[B<-secretkey> I<key>]
[B<-secretkeyid> I<id>]
[B<-econtent_type> I<type>]
-[B<-inkey> I<file>]
+[B<-inkey> I<filename>|I<uri>]
[B<-keyopt> I<name>:I<parameter>]
[B<-passin> I<arg>]
[B<-to> I<addr>]
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}
-{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_config_synopsis -}
[I<recipient-cert> ...]
=for openssl ifdef des-wrap engine
The input format of the CMS structure (if one is being read);
the default is B<SMIME>.
-See L<openssl(1)/Format Options> for details.
+See L<openssl-format-options(1)> for details.
=item B<-outform> B<DER>|B<PEM>|B<SMIME>
The output format of the CMS structure (if one is being written);
the default is B<SMIME>.
-See L<openssl(1)/Format Options> for details.
+See L<openssl-format-options(1)> for details.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The format of the private key file; the default is B<PEM>.
The only value with effect is B<ENGINE>; all others have become obsolete.
-See L<openssl(1)/Format Options> for details.
+See L<openssl-format-options(1)> for details.
=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
The signed receipt format for use with the B<-receipt_verify>; the default
is B<SMIME>.
-See L<openssl(1)/Format Options> for details.
+See L<openssl-format-options(1)> for details.
=item B<-stream>, B<-indef>
For the B<-cmsout> operation when B<-print> option is in use, specifies
printing options for string fields. For most cases B<utf8> is reasonable value.
-See L<openssl(1)/Name Format Options> for details.
+See L<openssl-namedisplay-options(1)> for details.
=item B<-md> I<digest>
example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
supported by your version of OpenSSL.
+Currently the AES variants with GCM mode are the only supported AEAD
+algorithms.
+
If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates.
+The input can be in PEM, DER, or PKCS#12 format.
=item B<-certsout> I<file>
is used. The I<type> argument can be any valid OID name in either text or
numerical format.
-=item B<-inkey> I<file>
+=item B<-inkey> I<filename>|I<uri>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
+see L<openssl-passphrase-options(1)>.
=item B<-to>, B<-from>, B<-subject>
{- $OpenSSL::safe::opt_provider_item -}
+{- $OpenSSL::safe::opt_config_item -}
+
=item I<recipient-cert> ...
One or more certificates of message recipients: used when encrypting
The B<-nameopt> option was added in OpenSSL 3.0.0.
+The B<-engine> option was deprecated in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.