Add info about the header and footer lines used in PEM formats

and add an nseq manpage.

Add info about the header and footer lines used in PEM formats
and add an nseq manpage.
0286d944 · Dr. Stephen Henson · 938ead8f · 0286d944 · 0286d944 · 0286d944
7 changed file
--- a/doc/man/dsa.pod
+++ b/doc/man/dsa.pod
@@ -117,6 +117,13 @@ a public key.

 =back

+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
 =head1 EXAMPLES

 To remove the pass phrase on a DSA private key:

--- a/doc/man/dsaparam.pod
+++ b/doc/man/dsaparam.pod
@@ -82,6 +82,11 @@ the input file (if any) is ignored.

 =head1 NOTES

+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
 DSA parameter generation is a slow process and as a result the same set of
 DSA parameters is often used to generate several distinct keys.


--- a/doc/man/nseq.pod
+++ b/doc/man/nseq.pod
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate erollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut
--- a/doc/man/pkcs8.pod
+++ b/doc/man/pkcs8.pod
@@ -93,6 +93,17 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.

 =head1 NOTES

+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
 counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered

--- a/doc/man/req.pod
+++ b/doc/man/req.pod
@@ -371,11 +371,17 @@ Sample configuration file:

 =head1 NOTES

-The header and footer lines in the B<PEM> format contain the words
-B<BEGIN CERTIFICATE REQUEST> and B<END CERTIFICATE REQUEST> some software
-(for example some versions of Netscape certificate server) requires the
-words B<BEGIN NEW CERTIFICATE REQUEST> and B<END NEW CERTIFICATE REQUEST>
-instead.
+The header and footer lines in the B<PEM> format are respectively:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+but is otherwise compatible. Either form is accepted on input.

 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of

--- a/doc/man/rsa.pod
+++ b/doc/man/rsa.pod
@@ -123,6 +123,13 @@ a public key.

 =back

+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
 =head1 EXAMPLES

 To remove the pass phrase on an RSA private key:

--- a/doc/man/x509.pod
+++ b/doc/man/x509.pod
@@ -371,6 +371,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to
 	openssl x509 -in cert.pem -addtrust sslclient \
 		-alias "Steve's Class 1 CA" -out trust.pem

+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
 =head1 BUGS

 The way DNs are printed is in a "historical SSLeay" format which doesn't