authorDr. Stephen Henson <steve@openssl.org>1999-11-12 01:04:39 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-11-12 01:04:39 +0000
commit5e76807bbdfc566b21ac1686b1cb307112ae4dc2 (patch)
tree62edb20920553e5099882507d3e505e76ff7a6ce /doc
parentaf29811edd8fd05003e4118b31084ae0f22d68b3 (diff)
More docs and corrections/updates
Diffstat (limited to 'doc')
-rw-r--r--doc/man/ca.pod14
-rw-r--r--doc/man/crl2pkcs7.pod90
-rw-r--r--doc/man/pkcs7.pod73
-rw-r--r--doc/man/req.pod63
4 files changed, 233 insertions, 7 deletions
diff --git a/doc/man/ca.pod b/doc/man/ca.pod
index 93baab13ab..fbc4cbac9a 100644
--- a/doc/man/ca.pod
+++ b/doc/man/ca.pod
@@ -202,6 +202,20 @@ any) used.
=over 4
+=item B<oid_file>
+
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name.
+
+=item B<oid_section>
+
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used.
+
=item B<new_certs_dir>
the same as the B<-outdir> command line option. It specifies
diff --git a/doc/man/crl2pkcs7.pod b/doc/man/crl2pkcs7.pod
new file mode 100644
index 0000000000..ad749ed0c3
--- /dev/null
+++ b/doc/man/crl2pkcs7.pod
@@ -0,0 +1,90 @@
+=pod
+
+=head1 NAME
+
+crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+
+=head1 DESCRIPTION
+
+The B<crl2pkcs7> command takes an optional CRL and one or more
+certificates and converts them into a PKCS#7 degenerate "certificates
+only" structure.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the CRL input format. B<DER> format is DER encoded CRL
+structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the PKCS#7 structure output format. B<DER> format is DER
+encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-in filename>
+
+This specifies the input filename to read a CRL from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write the PKCS#7 structure to or standard
+output by default.
+
+=item B<-certfile filename>
+
+specifies a filename containing one or more certificates in B<PEM> format.
+All certificates in the file will be added to the PKCS#7 structure. This
+option can be used more than once to read certificates form multiple
+files.
+
+=item B<-nocrl>
+
+normally a CRL is included in the output file. With this option no CRL is
+included in the output file and a CRL is not read from the input file.
+
+=back
+
+=head1 EXAMPLES
+
+Create a PKCS#7 structure from a certificate and CRL:
+
+ openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
+
+Creates a PKCS#7 structure in DER format with no CRL from several
+different certificates:
+
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem
+ -certfile demoCA/cacert.pem -outform DER -out p7.der
+
+=head1 NOTES
+
+The output file is a PKCS#7 signed data structure containing no signers and
+just certificates and an optional CRL.
+
+This utility can be used to send certificates and CAs to Netscape as part of
+the certificate enrollment process. This involves sending the DER encoded output
+as MIME type application/x-x509-user-cert.
+
+The B<PEM> encoded form with the header and footer lines removed can be used to
+install user certificates and CAs in MSIE using the Xenroll control.
+
+=head1 SEE ALSO
+
+pkcs7(1)
+
+=cut
diff --git a/doc/man/pkcs7.pod b/doc/man/pkcs7.pod
new file mode 100644
index 0000000000..bacd05efe1
--- /dev/null
+++ b/doc/man/pkcs7.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+pkcs7 - PKCS#7 utility
+
+=head1 SYNOPSIS
+
+B<openssl> B<pkcs7>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-print_certs>]
+
+=head1 DESCRIPTION
+
+The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. B<DER> format is DER encoded PKCS#7
+v1.5 structure.B<PEM> (the default) is a base64 encoded version of
+the DER form with header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read from or standard input if this
+option is not specified.
+
+=item B<-out filename>
+
+specifies the output filename to write to or standard output by
+default.
+
+=item B<-print_certs>
+
+prints out any certificates or CRLs contained in the file. They are
+preceded by their subject and issuer names in one line format.
+
+=back
+
+=head1 EXAMPLES
+
+Convert a PKCS#7 file from PEM to DER:
+
+ openssl pkcs7 -in file.pem -outform DER -out file.der
+
+Output all certificates in a file:
+
+ openssl pkcs7 -in file.pem -print_certs -out certs.pem
+
+=head1 RESTRICTIONS
+
+There is no option to print out all the fields of a PKCS#7 file.
+
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
+cannot currently parse, for example, the new CMS as described in RFCXXXX.
+
+=head1 SEE ALSO
+
+crl2pkcs7(1)
+
+=cut
diff --git a/doc/man/req.pod b/doc/man/req.pod
index c9e7111aaf..5840013f06 100644
--- a/doc/man/req.pod
+++ b/doc/man/req.pod
@@ -203,8 +203,8 @@ by white space and finally the long name.
=item B<oid_section>
This specifies a section in the configuration file containing extra
-object identifiers. Each line should consist of the numerical form
-of the object identifier followed by B<=> and its name. The short
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
and long names are the same when this option is used.
=item B<RANDFILE>
@@ -305,20 +305,69 @@ will be treated as though they were a DirectoryString.
Examine and verify certificate request:
-openssl req -in req.pem -text -verify -noout
+ openssl req -in req.pem -text -verify -noout
Create a private key and then generate a certificate request from it:
-openssl genrsa -out key.pem 1024
-openssl req -new -key key.pem -out req.pem
+ openssl genrsa -out key.pem 1024
+ openssl req -new -key key.pem -out req.pem
The same but just using req:
-openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
Generate a self signed root certificate:
-openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+
+Example of a file pointed to by the B<oid_file> option:
+
+ 1.2.3.4 shortName A longer Name
+ 1.2.3.6 otherName Other longer Name
+
+Example of a section pointed to by B<oid_section> making use of variable
+expansion:
+
+ testoid1=1.2.3.5
+ testoid2=${testoid1}.6
+
+Sample configuration file:
+
+ [ req ]
+ default_bits = 1024
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+ x509_extensions = v3_ca
+
+ dirstring_type = nobmp
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+ countryName_default = AU
+ countryName_min = 2
+ countryName_max = 2
+
+ localityName = Locality Name (eg, city)
+
+ organizationalUnitName = Organizational Unit Name (eg, section)
+
+ commonName = Common Name (eg, YOUR name)
+ commonName_max = 64
+
+ emailAddress = Email Address
+ emailAddress_max = 40
+
+ [ req_attributes ]
+ challengePassword = A challenge password
+ challengePassword_min = 4
+ challengePassword_max = 20
+
+ [ v3_ca ]
+
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid:always,issuer:always
+ basicConstraints = CA:true
=head1 NOTES