Documentation for the -precert flag for "openssl req"

Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/843)
author: Rob Percival <robpercival@google.com> 2016-03-10 20:32:16 +0000
committer: Rich Salz <rsalz@openssl.org> 2017-02-22 10:40:30 -0500
commit: 7bb89f094de0fb544df77e5afca82ade9b413f7d (patch)
tree: f2ac6b9c3882898b1291da9f6a9cbb8af7c2a0df /doc/man1
parent: caee75d2c66221a5c519f881ba216af9bd240c35 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 83b5704bd9..5ac629aa44 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -37,6 +37,7 @@ B<openssl> B<req>
 [B<-newhdr>]
 [B<-extensions section>]
 [B<-reqexts section>]
+[B<-precert>]
 [B<-utf8>]
 [B<-nameopt>]
 [B<-reqopt>]
@@ -253,6 +254,14 @@ request extensions. This allows several different sections to
 be used in the same configuration file to specify requests for
 a variety of purposes.
 
+=item B<-precert>
+
+a poison extension will be added to the certificate, making it a
+"pre-certificate" (see RFC6962). This can be submitted to Certificate
+Transparency logs in order to obtain signed certificate timestamps (SCTs).
+These SCTs can then be embedded into the pre-certificate as an extension, before
+removing the poison and signing the certificate.
+
 =item B<-utf8>
 
 this option causes field values to be interpreted as UTF8 strings, by
author	Rob Percival <robpercival@google.com>	2016-03-10 20:32:16 +0000
committer	Rich Salz <rsalz@openssl.org>	2017-02-22 10:40:30 -0500
commit	7bb89f094de0fb544df77e5afca82ade9b413f7d (patch)
tree	f2ac6b9c3882898b1291da9f6a9cbb8af7c2a0df /doc/man1
parent	caee75d2c66221a5c519f881ba216af9bd240c35 (diff)