author Dr. Stephen Henson <steve@openssl.org> 1999-11-13 21:58:39 +0000
committer Dr. Stephen Henson <steve@openssl.org> 1999-11-13 21:58:39 +0000
commit 0286d944541b0622bcbf513d79083183d27c8603
tree 16fb0af040324a12fccb639981ad7da4ff232cfe
parent 938ead8f88dd3edbea7256aa99959b5741a98cc5
Add info about the header and footer lines used in PEM formats
and add an nseq manpage.
-rw-r--r-- doc/man/dsa.pod 7
-rw-r--r-- doc/man/dsaparam.pod 5
-rw-r--r-- doc/man/nseq.pod 70
-rw-r--r-- doc/man/pkcs8.pod 11
-rw-r--r-- doc/man/req.pod 16
-rw-r--r-- doc/man/rsa.pod 7
-rw-r--r-- doc/man/x509.pod 12
7 files changed, 123 insertions, 5 deletions
diff --git a/doc/man/dsa.pod b/doc/man/dsa.pod
index 576731f92c..4187ef4b49 100644
--- a/doc/man/dsa.pod
+++ b/doc/man/dsa.pod
@@ -117,6 +117,13 @@ a public key.
=back
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN DSA PRIVATE KEY-----
+ -----END DSA PRIVATE KEY-----
+
=head1 EXAMPLES
To remove the pass phrase on a DSA private key:
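Review bot: the new NOTES section in dsa.pod documents only the private key header and footer, yet the option text just above the hunk ends with "a public key", so the command also handles public keys. Consider also stating the header and footer lines used for the public key form, so a reader can tell from the first line of a file which of the two they are holding.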
diff --git a/doc/man/dsaparam.pod b/doc/man/dsaparam.pod
index 13a049ec67..6f05629b74 100644
--- a/doc/man/dsaparam.pod
+++ b/doc/man/dsaparam.pod
@@ -82,6 +82,11 @@ the input file (if any) is ignored.
=head1 NOTES
+PEM format DSA parameters use the header and footer lines:
+
+ -----BEGIN DSA PARAMETERS-----
+ -----END DSA PARAMETERS-----
+
DSA parameter generation is a slow process and as a result the same set of
DSA parameters is often used to generate several distinct keys.
diff --git a/doc/man/nseq.pod b/doc/man/nseq.pod
new file mode 100644
index 0000000000..a9af25b53d
--- /dev/null
+++ b/doc/man/nseq.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+nseq - create or examine a netscape certificate sequence
+
+=head1 SYNOPSIS
+
+B<openssl> B<nseq>
+[B<-in filename>]
+[B<-out filename>]
+[B<-toseq>]
+
+=head1 DESCRIPTION
+
+The B<nseq> command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-in filename>
+
+This specifies the input filename to read or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename or standard output by default.
+
+=item B<-toseq>
+
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the B<-toseq> option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+
+=back
+
+=head1 EXAMPLES
+
+Output the certificates in a Netscape certificate sequence
+
+ openssl nseq -in nseq.pem -out certs.pem
+
+Create a Netscape certificate sequence
+
+ openssl nseq -in certs.pem -toseq -out nseq.pem
+
+=head1 NOTES
+
+The B<PEM> encoded form uses the same headers and footers as a certificate:
+
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate erollment.
+It is used by Netscape certificate server for example.
+
+=head1 BUGS
+
+This program needs a few more options: like allowing DER or PEM input and
+output files and allowing multiple certificate files to be used.
+
+=cut
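Review bot: "erollment" in the NOTES paragraph of the new nseq.pod is a typo for "enrollment". In the same section, since the PEM form shares the -----BEGIN CERTIFICATE----- lines with an ordinary certificate, the header alone cannot tell the two apart; it would help to say what nseq does when the -in file is a plain certificate and -toseq is not given. The descriptions under B<-out filename> and B<-toseq> also start in lower case, unlike the one under B<-in filename>.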
diff --git a/doc/man/pkcs8.pod b/doc/man/pkcs8.pod
index 64cf65a78c..eadfe31fbb 100644
--- a/doc/man/pkcs8.pod
+++ b/doc/man/pkcs8.pod
@@ -93,6 +93,17 @@ B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
=head1 NOTES
+The encrypted form of a PEM encode PKCS#8 files uses the following
+headers and footers:
+
+ -----BEGIN ENCRYPTED PRIVATE KEY-----
+ -----END ENCRYPTED PRIVATE KEY-----
+
+The unencrypted form uses:
+
+ -----BEGIN PRIVATE KEY-----
+ -----END PRIVATE KEY-----
+
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
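Review bot: the first added sentence in pkcs8.pod, "The encrypted form of a PEM encode PKCS#8 files uses", mixes singular and plural and drops a "d"; suggest "The encrypted form of a PEM encoded PKCS#8 file uses the following headers and footers:". Beside the unencrypted form it may also be worth stating that a file carrying the -----BEGIN PRIVATE KEY----- lines holds the key with no pass phrase protection, which ties in with the security advice in the paragraph that follows.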
diff --git a/doc/man/req.pod b/doc/man/req.pod
index 5840013f06..9ca102579d 100644
--- a/doc/man/req.pod
+++ b/doc/man/req.pod
@@ -371,11 +371,17 @@ Sample configuration file:
=head1 NOTES
-The header and footer lines in the B<PEM> format contain the words
-B<BEGIN CERTIFICATE REQUEST> and B<END CERTIFICATE REQUEST> some software
-(for example some versions of Netscape certificate server) requires the
-words B<BEGIN NEW CERTIFICATE REQUEST> and B<END NEW CERTIFICATE REQUEST>
-instead.
+The header and footer lines in the B<PEM> format are respectively:
+
+ -----BEGIN CERTIFICATE REQUEST----
+ -----END CERTIFICATE REQUEST----
+
+some software (some versions of Netscape certificate server) instead needs:
+
+ -----BEGIN NEW CERTIFICATE REQUEST----
+ -----END NEW CERTIFICATE REQUEST----
+
+but is otherwise compatible. Either form is accepted on input.
The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
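Review bot: all four marker lines added to req.pod start with five dashes but end with four ("-----BEGIN CERTIFICATE REQUEST----"), while the markers added to dsa.pod, rsa.pod, pkcs8.pod and nseq.pod in this commit end with five. Anyone copying these lines verbatim gets a malformed boundary, so add the missing dash to each. The continuation "some software ..." after the verbatim block should start with a capital, and "Either form is accepted on input" could also say which form is written on output.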
diff --git a/doc/man/rsa.pod b/doc/man/rsa.pod
index eea8539b61..9834eb395f 100644
--- a/doc/man/rsa.pod
+++ b/doc/man/rsa.pod
@@ -123,6 +123,13 @@ a public key.
=back
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:
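Review bot: the NOTES text added to rsa.pod gives a single header and footer pair without saying whether it also applies to pass phrase protected keys, which the EXAMPLES section directly below deals with. pkcs8.pod in this same commit distinguishes the encrypted and unencrypted forms by their header lines, so state explicitly here whether the RSA PRIVATE KEY lines are the same in both cases.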
diff --git a/doc/man/x509.pod b/doc/man/x509.pod
index 9068070b04..7e2036e65a 100644
--- a/doc/man/x509.pod
+++ b/doc/man/x509.pod
@@ -371,6 +371,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to
openssl x509 -in cert.pem -addtrust sslclient \
-alias "Steve's Class 1 CA" -out trust.pem
+=head1 NOTES
+
+The PEM format uses the header and footer lines:
+
+ -----BEGIN CERTIFICATE----
+ -----END CERTIFICATE----
+
+it will also handle files containing:
+
+ -----BEGIN X509 CERTIFICATE----
+ -----END X509 CERTIFICATE----
+
=head1 BUGS
The way DNs are printed is in a "historical SSLeay" format which doesn't
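Review bot: the four marker lines added to x509.pod have only four trailing dashes ("-----BEGIN CERTIFICATE----"), whereas nseq.pod in this same commit shows the same certificate header with five dashes on both sides. Add the missing dash to each line so the documented markers are consistent and can be copied as written. "it will also handle" should start with a capital, and the sentence could say whether the X509 CERTIFICATE form is only accepted on input or can also be written.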