Command docs: replacables are in italics, options always start with a dash

Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

doc/man1/CA.pl.pod

@@ -120,7 +120,7 @@ Verifies certificates against the CA certificate for "demoCA". If no
 certificates are specified on the command line it tries to verify the file
 "newcert.pem".  Invokes B<openssl verify> command.
 
-=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
+=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
 
 The purpose of these parameters is to allow optional parameters to be supplied
 to B<openssl> that this command executes. The B<-extra-cmd> are specific to the

doc/man1/openssl-asn1parse.pod

@@ -39,7 +39,7 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>
 
-The input format. I<DER> is binary format and I<PEM> (the default) is base64
+The input format. B<DER> is binary format and B<PEM> (the default) is base64
 encoded.
 
 =item B<-in> I<filename>
@@ -88,12 +88,12 @@ option can be used multiple times to "drill down" into a nested structure.
 
 =item B<-genstr> I<string>, B<-genconf> I<file>
 
-Generate encoded data based on B<string>, B<file> or both using
-L<ASN1_generate_nconf(3)> format. If B<file> only is
+Generate encoded data based on I<string>, I<file> or both using
+L<ASN1_generate_nconf(3)> format. If I<file> only is
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
 though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<-out> option.
 
 =item B<-strictpem>
 
@@ -105,8 +105,8 @@ END marker in a PEM file.
 
 =item B<-item> I<name>
 
-Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
-print out the fields of any supported ASN.1 structure if the type is known.
+Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
+to print out the fields of any supported ASN.1 structure if the type is known.
 
 =back
 

doc/man1/openssl-ca.pod

@@ -251,7 +251,7 @@ used).
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique I<id> string) will cause B<ca>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -259,7 +259,7 @@ for all available algorithms.
 =item B<-subj> I<arg>
 
 Supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
 Keyword characters may be escaped by \ (backslash), and whitespace is retained.
 Empty values are permitted, but the corresponding type will not be included
 in the resulting certificate.
@@ -291,7 +291,7 @@ support for multivalued RDNs. Example:
 
 I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
 
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If B<-multi-rdn> is not used then the UID value is I<123456+CN=John Doe>.
 
 =item B<-rand> I<files>
 
@@ -353,9 +353,9 @@ Updates the database index to purge expired certificates.
 
 =item B<-crl_reason> I<reason>
 
-Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
-B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
 insensitive. Setting any revocation reason will make the CRL v2.
 
 In practice B<removeFromCRL> is not particularly useful because it is only used
@@ -364,14 +364,14 @@ in delta CRLs which are not currently implemented.
 =item B<-crl_hold> I<instruction>
 
 This sets the CRL revocation reason code to B<certificateHold> and the hold
-instruction to B<instruction> which must be an OID. Although any OID can be
+instruction to I<instruction> which must be an OID. Although any OID can be
 used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
 B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
 
 =item B<-crl_compromise> I<time>
 
 This sets the revocation reason to B<keyCompromise> and the compromise time to
-B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
 
 =item B<-crl_CA_compromise> I<time>
 

doc/man1/openssl-ciphers.pod

@@ -22,7 +22,7 @@ B<openssl> B<ciphers>
 [B<-stdname>]
 [B<-convert> I<name>]
 [B<-ciphersuites> I<val>]
-[B<cipherlist>]
+[I<cipherlist>]
 
 =for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
 
@@ -87,7 +87,7 @@ Precede each cipher suite by its standard name.
 
 =item B<-convert> I<name>
 
-Convert a standard cipher B<name> to its OpenSSL name.
+Convert a standard cipher I<name> to its OpenSSL name.
 
 =item B<-ciphersuites> I<val>
 
@@ -147,8 +147,8 @@ will not moved to the end of the list.
 The cipher string B<@STRENGTH> can be used at any point to sort the current
 cipher list in order of encryption algorithm key length.
 
-The cipher string B<@SECLEVEL=n> can be used at any point to set the security
-level to B<n>, which should be a number between zero and five, inclusive.
+The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security
+level to I<n>, which should be a number between zero and five, inclusive.
 See L<SSL_CTX_set_security_level> for a description of what each level means.
 
 The cipher list can be prefixed with the B<DEFAULT> keyword, which enables

doc/man1/openssl-cmds.pod

@@ -57,13 +57,13 @@ x509
 
 =for comment generic
 
-B<openssl> B<cmd> [B<-help>] [B<...>]
+B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ...
 
 =head1 DESCRIPTION
 
-Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
-It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view
-the manual page for the B<openssl dgst> command, type B<man openssl-dgst>.
+Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
+It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to
+view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>.
 
 =head1 OPTIONS
 
@@ -132,8 +132,8 @@ L<openssl-x509(1)>,
 
 =head1 HISTORY
 
-Initially, the manual page entry for the B<openssl cmd> command used
-to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was
+Initially, the manual page entry for the C<openssl I<cmd>> command used
+to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was
 introduced, which made it easier to group the openssl commands using
 the L<apropos(1)> command or the shell's tab completion.
 

doc/man1/openssl-cms.pod

@@ -385,7 +385,7 @@ the signers certificates. The certificates should be in PEM format.
 
 =item B<-certsout> I<file>
 
-Any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to I<file>.
 
 =item B<-signer> I<file>
 
@@ -446,14 +446,14 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
 
 The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
 This option B<must> be present if the B<-secretkey> option is used with
-B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
+B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
 relevant key if it is not supplied then an attempt is used to decrypt any
 B<KEKRecipientInfo> structures.
 
 =item B<-econtent_type> I<type>
 
-Set the encapsulated content type to B<type> if not supplied the B<Data> type
-is used. The B<type> argument can be any valid OID name in either text or
+Set the encapsulated content type to I<type> if not supplied the B<Data> type
+is used. The I<type> argument can be any valid OID name in either text or
 numerical format.
 
 =item B<-inkey> I<file>
@@ -766,7 +766,7 @@ No revocation checking is done on the signer's certificate.
 The use of multiple B<-signer> options and the B<-resign> command were first
 added in OpenSSL 1.0.0.
 
-The B<keyopt> option was added in OpenSSL 1.0.2.
+The B<-keyopt> option was added in OpenSSL 1.0.2.
 
 Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
 

doc/man1/openssl-crl.pod

@@ -95,12 +95,12 @@ Output the nextUpdate field.
 =item B<-CAfile> I<file>
 
 Verify the signature on a CRL by looking up the issuing certificate in
-B<file>.
+I<file>.
 
 =item B<-CApath> I<dir>
 
 Verify the signature on a CRL by looking up the issuing certificate in
-B<dir>. This directory must be a standard certificate directory: that
+I<dir>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 

doc/man1/openssl-dgst.pod

@@ -39,7 +39,7 @@ signatures using message digests.
 
 The generic name, B<dgst>, may be used with an option specifying the
 algorithm to be used.
-The default digest is I<sha256>.
+The default digest is B<sha256>.
 A supported I<digest> name may also be used as the command name.
 To see the list of supported algorithms, use the I<list --digest-commands>
 command.
@@ -60,7 +60,7 @@ supported digests, use the command C<list --digest-commands>.
 =item B<-c>
 
 Print out the digest in two digit groups separated by colons, only relevant if
-B<hex> format output is used.
+the B<-hex> option is given as well.
 
 =item B<-d>
 
@@ -103,7 +103,7 @@ Names and values of these options are algorithm-specific.
 
 =item B<-passin> I<arg>
 
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-verify> I<filename>
@@ -144,13 +144,13 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
 
 =over 4
 
-=item B<key:string>
+=item B<key>:I<string>
 
 Specifies MAC key as alphanumeric string (use if key contain printable
 characters only). String length must conform to any restrictions of
 the MAC algorithm for example exactly 32 chars for gost-mac.
 
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
 
 Specifies MAC key in hexadecimal form (two hex digits per byte).
 Key length must conform to any restrictions of the MAC algorithm
@@ -179,7 +179,7 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
 
 =item B<-engine> I<id>
 
-Use engine B<id> for operations (including private key storage).
+Use engine I<id> for operations (including private key storage).
 This engine is not used as source for digest algorithms, unless it is
 also specified in the configuration file or B<-engine_impl> is also
 specified.
@@ -187,7 +187,7 @@ specified.
 =item B<-engine_impl>
 
 When used with the B<-engine> option, it specifies to also use
-engine B<id> for digest operations.
+engine I<id> for digest operations.
 
 =item I<file> ...
 

doc/man1/openssl-dhparam.pod

@@ -83,7 +83,7 @@ displays a warning if not.
 
 The generator to use, either 2, 3 or 5. If present then the
 input file is ignored and parameters are generated instead. If not
-present but B<numbits> is present, parameters are generated with the
+present but I<numbits> is present, parameters are generated with the
 default generator 2.
 
 =item B<-rand> I<files>
@@ -122,7 +122,7 @@ be loaded by calling the get_dhNNNN() function.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique I<id> string) will cause B<dhparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-dsa.pod

@@ -75,7 +75,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -87,7 +87,7 @@ filename.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@@ -125,7 +125,7 @@ a public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique I<id> string) will cause B<dsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-dsaparam.pod

@@ -49,7 +49,7 @@ as the B<-inform> option.
 =item B<-in> I<filename>
 
 This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the B<numbits> parameter is included then
+this option is not specified. If the I<numbits> parameter is included then
 this option will be ignored.
 
 =item B<-out> I<filename>
@@ -90,7 +90,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique I<id> string) will cause B<dsaparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -99,10 +99,10 @@ for all available algorithms.
 
 Print extra details about the operations being performed.
 
-=item B<numbits>
+=item I<numbits>
 
 This option specifies that a parameter set should be generated of size
-B<numbits>. It must be the last option. If this option is included then
+I<numbits>. It must be the last option. If this option is included then
 the input file (if any) is ignored.
 
 =back

doc/man1/openssl-ec.pod

@@ -68,7 +68,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -80,7 +80,7 @@ filename.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-des>|B<-des3>|B<-idea>
@@ -113,7 +113,7 @@ By default a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
 
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
 
 This specifies how the points on the elliptic curve are converted
 into octet strings. Possible values are: B<compressed> (the default
@@ -143,7 +143,7 @@ This option checks the consistency of an EC private or public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique I<id> string) will cause B<ec>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-ecparam.pod

@@ -96,7 +96,7 @@ to get a list of all currently implemented EC parameters.
 If this options is specified B<ecparam> will print out a list of all
 currently implemented EC parameters names and exit.
 
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
 
 This specifies how the points on the elliptic curve are converted
 into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
@@ -139,7 +139,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ecparam>
+Specifying an engine (by its unique I<id> string) will cause B<ecparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-enc.pod

@@ -72,7 +72,7 @@ The output filename, standard output by default.
 
 =item B<-pass> I<arg>
 
-The password source. For more information about the format of B<arg>
+The password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-e>
@@ -104,7 +104,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
 
 =item B<-kfile> I<filename>
 
-Read the password to derive the key from the first line of B<filename>.
+Read the password to derive the key from the first line of I<filename>.
 This is for compatibility with previous versions of OpenSSL. Superseded by
 the B<-pass> argument.
 
@@ -202,7 +202,7 @@ This can be used with a subsequent B<-rand> flag.
 =head1 NOTES
 
 The program can be called either as B<openssl cipher> or
-B<openssl enc -cipher>. The first form doesn't work with
+B<openssl enc -I<cipher>>. The first form doesn't work with
 engine-provided ciphers, because this form is processed before the
 configuration file is read and any ENGINEs loaded.
 Use the B<list> command to get a list of supported ciphers.
@@ -251,7 +251,7 @@ Blowfish and RC5 algorithms use a 128 bit key.
 Note that some of these ciphers can be disabled at compile time
 and some are available only if an appropriate engine is configured
 in the configuration file. The output of the B<enc> command run with
-the B<-ciphers> option (that is B<openssl enc -ciphers>) produces a
+the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>) produces a
 list of ciphers, supported by your version of OpenSSL, including
 ones provided by configured engines.
 

doc/man1/openssl-engine.pod

@@ -15,14 +15,14 @@ B<openssl engine>
 [B<-c>]
 [B<-t>]
 [B<-tt>]
-[B<-pre> I<command>]
-[B<-post> I<command>]
+[B<-pre> I<command>] ...
+[B<-post> I<command>] ...
 [I<engine> ...]
 
 =head1 DESCRIPTION
 
 The B<engine> command is used to query the status and capabilities
-of the specified B<engine>'s.
+of the specified I<engine>'s.
 Engines may be specified before and after all other command-line flags.
 Only those specified are queried.
 
@@ -56,10 +56,13 @@ Displays an error trace for any unavailable engine.
 Command-line configuration of engines.
 The B<-pre> command is given to the engine before it is loaded and
 the B<-post> command is given after the engine is loaded.
-The I<command> is of the form I<cmd:val> where I<cmd> is the command,
+The I<command> is of the form I<cmd>:I<val> where I<cmd> is the command,
 and I<val> is the value for the command.
 See the example below.
 
+These two options are cumulative, so they may be given more than once in the
+same command.
+
 =back
 
 =head1 EXAMPLES

doc/man1/openssl-errstr.pod

@@ -6,7 +6,7 @@ openssl-errstr - lookup error codes
 
 =head1 SYNOPSIS
 
-B<openssl errstr error_code>
+B<openssl errstr> I<error_code>
 
 =head1 DESCRIPTION
 

doc/man1/openssl-fipsinstall.pod

@@ -83,20 +83,20 @@ Common control strings used for fipsinstall are:
 
 =over 4
 
-=item B<key:string>
+=item B<key>:I<string>
 
 Specifies the MAC key as an alphanumeric string (use if the key contains
 printable characters only).
 The string length must conform to any restrictions of the MAC algorithm.
 A key must be specified for every MAC algorithm.
 
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
 
 Specifies the MAC key in hexadecimal form (two hex digits per byte).
 The key length must conform to any restrictions of the MAC algorithm.
 A key must be specified for every MAC algorithm.
 
-=item B<digest:string>
+=item B<digest>:I<string>
 
 Used by HMAC as an alphanumeric string (use if the key contains printable
 characters only).

doc/man1/openssl-gendsa.pod

@@ -25,7 +25,7 @@ B<openssl> B<gendsa>
 [B<-writerand> I<file>]
 [B<-engine> I<id>]
 [B<-verbose>]
-[B<paramfile>]
+[I<paramfile>]
 
 =for comment ifdef engine
 
@@ -67,7 +67,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<gendsa>
+Specifying an engine (by its unique I<id> string) will cause B<gendsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -76,11 +76,11 @@ for all available algorithms.
 
 Print extra details about the operations being performed.
 
-=item B<paramfile>
+=item I<paramfile>
 
-This option specifies the DSA parameter file to use. The parameters in this
-file determine the size of the private key. DSA parameters can be generated
-and examined using the B<openssl dsaparam> command.
+The DSA parameter file to use. The parameters in this file determine
+the size of the private key. DSA parameters can be generated and
+examined using the B<openssl dsaparam> command.
 
 =back
 

doc/man1/openssl-genpkey.pod

@@ -15,7 +15,7 @@ B<openssl> B<genpkey>
 [B<-engine> I<id>]
 [B<-paramfile> I<file>]
 [B<-algorithm> I<alg>]
-[B<-pkeyopt> I<opt:value>]
+[B<-pkeyopt> I<opt>:I<value>]
 [B<-genparam>]
 [B<-text>]
 
@@ -44,7 +44,7 @@ This specifies the output format DER or PEM. The default format is PEM.
 
 =item B<-pass> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-I<cipher>>
@@ -54,7 +54,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<genpkey>
+Specifying an engine (by its unique I<id> string) will cause B<genpkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. If used this option should precede all other
@@ -79,9 +79,9 @@ will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
 or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
 below for more details.
 
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
 
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
 options supported depends on the public key algorithm used and its
 implementation. See L<KEY GENERATION OPTIONS> and
 L<PARAMETER GENERATION OPTIONS> below for more details.
@@ -138,22 +138,23 @@ Note: by default an B<RSA-PSS> key has no parameter restrictions.
 
 =over 4
 
-=item B<rsa_keygen_bits:numbits>, B<rsa_keygen_primes:numprimes>,  B<rsa_keygen_pubexp:value>
+=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
+B<rsa_keygen_pubexp>:I<value>
 
 These options have the same meaning as the B<RSA> algorithm.
 
-=item B<rsa_pss_keygen_md:digest>
+=item B<rsa_pss_keygen_md>:I<digest>
 
-If set the key is restricted and can only use B<digest> for signing.
+If set the key is restricted and can only use I<digest> for signing.
 
-=item B<rsa_pss_keygen_mgf1_md:digest>
+=item B<rsa_pss_keygen_mgf1_md>:I<digest>
 
-If set the key is restricted and can only use B<digest> as it's MGF1
+If set the key is restricted and can only use I<digest> as it's MGF1
 parameter.
 
-=item B<rsa_pss_keygen_saltlen:len>
+=item B<rsa_pss_keygen_saltlen>:I<len>
 
-If set the key is restricted and B<len> specifies the minimum salt length.
+If set the key is restricted and I<len> specifies the minimum salt length.
 
 =back
 
@@ -163,14 +164,14 @@ The EC key generation options can also be used for parameter generation.
 
 =over 4
 
-=item B<ec_paramgen_curve:curve>
+=item B<ec_paramgen_curve>:I<curve>
 
 The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
 
-=item B<ec_param_enc:encoding>
+=item B<ec_param_enc>:I<encoding>
 
-The encoding to use for parameters. The "encoding" parameter must be either
-"named_curve" or "explicit". The default value is "named_curve".
+The encoding to use for parameters. The I<encoding> parameter must be either
+B<named_curve> or B<explicit>. The default value is B<named_curve>.
 
 =back
 
@@ -184,16 +185,16 @@ below.
 
 =over 4
 
-=item B<dsa_paramgen_bits:numbits>
+=item B<dsa_paramgen_bits>:I<numbits>
 
 The number of bits in the generated prime. If not specified 2048 is used.
 
-=item B<dsa_paramgen_q_bits:numbits>
+=item B<dsa_paramgen_q_bits>:I<numbits>
 
 The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
 specified 224 is used.
 
-=item B<dsa_paramgen_md:digest>
+=item B<dsa_paramgen_md>:I<digest>
 
 The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
 or B<sha256>. If set, then the number of bits in B<q> will match the output size
@@ -208,30 +209,30 @@ or B<sha256> if it is 256.
 
 =over 4
 
-=item B<dh_paramgen_prime_len:numbits>
+=item B<dh_paramgen_prime_len>:I<numbits>
 
-The number of bits in the prime parameter B<p>. The default is 2048.
+The number of bits in the prime parameter I<p>. The default is 2048.
 
-=item B<dh_paramgen_subprime_len:numbits>
+=item B<dh_paramgen_subprime_len>:I<numbits>
 
-The number of bits in the sub prime parameter B<q>. The default is 256 if the
+The number of bits in the sub prime parameter I<q>. The default is 256 if the
 prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
 conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
 
-=item B<dh_paramgen_generator:value>
+=item B<dh_paramgen_generator>:I<value>
 
-The value to use for the generator B<g>. The default is 2.
+The value to use for the generator I<g>. The default is 2.
 
-=item B<dh_paramgen_type:value>
+=item B<dh_paramgen_type>:I<value>
 
 The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
 The default is 0.
 
-=item B<dh_rfc5114:num>
+=item B<dh_rfc5114>:I<num>
 
 If this option is set, then the appropriate RFC5114 parameters are used
-instead of generating new parameters. The value B<num> can take the
-values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
+instead of generating new parameters. The value I<num> can be one of
+1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
 1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
 and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
 2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter

doc/man1/openssl-genrsa.pod

@@ -22,8 +22,7 @@ B<openssl> B<genrsa>
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
-[B<-f4>]
-[B<-3>]
+[B<-f4>|B<-3>]
 [B<-rand> I<files>]
 [B<-writerand> I<file>]
 [B<-engine> I<id>]
@@ -80,16 +79,16 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<genrsa>
+Specifying an engine (by its unique I<id> string) will cause B<genrsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-primes> I<num>
 
-Specify the number of primes to use while generating the RSA key. The B<num>
+Specify the number of primes to use while generating the RSA key. The I<num>
 parameter must be a positive integer that is greater than 1 and less than 16.
-If B<num> is greater than 2, then the generated key is called a 'multi-prime'
+If I<num> is greater than 2, then the generated key is called a 'multi-prime'
 RSA key, which is defined in RFC 8017.
 
 =item B<-verbose>

doc/man1/openssl-mac.pod

@@ -12,7 +12,7 @@ B<openssl mac>
 [B<-in> I<filename>]
 [B<-out> I<filename>]
 [B<-binary>]
-B<mac_name>
+I<mac_name>
 
 =head1 DESCRIPTION
 
@@ -51,55 +51,55 @@ Common parameter names used by EVP_MAC_CTX_get_params() are:
 
 =over 4
 
-=item B<key:string>
+=item B<key:>I<string>
 
 Specifies the MAC key as an alphanumeric string (use if the key contains
 printable characters only).
 The string length must conform to any restrictions of the MAC algorithm.
 A key must be specified for every MAC algorithm.
 
-=item B<hexkey:string>
+=item B<hexkey:>I<string>
 
 Specifies the MAC key in hexadecimal form (two hex digits per byte).
 The key length must conform to any restrictions of the MAC algorithm.
 A key must be specified for every MAC algorithm.
 
-=item B<digest:string>
+=item B<digest:>I<string>
 
 Used by HMAC as an alphanumeric string (use if the key contains printable
 characters only).
 The string length must conform to any restrictions of the MAC algorithm.
 To see the list of supported digests, use the command I<list -digest-commands>.
 
-=item B<cipher:string>
+=item B<cipher:>I<string>
 
 Used by CMAC and GMAC to specify the cipher algorithm.
 For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or
 DES-EDE3-CBC.
 For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
 
-=item B<iv:string>
+=item B<iv:>I<string>
 
 Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains
 printable characters only).
 
-=item B<hexiv:string>
+=item B<hexiv:>I<string>
 
 Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte).
 
-=item B<outlen:int>
+=item B<outlen:>I<int>
 
 Used by KMAC128 or KMAC256 to specify an output length.
 The default sizes are 32 or 64 bytes respectively.
 
-=item B<custom:string>
+=item B<custom:>I<string>
 
 Used by KMAC128 or KMAC256 to specify a customization string.
 The default is the empty string "".
 
 =back
 
-=item B<mac_name>
+=item I<mac_name>
 
 Specifies the name of a supported MAC algorithm which will be used.
 To see the list of supported MAC's use the command I<list -mac-algorithms>.

doc/man1/openssl-ocsp.pod

@@ -26,7 +26,7 @@ B<openssl> B<ocsp>
 [B<-nonce>]
 [B<-no_nonce>]
 [B<-url> I<URL>]
-[B<-host> I<host:port>]
+[B<-host> I<host>:I<port>]
 [B<-multi> I<process-count>]
 [B<-header>]
 [B<-path>]
@@ -121,27 +121,27 @@ specify output filename, default is standard output.
 =item B<-issuer> I<filename>
 
 This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in B<filename> must be in
+multiple times. The certificate specified in I<filename> must be in
 PEM format. This option B<MUST> come before any B<-cert> options.
 
 =item B<-cert> I<filename>
 
-Add the certificate B<filename> to the request. The issuer certificate
-is taken from the previous B<issuer> option, or an error occurs if no
+Add the certificate I<filename> to the request. The issuer certificate
+is taken from the previous B<-issuer> option, or an error occurs if no
 issuer certificate is specified.
 
 =item B<-serial> I<num>
 
-Same as the B<cert> option except the certificate with serial number
+Same as the B<-cert> option except the certificate with serial number
 B<num> is added to the request. The serial number is interpreted as a
 decimal integer unless preceded by B<0x>. Negative integers can also
 be specified by preceding the value by a B<-> sign.
 
 =item B<-signer> I<filename>, B<-signkey> I<filename>
 
-Sign the OCSP request using the certificate specified in the B<signer>
-option and the private key specified by the B<signkey> option. If
-the B<signkey> option is not present then the private key is read
+Sign the OCSP request using the certificate specified in the B<-signer>
+option and the private key specified by the B<-signkey> option. If
+the B<-signkey> option is not present then the private key is read
 from the same file as the certificate. If neither option is specified then
 the OCSP request is not signed.
 
@@ -152,10 +152,10 @@ Additional certificates to include in the signed request.
 =item B<-nonce>, B<-no_nonce>
 
 Add an OCSP nonce extension to a request or disable OCSP nonce addition.
-Normally if an OCSP request is input using the B<reqin> option no
-nonce is added: using the B<nonce> option will force addition of a nonce.
-If an OCSP request is being created (using B<cert> and B<serial> options)
-a nonce is automatically added specifying B<no_nonce> overrides this.
+Normally if an OCSP request is input using the B<-reqin> option no
+nonce is added: using the B<-nonce> option will force addition of a nonce.
+If an OCSP request is being created (using B<-cert> and B<-serial> options)
+a nonce is automatically added specifying B<-no_nonce> overrides this.
 
 =item B<-req_text>, B<-resp_text>, B<-text>
 
@@ -163,28 +163,28 @@ Print out the text form of the OCSP request, response or both respectively.
 
 =item B<-reqout> I<file>, B<-respout> I<file>
 
-Write out the DER encoded certificate request or response to B<file>.
+Write out the DER encoded certificate request or response to I<file>.
 
 =item B<-reqin> I<file>, B<-respin> I<file>
 
-Read OCSP request or response file from B<file>. These option are ignored
+Read OCSP request or response file from I<file>. These option are ignored
 if OCSP request or response creation is implied by other options (for example
-with B<serial>, B<cert> and B<host> options).
+with B<-serial>, B<-cert> and B<-host> options).
 
 =item B<-url> I<responder_url>
 
 Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
 
-=item B<-host> I<hostname:port>, B<-path> I<pathname>
+=item B<-host> I<hostname>:I<port>, B<-path> I<pathname>
 
-If the B<host> option is present then the OCSP request is sent to the host
-B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use
-or "/" by default.  This is equivalent to specifying B<-url> with scheme
+If the B<-host> option is present then the OCSP request is sent to the host
+I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
+to use or "/" by default.  This is equivalent to specifying B<-url> with scheme
 http:// and the given hostname, port, and pathname.
 
-=item B<-header> I<name=value>
+=item B<-header> I<name>=I<value>
 
-Adds the header B<name> with the specified B<value> to the OCSP request
+Adds the header I<name> with the specified I<value> to the OCSP request
 that is sent to the responder.
 This may be repeated.
 
@@ -303,7 +303,7 @@ seconds, the default value is 5 minutes.
 
 If the B<notAfter> time is omitted from a response then this means that new
 status information is immediately available. In this case the age of the
-B<notBefore> field is checked to see it is not older than B<age> seconds old.
+B<notBefore> field is checked to see it is not older than I<age> seconds old.
 By default this additional check is not performed.
 
 =item B<-rcid> I<digest>
@@ -327,21 +327,22 @@ digest used by subsequent certificate identifiers.
 
 =item B<-index> I<indexfile>
 
-The B<indexfile> parameter is the name of a text index file in B<ca>
+The I<indexfile> parameter is the name of a text index file in B<ca>
 format containing certificate revocation information.
 
-If the B<index> option is specified the B<ocsp> utility is in responder
+If the B<-index> option is specified the B<ocsp> utility is in responder
 mode, otherwise it is in client mode. The request(s) the responder
-processes can be either specified on the command line (using B<issuer>
-and B<serial> options), supplied in a file (using the B<reqin> option)
-or via external OCSP clients (if B<port> or B<url> is specified).
+processes can be either specified on the command line (using B<-issuer>
+and B<-serial> options), supplied in a file (using the B<-reqin> option)
+or via external OCSP clients (if B<-port> or B<-url> is specified).
 
-If the B<index> option is present then the B<CA> and B<rsigner> options
+If the B<-index> option is present then the B<-CA> and B<-rsigner> options
 must also be present.
 
 =item B<-CA> I<file>
 
-CA certificate corresponding to the revocation information in B<indexfile>.
+CA certificate corresponding to the revocation information in the index
+file given with B<-index>.
 
 =item B<-rsigner> I<file>
 
@@ -363,7 +364,7 @@ subject name.
 =item B<-rkey> I<file>
 
 The private key to sign OCSP responses with: if not present the file
-specified in the B<rsigner> option is used.
+specified in the B<-rsigner> option is used.
 
 =item B<-rsigopt> I<nm>:I<v>
 
@@ -383,7 +384,7 @@ running instead of terminating upon receiving a malformed request.
 
 =item B<-nrequest> I<number>
 
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving I<number> requests, default unlimited.
 
 =item B<-nmin> I<minutes>, B<-ndays> I<days>
 
@@ -403,8 +404,8 @@ the OCSP request checked using the responder certificate's public key.
 
 Then a normal certificate verify is performed on the OCSP responder certificate
 building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the B<CAfile>
-and B<CApath> options or they will be looked for in the standard OpenSSL
+certificates used to build the chain can be specified by the B<-CAfile>
+and B<-CApath> options or they will be looked for in the standard OpenSSL
 certificates directory.
 
 If the initial verify fails then the OCSP verify process halts with an
@@ -452,7 +453,7 @@ format of revocation is also inefficient for large quantities of revocation
 data.
 
 It is possible to run the B<ocsp> application in responder mode via a CGI
-script using the B<reqin> and B<respout> options.
+script using the B<-reqin> and B<-respout> options.
 
 =head1 EXAMPLES
 

doc/man1/openssl-passwd.pod

@@ -32,8 +32,9 @@ The B<passwd> command computes the hash of a password typed at
 run-time or the hash of each password in a list.  The password list is
 taken from the named file for option B<-in>, from stdin for
 option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B<crypt> and the MD5-based BSD password
-algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
+The Unix standard algorithm B<-crypt> and the MD5-based BSD password
+algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
+available.
 
 =head1 OPTIONS
 

doc/man1/openssl-pkcs12.pod

@@ -79,13 +79,13 @@ default.  They are all written in PEM format.
 =item B<-passin> I<arg>
 
 The PKCS#12 file (i.e. input file) password source. For more information about
-the format of B<arg>
+the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-passout> I<arg>
 
 Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
+information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section
 in L<openssl(1)>.
 
 =item B<-password> I<arg>
@@ -207,13 +207,13 @@ displays them.
 =item B<-pass> I<arg>, B<-passout> I<arg>
 
 The PKCS#12 file (i.e. output file) password source. For more information about
-the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
 L<openssl(1)>.
 
 =item B<-passin> I<password>
 
 Pass phrase source to decrypt any input private keys with. For more information
-about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
 L<openssl(1)>.
 
 =item B<-chain>
@@ -312,7 +312,7 @@ Do not load the trusted CA certificates from the default directory location.
 
 =item B<-CSP> I<name>
 
-Write B<name> as a Microsoft CSP name.
+Write I<name> as a Microsoft CSP name.
 
 =back
 

doc/man1/openssl-pkcs8.pod

@@ -75,7 +75,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -87,7 +87,7 @@ filename.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-iter> I<count>
@@ -121,7 +121,7 @@ This can be used with a subsequent B<-rand> flag.
 
 This option sets the PKCS#5 v2.0 algorithm.
 
-The B<alg> argument is the encryption algorithm to use, valid values include
+The I<alg> argument is the encryption algorithm to use, valid values include
 B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
 is used.
 
@@ -142,7 +142,7 @@ If not specified PKCS#5 v2.0 form is used.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
+Specifying an engine (by its unique I<id> string) will cause B<pkcs8>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -156,7 +156,7 @@ B<-scrypt_p> and B<-v2> options.
 
 =item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
 
-Sets the scrypt B<N>, B<r> or B<p> parameters.
+Sets the scrypt I<N>, I<r> or I<p> parameters.
 
 =back
 

doc/man1/openssl-pkey.pod

@@ -57,7 +57,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -67,9 +67,9 @@ option is not specified. If any encryption options are set then a pass phrase
 will be prompted for. The output filename should B<not> be the same as the input
 filename.
 
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-traditional>
@@ -109,7 +109,7 @@ the input is a public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<pkey>
+Specifying an engine (by its unique I<id> string) will cause B<pkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-pkeyparam.pod

@@ -50,7 +50,7 @@ Do not output the encoded version of the parameters.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
+Specifying an engine (by its unique I<id> string) will cause B<pkeyparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-pkeyutl.pod

@@ -29,8 +29,8 @@ B<openssl> B<pkeyutl>
 [B<-derive>]
 [B<-kdf> I<algorithm>]
 [B<-kdflen> I<length>]
-[B<-pkeyopt> I<opt:value>]
-[B<-pkeyopt_passin> I<opt:passarg>]
+[B<-pkeyopt> I<opt>:I<value>]
+[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
 [B<-hexdump>]
 [B<-asn1parse>]
 [B<-rand> I<files>]
@@ -82,7 +82,7 @@ default.
 
 =item B<-sigfile> I<file>
 
-Signature file, required for B<verify> operations only
+Signature file, required for B<-verify> operations only
 
 =item B<-inkey> I<file>
 
@@ -94,7 +94,7 @@ The key format PEM, DER or ENGINE. Default is PEM.
 
 =item B<-passin> I<arg>
 
-The input key password source. For more information about the format of B<arg>
+The input key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-peerkey> I<file>
@@ -103,7 +103,7 @@ The peer key file, used by key derivation (agreement) operations.
 
 =item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
 
-The peer key format PEM, DER or ENGINE. Default is PEM.
+The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
 
 =item B<-pubin>
 
@@ -146,7 +146,7 @@ Derive a shared secret using the peer key.
 
 =item B<-kdf> I<algorithm>
 
-Use key derivation function B<algorithm>.  The supported algorithms are
+Use key derivation function I<algorithm>.  The supported algorithms are
 at present B<TLS1-PRF> and B<HKDF>.
 Note: additional parameters and the KDF output length will normally have to be
 set for this to work.
@@ -157,16 +157,16 @@ for the supported string parameters of each algorithm.
 
 Set the output length for KDF.
 
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
 
 Public key options specified as opt:value. See NOTES below for more details.
 
-=item B<-pkeyopt_passin> I<opt:passarg>
+=item B<-pkeyopt_passin> I<opt>[:I<passarg>]
 
-Allows reading a public key option B<opt> from stdin or a password source. If
-only opt is specified, the user will be prompted to enter the value on stdin.
-Alternatively, passarg can be specified which can be any value supported by
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+Allows reading a public key option I<opt> from stdin or a password source.
+If only I<opt> is specified, the user will be prompted to enter a password on
+stdin.  Alternatively, I<passarg> can be specified which can be any value
+supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
 
 =item B<-hexdump>
 
@@ -191,7 +191,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+Specifying an engine (by its unique I<id> string) will cause B<pkeyutl>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -199,7 +199,7 @@ for all available algorithms.
 =item B<-engine_impl>
 
 When used with the B<-engine> option, it specifies to also use
-engine B<id> for crypto operations.
+engine I<id> for crypto operations.
 
 =back
 
@@ -208,9 +208,9 @@ engine B<id> for crypto operations.
 The operations and options supported vary according to the key algorithm
 and its implementation. The OpenSSL operations and options are indicated below.
 
-Unless otherwise mentioned all algorithms support the B<digest:alg> option
+Unless otherwise mentioned all algorithms support the B<digest:>I<alg> option
 which specifies the digest in use for sign, verify and verifyrecover operations.
-The value B<alg> should represent a digest name as used in the
+The value I<alg> should represent a digest name as used in the
 EVP_get_digestbyname() function for example B<sha1>. This value is not used to
 hash the input data. It is used (by some algorithms) for sanity-checking the
 lengths of data passed in to the B<pkeyutl> and for creating the structures that
@@ -237,9 +237,9 @@ B<pkeyopt> values are supported:
 
 =over 4
 
-=item B<rsa_padding_mode:mode>
+=item B<rsa_padding_mode:>I<mode>
 
-This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
+This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for
 PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
 for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
 
@@ -257,15 +257,15 @@ verify and verifyrecover are can be performed in this mode.
 For B<pss> mode only sign and verify are supported and the digest type must be
 specified.
 
-=item B<rsa_pss_saltlen:len>
+=item B<rsa_pss_saltlen:>I<len>
 
 For B<pss> mode only this option specifies the salt length. Three special
-values are supported: "digest" sets the salt length to the digest length,
-"max" sets the salt length to the maximum permissible value. When verifying
-"auto" causes the salt length to be automatically determined based on the
+values are supported: B<digest> sets the salt length to the digest length,
+B<max> sets the salt length to the maximum permissible value. When verifying
+B<auto> causes the salt length to be automatically determined based on the
 B<PSS> block structure.
 
-=item B<rsa_mgf1_md:digest>
+=item B<rsa_mgf1_md:>I<digest>
 
 For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
 explicitly set in PSS mode then the signing digest is used.
@@ -276,11 +276,12 @@ explicitly set in PSS mode then the signing digest is used.
 
 The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
 supports the sign and verify operations with PSS padding. The following
-additional B<pkeyopt> values are supported:
+additional B<-pkeyopt> values are supported:
 
 =over 4
 
-=item B<rsa_padding_mode:mode>, B<rsa_pss_saltlen:len>, B<rsa_mgf1_md:digest>
+=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>,
+B<rsa_mgf1_md:>I<digest>
 
 These have the same meaning as the B<RSA> algorithm with some additional
 restrictions. The padding mode can only be set to B<pss> which is the
@@ -319,8 +320,8 @@ no additional options.
 
 These algorithms only support signing and verifying. OpenSSL only implements the
 "pure" variants of these algorithms so raw data can be passed directly to them
-without hashing them first. The option "-rawin" must be used with these
-algorithms with no "-digest" specified. Additionally OpenSSL only supports
+without hashing them first. The option B<-rawin> must be used with these
+algorithms with no B<-digest> specified. Additionally OpenSSL only supports
 "oneshot" operation with these algorithms. This means that the entire file to
 be signed/verified must be read into memory before processing it. Signing or
 Verifying very large files should be avoided. Additionally the size of the file
@@ -331,17 +332,17 @@ must be known for this to work. If the size of the file cannot be determined
 
 The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
 the sign and verify operations, SM2 requires an ID string to be passed in. The
-following B<pkeyopt> value is supported:
+following B<-pkeyopt> value is supported:
 
 =over 4
 
-=item B<sm2_id:string>
+=item B<sm2_id:>I<string>
 
 This sets the ID string used in SM2 sign or verify operations. While verifying
 an SM2 signature, the ID string must be the same one used when signing the data.
 Otherwise the verification will fail.
 
-=item B<sm2_hex_id:hex_string>
+=item B<sm2_hex_id:>I<hex_string>
 
 This sets the ID string used in SM2 sign or verify operations. While verifying
 an SM2 signature, the ID string must be the same one used when signing the data.

doc/man1/openssl-prime.pod

@@ -41,16 +41,16 @@ Generate a prime number.
 
 =item B<-bits> I<num>
 
-Generate a prime with B<num> bits.
+Generate a prime with I<num> bits.
 
 =item B<-safe>
 
 When used with B<-generate>, generates a "safe" prime. If the number
-generated is B<n>, then check that B<(n-1)/2> is also prime.
+generated is I<n>, then check that C<(I<n>-1)/2> is also prime.
 
 =item B<-checks> I<num>
 
-Perform the checks B<num> times to see that the generated number
+Perform the checks I<num> times to see that the generated number
 is prime.  The default is 20.
 
 =back

doc/man1/openssl-rehash.pod

@@ -45,17 +45,17 @@ but often B</usr/local/ssl/certs>) is processed.
 In order for a directory to be processed, the user must have write
 permissions on that directory, otherwise an error will be generated.
 
-The links created are of the form C<HHHHHHHH.D>, where each B<H>
-is a hexadecimal character and B<D> is a single decimal digit.
+The links created are of the form I<HHHHHHHH.D>, where each I<H>
+is a hexadecimal character and I<D> is a single decimal digit.
 When processing a directory, B<rehash> will first remove all links
 that have a name in that syntax, even if they are being used for some
 other purpose.
 To skip the removal step, use the B<-n> flag.
 Hashes for CRL's look similar except the letter B<r> appears after
-the period, like this: C<HHHHHHHH.rD>.
+the period, like this: I<HHHHHHHH.>B<r>I<D>.
 
 Multiple objects may have the same hash; they will be indicated by
-incrementing the B<D> value. Duplicates are found by comparing the
+incrementing the I<D> value. Duplicates are found by comparing the
 full SHA-1 fingerprint. A warning will be displayed if a duplicate
 is found.
 
@@ -75,7 +75,7 @@ a certificate or CRL:
   $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
   $OPENSSL crl -hash -fingerprint -noout -in FILENAME
 
-where B<FILENAME> is the filename. It must output the hash of the
+where I<FILENAME> is the filename. It must output the hash of the
 file on the first line, and the fingerprint on the second,
 optionally prefixed with some text and an equals sign.
 

doc/man1/openssl-req.pod

@@ -22,8 +22,7 @@ B<openssl> B<req>
 [B<-new>]
 [B<-rand> I<files>]
 [B<-writerand> I<file>]
-[B<-newkey> I<rsa:bits>]
-[B<-newkey> I<alg:file>]
+[B<-newkey> I<arg>]
 [B<-nodes>]
 [B<-key> I<filename>]
 [B<-keyform> B<DER>|B<PEM>]
@@ -103,7 +102,7 @@ default.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-text>
@@ -157,32 +156,33 @@ This can be used with a subsequent B<-rand> flag.
 =item B<-newkey> I<arg>
 
 This option creates a new certificate request and a new private
-key. The argument takes one of several forms. B<rsa:nbits>, where
-B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
+key. The argument takes one of several forms.
+
+B<rsa:>I<nbits>, where
+I<nbits> is the number of bits, generates an RSA key I<nbits>
+in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
 the default key size, specified in the configuration file is used.
 
-All other algorithms support the B<-newkey> I<alg:file> form, where file may be
-an algorithm parameter file, created by the B<genpkey -genparam> command
-or and X.509 certificate for a key with appropriate algorithm.
+All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
+may be an algorithm parameter file, created with B<genpkey -genparam>
+or an X.509 certificate for a key with appropriate algorithm.
 
-B<param:file> generates a key using the parameter file or certificate B<file>,
-the algorithm is determined by the parameters. B<algname:file> use algorithm
-B<algname> and parameter file B<file>: the two algorithms must match or an
-error occurs. B<algname> just uses algorithm B<algname>, and parameters,
-if necessary should be specified via B<-pkeyopt> parameter.
+B<param:>I<file> generates a key using the parameter file or certificate
+I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
+use algorithm I<algname> and parameter file I<file>: the two algorithms must
+match or an error occurs. I<algname> just uses algorithm I<algname>, and
+parameters, if necessary should be specified via B<-pkeyopt> parameter.
 
-B<dsa:filename> generates a DSA key using the parameters
-in the file B<filename>. B<ec:filename> generates EC key (usable both with
-ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
-34.10-2001 key (requires B<ccgost> engine configured in the configuration
+B<dsa:>I<filename> generates a DSA key using the parameters
+in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
+ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
+34.10-2001 key (requires B<gost> engine configured in the configuration
 file). If just B<gost2001> is specified a parameter set should be
 specified by B<-pkeyopt> I<paramset:X>
 
+=item B<-pkeyopt> I<opt>:I<value>
 
-=item B<-pkeyopt> I<opt:value>
-
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
 options supported depends on the public key algorithm used and its
 implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
 for more details.
@@ -249,7 +249,7 @@ This option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
 a self signed root CA. The extensions added to the certificate
 (if any) are specified in the configuration file. Unless specified
-using the B<set_serial> option, a large random number will be used for
+using the B<-set_serial> option, a large random number will be used for
 the serial number.
 
 If existing request is specified with the B<-in> option, it is converted
@@ -258,7 +258,7 @@ to the self signed certificate otherwise new request is created.
 =item B<-days> I<n>
 
 When the B<-x509> option is being used this specifies the number of
-days to certify the certificate for, otherwise it is ignored. B<n> should
+days to certify the certificate for, otherwise it is ignored. I<n> should
 be a positive integer. The default is 30 days.
 
 =item B<-set_serial> I<n>
@@ -304,13 +304,13 @@ configuration file, must be valid UTF8 strings.
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
-=item B<-reqopt>
+=item B<-reqopt> I<option>
 
-Customise the output format used with B<-text>. The B<option> argument can be
+Customise the output format used with B<-text>. The I<option> argument can be
 a single option or multiple options separated by commas.
 
 See discussion of the  B<-certopt> parameter in the L<x509(1)>
@@ -331,14 +331,14 @@ Print extra details about the operations being performed.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<req>
+Specifying an engine (by its unique I<id> string) will cause B<req>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-keygen_engine> I<id>
 
-Specifies an engine (by its unique B<id> string) which would be used
+Specifies an engine (by its unique I<id> string) which would be used
 for key generation operations.
 
 =item B<-sm2-id>

doc/man1/openssl-rsa.pod

@@ -75,7 +75,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -85,9 +85,9 @@ option is not specified. If any encryption options are set then a pass phrase
 will be prompted for. The output filename should B<not> be the same as the input
 filename.
 
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@@ -134,7 +134,7 @@ Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<rsa>
+Specifying an engine (by its unique I<id> string) will cause B<rsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-s_client.pod

@@ -283,7 +283,7 @@ Extra certificate and private key format respectively.
 
 =item B<-pass> I<arg>
 
-the private key password source. For more information about the format of B<arg>
+the private key password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-verify> I<depth>
@@ -302,7 +302,7 @@ abort the handshake with a fatal error.
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
@@ -360,7 +360,7 @@ at a positive depth or else "matched EE certificate" at depth 0.
 =item B<-dane_tlsa_rrdata> I<rrdata>
 
 Use one or more times to specify the RRDATA fields of the DANE TLSA
-RRset associated with the target service.  The B<rrdata> value is
+RRset associated with the target service.  The I<rrdata> value is
 specied in "presentation form", that is four whitespace separated
 fields that specify the usage, selector, matching type and associated
 data, with the last of these encoded in hexadecimal.  Optional
@@ -481,19 +481,19 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
 
 =item B<-psk_identity> I<identity>
 
-Use the PSK identity B<identity> when using a PSK cipher suite.
+Use the PSK identity I<identity> when using a PSK cipher suite.
 The default value is "Client_identity" (without the quotes).
 
 =item B<-psk> I<key>
 
-Use the PSK key B<key> when using a PSK cipher suite. The key is
+Use the PSK key I<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 This option must be provided in order to use a PSK cipher.
 
 =item B<-psk_session> I<file>
 
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
 Note that this will only work if TLSv1.3 is negotiated.
 
 =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
@@ -622,7 +622,7 @@ colon (":") separated list of TLSv1.3 ciphersuite names.
 =item B<-starttls> I<protocol>
 
 Send the protocol-specific message(s) to switch to TLS for communication.
-B<protocol> is a keyword for the intended protocol.  Currently, the only
+I<protocol> is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
 "irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
 
@@ -659,16 +659,16 @@ Disable RFC4507bis session ticket support.
 
 =item B<-sess_out> I<filename>
 
-Output SSL session to B<filename>.
+Output SSL session to I<filename>.
 
-=item B<-sess_in> I<sess.pem>
+=item B<-sess_in> I<filename>
 
-Load SSL session from B<filename>. The client will attempt to resume a
+Load SSL session from I<filename>. The client will attempt to resume a
 connection from this session.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<s_client>
+Specifying an engine (by its unique I<id> string) will cause B<s_client>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -702,7 +702,7 @@ response (if any) is printed out.
 These flags enable the Enable the Application-Layer Protocol Negotiation
 or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
 IETF standard and replaces NPN.
-The B<protocols> list is a comma-separated list of protocol names that
+The I<protocols> list is a comma-separated list of protocol names that
 the client should advertise support for. The list should contain the most
 desirable protocols first.  Protocol names are printable ASCII strings,
 for example "http/1.1" or "spdy/3".

doc/man1/openssl-s_server.pod

@@ -274,7 +274,7 @@ provided to the client.
 =item B<-nameopt> I<val>
 
 Option which determines how the subject or issuer names are displayed. The
-B<val> argument can be a single option or multiple options separated by
+I<val> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
@@ -441,7 +441,7 @@ used in conjunction with B<-early_data>.
 
 =item B<-id_prefix> I<val>
 
-Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
+Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
 for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
 servers, when each of which might be generating a unique range of session
 IDs (eg. with a certain prefix).
@@ -475,7 +475,7 @@ a verbose printout of the OCSP response.
 
 =item B<-status_timeout> I<int>
 
-Sets the timeout for OCSP response to B<int> seconds.
+Sets the timeout for OCSP response to I<int> seconds.
 
 =item B<-status_url> I<val>
 
@@ -652,24 +652,24 @@ Turns on non blocking I/O.
 
 =item B<-psk_identity> I<val>
 
-Expect the client to send PSK identity B<val> when using a PSK
+Expect the client to send PSK identity I<val> when using a PSK
 cipher suite, and warn if they do not.  By default, the expected PSK
 identity is the string "Client_identity".
 
 =item B<-psk_hint> I<val>
 
-Use the PSK identity hint B<val> when using a PSK cipher suite.
+Use the PSK identity hint I<val> when using a PSK cipher suite.
 
 =item B<-psk> I<val>
 
-Use the PSK key B<val> when using a PSK cipher suite. The key is
+Use the PSK key I<val> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 This option must be provided in order to use a PSK cipher.
 
 =item B<-psk_session> I<file>
 
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
 Note that this will only work if TLSv1.3 is negotiated.
 
 =item B<-listen>
@@ -713,7 +713,7 @@ disabling the ephemeral DH cipher suites.
 These flags enable the Enable the Application-Layer Protocol Negotiation
 or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
 IETF standard and replaces NPN.
-The B<val> list is a comma-separated list of supported protocol
+The I<val> list is a comma-separated list of supported protocol
 names.  The list should contain the most desirable protocols first.
 Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
@@ -721,7 +721,7 @@ The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 
 =item B<-engine> I<val>
 
-Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
+Specifying an engine (by its unique id string in I<val>) will cause B<s_server>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-s_time.pod

@@ -8,7 +8,7 @@ openssl-s_time - SSL/TLS performance timing program
 
 B<openssl> B<s_time>
 [B<-help>]
-[B<-connect> I<host:port>]
+[B<-connect> I<host>:I<port>]
 [B<-www> I<page>]
 [B<-cert> I<filename>]
 [B<-key> I<filename>]
@@ -48,7 +48,7 @@ transferred (if any), and calculates the average time spent for one connection.
 
 Print out a usage message.
 
-=item B<-connect> I<host:port>
+=item B<-connect> I<host>:I<port>
 
 This specifies the host and optional port to connect to.
 
@@ -80,7 +80,7 @@ will never fail due to a server certificate verify failure.
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
@@ -161,7 +161,7 @@ To connect to an SSL HTTP server and get the default page the command
 
  openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
 
-would typically be used (https uses port 443). 'commoncipher' is a cipher to
+would typically be used (https uses port 443). I<commoncipher> is a cipher to
 which both client and server can agree, see the L<ciphers(1)> command
 for details.
 

doc/man1/openssl-sess_id.pod

@@ -9,7 +9,7 @@ openssl-sess_id - SSL/TLS session handling utility
 B<openssl> B<sess_id>
 [B<-help>]
 [B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>|B<MSS>]
+[B<-outform> B<DER>|B<PEM>|B<NSS>]
 [B<-in> I<filename>]
 [B<-out> I<filename>]
 [B<-text>]
@@ -41,9 +41,9 @@ format base64 encoded with additional header and footer lines.
 
 =item B<-outform> B<DER>|B<PEM>|B<NSS>
 
-This specifies the output format. The B<PEM> and B<DER> options have the same meaning
-and default as the B<-inform> option. The B<NSS> option outputs the session id and
-the master key in NSS keylog format.
+This specifies the output format. The B<PEM> and B<DER> options have the same
+meaning and default as the B<-inform> option. The B<NSS> option outputs the
+session id and the master key in NSS keylog format.
 
 =item B<-in> I<filename>
 

doc/man1/openssl-smime.pod

@@ -295,7 +295,7 @@ specified, the argument is given to the engine as a key identifier.
 
 =item B<-passin> I<arg>
 
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-rand> I<files>

doc/man1/openssl-speed.pod

@@ -28,7 +28,7 @@ B<openssl speed>
 This command is used to test the performance of cryptographic algorithms.
 To see the list of supported algorithms, use the I<list --digest-commands>
 or I<list --cipher-commands> command. The global CSPRNG is denoted by
-the I<rand> algorithm name.
+the B<rand> algorithm name.
 
 =head1 OPTIONS
 
@@ -40,7 +40,7 @@ Print out a usage message.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<speed>
+Specifying an engine (by its unique I<id> string) will cause B<speed>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -54,8 +54,8 @@ of hardware engines.
 =item B<-evp> I<algo>
 
 Use the specified cipher or message digest algorithm via the EVP interface.
-If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
-TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
+If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a
+TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
 aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
 
 =item B<-hmac> I<digest>
@@ -84,16 +84,16 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-primes> I<num>
 
-Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
+Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
 is only effective if RSA algorithm is specified to test.
 
 =item B<-seconds> I<num>
 
-Run benchmarks for B<num> seconds.
+Run benchmarks for I<num> seconds.
 
 =item B<-bytes> I<num>
 
-Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
+Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
 
 =item I<algorithm> ...
 

doc/man1/openssl-spkac.pod

@@ -49,7 +49,7 @@ default.
 
 =item B<-key> I<keyfile>
 
-Create an SPKAC file using the private key in B<keyfile>. The
+Create an SPKAC file using the private key in I<keyfile>. The
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.
 
@@ -58,9 +58,9 @@ present.
 Whether the key format is PEM, DER, or an engine-backed key.
 The default is PEM.
 
-=item B<-passin> I<password>
+=item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-challenge> I<string>
@@ -94,7 +94,7 @@ Verifies the digital signature on the supplied SPKAC.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<spkac>
+Specifying an engine (by its unique I<id> string) will cause B<spkac>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-srp.pod

@@ -32,7 +32,7 @@ At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
 can be specified.
 These options take zero or more usernames as parameters and perform the
 appropriate operation on the SRP file.
-For B<-list>, if no B<user> is given then all users are displayed.
+For B<-list>, if no I<user> is given then all users are displayed.
 
 The configuration file to use, and the section within the file, can be
 specified with the B<-config> and B<-name> flags, respectively.
@@ -42,7 +42,7 @@ just specify the file to operate on.
 The B<-userinfo> option specifies additional information to add when
 adding or modifying a user.
 
-The B<-gn> flag specifies the B<g> and B<N> values, using one of
+The B<-gn> flag specifies the I<g> and I<N> values, using one of
 the strengths defined in IETF RFC 5054.
 
 The B<-passin> and B<-passout> arguments are parsed as described in

doc/man1/openssl-storeutl.pod

@@ -49,7 +49,7 @@ this option prevents output of the PEM data.
 
 =item B<-passin> I<arg>
 
-the key password source. For more information about the format of B<arg>
+the key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-text>
@@ -59,7 +59,7 @@ B<openssl x509>, B<openssl pkey>, etc.
 
 =item B<-engine> I<id>
 
-specifying an engine (by its unique B<id> string) will cause B<storeutl>
+specifying an engine (by its unique I<id> string) will cause B<storeutl>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed.
 The engine will then be set as the default for all available algorithms.
@@ -80,7 +80,7 @@ returned.
 
 =item B<-subject> I<arg>
 
-Search for an object having the subject name B<arg>.
+Search for an object having the subject name I<arg>.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
 Keyword characters may be escaped by \ (backslash), and whitespace is retained.
 Empty values are permitted but are ignored for the search.  That is,

doc/man1/openssl-ts.pod

@@ -314,7 +314,7 @@ instead of DER. (Optional)
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ts>
+Specifying an engine (by its unique I<id> string) will cause B<ts>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. Default is built-in. (Optional)

doc/man1/openssl-verify.pod

@@ -52,7 +52,7 @@ B<openssl> B<verify>
 [B<-sm2-id> I<string>]
 [B<-sm2-hex-id> I<hex-string>]
 [B<-->]
-[certificates]
+[I<certificate> ...]
 
 =for comment ifdef engine sm2-id sm2-hex-id
 
@@ -70,14 +70,14 @@ Print out a usage message.
 
 =item B<-CAfile> I<file>
 
-A B<file> of trusted certificates.
+A I<file> of trusted certificates.
 The file should contain one or more certificates in PEM format.
 
 =item B<-CApath> I<directory>
 
 A directory of trusted certificates. The certificates should have names
-of the form: hash.0 or have symbolic links to them of this
-form ("hash" is the hashed certificate subject name: see the B<-hash> option
+of the form: F<I<hash>.0> or have symbolic links to them of this
+form (I<hash> is the hashed certificate subject name: see the B<-hash> option
 of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
 create symbolic links to a directory of certificates.
 
@@ -95,8 +95,8 @@ Allow the verification of proxy certificates.
 
 =item B<-attime> I<timestamp>
 
-Perform validation checks using time specified by B<timestamp> and not
-current system time. B<timestamp> is the number of seconds since
+Perform validation checks using time specified by I<timestamp> and not
+current system time. I<timestamp> is the number of seconds since
 01.01.1970 (UNIX time).
 
 =item B<-check_ss_sig>
@@ -106,9 +106,9 @@ because it doesn't add any security.
 
 =item B<-CRLfile> I<file>
 
-The B<file> should contain one or more CRLs in PEM format.
+The I<file> should contain one or more CRLs in PEM format.
 This option can be specified more than once to include CRLs from multiple
-B<files>.
+I<file>s.
 
 =item B<-crl_download>
 
@@ -126,7 +126,7 @@ to look up valid CRLs.
 
 =item B<-engine> I<id>
 
-Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
+Specifying an engine I<id> will cause L<verify(1)> to attempt to load the
 specified engine.
 The engine will then be set as the default for all its supported algorithms.
 If you want to load certificates or CRLs that require engine support via any of
@@ -159,7 +159,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
@@ -177,8 +177,8 @@ trusted certificate that might not be self-signed.
 
 =item B<-policy> I<arg>
 
-Enable policy processing and add B<arg> to the user-initial-policy-set (see
-RFC5280). The policy B<arg> can be an object name an OID in numeric form.
+Enable policy processing and add I<arg> to the user-initial-policy-set (see
+RFC5280). The policy I<arg> can be an object name an OID in numeric form.
 This argument can appear more than once.
 
 =item B<-policy_check>
@@ -224,22 +224,22 @@ effect.
 
 =item B<-untrusted> I<file>
 
-A B<file> of additional untrusted certificates (intermediate issuer CAs) used
+A I<file> of additional untrusted certificates (intermediate issuer CAs) used
 to construct a certificate chain from the subject certificate to a trust-anchor.
-The B<file> should contain one or more certificates in PEM format.
+The I<file> should contain one or more certificates in PEM format.
 This option can be specified more than once to include untrusted certificates
-from multiple B<files>.
+from multiple I<file>s.
 
 =item B<-trusted> I<file>
 
-A B<file> of trusted certificates, which must be self-signed, unless the
+A I<file> of trusted certificates, which must be self-signed, unless the
 B<-partial_chain> option is specified.
-The B<file> contains one or more certificates in PEM format.
+The I<file> contains one or more certificates in PEM format.
 With this option, no additional (e.g., default) certificate lists are
 consulted.
-That is, the only trust-anchors are those listed in B<file>.
+That is, the only trust-anchors are those listed in I<file>.
 This option can be specified more than once to include trusted certificates
-from multiple B<files>.
+from multiple I<file>s.
 This option implies the B<-no-CAfile> and B<-no-CApath> options.
 This option cannot be used in combination with either of the B<-CAfile> or
 B<-CApath> options.
@@ -254,11 +254,11 @@ Print extra information about the operations being performed.
 
 =item B<-auth_level> I<level>
 
-Set the certificate chain authentication security level to B<level>.
+Set the certificate chain authentication security level to I<level>.
 The authentication security level determines the acceptable signature and
 public key strength when verifying certificate chains.
 For a certificate chain to validate, the public keys of all the certificates
-must meet the specified security B<level>.
+must meet the specified security I<level>.
 The signature algorithm security level is enforced for all the certificates in
 the chain except for the chain's I<trust anchor>, which is either directly
 trusted or validated by means other than its signature.
@@ -272,30 +272,30 @@ shorter than 1024 bits.
 
 =item B<-verify_depth> I<num>
 
-Limit the certificate chain to B<num> intermediate CA certificates.
-A maximal depth chain can have up to B<num+2> certificates, since neither the
+Limit the certificate chain to I<num> intermediate CA certificates.
+A maximal depth chain can have up to I<num>+2 certificates, since neither the
 end-entity certificate nor the trust-anchor certificate count against the
 B<-verify_depth> limit.
 
 =item B<-verify_email> I<email>
 
-Verify if the B<email> matches the email address in Subject Alternative Name or
+Verify if I<email> matches the email address in Subject Alternative Name or
 the email in the subject Distinguished Name.
 
 =item B<-verify_hostname> I<hostname>
 
-Verify if the B<hostname> matches DNS name in Subject Alternative Name or
+Verify if I<hostname> matches DNS name in Subject Alternative Name or
 Common Name in the subject certificate.
 
 =item B<-verify_ip> I<ip>
 
-Verify if the B<ip> matches the IP address in Subject Alternative Name of
+Verify if I<ip> matches the IP address in Subject Alternative Name of
 the subject certificate.
 
 =item B<-verify_name> I<name>
 
 Use default verification policies like trust model and required certificate
-policies identified by B<name>.
+policies identified by I<name>.
 The trust model determines which auxiliary trust or reject OIDs are applicable
 to verifying the given certificate chain.
 See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
@@ -335,7 +335,7 @@ Indicates the last option. All arguments following this are assumed to be
 certificate files. This is useful if the first certificate filename begins
 with a B<->.
 
-=item B<certificates>
+=item I<certificate> ...
 
 One or more certificates to verify. If no certificates are given, B<verify>
 will attempt to read a certificate from standard input. Certificates must be

doc/man1/openssl-x509.pod

@@ -136,7 +136,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<x509>
+Specifying an engine (by its unique I<id> string) will cause B<x509>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -170,7 +170,7 @@ See the L<x509v3_config(5)> manual page for the extension names.
 
 =item B<-certopt> I<option>
 
-Customise the output format used with B<-text>. The B<option> argument
+Customise the output format used with B<-text>. The I<option> argument
 can be a single option or multiple options separated by commas. The
 B<-certopt> switch may be also be used more than once to set multiple
 options. See the B<TEXT OPTIONS> section for more information.
@@ -231,7 +231,7 @@ Outputs the issuer name.
 =item B<-nameopt> I<option>
 
 Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the B<NAME OPTIONS> section for more information.
 
@@ -257,7 +257,7 @@ Prints out the start and expiry dates of a certificate.
 
 =item B<-checkend> I<arg>
 
-Checks if the certificate expires within the next B<arg> seconds and exits
+Checks if the certificate expires within the next I<arg> seconds and exits
 nonzero if yes it will expire or zero if not.
 
 =item B<-fingerprint>
@@ -372,7 +372,7 @@ Names and values of these options are algorithm-specific.
 
 =item B<-passin> I<arg>
 
-The key password source. For more information about the format of B<arg>
+The key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-clrext>
@@ -470,7 +470,7 @@ Instead, the B<-subj> and <-force_pubkey> options need to be given.
 
 =item B<-force_pubkey> I<filename>
 
-When a certificate is created set its public key to the key in B<filename>
+When a certificate is created set its public key to the key in I<filename>
 instead of the key contained in the input or given with the B<-signkey> option.
 
 This option is useful for creating self-issued certificates that are not
@@ -499,8 +499,8 @@ or certificate request.
 
 =head2 Name Options
 
-The B<nameopt> command line switch determines how the subject and issuer
-names are displayed. If no B<nameopt> switch is present the default "oneline"
+The B<-nameopt> command line switch determines how the subject and issuer
+names are displayed. If no B<-nameopt> switch is present the default "oneline"
 format is used which is compatible with previous versions of OpenSSL.
 Each option is described in detail below, all options can be preceded by
 a B<-> to turn the option off. Only the first four will normally be used.

doc/man1/openssl.pod

@@ -8,10 +8,10 @@ openssl - OpenSSL command line tool
 
 B<openssl>
 I<command>
-[ I<command_opts> ]
-[ I<command_args> ]
+[ I<command_opts> ... ]
+[ I<command_args> ... ]
 
-B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>]
+B<openssl> B<list> [ B<-standard-commands> | B<-digest-commands> | B<-cipher-commands> | B<-cipher-algorithms> | B<-digest-algorithms> | B<-mac-algorithms> | B<-public-key-algorithms>]
 
 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
 
@@ -52,18 +52,18 @@ B<openssl.cnf> in the default certificate storage area, whose value
 depends on the configuration flags specified when the OpenSSL
 was built.
 
-The list parameters B<standard-commands>, B<digest-commands>,
-and B<cipher-commands> output a list (one entry per line) of the names
+The list options B<-standard-commands>, B<-digest-commands>,
+and B<-cipher-commands> output a list (one entry per line) of the names
 of all standard commands, message digest commands, or cipher commands,
 respectively, that are available in the present B<openssl> utility.
 
-The list parameters B<cipher-algorithms>, B<digest-algorithms>,
-and B<mac-algorithms> list all cipher, message digest, and message
+The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
+and B<-mac-algorithms> list all cipher, message digest, and message
 authentication code names, one entry per line. Aliases are listed as:
 
  from => to
 
-The list parameter B<public-key-algorithms> lists all supported public
+The list parameter B<-public-key-algorithms> lists all supported public
 key algorithms.
 
 The command B<no->I<XXX> tests whether a command of the
@@ -514,29 +514,29 @@ L<passphrase-encoding(7)>.
 
 =over 4
 
-=item B<pass:password>
+=item B<pass:>I<password>
 
-The actual password is B<password>. Since the password is visible
+The actual password is I<password>. Since the password is visible
 to utilities (like 'ps' under Unix) this form should only be used
 where security is not important.
 
-=item B<env:var>
+=item B<env:>I<var>
 
-Obtain the password from the environment variable B<var>. Since
+Obtain the password from the environment variable I<var>. Since
 the environment of other processes is visible on certain platforms
 (e.g. ps under certain Unix OSes) this option should be used with caution.
 
-=item B<file:pathname>
+=item B<file:>I<pathname>
 
-The first line of B<pathname> is the password. If the same B<pathname>
+The first line of I<pathname> is the password. If the same I<pathname>
 argument is supplied to B<-passin> and B<-passout> arguments then the first
 line will be used for the input password and the next line for the output
-password. B<pathname> need not refer to a regular file: it could for example
+password. I<pathname> need not refer to a regular file: it could for example
 refer to a device or named pipe.
 
-=item B<fd:number>
+=item B<fd:>I<number>
 
-Read the password from the file descriptor B<number>. This can be used to
+Read the password from the file descriptor I<number>. This can be used to
 send the data via a pipe for example.
 
 =item B<stdin>
@@ -671,7 +671,7 @@ L<x509v3_config(5)>
 
 =head1 HISTORY
 
-The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
+The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
 For notes on the availability of other commands, see their individual
 manual pages.