (URIs), those are always
-returned.
-
-=item B<-subject> I<arg>
-
-Search for an object having the subject name I<arg>.
-The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
-Keyword characters may be escaped by \ (backslash), and whitespace is retained.
-Empty values are permitted but are ignored for the search. That is,
-a search with an empty value will have the same effect as not specifying
-the type at all.
-
-=item B<-issuer> I<arg>
-
-=item B<-serial> I<arg>
-
-Search for an object having the given issuer name and serial number.
-These two options I<must> be used together.
-The issuer arg must be formatted as C</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
-The serial arg may be specified as a decimal value or a hex value if preceded
-by C<0x>.
-
-=item B<-alias> I<arg>
-
-Search for an object having the given alias.
-
-=item B<-fingerprint> I<arg>
-
-Search for an object having the given fingerprint.
-
-=item B<-I<digest>>
-
-The digest that was used to compute the fingerprint given with B<-fingerprint>.
-
-=back
-
-=head1 SEE ALSO
-
-L<openssl(1)>
-
-=head1 HISTORY
-
-This command was added in OpenSSL 1.1.1.
-
-=head1 COPYRIGHT
-
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
--- /dev/null
+=pod
+
+=begin comment
+{- join("\n", @autowarntext) -}
+
+=end comment
+
+=head1 NAME
+
+openssl-storeutl - STORE utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<storeutl>
+[B<-help>]
+[B<-out> I<file>]
+[B<-noout>]
+[B<-passin> I<arg>]
+[B<-text> I<arg>]
+[B<-r>]
+[B<-certs>]
+[B<-keys>]
+[B<-crls>]
+[B<-subject> I<arg>]
+[B<-issuer> I<arg>]
+[B<-serial> I<arg>]
+[B<-alias> I<arg>]
+[B<-fingerprint> I<arg>]
+[B<-I<digest>>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
+I<uri> ...
+
+=head1 DESCRIPTION
+
+This command can be used to display the contents (after
+decryption as the case may be) fetched from the given URIs.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-out> I<filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-noout>
+
+this option prevents output of the PEM data.
+
+=item B<-passin> I<arg>
+
+the key password source. For more information about the format of I<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-text>
+
+Prints out the objects in text form, similarly to the B<-text> output from
+L<openssl-x509(1)>, L<openssl-pkey(1)>, etc.
+
+=item B<-r>
+
+Fetch objects recursively when possible.
+
+=item B<-certs>
+
+=item B<-keys>
+
+=item B<-crls>
+
+Only select the certificates, keys or CRLs from the given URI.
+However, if this URI would return a set of names (URIs), those are always
+returned.
+
+=item B<-subject> I<arg>
+
+Search for an object having the subject name I<arg>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
+Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Empty values are permitted but are ignored for the search. That is,
+a search with an empty value will have the same effect as not specifying
+the type at all.
+
+=item B<-issuer> I<arg>
+
+=item B<-serial> I<arg>
+
+Search for an object having the given issuer name and serial number.
+These two options I<must> be used together.
+The issuer arg must be formatted as C</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+The serial arg may be specified as a decimal value or a hex value if preceded
+by C<0x>.
+
+=item B<-alias> I<arg>
+
+Search for an object having the given alias.
+
+=item B<-fingerprint> I<arg>
+
+Search for an object having the given fingerprint.
+
+=item B<-I<digest>>
+
+The digest that was used to compute the fingerprint given with B<-fingerprint>.
+
+{- $OpenSSL::safe::opt_engine_item -}
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)>
+
+=head1 HISTORY
+
+This command was added in OpenSSL 1.1.1.
+
+=head1 COPYRIGHT
+
+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
[B<-out> I<response.tsr>]
[B<-token_out>]
[B<-text>]
-[B<-engine> I<id>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
B<openssl> B<ts>
B<-verify>
If this option is specified the output is human-readable text format
instead of DER. (Optional)
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms. Default is built-in. (Optional)
+{- $OpenSSL::safe::opt_engine_item -}
=back
[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
-[B<-engine> I<id>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-sm2-hex-id> I<hex-string>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-->]
[I<certificate> ...]
Checks the validity of B<all> certificates in the chain by attempting
to look up valid CRLs.
-=item B<-engine> I<id>
-
-Specifying an engine I<id> will cause this command to attempt to load the
-specified engine.
-The engine will then be set as the default for all its supported algorithms.
-If you want to load certificates or CRLs that require engine support via any of
-the B<-trusted>, B<-untrusted> or B<-CRLfile> options, the B<-engine> option
-must be specified before those options.
-
=item B<-explicit_policy>
Set policy variable require-explicit-policy (see RFC5280).
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_engine_item -}
+To load certificates or CRLs that require engine support, specify the
+B<-engine> option before any of the
+B<-trusted>, B<-untrusted> or B<-CRLfile> options.
+
=item B<-->
Indicates the last option. All arguments following this are assumed to be
[B<-extfile> I<filename>]
[B<-extensions> I<section>]
[B<-sigopt> I<nm>:I<v>]
-[B<-engine> I<id>]
[B<-preserve_dates>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
=for openssl ifdef engine subject_hash_old issuer_hash_old
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-engine> I<id>
-
-Specifying an engine (by its unique I<id> string) will cause this command
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-
=item B<-preserve_dates>
When signing a certificate, preserve the "notBefore" and "notAfter" dates
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_item -}
+
=back
=head2 Display Options
=back
+=head2 Engine Options
+
+=over 4
+
+=item B<-engine> I<id>
+
+Use the engine identified by I<id> and use all the methods it
+implements (algorithms, key storage, etc.), unless specified otherwise in
+the command-specific documentation or it is configured to do so, as described
+in L<config(5)/Engine Configuration Module>.
+
+=back
+
=head1 ENVIRONMENT
The OpenSSL library can be take some configuration parameters from the
. "\n"
. "See L<openssl(1)/Random State Options> for details.";
+# Engine option
+$OpenSSL::safe::opt_engine_synopsis = ""
+. "[B<-engine> I<id>]";
+$OpenSSL::safe::opt_engine_item = ""
+. "=item B<-engine> I<id>\n"
+. "\n"
+. "See L<openssl(1)/Engine Options>.";
+
# Trusted certs options
$OpenSSL::safe::opt_trust_synopsis = ""
. "[B<-CAfile> I<file>]\n"
projects / oweals / openssl.git / commitdiff