From: Dr. David von Oheimb Date: Wed, 25 Aug 2021 10:30:09 +0000 (+0200) Subject: openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option X-Git-Tag: openssl-3.2.0-alpha1~3573 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821;p=thirdparty%2Fopenssl.git openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16440) --- diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index a20f605e031..b86f409ce81 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -120,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate or certificate request. So the B<-in> option must not be used in this case. Instead, the B<-subj> option needs to be given. The public key to include can be given with the B<-force_pubkey> option -and defaults to the key given with the B<-key> option, +and defaults to the key given with the B<-key> (or B<-signkey>) option, which implies self-signature. =item B<-x509toreq> Output a PKCS#10 certificate request (rather than a certificate). -The B<-key> option must be used to provide the private key for self-signing; -the corresponding public key is placed in the subjectPKInfo field. +The B<-key> (or B<-signkey>) option must be used to provide the private key for +self-signing; the corresponding public key is placed in the subjectPKInfo field. X.509 extensions included in a certificate input are not copied by default. X.509 extensions to be added can be specified using the B<-extfile> option. 
@@ -360,8 +360,9 @@ Check that the certificate matches the specified IP address. =item B<-set_serial> I -Specifies the serial number to use. This option can be used with either -the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option +Specifies the serial number to use. +This option can be used with the B<-key>, B<-signkey>, or B<-CA> options. +If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> option) is not used. The serial number can be decimal or hex (if preceded by C<0x>). @@ -405,7 +406,8 @@ or certificate request. =item B<-force_pubkey> I When a certificate is created set its public key to the key in I -instead of the key contained in the input or given with the B<-key> option. +instead of the key contained in the input +or given with the B<-key> (or B<-signkey>) option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. @@ -451,7 +453,7 @@ for testing. The digest to use. This affects any signing or printing option that uses a message -digest, such as the B<-fingerprint>, B<-key> and B<-CA> options. +digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options. Any digest supported by the L command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. 
@@ -469,7 +471,7 @@ When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as detailed below. -This option cannot be used in conjunction with the B<-key> option. +This option cannot be used in conjunction with B<-key> (or B<-signkey>). This option is normally combined with the B<-req> option referencing a CSR. Without the B<-req> option the input must be an existing certificate unless the B<-new> option is given, which generates a certificate from scratch.
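Review bot: In the B<-set_serial> hunk (@@ -360,8 +360,9 @@), the new line "This option can be used with the B<-key>, B<-signkey>, or B<-CA> options." lists B<-signkey> as a third, separate option, while the other hunks that mention it write "B<-key> (or B<-signkey>)" to mark it as an alias. Suggest "This option can be used with the B<-key> (or B<-signkey>) or B<-CA> options." so that this paragraph matches the commit subject and a reader does not take B<-signkey> for a distinct signing mode.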
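Review bot: In the digest hunk (@@ -451,7 +453,7 @@), the only change is an added comma in "such as the B<-fingerprint>, B<-key>, and B<-CA> options", and B<-signkey> is not mentioned, unlike in the other four hunks. Either write "B<-key> (or B<-signkey>)" here as well, or move this punctuation fix to a separate commit, since it is unrelated to the alias wording named in the subject line.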
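Review bot: In the B<-CA> hunk (@@ -469,7 +471,7 @@), the new sentence "This option cannot be used in conjunction with B<-key> (or B<-signkey>)." drops the "the ... option" framing that the removed line had and that the B<-new>, B<-x509toreq> and B<-force_pubkey> hunks keep ("the B<-key> (or B<-signkey>) option"). Suggest "cannot be used in conjunction with the B<-key> (or B<-signkey>) option" for consistent phrasing across the page.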