author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-08-28 13:28:24 +0200
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-09-11 12:17:58 +0200
commit: ef2d3588e8d4dea8910ab1f7dfec768403efb265
tree: 66a2871f6535fc8dab443a1ccd0b06d56ab9918a /doc
parent: 82bdd6419361136e7be533d31a990ba0476fced3
apps/cmp.c: Improve documentation of -secret, -cert, and -key options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-cmp.pod.in 15
1 files changed, 10 insertions, 5 deletions
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 44f71b8358..2d484805b3 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -610,10 +610,11 @@ is typically used when authenticating with pre-shared key (password-based MAC).
=item B<-secret> I<arg>
-Source of secret value to use for creating PBM-based protection of outgoing
-messages and for verifying any PBM-based protection of incoming messages.
+Prefer PBM-based message protection with given source of a secret value.
+The secret is used for creating PBM-based protection of outgoing messages
+and (as far as needed) for verifying PBM-based protection of incoming messages.
PBM stands for Password-Based Message Authentication Code.
-This takes precedence over the B<-cert> option.
+This takes precedence over the B<-cert> and B<-key> options.
For more information about the format of B<arg> see the
B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
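Review bot: the new sentence "This takes precedence over the B<-cert> and B<-key> options" in the B<-secret> entry is broader than what the rest of the page describes: the B<-cert> entry in the next hunk still uses that certificate's subject as the sender name and, for KUR, as the certificate to be updated, so B<-secret> overrides B<-cert> and B<-key> only as far as message protection is concerned. Suggest "For message protection this takes precedence over the B<-cert> and B<-key> options." Two smaller wording points in the same hunk: "with given source of a secret value" needs an article ("with the given source of a secret value"), and "(as far as needed)" should state the condition it refers to, e.g. "for verifying PBM-based protection of incoming messages, where present", so the reader knows that incoming signature-protected messages are not covered by the secret.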
@@ -624,13 +625,17 @@ The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
The subject of this certificate will be used as sender of outgoing CMP messages,
while the subject of B<-oldcert> or B<-subjectName> may provide fallback values.
+The issuer of this certificate is used as one of the recipient fallback values.
When using signature-based message protection, this "protection certificate"
-will be included first in the extraCerts field of outgoing messages.
+will be included first in the extraCerts field of outgoing messages
+and the signature is done with the corresponding key.
In Initialization Request (IR) messages this can be used for authenticating
using an external entity certificate as defined in appendix E.7 of RFC 4210.
For Key Update Request (KUR) messages this is also used as
the certificate to be updated if the B<-oldcert> option is not given.
-If the file includes further certs, they are appended to the untrusted certs.
+If the file includes further certs, they are appended to the untrusted certs
+because they typically constitute the chain of the client certificate, which
+is included in the extraCerts field in signature-protected request messages.
=item B<-own_trusted> I<filenames>
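Review bot: "and the signature is done with the corresponding key" (third + line of this hunk) reads awkwardly and leaves the key source implicit; suggest "and the message signature is computed with the key given via B<-key>", which ties back to the "Requires the corresponding key to be given with B<-key>" sentence earlier in the entry. In the last three + lines, "appended to the untrusted certs" does not say which certificate set that is; name it explicitly (the set used for chain building, i.e. the certs given with B<-untrusted>, if that is what is meant) so that a reader does not take the extra certs in the B<-cert> file as trusted. The run-on "because they typically constitute the chain of the client certificate, which is included in the extraCerts field in signature-protected request messages" would also be clearer split in two: "These typically form the chain of the client certificate. In signature-protected request messages this chain is included in the extraCerts field after the client certificate."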