Update for OpenSSL 0.9.7. No assembler code at the moment. This

will follow.

34 files changed, 11305 insertions, 0 deletions

diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
new file mode 100644
index 0000000..a20c295
--- /dev/null
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -0,0 +1,302 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:04:57 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "CA.pl 3"
+.TH CA.pl 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+\&\s-1CA\s0.pl \- friendlier interface for OpenSSL certificate programs
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fB\s-1CA\s0.pl\fR
+[\fB\-?\fR]
+[\fB\-h\fR]
+[\fB\-help\fR]
+[\fB\-newcert\fR]
+[\fB\-newreq\fR]
+[\fB\-newreq-nodes\fR]
+[\fB\-newca\fR]
+[\fB\-xsign\fR]
+[\fB\-sign\fR]
+[\fB\-signreq\fR]
+[\fB\-signcert\fR]
+[\fB\-verify\fR]
+[\fBfiles\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
+arguments to the \fBopenssl\fR command for some common certificate operations.
+It is intended to simplify the process of certificate creation and management
+by the use of some simple options.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
+.IX Item "?, -h, -help"
+prints a usage message.
+.Ip "\fB\-newcert\fR" 4
+.IX Item "-newcert"
+creates a new self signed certificate. The private key and certificate are
+written to the file \*(L"newreq.pem\*(R".
+.Ip "\fB\-newreq\fR" 4
+.IX Item "-newreq"
+creates a new certificate request. The private key and request are
+written to the file \*(L"newreq.pem\*(R".
+.Ip "\fB\-newreq-nowdes\fR" 4
+.IX Item "-newreq-nowdes"
+is like \fB\-newreq\fR except that the private key will not be encrypted.
+.Ip "\fB\-newca\fR" 4
+.IX Item "-newca"
+creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
+and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
+certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
+details of the \s-1CA\s0 will be prompted for. The relevant files and directories
+are created in a directory called \*(L"demoCA\*(R" in the current directory.
+.Ip "\fB\-pkcs12\fR" 4
+.IX Item "-pkcs12"
+create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
+certificate. It expects the user certificate and private key to be in the
+file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
+it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
+\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
+If there is an additional argument on the command line it will be used as the
+\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
+list box), otherwise the name \*(L"My Certificate\*(R" is used.
+.Ip "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
+.IX Item "-sign, -signreq, -xsign"
+calls the \fBca\fR program to sign a certificate request. It expects the request
+to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
+\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
+to standard output.
+.Ip "\fB\-signCA\fR" 4
+.IX Item "-signCA"
+this option is the same as the \fB\-signreq\fR option except it uses the configuration
+file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
+is useful when creating intermediate \s-1CA\s0 from a root \s-1CA\s0.
+.Ip "\fB\-signcert\fR" 4
+.IX Item "-signcert"
+this option is the same as \fB\-sign\fR except it expects a self signed certificate
+to be present in the file \*(L"newreq.pem\*(R".
+.Ip "\fB\-verify\fR" 4
+.IX Item "-verify"
+verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates
+are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R". 
+.Ip "\fBfiles\fR" 4
+.IX Item "files"
+one or more optional certificate file names for use with the \fB\-verify\fR command.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Create a \s-1CA\s0 hierarchy:
+.PP
+.Vb 1
+\& CA.pl -newca
+.Ve
+Complete certificate creation example: create a \s-1CA\s0, create a request, sign
+the request and finally create a PKCS#12 file containing it.
+.PP
+.Vb 4
+\& CA.pl -newca
+\& CA.pl -newreq
+\& CA.pl -signreq
+\& CA.pl -pkcs12 "My Test Certificate"
+.Ve
+.SH "DSA CERTIFICATES"
+.IX Header "DSA CERTIFICATES"
+Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
+use it with \s-1DSA\s0 certificates and requests using the req(1) command
+directly. The following example shows the steps that would typically be taken.
+.PP
+Create some \s-1DSA\s0 parameters:
+.PP
+.Vb 1
+\& openssl dsaparam -out dsap.pem 1024
+.Ve
+Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key:
+.PP
+.Vb 1
+\& openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
+.Ve
+Create the \s-1CA\s0 directories and files:
+.PP
+.Vb 1
+\& CA.pl -newca
+.Ve
+enter cacert.pem when prompted for the \s-1CA\s0 file name.
+.PP
+Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
+can optionally be created first):
+.PP
+.Vb 1
+\& openssl req -out newreq.pem -newkey dsa:dsap.pem
+.Ve
+Sign the request:
+.PP
+.Vb 1
+\& CA.pl -signreq
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
+.PP
+If the demoCA directory already exists then the \fB\-newca\fR command will not
+overwrite it and will do nothing. This can happen if a previous call using
+the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
+delete the demoCA directory if it already exists.
+.PP
+Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
+directly (for example Win32) and the default configuration file location may
+be wrong. In this case the command:
+.PP
+.Vb 1
+\& perl -S CA.pl
+.Ve
+can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to 
+the correct path of the configuration file \*(L"openssl.cnf\*(R".
+.PP
+The script is intended as a simple front end for the \fBopenssl\fR program for use
+by a beginner. Its behaviour isn't always what is wanted. For more control over the
+behaviour of the certificate commands call the \fBopenssl\fR command directly.
+.SH "ENVIRONMENT VARIABLES"
+.IX Header "ENVIRONMENT VARIABLES"
+The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
+file location to be specified, it should contain the full path to the
+configuration file, not just its directory.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+x509(1), ca(1), req(1), pkcs12(1),
+config(5)
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
new file mode 100644
index 0000000..76eadb2
--- /dev/null
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -0,0 +1,251 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:04:58 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "asn1parse 3"
+.TH asn1parse 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+asn1parse \- \s-1ASN\s0.1 parsing tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBasn1parse\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-noout\fR]
+[\fB\-offset number\fR]
+[\fB\-length number\fR]
+[\fB\-i\fR]
+[\fB\-oid filename\fR]
+[\fB\-strparse offset\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1
+structures. It can also be used to extract data from \s-1ASN\s0.1 formatted data.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-inform\fR \fBDER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64
+encoded.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+the input file, default is standard input
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+output file to place the \s-1DER\s0 encoded data into. If this
+option is not present then no data will be output. This is most useful when
+combined with the \fB\-strparse\fR option.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+don't output the parsed version of the input file.
+.Ip "\fB\-offset number\fR" 4
+.IX Item "-offset number"
+starting offset to begin parsing, default is start of file.
+.Ip "\fB\-length number\fR" 4
+.IX Item "-length number"
+number of bytes to parse, default is until end of file.
+.Ip "\fB\-i\fR" 4
+.IX Item "-i"
+indents the output according to the \*(L"depth\*(R" of the structures.
+.Ip "\fB\-oid filename\fR" 4
+.IX Item "-oid filename"
+a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
+file is described in the \s-1NOTES\s0 section below.
+.Ip "\fB\-strparse offset\fR" 4
+.IX Item "-strparse offset"
+parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This
+option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
+.Sh "\s-1OUTPUT\s0"
+.IX Subsection "OUTPUT"
+The output will typically contain lines like this:
+.PP
+.Vb 1
+\&  0:d=0  hl=4 l= 681 cons: SEQUENCE
+.Ve
+\&.....
+.PP
+.Vb 10
+\&  229:d=3  hl=3 l= 141 prim: BIT STRING        
+\&  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
+\&  376:d=3  hl=3 l= 159 cons: SEQUENCE          
+\&  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+\&  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
+\&  386:d=5  hl=2 l=  22 prim: OCTET STRING      
+\&  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+\&  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
+\&  417:d=5  hl=2 l= 105 prim: OCTET STRING      
+\&  524:d=4  hl=2 l=  12 cons: SEQUENCE
+.Ve
+\&.....
+.PP
+This example is part of a self signed certificate. Each line starts with the
+offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
+within the scope of any \s-1SET\s0 or \s-1SEQUENCE\s0. \fBhl=XX\fR gives the header length
+(tag and length octets) of the current type. \fBl=XX\fR gives the length of
+the contents octets.
+.PP
+The \fB\-i\fR option can be used to make the output more readable.
+.PP
+Some knowledge of the \s-1ASN\s0.1 structure is needed to interpret the output. 
+.PP
+In this example the \s-1BIT\s0 \s-1STRING\s0 at offset 229 is the certificate public key.
+The contents octets of this will contain the public key information. This can
+be examined using the option \fB\-strparse 229\fR to yield:
+.PP
+.Vb 3
+\&    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+\&    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
+\&  135:d=1  hl=2 l=   3 prim: INTEGER           :010001
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in
+numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option 
+allows additional OIDs to be included. Each line consists of three columns,
+the first column is the \s-1OID\s0 in numerical format and should be followed by white
+space. The second column is the \*(L"short name\*(R" which is a single word followed
+by white space. The final column is the rest of the line and is the
+\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example:
+.PP
+\&\f(CW\*(C`1.2.3.4	shortName	A long name\*(C'\fR
+.SH "BUGS"
+.IX Header "BUGS"
+There should be options to change the format of input lines. The output of some
+\&\s-1ASN\s0.1 types is not well handled (if at all).
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
new file mode 100644
index 0000000..bccbbc4
--- /dev/null
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -0,0 +1,694 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:04:59 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "ca 3"
+.TH ca 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+ca \- sample minimal \s-1CA\s0 application
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBca\fR
+[\fB\-verbose\fR]
+[\fB\-config filename\fR]
+[\fB\-name section\fR]
+[\fB\-gencrl\fR]
+[\fB\-revoke file\fR]
+[\fB\-crl_reason reason\fR]
+[\fB\-crl_hold instruction\fR]
+[\fB\-crl_compromise time\fR]
+[\fB\-crl_CA_compromise time\fR]
+[\fB\-subj arg\fR]
+[\fB\-crldays days\fR]
+[\fB\-crlhours hours\fR]
+[\fB\-crlexts section\fR]
+[\fB\-startdate date\fR]
+[\fB\-enddate date\fR]
+[\fB\-days arg\fR]
+[\fB\-md arg\fR]
+[\fB\-policy arg\fR]
+[\fB\-keyfile arg\fR]
+[\fB\-key arg\fR]
+[\fB\-passin arg\fR]
+[\fB\-cert file\fR]
+[\fB\-in file\fR]
+[\fB\-out file\fR]
+[\fB\-notext\fR]
+[\fB\-outdir dir\fR]
+[\fB\-infiles\fR]
+[\fB\-spkac file\fR]
+[\fB\-ss_cert file\fR]
+[\fB\-preserveDN\fR]
+[\fB\-noemailDN\fR]
+[\fB\-batch\fR]
+[\fB\-msie_hack\fR]
+[\fB\-extensions section\fR]
+[\fB\-extfile section\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
+to sign certificate requests in a variety of forms and generate
+CRLs it also maintains a text database of issued certificates
+and their status.
+.PP
+The options descriptions will be divided into each purpose.
+.SH "CA OPTIONS"
+.IX Header "CA OPTIONS"
+.Ip "\fB\-config filename\fR" 4
+.IX Item "-config filename"
+specifies the configuration file to use.
+.Ip "\fB\-name section\fR" 4
+.IX Item "-name section"
+specifies the configuration file section to use (overrides
+\&\fBdefault_ca\fR in the \fBca\fR section).
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+an input filename containing a single certificate request to be
+signed by the \s-1CA\s0.
+.Ip "\fB\-ss_cert filename\fR" 4
+.IX Item "-ss_cert filename"
+a single self signed certificate to be signed by the \s-1CA\s0.
+.Ip "\fB\-spkac filename\fR" 4
+.IX Item "-spkac filename"
+a file containing a single Netscape signed public key and challenge
+and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR
+section for information on the required format.
+.Ip "\fB\-infiles\fR" 4
+.IX Item "-infiles"
+if present this should be the last option, all subsequent arguments
+are assumed to the the names of files containing certificate requests. 
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the output file to output certificates to. The default is standard
+output. The certificate details will also be printed out to this
+file.
+.Ip "\fB\-outdir directory\fR" 4
+.IX Item "-outdir directory"
+the directory to output certificates to. The certificate will be
+written to a filename consisting of the serial number in hex with
+\&\*(L".pem\*(R" appended.
+.Ip "\fB\-cert\fR" 4
+.IX Item "-cert"
+the \s-1CA\s0 certificate file.
+.Ip "\fB\-keyfile filename\fR" 4
+.IX Item "-keyfile filename"
+the private key to sign requests with.
+.Ip "\fB\-key password\fR" 4
+.IX Item "-key password"
+the password used to encrypt the private key. Since on some
+systems the command line arguments are visible (e.g. Unix with
+the 'ps' utility) this option should be used with caution.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the key password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+this prints extra details about the operations being performed.
+.Ip "\fB\-notext\fR" 4
+.IX Item "-notext"
+don't output the text form of a certificate to the output file.
+.Ip "\fB\-startdate date\fR" 4
+.IX Item "-startdate date"
+this allows the start date to be explicitly set. The format of the
+date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
+.Ip "\fB\-enddate date\fR" 4
+.IX Item "-enddate date"
+this allows the expiry date to be explicitly set. The format of the
+date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
+.Ip "\fB\-days arg\fR" 4
+.IX Item "-days arg"
+the number of days to certify the certificate for.
+.Ip "\fB\-md alg\fR" 4
+.IX Item "-md alg"
+the message digest to use. Possible values include md5, sha1 and mdc2.
+This option also applies to CRLs.
+.Ip "\fB\-policy arg\fR" 4
+.IX Item "-policy arg"
+this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
+the configuration file which decides which fields should be mandatory
+or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
+for more information.
+.Ip "\fB\-msie_hack\fR" 4
+.IX Item "-msie_hack"
+this is a legacy option to make \fBca\fR work with very old versions of
+the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
+for almost everything. Since the old control has various security bugs
+its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not
+need this option.
+.Ip "\fB\-preserveDN\fR" 4
+.IX Item "-preserveDN"
+Normally the \s-1DN\s0 order of a certificate is the same as the order of the
+fields in the relevant policy section. When this option is set the order 
+is the same as the request. This is largely for compatibility with the
+older \s-1IE\s0 enrollment control which would only accept certificates if their
+DNs match the order of the request. This is not needed for Xenroll.
+.Ip "\fB\-noemailDN\fR" 4
+.IX Item "-noemailDN"
+The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
+request \s-1DN\s0, however it is good policy just having the e-mail set into
+the altName extension of the certificate. When this option is set the
+\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
+the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
+used in the configuration file to enable this behaviour.
+.Ip "\fB\-batch\fR" 4
+.IX Item "-batch"
+this sets the batch mode. In this mode no questions will be asked
+and all certificates will be certified automatically.
+.Ip "\fB\-extensions section\fR" 4
+.IX Item "-extensions section"
+the section of the configuration file containing certificate extensions
+to be added when a certificate is issued (defaults to \fBx509_extensions\fR
+unless the \fB\-extfile\fR option is used). If no extension section is
+present then, a V1 certificate is created. If the extension section
+is present (even if it is empty), then a V3 certificate is created.
+.Ip "\fB\-extfile file\fR" 4
+.IX Item "-extfile file"
+an additional configuration file to read certificate extensions from
+(using the default section unless the \fB\-extensions\fR option is also
+used).
+.SH "CRL OPTIONS"
+.IX Header "CRL OPTIONS"
+.Ip "\fB\-gencrl\fR" 4
+.IX Item "-gencrl"
+this option generates a \s-1CRL\s0 based on information in the index file.
+.Ip "\fB\-crldays num\fR" 4
+.IX Item "-crldays num"
+the number of days before the next \s-1CRL\s0 is due. That is the days from
+now to place in the \s-1CRL\s0 nextUpdate field.
+.Ip "\fB\-crlhours num\fR" 4
+.IX Item "-crlhours num"
+the number of hours before the next \s-1CRL\s0 is due.
+.Ip "\fB\-revoke filename\fR" 4
+.IX Item "-revoke filename"
+a filename containing a certificate to revoke.
+.Ip "\fB\-crl_reason reason\fR" 4
+.IX Item "-crl_reason reason"
+revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
+\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
+\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case
+insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
+.Sp
+In practive \fBremoveFromCRL\fR is not particularly useful because it is only used
+in delta CRLs which are not currently implemented.
+.Ip "\fB\-crl_hold instruction\fR" 4
+.IX Item "-crl_hold instruction"
+This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
+instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be
+used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
+\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
+.Ip "\fB\-crl_compromise time\fR" 4
+.IX Item "-crl_compromise time"
+This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
+\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
+.Ip "\fB\-crl_CA_compromise time\fR" 4
+.IX Item "-crl_CA_compromise time"
+This is the same as \fBcrl_compromise\fR except the revocation reason is set to
+\&\fBCACompromise\fR.
+.Ip "\fB\-subj arg\fR" 4
+.IX Item "-subj arg"
+supersedes subject name given in the request.
+The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
+characters may be escaped by \e (backslash), no spaces are skipped.
+.Ip "\fB\-crlexts section\fR" 4
+.IX Item "-crlexts section"
+the section of the configuration file containing \s-1CRL\s0 extensions to
+include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
+created, if the \s-1CRL\s0 extension section is present (even if it is
+empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
+\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions.  It should be noted
+that some software (for example Netscape) can't handle V2 CRLs. 
+.SH "CONFIGURATION FILE OPTIONS"
+.IX Header "CONFIGURATION FILE OPTIONS"
+The section of the configuration file containing options for \fBca\fR
+is found as follows: If the \fB\-name\fR command line option is used,
+then it names the section to be used. Otherwise the section to
+be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
+of the configuration file (or in the default section of the
+configuration file). Besides \fBdefault_ca\fR, the following options are
+read directly from the \fBca\fR section:
+ \s-1RANDFILE\s0
+ preserve
+ msie_hack
+With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
+change in future releases.
+.PP
+Many of the configuration file options are identical to command line
+options. Where the option is present in the configuration file
+and the command line the command line value is used. Where an
+option is described as mandatory then it must be present in
+the configuration file or the command line equivalent (if
+any) used.
+.Ip "\fBoid_file\fR" 4
+.IX Item "oid_file"
+This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+.Ip "\fBoid_section\fR" 4
+.IX Item "oid_section"
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by \fB=\fR and the numerical form. The short
+and long names are the same when this option is used.
+.Ip "\fBnew_certs_dir\fR" 4
+.IX Item "new_certs_dir"
+the same as the \fB\-outdir\fR command line option. It specifies
+the directory where new certificates will be placed. Mandatory.
+.Ip "\fBcertificate\fR" 4
+.IX Item "certificate"
+the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
+certificate. Mandatory.
+.Ip "\fBprivate_key\fR" 4
+.IX Item "private_key"
+same as the \fB\-keyfile\fR option. The file containing the
+\&\s-1CA\s0 private key. Mandatory.
+.Ip "\fB\s-1RANDFILE\s0\fR" 4
+.IX Item "RANDFILE"
+a file used to read and write random number seed information, or
+an \s-1EGD\s0 socket (see RAND_egd(3)).
+.Ip "\fBdefault_days\fR" 4
+.IX Item "default_days"
+the same as the \fB\-days\fR option. The number of days to certify
+a certificate for. 
+.Ip "\fBdefault_startdate\fR" 4
+.IX Item "default_startdate"
+the same as the \fB\-startdate\fR option. The start date to certify
+a certificate for. If not set the current time is used.
+.Ip "\fBdefault_enddate\fR" 4
+.IX Item "default_enddate"
+the same as the \fB\-enddate\fR option. Either this option or
+\&\fBdefault_days\fR (or the command line equivalents) must be
+present.
+.Ip "\fBdefault_crl_hours default_crl_days\fR" 4
+.IX Item "default_crl_hours default_crl_days"
+the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
+will only be used if neither command line option is present. At
+least one of these must be present to generate a \s-1CRL\s0.
+.Ip "\fBdefault_md\fR" 4
+.IX Item "default_md"
+the same as the \fB\-md\fR option. The message digest to use. Mandatory.
+.Ip "\fBdatabase\fR" 4
+.IX Item "database"
+the text database file to use. Mandatory. This file must be present
+though initially it will be empty.
+.Ip "\fBserialfile\fR" 4
+.IX Item "serialfile"
+a text file containing the next serial number to use in hex. Mandatory.
+This file must be present and contain a valid serial number.
+.Ip "\fBx509_extensions\fR" 4
+.IX Item "x509_extensions"
+the same as \fB\-extensions\fR.
+.Ip "\fBcrl_extensions\fR" 4
+.IX Item "crl_extensions"
+the same as \fB\-crlexts\fR.
+.Ip "\fBpreserve\fR" 4
+.IX Item "preserve"
+the same as \fB\-preserveDN\fR
+.Ip "\fBemail_in_dn\fR" 4
+.IX Item "email_in_dn"
+the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
+from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
+the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0.
+.Ip "\fBmsie_hack\fR" 4
+.IX Item "msie_hack"
+the same as \fB\-msie_hack\fR
+.Ip "\fBpolicy\fR" 4
+.IX Item "policy"
+the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
+for more information.
+.Ip "\fBnameopt\fR, \fBcertopt\fR" 4
+.IX Item "nameopt, certopt"
+these options allow the format used to display the certificate details
+when asking the user to confirm signing. All the options supported by
+the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
+here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
+and cannot be disabled (this is because the certificate signature cannot
+be displayed because the certificate has not been signed at this point).
+.Sp
+For convenience the values \fBdefault_ca\fR are accepted by both to produce
+a reasonable output.
+.Sp
+If neither option is present the format used in earlier versions of
+OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
+it only displays fields mentioned in the \fBpolicy\fR section, mishandles
+multicharacter string types and does not display extensions.
+.Ip "\fBcopy_extensions\fR" 4
+.IX Item "copy_extensions"
+determines how extensions in certificate requests should be handled.
+If set to \fBnone\fR or this option is not present then extensions are
+ignored and not copied to the certificate. If set to \fBcopy\fR then any
+extensions present in the request that are not already present are copied
+to the certificate. If set to \fBcopyall\fR then all extensions in the
+request are copied to the certificate: if the extension is already present
+in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
+using this option.
+.Sp
+The main use of this option is to allow a certificate request to supply
+values for certain extensions such as subjectAltName.
+.SH "POLICY FORMAT"
+.IX Header "POLICY FORMAT"
+The policy section consists of a set of variables corresponding to
+certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
+must match the same field in the \s-1CA\s0 certificate. If the value is
+\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then
+it may be present. Any fields not mentioned in the policy section
+are silently deleted, unless the \fB\-preserveDN\fR option is set but
+this can be regarded more of a quirk than intended behaviour.
+.SH "SPKAC FORMAT"
+.IX Header "SPKAC FORMAT"
+The input to the \fB\-spkac\fR command line option is a Netscape
+signed public key and challenge. This will usually come from
+the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. 
+It is however possible to create SPKACs using the \fBspkac\fR utility.
+.PP
+The file should contain the variable \s-1SPKAC\s0 set to the value of
+the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
+If you need to include the same component twice then it can be
+preceded by a number and a '.'.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Note: these examples assume that the \fBca\fR directory structure is
+already set up and the relevant files already exist. This usually
+involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a
+serial number file and an empty index file and placing them in
+the relevant directories.
+.PP
+To use the sample configuration file below the directories demoCA,
+demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0
+certificate would be copied to demoCA/cacert.pem and its private
+key to demoCA/private/cakey.pem. A file demoCA/serial would be
+created containing for example \*(L"01\*(R" and the empty index file
+demoCA/index.txt.
+.PP
+Sign a certificate request:
+.PP
+.Vb 1
+\& openssl ca -in req.pem -out newcert.pem
+.Ve
+Sign a certificate request, using \s-1CA\s0 extensions:
+.PP
+.Vb 1
+\& openssl ca -in req.pem -extensions v3_ca -out newcert.pem
+.Ve
+Generate a \s-1CRL\s0
+.PP
+.Vb 1
+\& openssl ca -gencrl -out crl.pem
+.Ve
+Sign several requests:
+.PP
+.Vb 1
+\& openssl ca -infiles req1.pem req2.pem req3.pem
+.Ve
+Certify a Netscape \s-1SPKAC:\s0
+.PP
+.Vb 1
+\& openssl ca -spkac spkac.txt
+.Ve
+A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
+.PP
+.Vb 5
+\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
+\& CN=Steve Test
+\& emailAddress=steve@openssl.org
+\& 0.OU=OpenSSL Group
+\& 1.OU=Another Group
+.Ve
+A sample configuration file with the relevant sections for \fBca\fR:
+.PP
+.Vb 2
+\& [ ca ]
+\& default_ca      = CA_default            # The default ca section
+.Ve
+.Vb 1
+\& [ CA_default ]
+.Ve
+.Vb 3
+\& dir            = ./demoCA              # top dir
+\& database       = $dir/index.txt        # index file.
+\& new_certs_dir  = $dir/newcerts         # new certs dir
+.Ve
+.Vb 4
+\& certificate    = $dir/cacert.pem       # The CA cert
+\& serial         = $dir/serial           # serial no file
+\& private_key    = $dir/private/cakey.pem# CA private key
+\& RANDFILE       = $dir/private/.rand    # random number file
+.Ve
+.Vb 3
+\& default_days   = 365                   # how long to certify for
+\& default_crl_days= 30                   # how long before next CRL
+\& default_md     = md5                   # md to use
+.Ve
+.Vb 2
+\& policy         = policy_any            # default policy
+\& email_in_dn    = no                    # Don't add the email into cert DN
+.Ve
+.Vb 3
+\& nameopt        = default_ca            # Subject name display option
+\& certopt        = default_ca            # Certificate display option
+\& copy_extensions = none                 # Don't copy extensions from request
+.Ve
+.Vb 7
+\& [ policy_any ]
+\& countryName            = supplied
+\& stateOrProvinceName    = optional
+\& organizationName       = optional
+\& organizationalUnitName = optional
+\& commonName             = supplied
+\& emailAddress           = optional
+.Ve
+.SH "FILES"
+.IX Header "FILES"
+Note: the location of all files can change either by compile time options,
+configuration file entries, environment variables or command line options.
+The values below reflect the default values.
+.PP
+.Vb 10
+\& /usr/local/ssl/lib/openssl.cnf - master configuration file
+\& ./demoCA                       - main CA directory
+\& ./demoCA/cacert.pem            - CA certificate
+\& ./demoCA/private/cakey.pem     - CA private key
+\& ./demoCA/serial                - CA serial number file
+\& ./demoCA/serial.old            - CA serial number backup file
+\& ./demoCA/index.txt             - CA text database file
+\& ./demoCA/index.txt.old         - CA text database backup file
+\& ./demoCA/certs                 - certificate output file
+\& ./demoCA/.rnd                  - CA random seed information
+.Ve
+.SH "ENVIRONMENT VARIABLES"
+.IX Header "ENVIRONMENT VARIABLES"
+\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can
+be overridden by the \fB\-config\fR command line option.
+.SH "RESTRICTIONS"
+.IX Header "RESTRICTIONS"
+The text database index file is a critical part of the process and 
+if corrupted it can be difficult to fix. It is theoretically possible
+to rebuild the index file from all the issued certificates and a current
+\&\s-1CRL:\s0 however there is no option to do this.
+.PP
+V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently
+supported.
+.PP
+Although several requests can be input and handled at once it is only
+possible to include one \s-1SPKAC\s0 or self signed certificate.
+.SH "BUGS"
+.IX Header "BUGS"
+The use of an in memory text database can cause problems when large
+numbers of certificates are present because, as the name implies
+the database has to be kept in memory.
+.PP
+It is not possible to certify two certificates with the same \s-1DN:\s0 this
+is a side effect of how the text database is indexed and it cannot easily
+be fixed without introducing other problems. Some S/MIME clients can use
+two certificates with the same \s-1DN\s0 for separate signing and encryption
+keys.
+.PP
+The \fBca\fR command really needs rewriting or the required functionality
+exposed at either a command or interface level so a more friendly utility
+(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and
+\&\fB\s-1CA\s0.pl\fR help a little but not very much.
+.PP
+Any fields in a request that are not present in a policy are silently
+deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
+enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN\s0, as suggested by
+RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
+option can be used. The behaviour should be more friendly and
+configurable.
+.PP
+Cancelling some commands by refusing to certify a certificate can
+create an empty file.
+.SH "WARNINGS"
+.IX Header "WARNINGS"
+The \fBca\fR command is quirky and at times downright unfriendly.
+.PP
+The \fBca\fR utility was originally meant as an example of how to do things
+in a \s-1CA\s0. It was not supposed to be used as a full blown \s-1CA\s0 itself:
+nevertheless some people are using it for this purpose.
+.PP
+The \fBca\fR command is effectively a single user command: no locking is
+done on the various files and attempts to run more than one \fBca\fR command
+on the same database can have unpredictable results.
+.PP
+The \fBcopy_extensions\fR option should be used with caution. If care is
+not taken then it can be a security risk. For example if a certificate
+request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
+\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
+this when the certificate is displayed then this will hand the requestor
+a valid \s-1CA\s0 certificate.
+.PP
+This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
+and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
+Then if the request contains a basicConstraints extension it will be
+ignored.
+.PP
+It is advisable to also include values for other extensions such
+as \fBkeyUsage\fR to prevent a request supplying its own values.
+.PP
+Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
+For example if the \s-1CA\s0 certificate has:
+.PP
+.Vb 1
+\& basicConstraints = CA:TRUE, pathlen:0
+.Ve
+then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+req(1), spkac(1), x509(1), CA.pl(1),
+config(5)
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
new file mode 100644
index 0000000..1083d22
--- /dev/null
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -0,0 +1,497 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:01 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "ciphers 3"
+.TH ciphers 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+ciphers \- \s-1SSL\s0 cipher display and cipher list tool.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBciphers\fR
+[\fB\-v\fR]
+[\fB\-ssl2\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fBcipherlist\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered
+\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine
+the appropriate cipherlist.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-v\fR" 4
+.IX Item "-v"
+verbose option. List ciphers with a complete description of
+protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange,
+authentication, encryption and mac algorithms used along with any key size
+restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher.
+Note that without the \fB\-v\fR option, ciphers may seem to appear twice
+in a cipher list; this is when similar ciphers are available for
+\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
+.Ip "\fB\-ssl3\fR" 4
+.IX Item "-ssl3"
+only include \s-1SSL\s0 v3 ciphers.
+.Ip "\fB\-ssl2\fR" 4
+.IX Item "-ssl2"
+only include \s-1SSL\s0 v2 ciphers.
+.Ip "\fB\-tls1\fR" 4
+.IX Item "-tls1"
+only include \s-1TLS\s0 v1 ciphers.
+.Ip "\fB\-h\fR, \fB\-?\fR" 4
+.IX Item "-h, -?"
+print a brief usage message.
+.Ip "\fBcipherlist\fR" 4
+.IX Item "cipherlist"
+a cipher list to convert to a cipher preference list. If it is not included
+then the default cipher list will be used. The format is described below.
+.SH "CIPHER LIST FORMAT"
+.IX Header "CIPHER LIST FORMAT"
+The cipher list consists of one or more \fIcipher strings\fR separated by colons.
+Commas or spaces are also acceptable separators but colons are normally used.
+.PP
+The actual cipher string can take several different forms.
+.PP
+It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR.
+.PP
+It can represent a list of cipher suites containing a certain algorithm, or
+cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers
+suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3
+algorithms.
+.PP
+Lists of cipher suites can be combined in a single cipher string using the
+\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
+\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
+algorithms.
+.PP
+Each cipher string can be optionally preceded by the characters \fB!\fR,
+\&\fB-\fR or \fB+\fR.
+.PP
+If \fB!\fR is used then the ciphers are permanently deleted from the list.
+The ciphers deleted can never reappear in the list even if they are
+explicitly stated.
+.PP
+If \fB-\fR is used then the ciphers are deleted from the list, but some or
+all of the ciphers can be added again by later options.
+.PP
+If \fB+\fR is used then the ciphers are moved to the end of the list. This
+option doesn't add any new ciphers it just moves matching existing ones.
+.PP
+If none of these characters is present then the string is just interpreted
+as a list of ciphers to be appended to the current preference list. If the
+list includes any ciphers already present they will be ignored: that is they
+will not moved to the end of the list.
+.PP
+Additionally the cipher string \fB@STRENGTH\fR can be used at any point to sort
+the current cipher list in order of encryption algorithm key length.
+.SH "CIPHER STRINGS"
+.IX Header "CIPHER STRINGS"
+The following is a list of all permitted cipher strings and their meanings.
+.Ip "\fB\s-1DEFAULT\s0\fR" 4
+.IX Item "DEFAULT"
+the default cipher list. This is determined at compile time and is normally
+\&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string
+specified.
+.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
+.IX Item "COMPLEMENTOFDEFAULT"
+the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
+this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
+not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
+.Ip "\fB\s-1ALL\s0\fR" 4
+.IX Item "ALL"
+all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled.
+.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
+.IX Item "COMPLEMENTOFALL"
+the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR.
+.Ip "\fB\s-1HIGH\s0\fR" 4
+.IX Item "HIGH"
+\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger
+than 128 bits.
+.Ip "\fB\s-1MEDIUM\s0\fR" 4
+.IX Item "MEDIUM"
+\&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption.
+.Ip "\fB\s-1LOW\s0\fR" 4
+.IX Item "LOW"
+\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
+but excluding export cipher suites.
+.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
+.IX Item "EXP, EXPORT"
+export encryption algorithms. Including 40 and 56 bits algorithms.
+.Ip "\fB\s-1EXPORT40\s0\fR" 4
+.IX Item "EXPORT40"
+40 bit export encryption algorithms
+.Ip "\fB\s-1EXPORT56\s0\fR" 4
+.IX Item "EXPORT56"
+56 bit export encryption algorithms.
+.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
+.IX Item "eNULL, NULL"
+the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
+encryption at all and are a security risk they are disabled unless explicitly
+included.
+.Ip "\fBaNULL\fR" 4
+.IX Item "aNULL"
+the cipher suites offering no authentication. This is currently the anonymous
+\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
+attack and so their use is normally discouraged.
+.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
+.IX Item "kRSA, RSA"
+cipher suites using \s-1RSA\s0 key exchange.
+.Ip "\fBkEDH\fR" 4
+.IX Item "kEDH"
+cipher suites using ephemeral \s-1DH\s0 key agreement.
+.Ip "\fBkDHr\fR, \fBkDHd\fR" 4
+.IX Item "kDHr, kDHd"
+cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
+and \s-1DSS\s0 keys respectively. Not implemented.
+.Ip "\fBaRSA\fR" 4
+.IX Item "aRSA"
+cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
+.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
+.IX Item "aDSS, DSS"
+cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
+.Ip "\fBaDH\fR" 4
+.IX Item "aDH"
+cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
+\&\s-1DH\s0 keys.  Not implemented.
+.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
+.IX Item "kFZA, aFZA, eFZA, FZA"
+ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
+\&\s-1FORTEZZA\s0 algorithms. Not implemented.
+.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
+.IX Item "TLSv1, SSLv3, SSLv2"
+\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
+.Ip "\fB\s-1DH\s0\fR" 4
+.IX Item "DH"
+cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
+.Ip "\fB\s-1ADH\s0\fR" 4
+.IX Item "ADH"
+anonymous \s-1DH\s0 cipher suites.
+.Ip "\fB\s-1AES\s0\fR" 4
+.IX Item "AES"
+cipher suites using \s-1AES\s0.
+.Ip "\fB3DES\fR" 4
+.IX Item "3DES"
+cipher suites using triple \s-1DES\s0.
+.Ip "\fB\s-1DES\s0\fR" 4
+.IX Item "DES"
+cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
+.Ip "\fB\s-1RC4\s0\fR" 4
+.IX Item "RC4"
+cipher suites using \s-1RC4\s0.
+.Ip "\fB\s-1RC2\s0\fR" 4
+.IX Item "RC2"
+cipher suites using \s-1RC2\s0.
+.Ip "\fB\s-1IDEA\s0\fR" 4
+.IX Item "IDEA"
+cipher suites using \s-1IDEA\s0.
+.Ip "\fB\s-1MD5\s0\fR" 4
+.IX Item "MD5"
+cipher suites using \s-1MD5\s0.
+.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
+.IX Item "SHA1, SHA"
+cipher suites using \s-1SHA1\s0.
+.SH "CIPHER SUITE NAMES"
+.IX Header "CIPHER SUITE NAMES"
+The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
+relevant specification and their OpenSSL equivalents. It should be noted,
+that several cipher suite names do not include the authentication used,
+e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
+.Sh "\s-1SSL\s0 v3.0 cipher suites."
+.IX Subsection "SSL v3.0 cipher suites."
+.Vb 10
+\& SSL_RSA_WITH_NULL_MD5                   NULL-MD5
+\& SSL_RSA_WITH_NULL_SHA                   NULL-SHA
+\& SSL_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+\& SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
+\& SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
+\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+\& SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+\& SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+\& SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+.Ve
+.Vb 12
+\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& SSL_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& SSL_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+\& SSL_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+\& SSL_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+.Ve
+.Vb 5
+\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+\& SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+\& SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+.Ve
+.Vb 3
+\& SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
+\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
+\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.
+.Ve
+.Sh "\s-1TLS\s0 v1.0 cipher suites."
+.IX Subsection "TLS v1.0 cipher suites."
+.Vb 10
+\& TLS_RSA_WITH_NULL_MD5                   NULL-MD5
+\& TLS_RSA_WITH_NULL_SHA                   NULL-SHA
+\& TLS_RSA_EXPORT_WITH_RC4_40_MD5          EXP-RC4-MD5
+\& TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
+\& TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5      EXP-RC2-CBC-MD5
+\& TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
+\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA       EXP-DES-CBC-SHA
+\& TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
+\& TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
+.Ve
+.Vb 12
+\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
+\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
+\& TLS_DH_RSA_WITH_DES_CBC_SHA             Not implemented.
+\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
+\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-DSS-DES-CBC-SHA
+\& TLS_DHE_DSS_WITH_DES_CBC_SHA            EDH-DSS-CBC-SHA
+\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       EDH-DSS-DES-CBC3-SHA
+\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   EXP-EDH-RSA-DES-CBC-SHA
+\& TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
+\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
+.Ve
+.Vb 5
+\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
+\& TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
+\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA   EXP-ADH-DES-CBC-SHA
+\& TLS_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
+\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
+.Ve
+.Sh "\s-1AES\s0 ciphersuites from \s-1RFC3268\s0, extending \s-1TLS\s0 v1.0"
+.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0"
+.Vb 2
+\& TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
+\& TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
+.Ve
+.Vb 4
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
+.Ve
+.Vb 4
+\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
+\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
+\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
+\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
+.Ve
+.Vb 2
+\& TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
+\& TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA
+.Ve
+.Sh "Additional Export 1024 and other cipher suites"
+.IX Subsection "Additional Export 1024 and other cipher suites"
+Note: these ciphers can also be used in \s-1SSL\s0 v3.
+.PP
+.Vb 5
+\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     EXP1024-DES-CBC-SHA
+\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      EXP1024-RC4-SHA
+\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
+\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
+\& TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+.Ve
+.Sh "\s-1SSL\s0 v2.0 cipher suites."
+.IX Subsection "SSL v2.0 cipher suites."
+.Vb 7
+\& SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
+\& SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+\& SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
+\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+\& SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
+\& SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL
+because there is no support for \s-1DH\s0 certificates.
+.PP
+Some compiled versions of OpenSSL may not include all the ciphers
+listed here because some ciphers were excluded at compile time.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
+.PP
+.Vb 1
+\& openssl ciphers -v 'ALL:eNULL'
+.Ve
+Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
+strength:
+.PP
+.Vb 1
+\& openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+.Ve
+Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
+.PP
+.Vb 1
+\& openssl ciphers -v '3DES:+RSA'
+.Ve
+Include all \s-1RC4\s0 ciphers but leave out those without authentication:
+.PP
+.Vb 1
+\& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
+.Ve
+Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without
+encryption.
+.PP
+.Vb 1
+\& openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+s_client(1), s_server(1), ssl(3)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were
+added in version 0.9.7.
diff --git a/secure/usr.bin/openssl/man/config.1 b/secure/usr.bin/openssl/man/config.1
new file mode 100644
index 0000000..b6d8584
--- /dev/null
+++ b/secure/usr.bin/openssl/man/config.1
@@ -0,0 +1,282 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:02 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "config 3"
+.TH config 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+config \- OpenSSL \s-1CONF\s0 library configuration files
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
+It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
+and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
+files for the \fBx509\fR utility.
+.PP
+A configuration file is divided into a number of sections. Each section
+starts with a line \fB[ section_name ]\fR and ends when a new section is
+started or end of file is reached. A section name can consist of
+alphanumeric characters and underscores.
+.PP
+The first section of a configuration file is special and is referred
+to as the \fBdefault\fR section this is usually unnamed and is from the
+start of file until the first named section. When a name is being looked up
+it is first looked up in a named section (if any) and then the
+default section.
+.PP
+The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
+.PP
+Comments can be included by preceding them with the \fB#\fR character
+.PP
+Each section in a configuration file consists of a number of name and
+value pairs of the form \fBname=value\fR
+.PP
+The \fBname\fR string can contain any alphanumeric characters as well as
+a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
+.PP
+The \fBvalue\fR string consists of the string following the \fB=\fR character
+until end of line with any leading and trailing white space removed.
+.PP
+The value string undergoes variable expansion. This can be done by
+including the form \fB$var\fR or \fB${var}\fR: this will substitute the value
+of the named variable in the current section. It is also possible to
+substitute a value from another section using the syntax \fB$section::name\fR
+or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment
+variables can be substituted. It is also possible to assign values to
+environment variables by using the name \fB\s-1ENV:\s0:name\fR, this will work
+if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
+instead of calling \fB\f(BIgetenv()\fB\fR directly.
+.PP
+It is possible to escape certain characters by using any kind of quote
+or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
+a \fBvalue\fR string can be spread across multiple lines. In addition
+the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
+.SH "NOTES"
+.IX Header "NOTES"
+If a configuration file attempts to expand a variable that doesn't exist
+then an error is flagged and the file will not load. This can happen
+if an attempt is made to expand an environment variable that doesn't
+exist. For example the default OpenSSL master configuration file used
+the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems.
+.PP
+This can be worked around by including a \fBdefault\fR section to provide
+a default value: then if the environment lookup fails the default value
+will be used instead. For this to work properly the default value must
+be defined earlier in the configuration file than the expansion. See
+the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
+.PP
+If the same variable exists in the same section then all but the last
+value will be silently ignored. In certain circumstances such as with
+DNs the same field may occur multiple times. This is usually worked
+around by ignoring any characters before an initial \fB.\fR e.g.
+.PP
+.Vb 2
+\& 1.OU="My first OU"
+\& 2.OU="My Second OU"
+.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Here is a sample configuration file using some of the features
+mentioned above.
+.PP
+.Vb 1
+\& # This is the default section.
+.Ve
+.Vb 3
+\& HOME=/temp
+\& RANDFILE= ${ENV::HOME}/.rnd
+\& configdir=$ENV::HOME/config
+.Ve
+.Vb 1
+\& [ section_one ]
+.Ve
+.Vb 1
+\& # We are now in section one.
+.Ve
+.Vb 2
+\& # Quotes permit leading and trailing whitespace
+\& any = " any variable name "
+.Ve
+.Vb 3
+\& other = A string that can \e
+\& cover several lines \e
+\& by including \e\e characters
+.Ve
+.Vb 1
+\& message = Hello World\en
+.Ve
+.Vb 1
+\& [ section_two ]
+.Ve
+.Vb 1
+\& greeting = $section_one::message
+.Ve
+This next example shows how to expand environment variables safely.
+.PP
+Suppose you want a variable called \fBtmpfile\fR to refer to a
+temporary filename. The directory it is placed in can determined by
+the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
+set to any value at all. If you just include the environment variable
+names and the variable doesn't exist then this will cause an error when
+an attempt is made to load the configuration file. By making use of the
+default section both values can be looked up with \fB\s-1TEMP\s0\fR taking 
+priority and \fB/tmp\fR used if neither is defined:
+.PP
+.Vb 5
+\& TMP=/tmp
+\& # The above value is used if TMP isn't in the environment
+\& TEMP=$ENV::TMP
+\& # The above value is used if TEMP isn't in the environment
+\& tmpfile=${ENV::TEMP}/tmp.filename
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+Currently there is no way to include characters using the octal \fB\ennn\fR
+form. Strings are all null terminated so nulls cannot form part of
+the value.
+.PP
+The escaping isn't quite right: if you want to use sequences like \fB\en\fR
+you can't use any quote escaping on the same line.
+.PP
+Files are loaded in a single pass. This means that an variable expansion
+will only work if the variables referenced are defined earlier in the
+file.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+x509(1), req(1), ca(1)
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
new file mode 100644
index 0000000..c3103ff
--- /dev/null
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -0,0 +1,237 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:03 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "crl 3"
+.TH crl 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+crl \- \s-1CRL\s0 utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBcrl\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-text\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-noout\fR]
+[\fB\-hash\fR]
+[\fB\-issuer\fR]
+[\fB\-lastupdate\fR]
+[\fB\-nextupdate\fR]
+[\fB\-CAfile file\fR]
+[\fB\-CApath dir\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
+structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
+the \s-1DER\s0 form with header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read from or standard input if this
+option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+print out the \s-1CRL\s0 in text form.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+don't output the encoded version of the \s-1CRL\s0.
+.Ip "\fB\-hash\fR" 4
+.IX Item "-hash"
+output a hash of the issuer name. This can be use to lookup CRLs in
+a directory by issuer name.
+.Ip "\fB\-issuer\fR" 4
+.IX Item "-issuer"
+output the issuer name.
+.Ip "\fB\-lastupdate\fR" 4
+.IX Item "-lastupdate"
+output the lastUpdate field.
+.Ip "\fB\-nextupdate\fR" 4
+.IX Item "-nextupdate"
+output the nextUpdate field.
+.Ip "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
+\&\fBfile\fR
+.Ip "\fB\-CApath dir\fR" 4
+.IX Item "-CApath dir"
+verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
+\&\fBdir\fR. This directory must be a standard certificate directory: that
+is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
+to each certificate.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 \s-1CRL\s0 format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN X509 CRL-----
+\& -----END X509 CRL-----
+.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
+.PP
+.Vb 1
+\& openssl crl -in crl.pem -outform DER -out crl.der
+.Ve
+Output the text form of a \s-1DER\s0 encoded certificate:
+.PP
+.Vb 1
+\& openssl crl -in crl.der -text -noout
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
+and files too.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+crl2pkcs7(1), ca(1), x509(1)
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
new file mode 100644
index 0000000..3f879f4
--- /dev/null
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -0,0 +1,216 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:04 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "crl2pkcs7 3"
+.TH crl2pkcs7 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+crl2pkcs7 \- Create a PKCS#7 structure from a \s-1CRL\s0 and certificates.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBcrl2pkcs7\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-certfile filename\fR]
+[\fB\-nocrl\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more
+certificates and converts them into a PKCS#7 degenerate \*(L"certificates
+only\*(R" structure.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
+structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
+the \s-1DER\s0 form with header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0
+encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
+the \s-1DER\s0 form with header and footer lines.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
+option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write the PKCS#7 structure to or standard
+output by default.
+.Ip "\fB\-certfile filename\fR" 4
+.IX Item "-certfile filename"
+specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
+All certificates in the file will be added to the PKCS#7 structure. This
+option can be used more than once to read certificates form multiple
+files.
+.Ip "\fB\-nocrl\fR" 4
+.IX Item "-nocrl"
+normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
+included in the output file and a \s-1CRL\s0 is not read from the input file.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
+.PP
+.Vb 1
+\& openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
+.Ve
+Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several
+different certificates:
+.PP
+.Vb 2
+\& openssl crl2pkcs7 -nocrl -certfile newcert.pem 
+\&        -certfile demoCA/cacert.pem -outform DER -out p7.der
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The output file is a PKCS#7 signed data structure containing no signers and
+just certificates and an optional \s-1CRL\s0.
+.PP
+This utility can be used to send certificates and CAs to Netscape as part of
+the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
+as \s-1MIME\s0 type application/x-x509\-user-cert.
+.PP
+The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to
+install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+pkcs7(1)
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
new file mode 100644
index 0000000..c9a9096
--- /dev/null
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -0,0 +1,223 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:05 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "dgst 3"
+.TH dgst 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBdgst\fR 
+[\fB\-md5|\-md4|\-md2|\-sha1|\-sha|\-mdc2|\-ripemd160|\-dss1\fR]
+[\fB\-c\fR]
+[\fB\-d\fR]
+[\fB\-hex\fR]
+[\fB\-binary\fR]
+[\fB\-out filename\fR]
+[\fB\-sign filename\fR]
+[\fB\-verify filename\fR]
+[\fB\-prverify filename\fR]
+[\fB\-signature filename\fR]
+[\fBfile...\fR]
+.PP
+[\fBmd5|md4|md2|sha1|sha|mdc2|ripemd160\fR]
+[\fB\-c\fR]
+[\fB\-d\fR]
+[\fBfile...\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The digest functions output the message digest of a supplied file or files
+in hexadecimal form. They can also be used for digital signing and verification.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-c\fR" 4
+.IX Item "-c"
+print out the digest in two digit groups separated by colons, only relevant if
+\&\fBhex\fR format output is used.
+.Ip "\fB\-d\fR" 4
+.IX Item "-d"
+print out \s-1BIO\s0 debugging information.
+.Ip "\fB\-hex\fR" 4
+.IX Item "-hex"
+digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
+digest as opposed to a digital signature.
+.Ip "\fB\-binary\fR" 4
+.IX Item "-binary"
+output the digest or signature in binary form.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+filename to output to, or standard output by default.
+.Ip "\fB\-sign filename\fR" 4
+.IX Item "-sign filename"
+digitally sign the digest using the private key in \*(L"filename\*(R".
+.Ip "\fB\-verify filename\fR" 4
+.IX Item "-verify filename"
+verify the signature using the the public key in \*(L"filename\*(R".
+The output is either \*(L"Verification \s-1OK\s0\*(R" or \*(L"Verification Failure\*(R".
+.Ip "\fB\-prverify filename\fR" 4
+.IX Item "-prverify filename"
+verify the signature using the  the private key in \*(L"filename\*(R".
+.Ip "\fB\-signature filename\fR" 4
+.IX Item "-signature filename"
+the actual signature to verify.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others. 
+.Ip "\fBfile...\fR" 4
+.IX Item "file..."
+file or files to digest. If no files are specified then standard input is
+used.
+.SH "NOTES"
+.IX Header "NOTES"
+The digest of choice for all new applications is \s-1SHA1\s0. Other digests are
+however still widely used.
+.PP
+If you wish to sign or verify data using the \s-1DSA\s0 algorithm then the dss1
+digest must be used.
+.PP
+A source of random numbers is required for certain signing algorithms, in
+particular \s-1DSA\s0.
+.PP
+The signing and verify options should only be used if a single file is
+being signed or verified.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
new file mode 100644
index 0000000..755b3a2
--- /dev/null
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -0,0 +1,249 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:06 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "dhparam 3"
+.TH dhparam 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+dhparam \- \s-1DH\s0 parameter manipulation and generation
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl dhparam\fR
+[\fB\-inform DER|PEM\fR]
+[\fB\-outform DER|PEM\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-dsaparam\fR]
+[\fB\-noout\fR]
+[\fB\-text\fR]
+[\fB\-C\fR]
+[\fB\-2\fR]
+[\fB\-5\fR]
+[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
+[\fInumbits\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to manipulate \s-1DH\s0 parameter files.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
+default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
+additional header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in\fR \fIfilename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+.Ip "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should \fBnot\fR be the same
+as the input filename.
+.Ip "\fB\-dsaparam\fR" 4
+.IX Item "-dsaparam"
+If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created;
+they are converted to \s-1DH\s0 format.  Otherwise, \*(L"strong\*(R" primes (such
+that (p-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
+.Sp
+\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster,
+and the recommended exponent length is shorter, which makes \s-1DH\s0 key
+exchange more efficient.  Beware that with such DSA-style \s-1DH\s0
+parameters, a fresh \s-1DH\s0 key should be created for each use to
+avoid small-subgroup attacks that may be possible otherwise.
+.Ip "\fB\-2\fR, \fB\-5\fR" 4
+.IX Item "-2, -5"
+The generator to use, either 2 or 5. 2 is the default. If present then the
+input file is ignored and parameters are generated instead.
+.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fInumbits\fR" 4
+.IX Item "numbits"
+this option specifies that a parameter set should be generated of size
+\&\fInumbits\fR. It must be the last option. If not present then a value of 512
+is used. If this option is present then the input file is ignored and 
+parameters are generated instead.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option inhibits the output of the encoded version of the parameters.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+this option prints out the \s-1DH\s0 parameters in human readable form.
+.Ip "\fB\-C\fR" 4
+.IX Item "-C"
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function.
+.SH "WARNINGS"
+.IX Header "WARNINGS"
+The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and
+\&\fBgendh\fR in previous versions of OpenSSL and SSLeay. The \fBdh\fR and \fBgendh\fR
+programs are retained for now but may have different purposes in future 
+versions of OpenSSL.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN DH PARAMETERS-----
+\& -----END DH PARAMETERS-----
+.Ve
+OpenSSL currently only supports the older PKCS#3 \s-1DH\s0, not the newer X9.42
+\&\s-1DH\s0.
+.PP
+This program manipulates \s-1DH\s0 parameters not keys.
+.SH "BUGS"
+.IX Header "BUGS"
+There should be a way to generate and manipulate \s-1DH\s0 keys.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+dsaparam(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fBdhparam\fR command was added in OpenSSL 0.9.5.
+The \fB\-dsaparam\fR option was added in OpenSSL 0.9.6.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
new file mode 100644
index 0000000..8abfe40
--- /dev/null
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -0,0 +1,275 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:07 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "dsa 3"
+.TH dsa 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+dsa \- \s-1DSA\s0 key processing
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBdsa\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-passin arg\fR]
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+[\fB\-modulus\fR]
+[\fB\-pubin\fR]
+[\fB\-pubout\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various
+forms and their components printed out. \fBNote\fR This command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
+an \s-1ASN1\s0 \s-1DER\s0 encoded form of an \s-1ASN\s0.1 \s-1SEQUENCE\s0 consisting of the values of
+version (currently zero), p, q, g, the public and private key components
+respectively as \s-1ASN\s0.1 INTEGERs. When used with a public key it uses a
+SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA\s0.
+.Sp
+The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
+encoded with additional header and footer lines. In the case of a private key
+PKCS#8 format is also accepted.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should \fBnot\fR be the same as the input
+filename.
+.Ip "\fB\-passout arg\fR" 4
+.IX Item "-passout arg"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IX Item "-des|-des3|-idea"
+These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
+\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the \fBdsa\fR utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with \s-1PEM\s0 format output files.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the public, private key components and parameters.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option prevents output of the encoded version of the key.
+.Ip "\fB\-modulus\fR" 4
+.IX Item "-modulus"
+this option prints out the value of the public key component of the key.
+.Ip "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+by default a private key is read from the input file: with this option a
+public key is read instead.
+.Ip "\fB\-pubout\fR" 4
+.IX Item "-pubout"
+by default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 private key format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN DSA PRIVATE KEY-----
+\& -----END DSA PRIVATE KEY-----
+.Ve
+The \s-1PEM\s0 public key format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN PUBLIC KEY-----
+\& -----END PUBLIC KEY-----
+.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+To remove the pass phrase on a \s-1DSA\s0 private key:
+.PP
+.Vb 1
+\& openssl dsa -in key.pem -out keyout.pem
+.Ve
+To encrypt a private key using triple \s-1DES:\s0
+.PP
+.Vb 1
+\& openssl dsa -in key.pem -des3 -out keyout.pem
+.Ve
+To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: 
+.PP
+.Vb 1
+\& openssl dsa -in key.pem -outform DER -out keyout.der
+.Ve
+To print out the components of a private key to standard output:
+.PP
+.Vb 1
+\& openssl dsa -in key.pem -text -noout
+.Ve
+To just output the public part of a private key:
+.PP
+.Vb 1
+\& openssl dsa -in key.pem -pubout -out pubkey.pem
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+dsaparam(1), gendsa(1), rsa(1),
+genrsa(1)
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
new file mode 100644
index 0000000..ae4b089
--- /dev/null
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -0,0 +1,222 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:08 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "dsaparam 3"
+.TH dsaparam 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+dsaparam \- \s-1DSA\s0 parameter manipulation and generation
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl dsaparam\fR
+[\fB\-inform DER|PEM\fR]
+[\fB\-outform DER|PEM\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-noout\fR]
+[\fB\-text\fR]
+[\fB\-C\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-genkey\fR]
+[\fBnumbits\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to manipulate or generate \s-1DSA\s0 parameter files.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
+of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
+of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read parameters from or standard input if
+this option is not specified. If the \fBnumbits\fR parameter is included then
+this option will be ignored.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should \fBnot\fR be the same
+as the input filename.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option inhibits the output of the encoded version of the parameters.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+this option prints out the \s-1DSA\s0 parameters in human readable form.
+.Ip "\fB\-C\fR" 4
+.IX Item "-C"
+this option converts the parameters into C code. The parameters can then
+be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function.
+.Ip "\fB\-genkey\fR" 4
+.IX Item "-genkey"
+this option will generate a \s-1DSA\s0 either using the specified or generated
+parameters.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fBnumbits\fR" 4
+.IX Item "numbits"
+this option specifies that a parameter set should be generated of size
+\&\fBnumbits\fR. It must be the last option. If this option is included then
+the input file (if any) is ignored.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN DSA PARAMETERS-----
+\& -----END DSA PARAMETERS-----
+.Ve
+\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of
+\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+gendsa(1), dsa(1), genrsa(1),
+rsa(1)
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
new file mode 100644
index 0000000..dc372f2
--- /dev/null
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -0,0 +1,399 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:09 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "enc 3"
+.TH enc 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+enc \- symmetric cipher routines
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl enc \-ciphername\fR
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-pass arg\fR]
+[\fB\-e\fR]
+[\fB\-d\fR]
+[\fB\-a\fR]
+[\fB\-A\fR]
+[\fB\-k password\fR]
+[\fB\-kfile filename\fR]
+[\fB\-K key\fR]
+[\fB\-iv \s-1IV\s0\fR]
+[\fB\-p\fR]
+[\fB\-P\fR]
+[\fB\-bufsize number\fR]
+[\fB\-nopad\fR]
+[\fB\-debug\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The symmetric cipher commands allow data to be encrypted or decrypted
+using various block and stream ciphers using keys based on passwords
+or explicitly provided. Base64 encoding or decoding can also be performed
+either by itself or in addition to the encryption or decryption.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+the input filename, standard input by default.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the output filename, standard output by default.
+.Ip "\fB\-pass arg\fR" 4
+.IX Item "-pass arg"
+the password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-salt\fR" 4
+.IX Item "-salt"
+use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
+be used unless compatibility with previous versions of OpenSSL or SSLeay
+is required. This option is only present on OpenSSL versions 0.9.5 or
+above.
+.Ip "\fB\-nosalt\fR" 4
+.IX Item "-nosalt"
+don't use a salt in the key derivation routines. This is the default for
+compatibility with previous versions of OpenSSL and SSLeay.
+.Ip "\fB\-e\fR" 4
+.IX Item "-e"
+encrypt the input data: this is the default.
+.Ip "\fB\-d\fR" 4
+.IX Item "-d"
+decrypt the input data.
+.Ip "\fB\-a\fR" 4
+.IX Item "-a"
+base64 process the data. This means that if encryption is taking place
+the data is base64 encoded after encryption. If decryption is set then
+the input data is base64 decoded before being decrypted.
+.Ip "\fB\-A\fR" 4
+.IX Item "-A"
+if the \fB\-a\fR option is set then base64 process the data on one line.
+.Ip "\fB\-k password\fR" 4
+.IX Item "-k password"
+the password to derive the key from. This is for compatibility with previous
+versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
+.Ip "\fB\-kfile filename\fR" 4
+.IX Item "-kfile filename"
+read the password to derive the key from the first line of \fBfilename\fR.
+This is for computability with previous versions of OpenSSL. Superseded by
+the \fB\-pass\fR argument.
+.Ip "\fB\-S salt\fR" 4
+.IX Item "-S salt"
+the actual salt to use: this must be represented as a string comprised only
+of hex digits.
+.Ip "\fB\-K key\fR" 4
+.IX Item "-K key"
+the actual key to use: this must be represented as a string comprised only
+of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
+using the \fB\-iv\fR option. When both a key and a password are specified, the
+key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
+password will be taken. It probably does not make much sense to specify
+both key and password.
+.Ip "\fB\-iv \s-1IV\s0\fR" 4
+.IX Item "-iv IV"
+the actual \s-1IV\s0 to use: this must be represented as a string comprised only
+of hex digits. When only the key is specified using the \fB\-K\fR option, the
+\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
+one of the other options, the \s-1IV\s0 is generated from this password.
+.Ip "\fB\-p\fR" 4
+.IX Item "-p"
+print out the key and \s-1IV\s0 used.
+.Ip "\fB\-P\fR" 4
+.IX Item "-P"
+print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
+or decryption.
+.Ip "\fB\-bufsize number\fR" 4
+.IX Item "-bufsize number"
+set the buffer size for I/O
+.Ip "\fB\-nopad\fR" 4
+.IX Item "-nopad"
+disable standard block padding
+.Ip "\fB\-debug\fR" 4
+.IX Item "-debug"
+debug the BIOs used for I/O.
+.SH "NOTES"
+.IX Header "NOTES"
+The program can be called either as \fBopenssl ciphername\fR or
+\&\fBopenssl enc \-ciphername\fR.
+.PP
+A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
+.PP
+The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
+from a password unless you want compatibility with previous versions of
+OpenSSL and SSLeay.
+.PP
+Without the \fB\-salt\fR option it is possible to perform efficient dictionary
+attacks on the password and to attack stream cipher encrypted data. The reason
+for this is that without the salt the same password always generates the same
+encryption key. When the salt is being used the first eight bytes of the
+encrypted data are reserved for the salt: it is generated at random when
+encrypting a file and read from the encrypted file when it is decrypted.
+.PP
+Some of the ciphers do not have large keys and others have security
+implications if not used correctly. A beginner is advised to just use
+a strong block cipher in \s-1CBC\s0 mode such as bf or des3.
+.PP
+All the block ciphers normally use PKCS#5 padding also known as standard block
+padding: this allows a rudimentary integrity or password check to be
+performed. However since the chance of random data passing the test is
+better than 1 in 256 it isn't a very good test.
+.PP
+If padding is disabled then the input data must be a multiple of the cipher
+block length.
+.PP
+All \s-1RC2\s0 ciphers have the same key and effective key length.
+.PP
+Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
+.SH "SUPPORTED CIPHERS"
+.IX Header "SUPPORTED CIPHERS"
+.Vb 1
+\& base64             Base 64
+.Ve
+.Vb 5
+\& bf-cbc             Blowfish in CBC mode
+\& bf                 Alias for bf-cbc
+\& bf-cfb             Blowfish in CFB mode
+\& bf-ecb             Blowfish in ECB mode
+\& bf-ofb             Blowfish in OFB mode
+.Ve
+.Vb 6
+\& cast-cbc           CAST in CBC mode
+\& cast               Alias for cast-cbc
+\& cast5-cbc          CAST5 in CBC mode
+\& cast5-cfb          CAST5 in CFB mode
+\& cast5-ecb          CAST5 in ECB mode
+\& cast5-ofb          CAST5 in OFB mode
+.Ve
+.Vb 5
+\& des-cbc            DES in CBC mode
+\& des                Alias for des-cbc
+\& des-cfb            DES in CBC mode
+\& des-ofb            DES in OFB mode
+\& des-ecb            DES in ECB mode
+.Ve
+.Vb 4
+\& des-ede-cbc        Two key triple DES EDE in CBC mode
+\& des-ede            Alias for des-ede
+\& des-ede-cfb        Two key triple DES EDE in CFB mode
+\& des-ede-ofb        Two key triple DES EDE in OFB mode
+.Ve
+.Vb 5
+\& des-ede3-cbc       Three key triple DES EDE in CBC mode
+\& des-ede3           Alias for des-ede3-cbc
+\& des3               Alias for des-ede3-cbc
+\& des-ede3-cfb       Three key triple DES EDE CFB mode
+\& des-ede3-ofb       Three key triple DES EDE in OFB mode
+.Ve
+.Vb 1
+\& desx               DESX algorithm.
+.Ve
+.Vb 5
+\& idea-cbc           IDEA algorithm in CBC mode
+\& idea               same as idea-cbc
+\& idea-cfb           IDEA in CFB mode
+\& idea-ecb           IDEA in ECB mode
+\& idea-ofb           IDEA in OFB mode
+.Ve
+.Vb 7
+\& rc2-cbc            128 bit RC2 in CBC mode
+\& rc2                Alias for rc2-cbc
+\& rc2-cfb            128 bit RC2 in CBC mode
+\& rc2-ecb            128 bit RC2 in CBC mode
+\& rc2-ofb            128 bit RC2 in CBC mode
+\& rc2-64-cbc         64 bit RC2 in CBC mode
+\& rc2-40-cbc         40 bit RC2 in CBC mode
+.Ve
+.Vb 3
+\& rc4                128 bit RC4
+\& rc4-64             64 bit RC4
+\& rc4-40             40 bit RC4
+.Ve
+.Vb 5
+\& rc5-cbc            RC5 cipher in CBC mode
+\& rc5                Alias for rc5-cbc
+\& rc5-cfb            RC5 cipher in CBC mode
+\& rc5-ecb            RC5 cipher in CBC mode
+\& rc5-ofb            RC5 cipher in CBC mode
+.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Just base64 encode a binary file:
+.PP
+.Vb 1
+\& openssl base64 -in file.bin -out file.b64
+.Ve
+Decode the same file
+.PP
+.Vb 1
+\& openssl base64 -d -in file.b64 -out file.bin
+.Ve
+Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
+.PP
+.Vb 1
+\& openssl des3 -salt -in file.txt -out file.des3
+.Ve
+Decrypt a file using a supplied password:
+.PP
+.Vb 1
+\& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
+.Ve
+Encrypt a file then base64 encode it (so it can be sent via mail for example)
+using Blowfish in \s-1CBC\s0 mode:
+.PP
+.Vb 1
+\& openssl bf -a -salt -in file.txt -out file.bf
+.Ve
+Base64 decode a file then decrypt it:
+.PP
+.Vb 1
+\& openssl bf -d -salt -a -in file.bf -out file.txt
+.Ve
+Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
+.PP
+.Vb 1
+\& openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+The \fB\-A\fR option when used with large files doesn't work properly.
+.PP
+There should be an option to allow an iteration count to be included.
+.PP
+The \fBenc\fR program only supports a fixed number of algorithms with
+certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
+76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
new file mode 100644
index 0000000..6ec8233
--- /dev/null
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -0,0 +1,184 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:10 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "gendsa 3"
+.TH gendsa 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+gendsa \- generate a \s-1DSA\s0 private key from a set of parameters
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBgendsa\fR
+[\fB\-out filename\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fBparamfile\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
+(which will be typically generated by the \fBopenssl dsaparam\fR command).
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IX Item "-des|-des3|-idea"
+These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
+\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified no encryption is used.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fBparamfile\fR" 4
+.IX Item "paramfile"
+This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this
+file determine the size of the private key. \s-1DSA\s0 parameters can be generated
+and examined using the \fBopenssl dsaparam\fR command.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\s-1DSA\s0 key generation is little more than random number generation so it is
+much quicker that \s-1RSA\s0 key generation for example.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+dsaparam(1), dsa(1), genrsa(1),
+rsa(1)
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
new file mode 100644
index 0000000..dfe2627
--- /dev/null
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -0,0 +1,209 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:11 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "genrsa 3"
+.TH genrsa 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+genrsa \- generate an \s-1RSA\s0 private key
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBgenrsa\fR
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-f4\fR]
+[\fB\-3\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fBnumbits\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the output filename. If this argument is not specified then standard output is
+used.  
+.Ip "\fB\-passout arg\fR" 4
+.IX Item "-passout arg"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IX Item "-des|-des3|-idea"
+These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
+\&\s-1IDEA\s0 ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the \fB\-passout\fR argument.
+.Ip "\fB\-F4|\-3\fR" 4
+.IX Item "-F4|-3"
+the public exponent to use, either 65537 or 3. The default is 65537.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fBnumbits\fR" 4
+.IX Item "numbits"
+the size of the private key to generate in bits. This must be the last option
+specified. The default is 512.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\s-1RSA\s0 private key generation essentially involves the generation of two prime
+numbers. When generating a private key various symbols will be output to
+indicate the progress of the generation. A \fB.\fR represents each number which
+has passed an initial sieve test, \fB+\fR means a number has passed a single
+round of the Miller-Rabin primality test. A newline means that the number has
+passed all the prime tests (the actual number depends on the key size).
+.PP
+Because key generation is a random process the time taken to generate a key
+may vary somewhat.
+.SH "BUGS"
+.IX Header "BUGS"
+A quirk of the prime generation algorithm is that it cannot generate small
+primes. Therefore the number of bits should not be less that 64. For typical
+private keys this will not matter because for security reasons they will
+be much larger (typically 1024 bits).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+gendsa(1)
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
new file mode 100644
index 0000000..a47412b
--- /dev/null
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -0,0 +1,199 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:12 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "nseq 3"
+.TH nseq 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+nseq \- create or examine a netscape certificate sequence
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBnseq\fR
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-toseq\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBnseq\fR command takes a file containing a Netscape certificate
+sequence and prints out the certificates contained in it or takes a
+file of certificates and converts it into a Netscape certificate
+sequence.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read or standard input if this
+option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename or standard output by default.
+.Ip "\fB\-toseq\fR" 4
+.IX Item "-toseq"
+normally a Netscape certificate sequence will be input and the output
+is the certificates contained in it. With the \fB\-toseq\fR option the
+situation is reversed: a Netscape certificate sequence is created from
+a file of certificates.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Output the certificates in a Netscape certificate sequence
+.PP
+.Vb 1
+\& openssl nseq -in nseq.pem -out certs.pem
+.Ve
+Create a Netscape certificate sequence
+.PP
+.Vb 1
+\& openssl nseq -in certs.pem -toseq -out nseq.pem
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate:
+.PP
+.Vb 2
+\& -----BEGIN CERTIFICATE-----
+\& -----END CERTIFICATE-----
+.Ve
+A Netscape certificate sequence is a Netscape specific form that can be sent
+to browsers as an alternative to the standard PKCS#7 format when several
+certificates are sent to the browser: for example during certificate enrollment.
+It is used by Netscape certificate server for example.
+.SH "BUGS"
+.IX Header "BUGS"
+This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and
+output files and allowing multiple certificate files to be used.
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
new file mode 100644
index 0000000..c312ec6
--- /dev/null
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -0,0 +1,451 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:13 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "ocsp 3"
+.TH ocsp 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+ocsp \- Online Certificate Status Protocol utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBocsp\fR
+[\fB\-out file\fR]
+[\fB\-issuer file\fR]
+[\fB\-cert file\fR]
+[\fB\-serial n\fR]
+[\fB\-req_text\fR]
+[\fB\-resp_text\fR]
+[\fB\-text\fR]
+[\fB\-reqout file\fR]
+[\fB\-respout file\fR]
+[\fB\-reqin file\fR]
+[\fB\-respin file\fR]
+[\fB\-nonce\fR]
+[\fB\-no_nonce\fR]
+[\fB\-url responder_url\fR]
+[\fB\-host host:n\fR]
+[\fB\-path\fR]
+[\fB\-CApath file\fR]
+[\fB\-CAfile file\fR]
+[\fB\-VAfile file\fR]
+[\fB\-verify_certs file\fR]
+[\fB\-noverify\fR]
+[\fB\-trust_other\fR]
+[\fB\-no_intern\fR]
+[\fB\-no_sig_verify\fR]
+[\fB\-no_cert_verify\fR]
+[\fB\-no_chain\fR]
+[\fB\-no_cert_checks\fR]
+[\fB\-validity_period nsec\fR]
+[\fB\-status_age nsec\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fB\s-1WARNING:\s0 this documentation is preliminary and subject to change.\fR
+.PP
+The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
+determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
+.PP
+The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
+to print out requests and responses, create requests and send queries
+to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
+.SH "OCSP CLIENT OPTIONS"
+.IX Header "OCSP CLIENT OPTIONS"
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specify output filename, default is standard output.
+.Ip "\fB\-issuer filename\fR" 4
+.IX Item "-issuer filename"
+This specifies the current issuer certificate. This option can be used
+multiple times. The certificate specified in \fBfilename\fR must be in
+\&\s-1PEM\s0 format.
+.Ip "\fB\-cert filename\fR" 4
+.IX Item "-cert filename"
+Add the certificate \fBfilename\fR to the request. The issuer certificate
+is taken from the previous \fBissuer\fR option, or an error occurs if no
+issuer certificate is specified.
+.Ip "\fB\-serial num\fR" 4
+.IX Item "-serial num"
+Same as the \fBcert\fR option except the certificate with serial number
+\&\fBnum\fR is added to the request. The serial number is interpreted as a
+decimal integer unless preceded by \fB0x\fR. Negative integers can also
+be specified by preceding the value by a \fB-\fR sign.
+.Ip "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
+.IX Item "-signer filename, -signkey filename"
+Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
+option and the private key specified by the \fBsignkey\fR option. If
+the \fBsignkey\fR option is not present then the private key is read
+from the same file as the certificate. If neither option is specified then
+the \s-1OCSP\s0 request is not signed.
+.Ip "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
+.IX Item "-nonce, -no_nonce"
+Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
+Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no
+nonce is added: using the \fBnonce\fR option will force addition of a nonce.
+If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
+a nonce is automatically added specifying \fBno_nonce\fR overrides this.
+.Ip "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
+.IX Item "-req_text, -resp_text, -text"
+print out the text form of the \s-1OCSP\s0 request, response or both respectively.
+.Ip "\fB\-reqout file\fR, \fB\-respout file\fR" 4
+.IX Item "-reqout file, -respout file"
+write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
+.Ip "\fB\-reqin file\fR, \fB\-respin file\fR" 4
+.IX Item "-reqin file, -respin file"
+read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
+if \s-1OCSP\s0 request or response creation is implied by other options (for example
+with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
+.Ip "\fB\-url responder_url\fR" 4
+.IX Item "-url responder_url"
+specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
+.Ip "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
+.IX Item "-host hostname:port, -path pathname"
+if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
+\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
+or \*(L"/\*(R" by default.
+.Ip "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
+.IX Item "-CAfile file, -CApath pathname"
+file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
+the signature on the \s-1OCSP\s0 response.
+.Ip "\fB\-verify_certs file\fR" 4
+.IX Item "-verify_certs file"
+file containing additional certificates to search when attempting to locate
+the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
+certificate from the response: this option can be used to supply the necessary
+certificate in such cases.
+.Ip "\fB\-trust_other\fR" 4
+.IX Item "-trust_other"
+the certificates specified by the \fB\-verify_certs\fR option should be explicitly
+trusted and no additional checks will be performed on them. This is useful
+when the complete responder certificate chain is not available or trusting a
+root \s-1CA\s0 is not appropriate.
+.Ip "\fB\-VAfile file\fR" 4
+.IX Item "-VAfile file"
+file containing explicitly trusted responder certificates. Equivalent to the
+\&\fB\-verify_certs\fR and \fB\-trust_other\fR options.
+.Ip "\fB\-noverify\fR" 4
+.IX Item "-noverify"
+don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
+option will normally only be used for debugging since it disables all verification
+of the responders certificate.
+.Ip "\fB\-no_intern\fR" 4
+.IX Item "-no_intern"
+ignore certificates contained in the \s-1OCSP\s0 response when searching for the
+signers certificate. With this option the signers certificate must be specified
+with either the \fB\-verify_certs\fR or \fB\-VAfile\fR options.
+.Ip "\fB\-no_sig_verify\fR" 4
+.IX Item "-no_sig_verify"
+don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
+signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes.
+.Ip "\fB\-no_cert_verify\fR" 4
+.IX Item "-no_cert_verify"
+don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows
+the \s-1OCSP\s0 response to be signed by any certificate it should only be used for
+testing purposes.
+.Ip "\fB\-no_chain\fR" 4
+.IX Item "-no_chain"
+do not use certificates in the response as additional untrusted \s-1CA\s0
+certificates.
+.Ip "\fB\-no_cert_checks\fR" 4
+.IX Item "-no_cert_checks"
+don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
+That is do not make any checks to see if the signers certificate is authorised
+to provide the necessary status information: as a result this option should
+only be used for testing purposes.
+.Ip "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
+.IX Item "-validity_period nsec, -status_age age"
+these options specify the range of times, in seconds, which will be tolerated
+in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
+an optional \fBnotAfter\fR time. The current time should fall between these two values, but
+the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0
+responder and clients clocks may not be precisely synchronised and so such a check
+may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an
+acceptable error range in seconds, the default value is 5 minutes.
+.Sp
+If the \fBnotAfter\fR time is omitted from a response then this means that new status
+information is immediately available. In this case the age of the \fBnotBefore\fR field
+is checked to see it is not older than \fBage\fR seconds old. By default this additional
+check is not performed.
+.SH "OCSP SERVER OPTIONS"
+.IX Header "OCSP SERVER OPTIONS"
+.Ip "\fB\-index indexfile\fR" 4
+.IX Item "-index indexfile"
+\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
+information.
+.Sp
+If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise
+it is in client mode. The \fIrequest\fR\|(s) the responder processes can be either specified on
+the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
+\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
+.Sp
+If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
+present.
+.Ip "\fB\-CA file\fR" 4
+.IX Item "-CA file"
+\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
+.Ip "\fB\-rsigner file\fR" 4
+.IX Item "-rsigner file"
+The certificate to sign \s-1OCSP\s0 responses with.
+.Ip "\fB\-rother file\fR" 4
+.IX Item "-rother file"
+Additional certificates to include in the \s-1OCSP\s0 response.
+.Ip "\fB\-resp_no_certs\fR" 4
+.IX Item "-resp_no_certs"
+Don't include any certificates in the \s-1OCSP\s0 response.
+.Ip "\fB\-resp_key_id\fR" 4
+.IX Item "-resp_key_id"
+Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name.
+.Ip "\fB\-rkey file\fR" 4
+.IX Item "-rkey file"
+The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
+\&\fBrsigner\fR option is used.
+.Ip "\fB\-port portnum\fR" 4
+.IX Item "-port portnum"
+Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
+option.
+.Ip "\fB\-nrequest number\fR" 4
+.IX Item "-nrequest number"
+The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. 
+.Ip "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
+.IX Item "-nmin minutes, -ndays days"
+Number of minutes or days when fresh revocation information is available: used in the
+\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is 
+omitted meaning fresh revocation information is immediately available.
+.SH "OCSP Response verification."
+.IX Header "OCSP Response verification."
+\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0.
+.PP
+Initially the \s-1OCSP\s0 responder certificate is located and the signature on
+the \s-1OCSP\s0 request checked using the responder certificate's public key.
+.PP
+Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
+building up a certificate chain in the process. The locations of the trusted
+certificates used to build the chain can be specified by the \fBCAfile\fR
+and \fBCApath\fR options or they will be looked for in the standard OpenSSL
+certificates directory.
+.PP
+If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
+error.
+.PP
+Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
+responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
+.PP
+Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
+\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
+extended key usage is present in the \s-1OCSP\s0 responder certificate then the
+\&\s-1OCSP\s0 verify succeeds.
+.PP
+Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responders \s-1CA\s0 is checked to see if it
+is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 verify succeeds.
+.PP
+If none of these checks is successful then the \s-1OCSP\s0 verify fails.
+.PP
+What this effectively means if that if the \s-1OCSP\s0 responder certificate is
+authorised directly by the \s-1CA\s0 it is issuing revocation information about
+(and it is correctly configured) then verification will succeed.
+.PP
+If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
+multiple CAs and has its own separate certificate chain then its root
+\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
+.PP
+.Vb 1
+\& openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
+.Ve
+Alternatively the responder certificate itself can be explicitly trusted
+with the \fB\-VAfile\fR option.
+.SH "NOTES"
+.IX Header "NOTES"
+As noted, most of the verify options are for testing or debugging purposes.
+Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
+\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
+.PP
+The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
+not really usable as a full \s-1OCSP\s0 responder. It contains only a very
+simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
+queries. It also handles requests serially meaning it cannot respond to
+new requests until it has processed the current one. The text index file
+format of revocation is also inefficient for large quantities of revocation
+data.
+.PP
+It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
+script using the \fBrespin\fR and \fBrespout\fR options.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Create an \s-1OCSP\s0 request and write it to a file:
+.PP
+.Vb 1
+\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
+.Ve
+Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the 
+response to a file and print it out in text form
+.PP
+.Vb 2
+\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
+\&     -url http://ocsp.myhost.com/ -resp_text -respout resp.der
+.Ve
+Read in an \s-1OCSP\s0 response and print out text form:
+.PP
+.Vb 1
+\& openssl ocsp -respin resp.der -text
+.Ve
+\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
+responder certificate. All requests and responses are printed to a file.
+.PP
+.Vb 2
+\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
+\&        -text -out log.txt
+.Ve
+As above but exit after processing one request:
+.PP
+.Vb 2
+\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
+\&     -nrequest 1
+.Ve
+Query status information using internally generated request:
+.PP
+.Vb 2
+\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
+\&     -issuer demoCA/cacert.pem -serial 1
+.Ve
+Query status information using request read from a file, write response to a
+second file.
+.PP
+.Vb 2
+\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
+\&     -reqin req.der -respout resp.der
+.Ve
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
new file mode 100644
index 0000000..c88e763
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -0,0 +1,407 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:15 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "openssl 3"
+.TH openssl 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+openssl \- OpenSSL command line tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fIcommand\fR
+[ \fIcommand_opts\fR ]
+[ \fIcommand_args\fR ]
+.PP
+\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ]
+.PP
+\&\fBopenssl\fR \fBno-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
+v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
+cryptography standards required by them.
+.PP
+The \fBopenssl\fR program is a command line tool for using the various
+cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. 
+It can be used for 
+.PP
+.Vb 6
+\& o  Creation of RSA, DH and DSA key parameters
+\& o  Creation of X.509 certificates, CSRs and CRLs 
+\& o  Calculation of Message Digests
+\& o  Encryption and Decryption with Ciphers
+\& o  SSL/TLS Client and Server Tests
+\& o  Handling of S/MIME signed or encrypted mail
+.Ve
+.SH "COMMAND SUMMARY"
+.IX Header "COMMAND SUMMARY"
+The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
+\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
+(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
+.PP
+The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR,
+and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
+of all standard commands, message digest commands, or cipher commands,
+respectively, that are available in the present \fBopenssl\fR utility.
+.PP
+The pseudo-command \fBno-\fR\fI\s-1XXX\s0\fR tests whether a command of the
+specified name is available.  If no command named \fI\s-1XXX\s0\fR exists, it
+returns 0 (success) and prints \fBno-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
+and prints \fI\s-1XXX\s0\fR.  In both cases, the output goes to \fBstdout\fR and
+nothing is printed to \fBstderr\fR.  Additional command line arguments
+are always ignored.  Since for each cipher there is a command of the
+same name, this provides an easy way for shell scripts to test for the
+availability of ciphers in the \fBopenssl\fR program.  (\fBno-\fR\fI\s-1XXX\s0\fR is
+not able to detect pseudo-commands such as \fBquit\fR,
+\&\fBlist-\fR\fI...\fR\fB\-commands\fR, or \fBno-\fR\fI\s-1XXX\s0\fR itself.)
+.Sh "\s-1STANDARD\s0 \s-1COMMANDS\s0"
+.IX Subsection "STANDARD COMMANDS"
+.Ip "\fBasn1parse\fR" 10
+.IX Item "asn1parse"
+Parse an \s-1ASN\s0.1 sequence.
+.Ip "\fBca\fR" 10
+.IX Item "ca"
+Certificate Authority (\s-1CA\s0) Management.  
+.Ip "\fBciphers\fR" 10
+.IX Item "ciphers"
+Cipher Suite Description Determination.
+.Ip "\fBcrl\fR" 10
+.IX Item "crl"
+Certificate Revocation List (\s-1CRL\s0) Management.
+.Ip "\fBcrl2pkcs7\fR" 10
+.IX Item "crl2pkcs7"
+\&\s-1CRL\s0 to PKCS#7 Conversion.
+.Ip "\fBdgst\fR" 10
+.IX Item "dgst"
+Message Digest Calculation.
+.Ip "\fBdh\fR" 10
+.IX Item "dh"
+Diffie-Hellman Parameter Management.
+Obsoleted by \fBdhparam\fR.
+.Ip "\fBdsa\fR" 10
+.IX Item "dsa"
+\&\s-1DSA\s0 Data Management.
+.Ip "\fBdsaparam\fR" 10
+.IX Item "dsaparam"
+\&\s-1DSA\s0 Parameter Generation.
+.Ip "\fBenc\fR" 10
+.IX Item "enc"
+Encoding with Ciphers.
+.Ip "\fBerrstr\fR" 10
+.IX Item "errstr"
+Error Number to Error String Conversion.
+.Ip "\fBdhparam\fR" 10
+.IX Item "dhparam"
+Generation and Management of Diffie-Hellman Parameters.
+.Ip "\fBgendh\fR" 10
+.IX Item "gendh"
+Generation of Diffie-Hellman Parameters.
+Obsoleted by \fBdhparam\fR.
+.Ip "\fBgendsa\fR" 10
+.IX Item "gendsa"
+Generation of \s-1DSA\s0 Parameters.
+.Ip "\fBgenrsa\fR" 10
+.IX Item "genrsa"
+Generation of \s-1RSA\s0 Parameters.
+.Ip "\fBocsp\fR" 10
+.IX Item "ocsp"
+Online Certificate Status Protocol utility.
+.Ip "\fBpasswd\fR" 10
+.IX Item "passwd"
+Generation of hashed passwords.
+.Ip "\fBpkcs12\fR" 10
+.IX Item "pkcs12"
+PKCS#12 Data Management.
+.Ip "\fBpkcs7\fR" 10
+.IX Item "pkcs7"
+PKCS#7 Data Management.
+.Ip "\fBrand\fR" 10
+.IX Item "rand"
+Generate pseudo-random bytes.
+.Ip "\fBreq\fR" 10
+.IX Item "req"
+X.509 Certificate Signing Request (\s-1CSR\s0) Management.
+.Ip "\fBrsa\fR" 10
+.IX Item "rsa"
+\&\s-1RSA\s0 Data Management.
+.Ip "\fBrsautl\fR" 10
+.IX Item "rsautl"
+\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption.
+.Ip "\fBs_client\fR" 10
+.IX Item "s_client"
+This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
+connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing
+purposes only and provides only rudimentary interface functionality but
+internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
+.Ip "\fBs_server\fR" 10
+.IX Item "s_server"
+This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
+clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides
+only rudimentary interface functionality but internally uses mostly all
+functionality of the OpenSSL \fBssl\fR library.  It provides both an own command
+line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
+facility to emulate an SSL/TLS-aware webserver.
+.Ip "\fBs_time\fR" 10
+.IX Item "s_time"
+\&\s-1SSL\s0 Connection Timer.
+.Ip "\fBsess_id\fR" 10
+.IX Item "sess_id"
+\&\s-1SSL\s0 Session Data Management.
+.Ip "\fBsmime\fR" 10
+.IX Item "smime"
+S/MIME mail processing.
+.Ip "\fBspeed\fR" 10
+.IX Item "speed"
+Algorithm Speed Measurement.
+.Ip "\fBverify\fR" 10
+.IX Item "verify"
+X.509 Certificate Verification.
+.Ip "\fBversion\fR" 10
+.IX Item "version"
+OpenSSL Version Information.
+.Ip "\fBx509\fR" 10
+.IX Item "x509"
+X.509 Certificate Data Management.
+.Sh "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0"
+.IX Subsection "MESSAGE DIGEST COMMANDS"
+.Ip "\fBmd2\fR" 10
+.IX Item "md2"
+\&\s-1MD2\s0 Digest
+.Ip "\fBmd5\fR" 10
+.IX Item "md5"
+\&\s-1MD5\s0 Digest
+.Ip "\fBmdc2\fR" 10
+.IX Item "mdc2"
+\&\s-1MDC2\s0 Digest
+.Ip "\fBrmd160\fR" 10
+.IX Item "rmd160"
+\&\s-1RMD-160\s0 Digest
+.Ip "\fBsha\fR" 10
+.IX Item "sha"
+\&\s-1SHA\s0 Digest
+.Ip "\fBsha1\fR" 10
+.IX Item "sha1"
+\&\s-1SHA-1\s0 Digest
+.Sh "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0"
+.IX Subsection "ENCODING AND CIPHER COMMANDS"
+.Ip "\fBbase64\fR" 10
+.IX Item "base64"
+Base64 Encoding
+.Ip "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
+.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb"
+Blowfish Cipher
+.Ip "\fBcast cast-cbc\fR" 10
+.IX Item "cast cast-cbc"
+\&\s-1CAST\s0 Cipher
+.Ip "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
+.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb"
+\&\s-1CAST5\s0 Cipher
+.Ip "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
+.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb"
+\&\s-1DES\s0 Cipher
+.Ip "\fBdes3 desx des-ede3 des-ede3\-cbc des-ede3\-cfb des-ede3\-ofb\fR" 10
+.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb"
+Triple-DES Cipher
+.Ip "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
+.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb"
+\&\s-1IDEA\s0 Cipher
+.Ip "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
+.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb"
+\&\s-1RC2\s0 Cipher
+.Ip "\fBrc4\fR" 10
+.IX Item "rc4"
+\&\s-1RC4\s0 Cipher
+.Ip "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
+.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb"
+\&\s-1RC5\s0 Cipher
+.SH "PASS PHRASE ARGUMENTS"
+.IX Header "PASS PHRASE ARGUMENTS"
+Several commands accept password arguments, typically using \fB\-passin\fR
+and \fB\-passout\fR for input and output passwords respectively. These allow
+the password to be obtained from a variety of sources. Both of these
+options take a single argument whose format is described below. If no
+password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+.Ip "\fBpass:password\fR" 10
+.IX Item "pass:password"
+the actual password is \fBpassword\fR. Since the password is visible
+to utilities (like 'ps' under Unix) this form should only be used
+where security is not important.
+.Ip "\fBenv:var\fR" 10
+.IX Item "env:var"
+obtain the password from the environment variable \fBvar\fR. Since
+the environment of other processes is visible on certain platforms
+(e.g. ps under certain Unix OSes) this option should be used with caution.
+.Ip "\fBfile:pathname\fR" 10
+.IX Item "file:pathname"
+the first line of \fBpathname\fR is the password. If the same \fBpathname\fR
+argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
+line will be used for the input password and the next line for the output
+password. \fBpathname\fR need not refer to a regular file: it could for example
+refer to a device or named pipe.
+.Ip "\fBfd:number\fR" 10
+.IX Item "fd:number"
+read the password from the file descriptor \fBnumber\fR. This can be used to
+send the data via a pipe for example.
+.Ip "\fBstdin\fR" 10
+.IX Item "stdin"
+read the password from standard input.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+asn1parse(1), ca(1), config(5),
+crl(1), crl2pkcs7(1), dgst(1),
+dhparam(1), dsa(1), dsaparam(1),
+enc(1), gendsa(1),
+genrsa(1), nseq(1), openssl(1),
+passwd(1),
+pkcs12(1), pkcs7(1), pkcs8(1),
+rand(1), req(1), rsa(1),
+rsautl(1), s_client(1),
+s_server(1), smime(1), spkac(1),
+verify(1), version(1), x509(1),
+crypto(3), ssl(3) 
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
+The \fBlist-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
+the \fBno-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
+For notes on the availability of other commands, see their individual
+manual pages.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
new file mode 100644
index 0000000..67e5dee
--- /dev/null
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -0,0 +1,203 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:16 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "passwd 3"
+.TH passwd 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+passwd \- compute password hashes
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl passwd\fR
+[\fB\-crypt\fR]
+[\fB\-1\fR]
+[\fB\-apr1\fR]
+[\fB\-salt\fR \fIstring\fR]
+[\fB\-in\fR \fIfile\fR]
+[\fB\-stdin\fR]
+[\fB\-noverify\fR]
+[\fB\-quiet\fR]
+[\fB\-table\fR]
+{\fIpassword\fR}
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpasswd\fR command computes the hash of a password typed at
+run-time or the hash of each password in a list.  The password list is
+taken from the named file for option \fB\-in file\fR, from stdin for
+option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
+The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password
+algorithm \fB1\fR and its Apache variant \fBapr1\fR are available.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-crypt\fR" 4
+.IX Item "-crypt"
+Use the \fBcrypt\fR algorithm (default).
+.Ip "\fB\-1\fR" 4
+.IX Item "-1"
+Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
+.Ip "\fB\-apr1\fR" 4
+.IX Item "-apr1"
+Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
+.Ip "\fB\-salt\fR \fIstring\fR" 4
+.IX Item "-salt string"
+Use the specified salt.
+When reading a password from the terminal, this implies \fB\-noverify\fR.
+.Ip "\fB\-in\fR \fIfile\fR" 4
+.IX Item "-in file"
+Read passwords from \fIfile\fR.
+.Ip "\fB\-stdin\fR" 4
+.IX Item "-stdin"
+Read passwords from \fBstdin\fR.
+.Ip "\fB\-noverify\fR" 4
+.IX Item "-noverify"
+Don't verify when reading a password from the terminal.
+.Ip "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+Don't output warnings when passwords given at the command line are truncated.
+.Ip "\fB\-table\fR" 4
+.IX Item "-table"
+In the output list, prepend the cleartext password and a \s-1TAB\s0 character
+to each password hash.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+\&\fBopenssl passwd \-crypt \-salt xx password\fR prints \fBxxj31ZMTZzkVA\fR.
+.PP
+\&\fBopenssl passwd \-1 \-salt xxxxxxxx password\fR prints \fB$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.\fR.
+.PP
+\&\fBopenssl passwd \-apr1 \-salt xxxxxxxx password\fR prints \fB$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0\fR.
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
new file mode 100644
index 0000000..89e23c5
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -0,0 +1,429 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:17 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "pkcs12 3"
+.TH pkcs12 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+pkcs12 \- PKCS#12 file utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkcs12\fR
+[\fB\-export\fR]
+[\fB\-chain\fR]
+[\fB\-inkey filename\fR]
+[\fB\-certfile filename\fR]
+[\fB\-name name\fR]
+[\fB\-caname name\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-noout\fR]
+[\fB\-nomacver\fR]
+[\fB\-nocerts\fR]
+[\fB\-clcerts\fR]
+[\fB\-cacerts\fR]
+[\fB\-nokeys\fR]
+[\fB\-info\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-nodes\fR]
+[\fB\-noiter\fR]
+[\fB\-maciter\fR]
+[\fB\-twopass\fR]
+[\fB\-descert\fR]
+[\fB\-certpbe\fR]
+[\fB\-keypbe\fR]
+[\fB\-keyex\fR]
+[\fB\-keysig\fR]
+[\fB\-password arg\fR]
+[\fB\-passin arg\fR]
+[\fB\-passout arg\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
+\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
+programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+There are a lot of options the meaning of some depends of whether a PKCS#12 file
+is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
+file can be created by using the \fB\-export\fR option (see below).
+.SH "PARSING OPTIONS"
+.IX Header "PARSING OPTIONS"
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies filename of the PKCS#12 file to be parsed. Standard input is used
+by default.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+The filename to write certificates and private keys to, standard output by default.
+They are all written in \s-1PEM\s0 format.
+.Ip "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
+.IX Item "-pass arg, -passin arg"
+the PKCS#12 file (i.e. input file) password source. For more information about the
+format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+openssl(1).
+.Ip "\fB\-passout arg\fR" 4
+.IX Item "-passout arg"
+pass phrase source to encrypt any outputed private keys with. For more information
+about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+openssl(1).
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option inhibits output of the keys and certificates to the output file version
+of the PKCS#12 file.
+.Ip "\fB\-clcerts\fR" 4
+.IX Item "-clcerts"
+only output client certificates (not \s-1CA\s0 certificates).
+.Ip "\fB\-cacerts\fR" 4
+.IX Item "-cacerts"
+only output \s-1CA\s0 certificates (not client certificates).
+.Ip "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+no certificates at all will be output.
+.Ip "\fB\-nokeys\fR" 4
+.IX Item "-nokeys"
+no private keys will be output.
+.Ip "\fB\-info\fR" 4
+.IX Item "-info"
+output additional information about the PKCS#12 file structure, algorithms used and
+iteration counts.
+.Ip "\fB\-des\fR" 4
+.IX Item "-des"
+use \s-1DES\s0 to encrypt private keys before outputting.
+.Ip "\fB\-des3\fR" 4
+.IX Item "-des3"
+use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
+.Ip "\fB\-idea\fR" 4
+.IX Item "-idea"
+use \s-1IDEA\s0 to encrypt private keys before outputting.
+.Ip "\fB\-nodes\fR" 4
+.IX Item "-nodes"
+don't encrypt the private keys at all.
+.Ip "\fB\-nomacver\fR" 4
+.IX Item "-nomacver"
+don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
+.Ip "\fB\-twopass\fR" 4
+.IX Item "-twopass"
+prompt for separate integrity and encryption passwords: most software
+always assumes these are the same so this option will render such
+PKCS#12 files unreadable.
+.SH "FILE CREATION OPTIONS"
+.IX Header "FILE CREATION OPTIONS"
+.Ip "\fB\-export\fR" 4
+.IX Item "-export"
+This option specifies that a PKCS#12 file will be created rather than
+parsed.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies filename to write the PKCS#12 file to. Standard output is used
+by default.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+The filename to read certificates and private keys from, standard input by default.
+They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and
+its corresponding certificate should be present. If additional certificates are
+present they will also be included in the PKCS#12 file.
+.Ip "\fB\-inkey filename\fR" 4
+.IX Item "-inkey filename"
+file to read private key from. If not present then a private key must be present
+in the input file.
+.Ip "\fB\-name friendlyname\fR" 4
+.IX Item "-name friendlyname"
+This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name
+is typically displayed in list boxes by software importing the file.
+.Ip "\fB\-certfile filename\fR" 4
+.IX Item "-certfile filename"
+A filename to read additional certificates from.
+.Ip "\fB\-caname friendlyname\fR" 4
+.IX Item "-caname friendlyname"
+This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
+used multiple times to specify names for all certificates in the order they
+appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
+displays them.
+.Ip "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
+.IX Item "-pass arg, -passout arg"
+the PKCS#12 file (i.e. output file) password source. For more information about
+the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+openssl(1).
+.Ip "\fB\-passin password\fR" 4
+.IX Item "-passin password"
+pass phrase source to decrypt any input private keys with. For more information
+about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+openssl(1).
+.Ip "\fB\-chain\fR" 4
+.IX Item "-chain"
+if this option is present then an attempt is made to include the entire
+certificate chain of the user certificate. The standard \s-1CA\s0 store is used
+for this search. If the search fails it is considered a fatal error.
+.Ip "\fB\-descert\fR" 4
+.IX Item "-descert"
+encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
+file unreadable by some \*(L"export grade\*(R" software. By default the private
+key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
+.Ip "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
+.IX Item "-keypbe alg, -certpbe alg"
+these options allow the algorithm used to encrypt the private key and
+certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
+can be selected it is advisable only to use PKCS#12 algorithms. See the list
+in the \fB\s-1NOTES\s0\fR section for more information.
+.Ip "\fB\-keyex|\-keysig\fR" 4
+.IX Item "-keyex|-keysig"
+specifies that the private key is to be used for key exchange or just signing.
+This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
+\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
+encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
+option marks the key for signing only. Signing only keys can be used for
+S/MIME signing, authenticode (ActiveX control signing)  and \s-1SSL\s0 client
+authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
+the use of signing only keys for \s-1SSL\s0 client authentication.
+.Ip "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
+.IX Item "-nomaciter, -noiter"
+these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
+Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
+these options alone.
+.Sp
+To discourage attacks by using large dictionaries of common passwords the
+algorithm that derives keys from passwords can have an iteration count applied
+to it: this causes a certain part of the algorithm to be repeated and slows it
+down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
+have the same password as the keys and certificates it could also be attacked.
+By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
+these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
+this reduces the file security you should not use these options unless you
+really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
+\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
+option.
+.Ip "\fB\-maciter\fR" 4
+.IX Item "-maciter"
+This option is included for compatibility with previous versions, it used
+to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.SH "NOTES"
+.IX Header "NOTES"
+Although there are a large number of options most of them are very rarely
+used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
+for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
+.PP
+If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
+then all certificates will be output in the order they appear in the input
+PKCS#12 files. There is no guarantee that the first certificate present is
+the one corresponding to the private key. Certain software which requires
+a private key and certificate and assumes the first certificate in the
+file is the one corresponding to the private key: this may not always
+be the case. Using the \fB\-clcerts\fR option will solve this problem by only
+outputting the certificate corresponding to the private key. If the \s-1CA\s0
+certificates are required then they can be output to a separate file using
+the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
+.PP
+The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
+algorithms for private keys and certificates to be specified. Normally
+the defaults are fine but occasionally software can't handle triple \s-1DES\s0
+encrypted private keys, then the option \fB\-keypbe \s-1PBE-SHA1\-RC2\-40\s0\fR can
+be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
+description of all algorithms is contained in the \fBpkcs8\fR manual page.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Parse a PKCS#12 file and output it to a file:
+.PP
+.Vb 1
+\& openssl pkcs12 -in file.p12 -out file.pem
+.Ve
+Output only client certificates to a file:
+.PP
+.Vb 1
+\& openssl pkcs12 -in file.p12 -clcerts -out file.pem
+.Ve
+Don't encrypt the private key:
+.PP
+.Vb 1
+\& openssl pkcs12 -in file.p12 -out file.pem -nodes
+.Ve
+Print some info about a PKCS#12 file:
+.PP
+.Vb 1
+\& openssl pkcs12 -in file.p12 -info -noout
+.Ve
+Create a PKCS#12 file:
+.PP
+.Vb 1
+\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
+.Ve
+Include some extra certificates:
+.PP
+.Vb 2
+\& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \e
+\&  -certfile othercerts.pem
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+Some would argue that the PKCS#12 standard is one big bug :\-)
+.PP
+Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
+routines. Under rare circumstances this could produce a PKCS#12 file encrypted
+with an invalid key. As a result some PKCS#12 files which triggered this bug
+from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted
+by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
+not be decrypted by other implementations. The chances of producing such
+a file are relatively small: less than 1 in 256.
+.PP
+A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
+files cannot no longer be parsed by the fixed version. Under such circumstances
+the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption
+error when extracting private keys.
+.PP
+This problem can be resolved by extracting the private keys and certificates
+from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
+file from the keys and certificates using a newer version of OpenSSL. For example:
+.PP
+.Vb 2
+\& old-openssl -in bad.p12 -out keycerts.pem
+\& openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+pkcs8(1)
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
new file mode 100644
index 0000000..539985d
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -0,0 +1,223 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:19 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "pkcs7 3"
+.TH pkcs7 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+pkcs7 \- PKCS#7 utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkcs7\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-print_certs\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
+v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
+the \s-1DER\s0 form with header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read from or standard input if this
+option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-print_certs\fR" 4
+.IX Item "-print_certs"
+prints out any certificates or CRLs contained in the file. They are
+preceded by their subject and issuer names in one line format.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out certificates details in full rather than just subject and
+issuer names.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+don't output the encoded version of the PKCS#7 structure (or certificates
+is \fB\-print_certs\fR is set).
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
+.PP
+.Vb 1
+\& openssl pkcs7 -in file.pem -outform DER -out file.der
+.Ve
+Output all certificates in a file:
+.PP
+.Vb 1
+\& openssl pkcs7 -in file.pem -print_certs -out certs.pem
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN PKCS7-----
+\& -----END PKCS7-----
+.Ve
+For compatibility with some CAs it will also accept:
+.PP
+.Vb 2
+\& -----BEGIN CERTIFICATE-----
+\& -----END CERTIFICATE-----
+.Ve
+.SH "RESTRICTIONS"
+.IX Header "RESTRICTIONS"
+There is no option to print out all the fields of a PKCS#7 file.
+.PP
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they 
+cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630\s0.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+crl2pkcs7(1)
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
new file mode 100644
index 0000000..ff9883a
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -0,0 +1,348 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:20 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "pkcs8 3"
+.TH pkcs8 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+pkcs8 \- PKCS#8 format private key conversion tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkcs8\fR
+[\fB\-topk8\fR]
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-passin arg\fR]
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-noiter\fR]
+[\fB\-nocrypt\fR]
+[\fB\-nooct\fR]
+[\fB\-embed\fR]
+[\fB\-nsdb\fR]
+[\fB\-v2 alg\fR]
+[\fB\-v1 alg\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle
+both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
+format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-topk8\fR" 4
+.IX Item "-topk8"
+Normally a PKCS#8 private key is expected on input and a traditional format
+private key will be written. With the \fB\-topk8\fR option the situation is
+reversed: it reads a traditional format private key and writes a PKCS#8
+format key.
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. If a PKCS#8 format key is expected on input
+then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be
+expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format
+private key is used.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write a key to or standard output by
+default. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should \fBnot\fR be the same as the input
+filename.
+.Ip "\fB\-passout arg\fR" 4
+.IX Item "-passout arg"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-nocrypt\fR" 4
+.IX Item "-nocrypt"
+PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
+structures using an appropriate password based encryption algorithm. With
+this option an unencrypted PrivateKeyInfo structure is expected or output.
+This option does not encrypt private keys at all and should only be used
+when absolutely necessary. Certain software such as some versions of Java
+code signing software used unencrypted private keys.
+.Ip "\fB\-nooct\fR" 4
+.IX Item "-nooct"
+This option generates \s-1RSA\s0 private keys in a broken format that some software
+uses. Specifically the private key should be enclosed in a \s-1OCTET\s0 \s-1STRING\s0
+but some software just includes the structure itself without the
+surrounding \s-1OCTET\s0 \s-1STRING\s0.
+.Ip "\fB\-embed\fR" 4
+.IX Item "-embed"
+This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are
+embedded inside the PrivateKey structure. In this form the \s-1OCTET\s0 \s-1STRING\s0
+contains an \s-1ASN1\s0 \s-1SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing
+the parameters and an \s-1ASN1\s0 \s-1INTEGER\s0 containing the private key.
+.Ip "\fB\-nsdb\fR" 4
+.IX Item "-nsdb"
+This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape
+private key databases. The PrivateKey contains a \s-1SEQUENCE\s0 consisting of
+the public and private keys respectively.
+.Ip "\fB\-v2 alg\fR" 4
+.IX Item "-v2 alg"
+This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
+private keys are encrypted with the password based encryption algorithm
+called \fBpbeWithMD5AndDES-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it
+was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
+the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any
+encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however
+not many implementations support PKCS#5 v2.0 yet. If you are just using
+private keys with OpenSSL then this doesn't matter.
+.Sp
+The \fBalg\fR argument is the encryption algorithm to use, valid values include
+\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used.
+.Ip "\fB\-v1 alg\fR" 4
+.IX Item "-v1 alg"
+This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
+list of possible algorithms is included below.
+.SH "NOTES"
+.IX Header "NOTES"
+The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following
+headers and footers:
+.PP
+.Vb 2
+\& -----BEGIN ENCRYPTED PRIVATE KEY-----
+\& -----END ENCRYPTED PRIVATE KEY-----
+.Ve
+The unencrypted form uses:
+.PP
+.Vb 2
+\& -----BEGIN PRIVATE KEY-----
+\& -----END PRIVATE KEY-----
+.Ve
+Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
+counts are more secure that those encrypted using the traditional
+SSLeay compatible formats. So if additional security is considered
+important the keys should be converted.
+.PP
+The default encryption is only 56 bits because this is the encryption
+that most current implementations of PKCS#8 will support.
+.PP
+Some software may use PKCS#12 password based encryption algorithms
+with PKCS#8 format private keys: these are handled automatically
+but there is no option to produce them.
+.PP
+It is possible to write out \s-1DER\s0 encoded encrypted private keys in
+PKCS#8 format because the encryption details are included at an \s-1ASN1\s0
+level whereas the traditional format includes them at a \s-1PEM\s0 level.
+.SH "PKCS#5 v1.5 and PKCS#12 algorithms."
+.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms."
+Various algorithms can be used with the \fB\-v1\fR command line option,
+including PKCS#5 v1.5 and PKCS#12. These are described in more detail
+below.
+.Ip "\fB\s-1PBE-MD2\-DES\s0 \s-1PBE-MD5\-DES\s0\fR" 4
+.IX Item "PBE-MD2-DES PBE-MD5-DES"
+These algorithms were included in the original PKCS#5 v1.5 specification.
+They only offer 56 bits of protection since they both use \s-1DES\s0.
+.Ip "\fB\s-1PBE-SHA1\-RC2\-64\s0 \s-1PBE-MD2\-RC2\-64\s0 \s-1PBE-MD5\-RC2\-64\s0 \s-1PBE-SHA1\-DES\s0\fR" 4
+.IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES"
+These algorithms are not mentioned in the original PKCS#5 v1.5 specification
+but they use the same key derivation algorithm and are supported by some
+software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
+56 bit \s-1DES\s0.
+.Ip "\fB\s-1PBE-SHA1\-RC4\-128\s0 \s-1PBE-SHA1\-RC4\-40\s0 \s-1PBE-SHA1\-3DES\s0 \s-1PBE-SHA1\-2DES\s0 \s-1PBE-SHA1\-RC2\-128\s0 \s-1PBE-SHA1\-RC2\-40\s0\fR" 4
+.IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40"
+These algorithms use the PKCS#12 password based encryption algorithm and
+allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Convert a private from traditional to PKCS#5 v2.0 format using triple
+\&\s-1DES:\s0
+.PP
+.Vb 1
+\& openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
+.Ve
+Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
+(\s-1DES\s0):
+.PP
+.Vb 1
+\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem
+.Ve
+Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
+(3DES):
+.PP
+.Vb 1
+\& openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
+.Ve
+Read a \s-1DER\s0 unencrypted PKCS#8 format private key:
+.PP
+.Vb 1
+\& openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
+.Ve
+Convert a private key from any PKCS#8 format to traditional format:
+.PP
+.Vb 1
+\& openssl pkcs8 -in pk8.pem -out key.pem
+.Ve
+.SH "STANDARDS"
+.IX Header "STANDARDS"
+Test vectors from this PKCS#5 v2.0 implementation were posted to the
+pkcs-tng mailing list using triple \s-1DES\s0, \s-1DES\s0 and \s-1RC2\s0 with high iteration
+counts, several people confirmed that they could decrypt the private
+keys produced and Therefore it can be assumed that the PKCS#5 v2.0
+implementation is reasonably accurate at least as far as these
+algorithms are concerned.
+.PP
+The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
+it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
+PKCS#8 private key format complies with this standard.
+.SH "BUGS"
+.IX Header "BUGS"
+There should be an option that prints out the encryption algorithm
+in use and other details such as the iteration count.
+.PP
+PKCS#8 using triple \s-1DES\s0 and PKCS#5 v2.0 should be the default private
+key format for OpenSSL: for compatibility several of the utilities use
+the old format at present.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+dsa(1), rsa(1), genrsa(1),
+gendsa(1) 
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
new file mode 100644
index 0000000..37c5c07
--- /dev/null
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -0,0 +1,177 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:21 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "rand 3"
+.TH rand 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+rand \- generate pseudo-random bytes
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl rand\fR
+[\fB\-out\fR \fIfile\fR]
+[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
+[\fB\-base64\fR]
+\&\fInum\fR
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding
+the random number generator once.  As in other \fBopenssl\fR command
+line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR
+in addition to the files given in the \fB\-rand\fR option.  A new
+\&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough
+seeding was obtained from these sources.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-out\fR \fIfile\fR" 4
+.IX Item "-out file"
+Write to \fIfile\fR instead of standard output.
+.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
+.IX Item "-rand file"
+Use specified file or files or \s-1EGD\s0 socket (see RAND_egd(3))
+for seeding the random number generator.
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fB\-base64\fR" 4
+.IX Item "-base64"
+Perform base64 encoding on the output.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+RAND_bytes(3)
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
new file mode 100644
index 0000000..1ae330e
--- /dev/null
+++ b/secure/usr.bin/openssl/man/req.1
@@ -0,0 +1,693 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:22 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "req 3"
+.TH req 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+req \- PKCS#10 certificate request and certificate generating utility.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBreq\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-passin arg\fR]
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-text\fR]
+[\fB\-pubkey\fR]
+[\fB\-noout\fR]
+[\fB\-verify\fR]
+[\fB\-modulus\fR]
+[\fB\-new\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-newkey rsa:bits\fR]
+[\fB\-newkey dsa:file\fR]
+[\fB\-nodes\fR]
+[\fB\-key filename\fR]
+[\fB\-keyform PEM|DER\fR]
+[\fB\-keyout filename\fR]
+[\fB\-[md5|sha1|md2|mdc2]\fR]
+[\fB\-config filename\fR]
+[\fB\-subj arg\fR]
+[\fB\-x509\fR]
+[\fB\-days n\fR]
+[\fB\-set_serial n\fR]
+[\fB\-asn1\-kludge\fR]
+[\fB\-newhdr\fR]
+[\fB\-extensions section\fR]
+[\fB\-reqexts section\fR]
+[\fB\-utf8\fR]
+[\fB\-nameopt\fR]
+[\fB\-batch\fR]
+[\fB\-verbose\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBreq\fR command primarily creates and processes certificate requests
+in PKCS#10 format. It can additionally create self signed certificates
+for use as root CAs for example.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
+consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
+footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a request from or standard input
+if this option is not specified. A request is only read if the creation
+options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-passout arg\fR" 4
+.IX Item "-passout arg"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the certificate request in text form.
+.Ip "\fB\-pubkey\fR" 4
+.IX Item "-pubkey"
+outputs the public key.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option prevents output of the encoded version of the request.
+.Ip "\fB\-modulus\fR" 4
+.IX Item "-modulus"
+this option prints out the value of the modulus of the public key
+contained in the request.
+.Ip "\fB\-verify\fR" 4
+.IX Item "-verify"
+verifies the signature on the request.
+.Ip "\fB\-new\fR" 4
+.IX Item "-new"
+this option generates a new certificate request. It will prompt
+the user for the relevant field values. The actual fields
+prompted for and their maximum and minimum sizes are specified
+in the configuration file and any requested extensions.
+.Sp
+If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
+key using information specified in the configuration file.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fB\-newkey arg\fR" 4
+.IX Item "-newkey arg"
+this option creates a new certificate request and a new private
+key. The argument takes one of two forms. \fBrsa:nbits\fR, where
+\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
+in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
+in the file \fBfilename\fR.
+.Ip "\fB\-key filename\fR" 4
+.IX Item "-key filename"
+This specifies the file to read the private key from. It also
+accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
+.Ip "\fB\-keyform PEM|DER\fR" 4
+.IX Item "-keyform PEM|DER"
+the format of the private key file specified in the \fB\-key\fR
+argument. \s-1PEM\s0 is the default.
+.Ip "\fB\-keyout filename\fR" 4
+.IX Item "-keyout filename"
+this gives the filename to write the newly created private key to.
+If this option is not specified then the filename present in the
+configuration file is used.
+.Ip "\fB\-nodes\fR" 4
+.IX Item "-nodes"
+if this option is specified then if a private key is created it
+will not be encrypted.
+.Ip "\fB\-[md5|sha1|md2|mdc2]\fR" 4
+.IX Item "-[md5|sha1|md2|mdc2]"
+this specifies the message digest to sign the request with. This
+overrides the digest algorithm specified in the configuration file.
+This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0.
+.Ip "\fB\-config filename\fR" 4
+.IX Item "-config filename"
+this allows an alternative configuration file to be specified,
+this overrides the compile time filename or any specified in
+the \fB\s-1OPENSSL_CONF\s0\fR environment variable.
+.Ip "\fB\-subj arg\fR" 4
+.IX Item "-subj arg"
+sets subject name for new request or supersedes the subject name
+when processing a request.
+The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
+characters may be escaped by \e (backslash), no spaces are skipped.
+.Ip "\fB\-x509\fR" 4
+.IX Item "-x509"
+this option outputs a self signed certificate instead of a certificate
+request. This is typically used to generate a test certificate or
+a self signed root \s-1CA\s0. The extensions added to the certificate
+(if any) are specified in the configuration file. Unless specified
+using the \fBset_serial\fR option \fB0\fR will be used for the serial
+number.
+.Ip "\fB\-days n\fR" 4
+.IX Item "-days n"
+when the \fB\-x509\fR option is being used this specifies the number of
+days to certify the certificate for. The default is 30 days.
+.Ip "\fB\-set_serial n\fR" 4
+.IX Item "-set_serial n"
+serial number to use when outputting a self signed certificate. This
+may be specified as a decimal value or a hex value if preceded by \fB0x\fR.
+It is possible to use negative serial numbers but this is not recommended.
+.Ip "\fB\-extensions section\fR" 4
+.IX Item "-extensions section"
+.PD 0
+.Ip "\fB\-reqexts section\fR" 4
+.IX Item "-reqexts section"
+.PD
+these options specify alternative sections to include certificate
+extensions (if the \fB\-x509\fR option is present) or certificate
+request extensions. This allows several different sections to
+be used in the same configuration file to specify requests for
+a variety of purposes.
+.Ip "\fB\-utf8\fR" 4
+.IX Item "-utf8"
+this option causes field values to be interpreted as \s-1UTF8\s0 strings, by 
+default they are interpreted as \s-1ASCII\s0. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid \s-1UTF8\s0 strings.
+.Ip "\fB\-nameopt option\fR" 4
+.IX Item "-nameopt option"
+option which determines how the subject or issuer names are displayed. The
+\&\fBoption\fR argument can be a single option or multiple options separated by
+commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
+set multiple options. See the x509(1) manual page for details.
+.Ip "\fB\-asn1\-kludge\fR" 4
+.IX Item "-asn1-kludge"
+by default the \fBreq\fR command outputs certificate requests containing
+no attributes in the correct PKCS#10 format. However certain CAs will only
+accept requests containing no attributes in an invalid form: this
+option produces this invalid format.
+.Sp
+More precisely the \fBAttributes\fR in a PKCS#10 certificate request
+are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so
+if no attributes are present then they should be encoded as an
+empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty
+\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does.
+.Sp
+It should be noted that very few CAs still require the use of this option.
+.Ip "\fB\-newhdr\fR" 4
+.IX Item "-newhdr"
+Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed
+request. Some software (Netscape certificate server) and some CAs need this.
+.Ip "\fB\-batch\fR" 4
+.IX Item "-batch"
+non-interactive mode.
+.Ip "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+print extra details about the operations being performed.
+.SH "CONFIGURATION FILE FORMAT"
+.IX Header "CONFIGURATION FILE FORMAT"
+The configuration options are specified in the \fBreq\fR section of
+the configuration file. As with all configuration files if no
+value is specified in the specific section (i.e. \fBreq\fR) then
+the initial unnamed or \fBdefault\fR section is searched too.
+.PP
+The options available are described in detail below.
+.Ip "\fBinput_password output_password\fR" 4
+.IX Item "input_password output_password"
+The passwords for the input private key file (if present) and
+the output private key file (if one will be created). The
+command line options \fBpassin\fR and \fBpassout\fR override the
+configuration file values.
+.Ip "\fBdefault_bits\fR" 4
+.IX Item "default_bits"
+This specifies the default key size in bits. If not specified then
+512 is used. It is used if the \fB\-new\fR option is used. It can be
+overridden by using the \fB\-newkey\fR option.
+.Ip "\fBdefault_keyfile\fR" 4
+.IX Item "default_keyfile"
+This is the default filename to write a private key to. If not
+specified the key is written to standard output. This can be
+overridden by the \fB\-keyout\fR option.
+.Ip "\fBoid_file\fR" 4
+.IX Item "oid_file"
+This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. 
+.Ip "\fBoid_section\fR" 4
+.IX Item "oid_section"
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by \fB=\fR and the numerical form. The short
+and long names are the same when this option is used.
+.Ip "\fB\s-1RANDFILE\s0\fR" 4
+.IX Item "RANDFILE"
+This specifies a filename in which random number seed information is
+placed and read from, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+It is used for private key generation.
+.Ip "\fBencrypt_key\fR" 4
+.IX Item "encrypt_key"
+If this is set to \fBno\fR then if a private key is generated it is
+\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line
+option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
+.Ip "\fBdefault_md\fR" 4
+.IX Item "default_md"
+This option specifies the digest algorithm to use. Possible values
+include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This
+option can be overridden on the command line.
+.Ip "\fBstring_mask\fR" 4
+.IX Item "string_mask"
+This option masks out the use of certain string types in certain
+fields. Most users will not need to change this option.
+.Sp
+It can be set to several values \fBdefault\fR which is also the default
+option uses PrintableStrings, T61Strings and BMPStrings if the 
+\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will
+be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the
+\&\fButf8only\fR option is used then only UTF8Strings will be used: this
+is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
+option just uses PrintableStrings and T61Strings: certain software has
+problems with BMPStrings and UTF8Strings: in particular Netscape.
+.Ip "\fBreq_extensions\fR" 4
+.IX Item "req_extensions"
+this specifies the configuration file section containing a list of
+extensions to add to the certificate request. It can be overridden
+by the \fB\-reqexts\fR command line switch.
+.Ip "\fBx509_extensions\fR" 4
+.IX Item "x509_extensions"
+this specifies the configuration file section containing a list of
+extensions to add to certificate generated when the \fB\-x509\fR switch
+is used. It can be overridden by the \fB\-extensions\fR command line switch.
+.Ip "\fBprompt\fR" 4
+.IX Item "prompt"
+if set to the value \fBno\fR this disables prompting of certificate fields
+and just takes values from the config file directly. It also changes the
+expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
+.Ip "\fButf8\fR" 4
+.IX Item "utf8"
+if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
+strings, by default they are interpreted as \s-1ASCII\s0. This means that
+the field values, whether prompted from a terminal or obtained from a
+configuration file, must be valid \s-1UTF8\s0 strings.
+.Ip "\fBattributes\fR" 4
+.IX Item "attributes"
+this specifies the section containing any request attributes: its format
+is the same as \fBdistinguished_name\fR. Typically these may contain the
+challengePassword or unstructuredName types. They are currently ignored
+by OpenSSL's request signing utilities but some CAs might want them.
+.Ip "\fBdistinguished_name\fR" 4
+.IX Item "distinguished_name"
+This specifies the section containing the distinguished name fields to
+prompt for when generating a certificate or certificate request. The format
+is described in the next section.
+.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
+.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
+There are two separate formats for the distinguished name and attribute
+sections. If the \fBprompt\fR option is set to \fBno\fR then these sections
+just consist of field names and values: for example,
+.PP
+.Vb 3
+\& CN=My Name
+\& OU=My Organization
+\& emailAddress=someone@somewhere.org
+.Ve
+This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file
+with all the field names and values and just pass it to \fBreq\fR. An example
+of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
+.PP
+Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the
+file contains field prompting information. It consists of lines of the form:
+.PP
+.Vb 4
+\& fieldName="prompt"
+\& fieldName_default="default field value"
+\& fieldName_min= 2
+\& fieldName_max= 4
+.Ve
+\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
+The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
+details. If the user enters nothing then the default value is used if no
+default value is present then the field is omitted. A field can
+still be omitted if a default value is present if the user just
+enters the '.' character.
+.PP
+The number of characters entered must be between the fieldName_min and
+fieldName_max limits: there may be additional restrictions based
+on the field being used (for example countryName can only ever be
+two characters long and must fit in a PrintableString).
+.PP
+Some fields (such as organizationName) can be used more than once
+in a \s-1DN\s0. This presents a problem because configuration files will
+not recognize the same name occurring twice. To avoid this problem
+if the fieldName contains some characters followed by a full stop
+they will be ignored. So for example a second organizationName can
+be input by calling it \*(L"1.organizationName\*(R".
+.PP
+The actual permitted field names are any object identifier short or
+long names. These are compiled into OpenSSL and include the usual
+values such as commonName, countryName, localityName, organizationName,
+organizationUnitName, stateOrPrivinceName. Additionally emailAddress
+is include as well as name, surname, givenName initials and dnQualifier.
+.PP
+Additional object identifiers can be defined with the \fBoid_file\fR or
+\&\fBoid_section\fR options in the configuration file. Any additional fields
+will be treated as though they were a DirectoryString.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Examine and verify certificate request:
+.PP
+.Vb 1
+\& openssl req -in req.pem -text -verify -noout
+.Ve
+Create a private key and then generate a certificate request from it:
+.PP
+.Vb 2
+\& openssl genrsa -out key.pem 1024
+\& openssl req -new -key key.pem -out req.pem
+.Ve
+The same but just using req:
+.PP
+.Vb 1
+\& openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+.Ve
+Generate a self signed root certificate:
+.PP
+.Vb 1
+\& openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+.Ve
+Example of a file pointed to by the \fBoid_file\fR option:
+.PP
+.Vb 2
+\& 1.2.3.4        shortName       A longer Name
+\& 1.2.3.6        otherName       Other longer Name
+.Ve
+Example of a section pointed to by \fBoid_section\fR making use of variable
+expansion:
+.PP
+.Vb 2
+\& testoid1=1.2.3.5
+\& testoid2=${testoid1}.6
+.Ve
+Sample configuration file prompting for field values:
+.PP
+.Vb 6
+\& [ req ]
+\& default_bits           = 1024
+\& default_keyfile        = privkey.pem
+\& distinguished_name     = req_distinguished_name
+\& attributes             = req_attributes
+\& x509_extensions        = v3_ca
+.Ve
+.Vb 1
+\& dirstring_type = nobmp
+.Ve
+.Vb 5
+\& [ req_distinguished_name ]
+\& countryName                    = Country Name (2 letter code)
+\& countryName_default            = AU
+\& countryName_min                = 2
+\& countryName_max                = 2
+.Ve
+.Vb 1
+\& localityName                   = Locality Name (eg, city)
+.Ve
+.Vb 1
+\& organizationalUnitName         = Organizational Unit Name (eg, section)
+.Ve
+.Vb 2
+\& commonName                     = Common Name (eg, YOUR name)
+\& commonName_max                 = 64
+.Ve
+.Vb 2
+\& emailAddress                   = Email Address
+\& emailAddress_max               = 40
+.Ve
+.Vb 4
+\& [ req_attributes ]
+\& challengePassword              = A challenge password
+\& challengePassword_min          = 4
+\& challengePassword_max          = 20
+.Ve
+.Vb 1
+\& [ v3_ca ]
+.Ve
+.Vb 3
+\& subjectKeyIdentifier=hash
+\& authorityKeyIdentifier=keyid:always,issuer:always
+\& basicConstraints = CA:true
+.Ve
+Sample configuration containing all field values:
+.PP
+.Vb 1
+\& RANDFILE               = $ENV::HOME/.rnd
+.Ve
+.Vb 7
+\& [ req ]
+\& default_bits           = 1024
+\& default_keyfile        = keyfile.pem
+\& distinguished_name     = req_distinguished_name
+\& attributes             = req_attributes
+\& prompt                 = no
+\& output_password        = mypass
+.Ve
+.Vb 8
+\& [ req_distinguished_name ]
+\& C                      = GB
+\& ST                     = Test State or Province
+\& L                      = Test Locality
+\& O                      = Organization Name
+\& OU                     = Organizational Unit Name
+\& CN                     = Common Name
+\& emailAddress           = test@email.address
+.Ve
+.Vb 2
+\& [ req_attributes ]
+\& challengePassword              = A challenge password
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The header and footer lines in the \fB\s-1PEM\s0\fR format are normally:
+.PP
+.Vb 2
+\& -----BEGIN CERTIFICATE REQUEST-----
+\& -----END CERTIFICATE REQUEST-----
+.Ve
+some software (some versions of Netscape certificate server) instead needs:
+.PP
+.Vb 2
+\& -----BEGIN NEW CERTIFICATE REQUEST-----
+\& -----END NEW CERTIFICATE REQUEST-----
+.Ve
+which is produced with the \fB\-newhdr\fR option but is otherwise compatible.
+Either form is accepted transparently on input.
+.PP
+The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
+added. It includes the \fBkeyUsage\fR extension which determines the type of
+key (signature only or general purpose) and any additional OIDs entered
+by the script in an extendedKeyUsage extension.
+.SH "DIAGNOSTICS"
+.IX Header "DIAGNOSTICS"
+The following messages are frequently asked about:
+.PP
+.Vb 2
+\&        Using configuration from /some/path/openssl.cnf
+\&        Unable to load config info
+.Ve
+This is followed some time later by...
+.PP
+.Vb 2
+\&        unable to find 'distinguished_name' in config
+\&        problems making Certificate Request
+.Ve
+The first error message is the clue: it can't find the configuration
+file! Certain operations (like examining a certificate request) don't
+need a configuration file so its use isn't enforced. Generation of
+certificates or requests however does need a configuration file. This
+could be regarded as a bug.
+.PP
+Another puzzling message is this:
+.PP
+.Vb 2
+\&        Attributes:
+\&            a0:00
+.Ve
+this is displayed when no attributes are present and the request includes
+the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
+0x00). If you just see:
+.PP
+.Vb 1
+\&        Attributes:
+.Ve
+then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but
+it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
+for more information.
+.SH "ENVIRONMENT VARIABLES"
+.IX Header "ENVIRONMENT VARIABLES"
+The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
+file location to be specified, it will be overridden by the \fB\-config\fR command
+line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR
+environment variable serves the same purpose but its use is discouraged.
+.SH "BUGS"
+.IX Header "BUGS"
+OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as \s-1ISO-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
+This can cause problems if you need characters that aren't available in
+PrintableStrings and you don't want to or can't use BMPStrings.
+.PP
+As a consequence of the T61String handling the only correct way to represent
+accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
+currently chokes on these. If you have to use accented characters with Netscape
+and \s-1MSIE\s0 then you currently need to use the invalid T61String form.
+.PP
+The current prompting is not very friendly. It doesn't allow you to confirm what
+you've just entered. Other things like extensions in certificate requests are
+statically defined in the configuration file. Some of these: like an email
+address in subjectAltName should be input by the user.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+x509(1), ca(1), genrsa(1),
+gendsa(1), config(5)
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
new file mode 100644
index 0000000..ea57b93
--- /dev/null
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -0,0 +1,301 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:23 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "rsa 3"
+.TH rsa 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+rsa \- \s-1RSA\s0 key processing tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBrsa\fR
+[\fB\-inform PEM|NET|DER\fR]
+[\fB\-outform PEM|NET|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-passin arg\fR]
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-sgckey\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+[\fB\-modulus\fR]
+[\fB\-check\fR]
+[\fB\-pubin\fR]
+[\fB\-pubout\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various
+forms and their components printed out. \fBNote\fR this command uses the
+traditional SSLeay compatible format for private key encryption: newer
+applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
+utility.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-inform DER|NET|PEM\fR" 4
+.IX Item "-inform DER|NET|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
+The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
+encoded with additional header and footer lines. On input PKCS#8 format private
+keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in the \fB\s-1NOTES\s0\fR
+section.
+.Ip "\fB\-outform DER|NET|PEM\fR" 4
+.IX Item "-outform DER|NET|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should \fBnot\fR be the same as the input
+filename.
+.Ip "\fB\-passout password\fR" 4
+.IX Item "-passout password"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-sgckey\fR" 4
+.IX Item "-sgckey"
+use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0
+keys.
+.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IX Item "-des|-des3|-idea"
+These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
+\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the \fBrsa\fR utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with \s-1PEM\s0 format output files.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option prevents output of the encoded version of the key.
+.Ip "\fB\-modulus\fR" 4
+.IX Item "-modulus"
+this option prints out the value of the modulus of the key.
+.Ip "\fB\-check\fR" 4
+.IX Item "-check"
+this option checks the consistency of an \s-1RSA\s0 private key.
+.Ip "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+by default a private key is read from the input file: with this
+option a public key is read instead.
+.Ip "\fB\-pubout\fR" 4
+.IX Item "-pubout"
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 private key format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN RSA PRIVATE KEY-----
+\& -----END RSA PRIVATE KEY-----
+.Ve
+The \s-1PEM\s0 public key format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN PUBLIC KEY-----
+\& -----END PUBLIC KEY-----
+.Ve
+The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers
+and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption.
+It is not very secure and so should only be used when necessary.
+.PP
+Some newer version of \s-1IIS\s0 have additional data in the exported .key
+files. To use these with the utility, view the file with a binary editor
+and look for the string \*(L"private-key\*(R", then trace back to the byte
+sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
+from this point onwards to another file and use that as the input
+to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get
+an error after entering the password try the \fB\-sgckey\fR option.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+To remove the pass phrase on an \s-1RSA\s0 private key:
+.PP
+.Vb 1
+\& openssl rsa -in key.pem -out keyout.pem
+.Ve
+To encrypt a private key using triple \s-1DES:\s0
+.PP
+.Vb 1
+\& openssl rsa -in key.pem -des3 -out keyout.pem
+.Ve
+To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: 
+.PP
+.Vb 1
+\& openssl rsa -in key.pem -outform DER -out keyout.der
+.Ve
+To print out the components of a private key to standard output:
+.PP
+.Vb 1
+\& openssl rsa -in key.pem -text -noout
+.Ve
+To just output the public part of a private key:
+.PP
+.Vb 1
+\& openssl rsa -in key.pem -pubout -out pubkey.pem
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+The command line password arguments don't currently work with
+\&\fB\s-1NET\s0\fR format.
+.PP
+There should be an option that automatically handles .key files,
+without having to manually edit them.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+pkcs8(1), dsa(1), genrsa(1),
+gendsa(1) 
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
new file mode 100644
index 0000000..67e3f3e
--- /dev/null
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -0,0 +1,312 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:25 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "rsautl 3"
+.TH rsautl 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+rsautl \- \s-1RSA\s0 utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBrsautl\fR
+[\fB\-in file\fR]
+[\fB\-out file\fR]
+[\fB\-inkey file\fR]
+[\fB\-pubin\fR]
+[\fB\-certin\fR]
+[\fB\-sign\fR]
+[\fB\-verify\fR]
+[\fB\-encrypt\fR]
+[\fB\-decrypt\fR]
+[\fB\-pkcs\fR]
+[\fB\-ssl\fR]
+[\fB\-raw\fR]
+[\fB\-hexdump\fR]
+[\fB\-asn1parse\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
+data using the \s-1RSA\s0 algorithm.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read data from or standard input
+if this option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-inkey file\fR" 4
+.IX Item "-inkey file"
+the input key file, by default it should be an \s-1RSA\s0 private key.
+.Ip "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+the input file is an \s-1RSA\s0 public key. 
+.Ip "\fB\-certin\fR" 4
+.IX Item "-certin"
+the input is a certificate containing an \s-1RSA\s0 public key. 
+.Ip "\fB\-sign\fR" 4
+.IX Item "-sign"
+sign the input data and output the signed result. This requires
+and \s-1RSA\s0 private key.
+.Ip "\fB\-verify\fR" 4
+.IX Item "-verify"
+verify the input data and output the recovered data.
+.Ip "\fB\-encrypt\fR" 4
+.IX Item "-encrypt"
+encrypt the input data using an \s-1RSA\s0 public key.
+.Ip "\fB\-decrypt\fR" 4
+.IX Item "-decrypt"
+decrypt the input data using an \s-1RSA\s0 private key.
+.Ip "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
+.IX Item "-pkcs, -oaep, -ssl, -raw"
+the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0,
+special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
+or no padding, respectively.
+For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
+.Ip "\fB\-hexdump\fR" 4
+.IX Item "-hexdump"
+hex dump the output data.
+.Ip "\fB\-asn1parse\fR" 4
+.IX Item "-asn1parse"
+asn1parse the output data, this is useful when combined with the
+\&\fB\-verify\fR option.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be
+used to sign or verify small pieces of data.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Sign some data using a private key:
+.PP
+.Vb 1
+\& openssl rsautl -sign -in file -inkey key.pem -out sig
+.Ve
+Recover the signed data
+.PP
+.Vb 1
+\& openssl rsautl -verify -in sig -inkey key.pem
+.Ve
+Examine the raw signed data:
+.PP
+.Vb 1
+\& openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
+.Ve
+.Vb 8
+\& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
+\& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
+.Ve
+The PKCS#1 block formatting is evident from this. If this was done using
+encrypt and decrypt the block would have been of type 2 (the second byte)
+and random padding data visible instead of the 0xff bytes.
+.PP
+It is possible to analyse the signature of certificates using this
+utility in conjunction with \fBasn1parse\fR. Consider the self signed
+example in certs/pca-cert.pem . Running \fBasn1parse\fR as follows yields:
+.PP
+.Vb 1
+\& openssl asn1parse -in pca-cert.pem
+.Ve
+.Vb 18
+\&    0:d=0  hl=4 l= 742 cons: SEQUENCE          
+\&    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
+\&    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
+\&   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
+\&   13:d=2  hl=2 l=   1 prim:   INTEGER           :00
+\&   16:d=2  hl=2 l=  13 cons:   SEQUENCE          
+\&   18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
+\&   29:d=3  hl=2 l=   0 prim:    NULL              
+\&   31:d=2  hl=2 l=  92 cons:   SEQUENCE          
+\&   33:d=3  hl=2 l=  11 cons:    SET               
+\&   35:d=4  hl=2 l=   9 cons:     SEQUENCE          
+\&   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+\&   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
+\&  ....
+\&  599:d=1  hl=2 l=  13 cons:  SEQUENCE          
+\&  601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
+\&  612:d=2  hl=2 l=   0 prim:   NULL              
+\&  614:d=1  hl=3 l= 129 prim:  BIT STRING
+.Ve
+The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with:
+.PP
+.Vb 1
+\& openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
+.Ve
+The certificate public key can be extracted with:
+.PP
+.Vb 1
+\& openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
+.Ve
+The signature can be analysed with:
+.PP
+.Vb 1
+\& openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
+.Ve
+.Vb 6
+\&    0:d=0  hl=2 l=  32 cons: SEQUENCE          
+\&    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
+\&    4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
+\&   14:d=2  hl=2 l=   0 prim:   NULL              
+\&   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
+\&      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
+.Ve
+This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
+the digest used was md5. The actual part of the certificate that was signed can
+be extracted with:
+.PP
+.Vb 1
+\& openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
+.Ve
+and its digest computed with:
+.PP
+.Vb 2
+\& openssl md5 -c tbs
+\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
+.Ve
+which it can be seen agrees with the recovered value above.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+dgst(1), rsa(1), genrsa(1)
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
new file mode 100644
index 0000000..c0c0d0b
--- /dev/null
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -0,0 +1,347 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:26 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "s_client 3"
+.TH s_client 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+s_client \- \s-1SSL/TLS\s0 client program
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBs_client\fR
+[\fB\-connect\fR host:port>]
+[\fB\-verify depth\fR]
+[\fB\-cert filename\fR]
+[\fB\-key filename\fR]
+[\fB\-CApath directory\fR]
+[\fB\-CAfile filename\fR]
+[\fB\-reconnect\fR]
+[\fB\-pause\fR]
+[\fB\-showcerts\fR]
+[\fB\-debug\fR]
+[\fB\-msg\fR]
+[\fB\-nbio_test\fR]
+[\fB\-state\fR]
+[\fB\-nbio\fR]
+[\fB\-crlf\fR]
+[\fB\-ign_eof\fR]
+[\fB\-quiet\fR]
+[\fB\-ssl2\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-no_ssl2\fR]
+[\fB\-no_ssl3\fR]
+[\fB\-no_tls1\fR]
+[\fB\-bugs\fR]
+[\fB\-cipher cipherlist\fR]
+[\fB\-engine id\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
+to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
+\&\s-1SSL\s0 servers.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-connect host:port\fR" 4
+.IX Item "-connect host:port"
+This specifies the host and optional port to connect to. If not specified
+then an attempt is made to connect to the local host on port 4433.
+.Ip "\fB\-cert certname\fR" 4
+.IX Item "-cert certname"
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate.
+.Ip "\fB\-key keyfile\fR" 4
+.IX Item "-key keyfile"
+The private key to use. If not specified then the certificate file will
+be used.
+.Ip "\fB\-verify depth\fR" 4
+.IX Item "-verify depth"
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+.Ip "\fB\-CApath directory\fR" 4
+.IX Item "-CApath directory"
+The directory to use for server certificate verification. This directory
+must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
+also used when building the client certificate chain.
+.Ip "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+.Ip "\fB\-reconnect\fR" 4
+.IX Item "-reconnect"
+reconnects to the same server 5 times using the same session \s-1ID\s0, this can
+be used as a test that session caching is working.
+.Ip "\fB\-pause\fR" 4
+.IX Item "-pause"
+pauses 1 second between each read and write call.
+.Ip "\fB\-showcerts\fR" 4
+.IX Item "-showcerts"
+display the whole server certificate chain: normally only the server
+certificate itself is displayed.
+.Ip "\fB\-prexit\fR" 4
+.IX Item "-prexit"
+print session information when the program exits. This will always attempt
+to print out information even if the connection fails. Normally information
+will only be printed out once if the connection succeeds. This option is useful
+because the cipher in use may be renegotiated or the connection may fail
+because a client certificate is required or is requested only after an
+attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
+option is not always accurate because a connection might never have been
+established.
+.Ip "\fB\-state\fR" 4
+.IX Item "-state"
+prints out the \s-1SSL\s0 session states.
+.Ip "\fB\-debug\fR" 4
+.IX Item "-debug"
+print extensive debugging information including a hex dump of all traffic.
+.Ip "\fB\-msg\fR" 4
+.IX Item "-msg"
+show all protocol messages with hex dump.
+.Ip "\fB\-nbio_test\fR" 4
+.IX Item "-nbio_test"
+tests non-blocking I/O
+.Ip "\fB\-nbio\fR" 4
+.IX Item "-nbio"
+turns on non-blocking I/O
+.Ip "\fB\-crlf\fR" 4
+.IX Item "-crlf"
+this option translated a line feed from the terminal into \s-1CR+LF\s0 as required
+by some servers.
+.Ip "\fB\-ign_eof\fR" 4
+.IX Item "-ign_eof"
+inhibit shutting down the connection when end of file is reached in the
+input.
+.Ip "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+inhibit printing of session and certificate information.  This implicitly
+turns on \fB\-ign_eof\fR as well.
+.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
+.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
+these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
+.Sp
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
+support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
+.Ip "\fB\-bugs\fR" 4
+.IX Item "-bugs"
+there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
+option enables various workarounds.
+.Ip "\fB\-cipher cipherlist\fR" 4
+.IX Item "-cipher cipherlist"
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the \fBciphers\fR
+command for more information.
+.Ip "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.SH "CONNECTED COMMANDS"
+.IX Header "CONNECTED COMMANDS"
+If a connection is established with an \s-1SSL\s0 server then any data received
+from the server is displayed and any key presses will be sent to the
+server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
+have been given), the session will be renegotiated if the line begins with an
+\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
+connection will be closed down.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
+server the command:
+.PP
+.Vb 1
+\& openssl s_client -connect servername:443
+.Ve
+would typically be used (https uses port 443). If the connection succeeds
+then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
+.PP
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
+\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR can be tried
+in case it is a buggy server. In particular you should play with these
+options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
+.PP
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
+requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
+and checked. However some servers only request client authentication
+after a specific \s-1URL\s0 is requested. To obtain the list in this case it
+is necessary to use the \fB\-prexit\fR command and send an \s-1HTTP\s0 request
+for an appropriate page.
+.PP
+If a certificate is specified on the command line using the \fB\-cert\fR
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+.PP
+If there are problems verifying a server certificate then the
+\&\fB\-showcerts\fR option can be used to show the whole chain.
+.SH "BUGS"
+.IX Header "BUGS"
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_client is rather
+hard to read and not a model of how things should be done. A typical
+\&\s-1SSL\s0 client program would be much simpler.
+.PP
+The \fB\-verify\fR option should really exit if the server verification
+fails.
+.PP
+The \fB\-prexit\fR option is a bit of a hack. We should really report
+information whenever a session is renegotiated.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+sess_id(1), s_server(1), ciphers(1)
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
new file mode 100644
index 0000000..e2fd3e7
--- /dev/null
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -0,0 +1,385 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:27 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "s_server 3"
+.TH s_server 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+s_server \- \s-1SSL/TLS\s0 server program
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBs_server\fR
+[\fB\-accept port\fR]
+[\fB\-context id\fR]
+[\fB\-verify depth\fR]
+[\fB\-Verify depth\fR]
+[\fB\-cert filename\fR]
+[\fB\-key keyfile\fR]
+[\fB\-dcert filename\fR]
+[\fB\-dkey keyfile\fR]
+[\fB\-dhparam filename\fR]
+[\fB\-nbio\fR]
+[\fB\-nbio_test\fR]
+[\fB\-crlf\fR]
+[\fB\-debug\fR]
+[\fB\-msg\fR]
+[\fB\-state\fR]
+[\fB\-CApath directory\fR]
+[\fB\-CAfile filename\fR]
+[\fB\-nocert\fR]
+[\fB\-cipher cipherlist\fR]
+[\fB\-quiet\fR]
+[\fB\-no_tmp_rsa\fR]
+[\fB\-ssl2\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-no_ssl2\fR]
+[\fB\-no_ssl3\fR]
+[\fB\-no_tls1\fR]
+[\fB\-no_dhe\fR]
+[\fB\-bugs\fR]
+[\fB\-hack\fR]
+[\fB\-www\fR]
+[\fB\-WWW\fR]
+[\fB\-HTTP\fR]
+[\fB\-engine id\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
+for connections on a given port using \s-1SSL/TLS\s0.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-accept port\fR" 4
+.IX Item "-accept port"
+the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
+.Ip "\fB\-context id\fR" 4
+.IX Item "-context id"
+sets the \s-1SSL\s0 context id. It can be given any string value. If this option
+is not present a default value will be used.
+.Ip "\fB\-cert certname\fR" 4
+.IX Item "-cert certname"
+The certificate to use, most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
+(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
+.Ip "\fB\-key keyfile\fR" 4
+.IX Item "-key keyfile"
+The private key to use. If not specified then the certificate file will
+be used.
+.Ip "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4
+.IX Item "-dcert filename, -dkey keyname"
+specify an additional certificate and private key, these behave in the
+same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
+if they are not specified (no additional certificate and key is used). As
+noted above some cipher suites require a certificate containing a key of
+a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
+and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
+a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
+by using an appropriate certificate.
+.Ip "\fB\-nocert\fR" 4
+.IX Item "-nocert"
+if this option is set then no certificate is used. This restricts the
+cipher suites available to the anonymous ones (currently just anonymous
+\&\s-1DH\s0).
+.Ip "\fB\-dhparam filename\fR" 4
+.IX Item "-dhparam filename"
+the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
+using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
+load the parameters from the server certificate file. If this fails then
+a static set of parameters hard coded into the s_server program will be used.
+.Ip "\fB\-no_dhe\fR" 4
+.IX Item "-no_dhe"
+if this option is set then no \s-1DH\s0 parameters will be loaded effectively
+disabling the ephemeral \s-1DH\s0 cipher suites.
+.Ip "\fB\-no_tmp_rsa\fR" 4
+.IX Item "-no_tmp_rsa"
+certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option
+disables temporary \s-1RSA\s0 key generation.
+.Ip "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4
+.IX Item "-verify depth, -Verify depth"
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the \fB\-verify\fR option a certificate is requested but the
+client does not have to send one, with the \fB\-Verify\fR option the client
+must supply a certificate or an error occurs.
+.Ip "\fB\-CApath directory\fR" 4
+.IX Item "-CApath directory"
+The directory to use for client certificate verification. This directory
+must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
+also used when building the server certificate chain.
+.Ip "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+A file containing trusted certificates to use during client authentication
+and to use when attempting to build the server certificate chain. The list
+is also used in the list of acceptable client CAs passed to the client when
+a certificate is requested.
+.Ip "\fB\-state\fR" 4
+.IX Item "-state"
+prints out the \s-1SSL\s0 session states.
+.Ip "\fB\-debug\fR" 4
+.IX Item "-debug"
+print extensive debugging information including a hex dump of all traffic.
+.Ip "\fB\-msg\fR" 4
+.IX Item "-msg"
+show all protocol messages with hex dump.
+.Ip "\fB\-nbio_test\fR" 4
+.IX Item "-nbio_test"
+tests non blocking I/O
+.Ip "\fB\-nbio\fR" 4
+.IX Item "-nbio"
+turns on non blocking I/O
+.Ip "\fB\-crlf\fR" 4
+.IX Item "-crlf"
+this option translated a line feed from the terminal into \s-1CR+LF\s0.
+.Ip "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+inhibit printing of session and certificate information.
+.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
+.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
+these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
+.Ip "\fB\-bugs\fR" 4
+.IX Item "-bugs"
+there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
+option enables various workarounds.
+.Ip "\fB\-hack\fR" 4
+.IX Item "-hack"
+this option enables a further workaround for some some early Netscape
+\&\s-1SSL\s0 code (?).
+.Ip "\fB\-cipher cipherlist\fR" 4
+.IX Item "-cipher cipherlist"
+this allows the cipher list used by the server to be modified.  When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the \fBciphers\fR command for more information.
+.Ip "\fB\-www\fR" 4
+.IX Item "-www"
+sends a status message back to the client when it connects. This includes
+lots of information about the ciphers used and various session parameters.
+The output is in \s-1HTML\s0 format so this option will normally be used with a
+web browser.
+.Ip "\fB\-WWW\fR" 4
+.IX Item "-WWW"
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the \s-1URL\s0 https://myhost/page.html is
+requested the file ./page.html will be loaded.
+.Ip "\fB\-HTTP\fR" 4
+.IX Item "-HTTP"
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the \s-1URL\s0 https://myhost/page.html is
+requested the file ./page.html will be loaded. The files loaded are
+assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
+are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0).
+.Ip "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by it's unique \fBid\fR string) will cause \fBs_server\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.SH "CONNECTED COMMANDS"
+.IX Header "CONNECTED COMMANDS"
+If a connection request is established with an \s-1SSL\s0 client and neither the
+\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
+from the client is displayed and any key presses will be sent to the client. 
+.PP
+Certain single letter commands are also recognized which perform special
+operations: these are listed below.
+.Ip "\fBq\fR" 4
+.IX Item "q"
+end the current \s-1SSL\s0 connection but still accept new connections.
+.Ip "\fBQ\fR" 4
+.IX Item "Q"
+end the current \s-1SSL\s0 connection and exit.
+.Ip "\fBr\fR" 4
+.IX Item "r"
+renegotiate the \s-1SSL\s0 session.
+.Ip "\fBR\fR" 4
+.IX Item "R"
+renegotiate the \s-1SSL\s0 session and request a client certificate.
+.Ip "\fBP\fR" 4
+.IX Item "P"
+send some plain text down the underlying \s-1TCP\s0 connection: this should
+cause the client to disconnect due to a protocol violation.
+.Ip "\fBS\fR" 4
+.IX Item "S"
+print out some session cache status information.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from
+a web browser the command:
+.PP
+.Vb 1
+\& openssl s_server -accept 443 -www
+.Ve
+can be used for example.
+.PP
+Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher
+suites, so they cannot connect to servers which don't use a certificate
+carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled.
+.PP
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
+mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
+.PP
+The session parameters can printed out using the \fBsess_id\fR program.
+.SH "BUGS"
+.IX Header "BUGS"
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_server is rather
+hard to read and not a model of how things should be done. A typical
+\&\s-1SSL\s0 server program would be much simpler.
+.PP
+The output of common ciphers is wrong: it just gives the list of ciphers that
+OpenSSL recognizes and the client supports.
+.PP
+There should be a way for the \fBs_server\fR program to print out details of any
+unknown cipher suites a client says it supports.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+sess_id(1), s_client(1), ciphers(1)
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
new file mode 100644
index 0000000..9a42c14
--- /dev/null
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -0,0 +1,258 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:28 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "sess_id 3"
+.TH sess_id 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+sess_id \- \s-1SSL/TLS\s0 session handling utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBsess_id\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+[\fB\-context \s-1ID\s0\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure
+and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session
+master key) in human readable format. Since this is a diagnostic tool that
+needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
+not need to use it.
+.Ip "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+format containing session details. The precise format can vary from one version
+to the next.  The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
+format base64 encoded with additional header and footer lines.
+.Ip "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read session information from or standard
+input by default.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write session information to or standard
+output if this option is not specified.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the various public or private key components in
+plain text in addition to the encoded version. 
+.Ip "\fB\-cert\fR" 4
+.IX Item "-cert"
+if a certificate is present in the session it will be output using this option,
+if the \fB\-text\fR option is also present then it will be printed out in text form.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option prevents output of the encoded version of the session.
+.Ip "\fB\-context \s-1ID\s0\fR" 4
+.IX Item "-context ID"
+this option can set the session id so the output session information uses the
+supplied \s-1ID\s0. The \s-1ID\s0 can be any string of characters. This option wont normally
+be used.
+.SH "OUTPUT"
+.IX Header "OUTPUT"
+Typical output:
+.PP
+.Vb 10
+\& SSL-Session:
+\&     Protocol  : TLSv1
+\&     Cipher    : 0016
+\&     Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
+\&     Session-ID-ctx: 01000000
+\&     Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
+\&     Key-Arg   : None
+\&     Start Time: 948459261
+\&     Timeout   : 300 (sec)
+\&     Verify return code 0 (ok)
+.Ve
+Theses are described below in more detail.
+.Ip "\fBProtocol\fR" 4
+.IX Item "Protocol"
+this is the protocol in use TLSv1, SSLv3 or SSLv2.
+.Ip "\fBCipher\fR" 4
+.IX Item "Cipher"
+the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0
+or \s-1TLS\s0 specifications for more information.
+.Ip "\fBSession-ID\fR" 4
+.IX Item "Session-ID"
+the \s-1SSL\s0 session \s-1ID\s0 in hex format.
+.Ip "\fBSession-ID-ctx\fR" 4
+.IX Item "Session-ID-ctx"
+the session \s-1ID\s0 context in hex format.
+.Ip "\fBMaster-Key\fR" 4
+.IX Item "Master-Key"
+this is the \s-1SSL\s0 session master key.
+.Ip "\fBKey-Arg\fR" 4
+.IX Item "Key-Arg"
+the key argument, this is only used in \s-1SSL\s0 v2.
+.Ip "\fBStart Time\fR" 4
+.IX Item "Start Time"
+this is the session start time represented as an integer in standard Unix format.
+.Ip "\fBTimeout\fR" 4
+.IX Item "Timeout"
+the timeout in seconds.
+.Ip "\fBVerify return code\fR" 4
+.IX Item "Verify return code"
+this is the return code when an \s-1SSL\s0 client certificate is verified.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 encoded session format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN SSL SESSION PARAMETERS-----
+\& -----END SSL SESSION PARAMETERS-----
+.Ve
+Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents
+of an encrypted session using this information. Therefore appropriate security precautions
+should be taken if the information is being output by a \*(L"real\*(R" application. This is
+however strongly discouraged and should only be used for debugging purposes.
+.SH "BUGS"
+.IX Header "BUGS"
+The cipher and start time should be printed out in human readable form.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+ciphers(1), s_server(1)
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
new file mode 100644
index 0000000..1934b8c
--- /dev/null
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -0,0 +1,473 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:29 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "smime 3"
+.TH smime 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+smime \- S/MIME utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBsmime\fR
+[\fB\-encrypt\fR]
+[\fB\-decrypt\fR]
+[\fB\-sign\fR]
+[\fB\-verify\fR]
+[\fB\-pk7out\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-rc2\-40\fR]
+[\fB\-rc2\-64\fR]
+[\fB\-rc2\-128\fR]
+[\fB\-in file\fR]
+[\fB\-certfile file\fR]
+[\fB\-signer file\fR]
+[\fB\-recip  file\fR]
+[\fB\-inform SMIME|PEM|DER\fR]
+[\fB\-passin arg\fR]
+[\fB\-inkey file\fR]
+[\fB\-out file\fR]
+[\fB\-outform SMIME|PEM|DER\fR]
+[\fB\-content file\fR]
+[\fB\-to addr\fR]
+[\fB\-from ad\fR]
+[\fB\-subject s\fR]
+[\fB\-text\fR]
+[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[cert.pem]...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
+verify S/MIME messages.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+There are five operation options that set the type of operation to be performed.
+The meaning of the other options varies according to the operation type.
+.Ip "\fB\-encrypt\fR" 4
+.IX Item "-encrypt"
+encrypt mail for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
+.Ip "\fB\-decrypt\fR" 4
+.IX Item "-decrypt"
+decrypt mail using the supplied certificate and private key. Expects an
+encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
+is written to the output file.
+.Ip "\fB\-sign\fR" 4
+.IX Item "-sign"
+sign mail using the supplied certificate and private key. Input file is
+the message to be signed. The signed message in \s-1MIME\s0 format is written
+to the output file.
+.Ip "\fB\-verify\fR" 4
+.IX Item "-verify"
+verify signed mail. Expects a signed mail message on input and outputs
+the signed data. Both clear text and opaque signing is supported.
+.Ip "\fB\-pk7out\fR" 4
+.IX Item "-pk7out"
+takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+the input message to be encrypted or signed or the \s-1MIME\s0 message to
+be decrypted or verified.
+.Ip "\fB\-inform SMIME|PEM|DER\fR" 4
+.IX Item "-inform SMIME|PEM|DER"
+this specifies the input format for the PKCS#7 structure. The default
+is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
+format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
+instead. This currently only affects the input format of the PKCS#7
+structure, if no PKCS#7 structure is being input (for example with
+\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the message text that has been decrypted or verified or the output \s-1MIME\s0
+format message that has been signed or verified.
+.Ip "\fB\-outform SMIME|PEM|DER\fR" 4
+.IX Item "-outform SMIME|PEM|DER"
+this specifies the output format for the PKCS#7 structure. The default
+is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
+format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
+instead. This currently only affects the output format of the PKCS#7
+structure, if no PKCS#7 structure is being output (for example with
+\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
+.Ip "\fB\-content filename\fR" 4
+.IX Item "-content filename"
+This specifies a file containing the detached content, this is only
+useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of \s-1MIME\s0 
+type text/plain then an error occurs.
+.Ip "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
+.Ip "\fB\-CApath dir\fR" 4
+.IX Item "-CApath dir"
+a directory containing trusted \s-1CA\s0 certificates, only used with
+\&\fB\-verify\fR. This directory must be a standard certificate directory: that
+is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
+to each certificate.
+.Ip "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128\fR" 4
+.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128"
+the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits)
+or 40, 64 or 128 bit \s-1RC2\s0 respectively if not specified 40 bit \s-1RC2\s0 is
+used. Only used with \fB\-encrypt\fR.
+.Ip "\fB\-nointern\fR" 4
+.IX Item "-nointern"
+when verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the \fB\-certfile\fR option are used.
+The supplied certificates can still be used as untrusted CAs however.
+.Ip "\fB\-noverify\fR" 4
+.IX Item "-noverify"
+do not verify the signers certificate of a signed message.
+.Ip "\fB\-nochain\fR" 4
+.IX Item "-nochain"
+do not do chain verification of signers certificates: that is don't
+use the certificates in the signed message as untrusted CAs.
+.Ip "\fB\-nosigs\fR" 4
+.IX Item "-nosigs"
+don't try to verify the signatures on the message.
+.Ip "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+when signing a message the signer's certificate is normally included
+with this option it is excluded. This will reduce the size of the
+signed message but the verifier must have a copy of the signers certificate
+available locally (passed using the \fB\-certfile\fR option for example).
+.Ip "\fB\-noattr\fR" 4
+.IX Item "-noattr"
+normally when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms. With this
+option they are not included.
+.Ip "\fB\-binary\fR" 4
+.IX Item "-binary"
+normally the input message is converted to \*(L"canonical\*(R" format which is
+effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
+specification. When this option is present no translation occurs. This
+is useful when handling binary data which may not be in \s-1MIME\s0 format.
+.Ip "\fB\-nodetach\fR" 4
+.IX Item "-nodetach"
+when signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME.  Without this option cleartext signing with
+the \s-1MIME\s0 type multipart/signed is used.
+.Ip "\fB\-certfile file\fR" 4
+.IX Item "-certfile file"
+allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates. The certificates should be in \s-1PEM\s0 format.
+.Ip "\fB\-signer file\fR" 4
+.IX Item "-signer file"
+the signers certificate when signing a message. If a message is
+being verified then the signers certificates will be written to this
+file if the verification was successful.
+.Ip "\fB\-recip file\fR" 4
+.IX Item "-recip file"
+the recipients certificate when decrypting a message. This certificate
+must match one of the recipients of the message or an error occurs.
+.Ip "\fB\-inkey file\fR" 4
+.IX Item "-inkey file"
+the private key to use when signing or decrypting. This must match the
+corresponding certificate. If this option is not specified then the
+private key must be included in the certificate file specified with
+the \fB\-recip\fR or \fB\-signer\fR file.
+.Ip "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the private key password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
+.IX Item "-rand file"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.Ip "\fBcert.pem...\fR" 4
+.IX Item "cert.pem..."
+one or more certificates of message recipients: used when encrypting
+a message. 
+.Ip "\fB\-to, \-from, \-subject\fR" 4
+.IX Item "-to, -from, -subject"
+the relevant mail headers. These are included outside the signed
+portion of a message so they may be included manually. If signing
+then many S/MIME mail clients check the signers certificate's email
+address matches that specified in the From: address.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1MIME\s0 message must be sent without any blank lines between the
+headers and the output. Some mail programs will automatically add
+a blank line. Piping the mail directly to sendmail is one way to
+achieve the correct format.
+.PP
+The supplied message to be signed or encrypted must include the
+necessary \s-1MIME\s0 headers or many S/MIME clients wont display it
+properly (if at all). You can use the \fB\-text\fR option to automatically
+add plain text headers.
+.PP
+A \*(L"signed and encrypted\*(R" message is one where a signed message is
+then encrypted. This can be produced by encrypting an already signed
+message: see the examples section.
+.PP
+This version of the program only allows one signer per message but it
+will verify multiple signers on received messages. Some S/MIME clients
+choke if a message contains multiple signers. It is possible to sign
+messages \*(L"in parallel\*(R" by signing an already signed message.
+.PP
+The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
+clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
+encrypted data is used for other purposes.
+.SH "EXIT CODES"
+.IX Header "EXIT CODES"
+.Ip "0" 4
+the operation was completely successfully.
+.Ip "1" 4
+.IX Item "1"
+an error occurred parsing the command options.
+.Ip "2" 4
+.IX Item "2"
+one of the input files could not be read.
+.Ip "3" 4
+.IX Item "3"
+an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
+message.
+.Ip "4" 4
+.IX Item "4"
+an error occurred decrypting or verifying the message.
+.Ip "5" 4
+.IX Item "5"
+the message was verified correctly but an error occurred writing out
+the signers certificates.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Create a cleartext signed message:
+.PP
+.Vb 2
+\& openssl smime -sign -in message.txt -text -out mail.msg \e
+\&        -signer mycert.pem
+.Ve
+Create and opaque signed message
+.PP
+.Vb 2
+\& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
+\&        -signer mycert.pem
+.Ve
+Create a signed message, include some additional certificates and
+read the private key from another file:
+.PP
+.Vb 2
+\& openssl smime -sign -in in.txt -text -out mail.msg \e
+\&        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+.Ve
+Send a signed message under Unix directly to sendmail, including headers:
+.PP
+.Vb 3
+\& openssl smime -sign -in in.txt -text -signer mycert.pem \e
+\&        -from steve@openssl.org -to someone@somewhere \e
+\&        -subject "Signed message" | sendmail someone@somewhere
+.Ve
+Verify a message and extract the signer's certificate if successful:
+.PP
+.Vb 1
+\& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
+.Ve
+Send encrypted mail using triple \s-1DES:\s0
+.PP
+.Vb 3
+\& openssl smime -encrypt -in in.txt -from steve@openssl.org \e
+\&        -to someone@somewhere -subject "Encrypted message" \e
+\&        -des3 user.pem -out mail.msg
+.Ve
+Sign and encrypt mail:
+.PP
+.Vb 4
+\& openssl smime -sign -in ml.txt -signer my.pem -text \e
+\&        | openssl smime -encrypt -out mail.msg \e
+\&        -from steve@openssl.org -to someone@somewhere \e
+\&        -subject "Signed and Encrypted message" -des3 user.pem
+.Ve
+Note: the encryption command does not include the \fB\-text\fR option because the message
+being encrypted already has \s-1MIME\s0 headers.
+.PP
+Decrypt mail:
+.PP
+.Vb 1
+\& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
+.Ve
+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format. You can use this program to verify the
+signature by line wrapping the base64 encoded structure and surrounding
+it with:
+.PP
+.Vb 2
+\& -----BEGIN PKCS7-----
+\& -----END PKCS7-----
+.Ve
+and using the command, 
+.PP
+.Vb 1
+\& openssl smime -verify -inform PEM -in signature.pem -content content.txt
+.Ve
+alternatively you can base64 decode the signature and use
+.PP
+.Vb 1
+\& openssl smime -verify -inform DER -in signature.der -content content.txt
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
+at it but it may choke on others.
+.PP
+The code currently will only write out the signer's certificate to a file: if the
+signer has a separate encryption certificate this must be manually extracted. There
+should be some heuristic that determines the correct encryption certificate.
+.PP
+Ideally a database should be maintained of a certificates for each email address.
+.PP
+The code doesn't currently take note of the permitted symmetric encryption
+algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+user has to manually include the correct encryption algorithm. It should store
+the list of permitted ciphers in a database and only use those.
+.PP
+No revocation checking is done on the signer's certificate.
+.PP
+The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
+structures may cause parsing errors.
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
new file mode 100644
index 0000000..db174ab
--- /dev/null
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -0,0 +1,188 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:31 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "speed 3"
+.TH speed 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+speed \- test library performance
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl speed\fR
+[\fB\-engine id\fR]
+[\fBmd2\fR]
+[\fBmdc2\fR]
+[\fBmd5\fR]
+[\fBhmac\fR]
+[\fBsha1\fR]
+[\fBrmd160\fR]
+[\fBidea-cbc\fR]
+[\fBrc2\-cbc\fR]
+[\fBrc5\-cbc\fR]
+[\fBbf-cbc\fR]
+[\fBdes-cbc\fR]
+[\fBdes-ede3\fR]
+[\fBrc4\fR]
+[\fBrsa512\fR]
+[\fBrsa1024\fR]
+[\fBrsa2048\fR]
+[\fBrsa4096\fR]
+[\fBdsa512\fR]
+[\fBdsa1024\fR]
+[\fBdsa2048\fR]
+[\fBidea\fR]
+[\fBrc2\fR]
+[\fBdes\fR]
+[\fBrsa\fR]
+[\fBblowfish\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to test the performance of cryptographic algorithms.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by it's unique \fBid\fR string) will cause \fBspeed\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.Ip "\fB[zero or more test algorithms]\fR" 4
+.IX Item "[zero or more test algorithms]"
+If any options are given, \fBspeed\fR tests those algorithms, otherwise all of
+the above are tested.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
new file mode 100644
index 0000000..96a7211
--- /dev/null
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -0,0 +1,248 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:32 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "spkac 3"
+.TH spkac 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+spkac \- \s-1SPKAC\s0 printing and generating utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBspkac\fR
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-key keyfile\fR]
+[\fB\-passin arg\fR]
+[\fB\-challenge string\fR]
+[\fB\-pubkey\fR]
+[\fB\-spkac spkacname\fR]
+[\fB\-spksect section\fR]
+[\fB\-noout\fR]
+[\fB\-verify\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBspkac\fR command processes Netscape signed public key and challenge
+(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
+produce its own SPKACs from a supplied private key.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read from or standard input if this
+option is not specified. Ignored if the \fB\-key\fR option is used.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-key keyfile\fR" 4
+.IX Item "-key keyfile"
+create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
+\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
+present.
+.Ip "\fB\-passin password\fR" 4
+.IX Item "-passin password"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
+.Ip "\fB\-challenge string\fR" 4
+.IX Item "-challenge string"
+specifies the challenge string if an \s-1SPKAC\s0 is being created.
+.Ip "\fB\-spkac spkacname\fR" 4
+.IX Item "-spkac spkacname"
+allows an alternative name form the variable containing the
+\&\s-1SPKAC\s0. The default is \*(L"\s-1SPKAC\s0\*(R". This option affects both
+generated and input \s-1SPKAC\s0 files.
+.Ip "\fB\-spksect section\fR" 4
+.IX Item "-spksect section"
+allows an alternative name form the section containing the
+\&\s-1SPKAC\s0. The default is the default section.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+don't output the text version of the \s-1SPKAC\s0 (not used if an
+\&\s-1SPKAC\s0 is being created).
+.Ip "\fB\-pubkey\fR" 4
+.IX Item "-pubkey"
+output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
+being created).
+.Ip "\fB\-verify\fR" 4
+.IX Item "-verify"
+verifies the digital signature on the supplied \s-1SPKAC\s0.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Print out the contents of an \s-1SPKAC:\s0
+.PP
+.Vb 1
+\& openssl spkac -in spkac.cnf
+.Ve
+Verify the signature of an \s-1SPKAC:\s0
+.PP
+.Vb 1
+\& openssl spkac -in spkac.cnf -noout -verify
+.Ve
+Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
+.PP
+.Vb 1
+\& openssl spkac -key key.pem -challenge hello -out spkac.cnf
+.Ve
+Example of an \s-1SPKAC\s0, (long lines split up for clarity):
+.PP
+.Vb 5
+\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
+\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
+\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
+\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
+\& 4=
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
+the \fBca\fR utility.
+.PP
+SPKACs are typically generated by Netscape when a form is submitted
+containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
+process.
+.PP
+The challenge string permits a primitive form of proof of possession
+of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
+string some guarantee is given that the user knows the private key
+corresponding to the public key being certified. This is important in
+some applications. Without this it is possible for a previous \s-1SPKAC\s0
+to be used in a \*(L"replay attack\*(R".
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+ca(1)
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
new file mode 100644
index 0000000..f9b7d6a
--- /dev/null
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -0,0 +1,408 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:33 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "verify 3"
+.TH verify 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+verify \- Utility to verify certificates.
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBverify\fR
+[\fB\-CApath directory\fR]
+[\fB\-CAfile file\fR]
+[\fB\-purpose purpose\fR]
+[\fB\-untrusted file\fR]
+[\fB\-help\fR]
+[\fB\-issuer_checks\fR]
+[\fB\-verbose\fR]
+[\fB-\fR]
+[certificates]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBverify\fR command verifies certificate chains.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.Ip "\fB\-CApath directory\fR" 4
+.IX Item "-CApath directory"
+A directory of trusted certificates. The certificates should have names
+of the form: hash.0 or have symbolic links to them of this
+form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
+of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
+create symbolic links to a directory of certificates.
+.Ip "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+A file of trusted certificates. The file should contain multiple certificates
+in \s-1PEM\s0 format concatenated together.
+.Ip "\fB\-untrusted file\fR" 4
+.IX Item "-untrusted file"
+A file of untrusted certificates. The file should contain multiple certificates
+.Ip "\fB\-purpose purpose\fR" 4
+.IX Item "-purpose purpose"
+the intended use for the certificate. Without this option no chain verification
+will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR,
+\&\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR
+section for more information.
+.Ip "\fB\-help\fR" 4
+.IX Item "-help"
+prints out a usage message.
+.Ip "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+print extra information about the operations being performed.
+.Ip "\fB\-issuer_checks\fR" 4
+.IX Item "-issuer_checks"
+print out diagnostics relating to searches for the issuer certificate
+of the current certificate. This shows why each candidate issuer
+certificate was rejected. However the presence of rejection messages
+does not itself imply that anything is wrong: during the normal
+verify process several rejections may take place.
+.Ip "\fB-\fR" 4
+.IX Item "-"
+marks the last option. All arguments following this are assumed to be
+certificate files. This is useful if the first certificate filename begins
+with a \fB-\fR.
+.Ip "\fBcertificates\fR" 4
+.IX Item "certificates"
+one or more certificates to verify. If no certificate filenames are included
+then an attempt is made to read a certificate from standard input. They should
+all be in \s-1PEM\s0 format.
+.SH "VERIFY OPERATION"
+.IX Header "VERIFY OPERATION"
+The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
+verification, therefore this description applies to these verify operations
+too.
+.PP
+There is one crucial difference between the verify operations performed
+by the \fBverify\fR program: wherever possible an attempt is made to continue
+after an error whereas normally the verify operation would halt on the
+first error. This allows all the problems with a certificate chain to be
+determined.
+.PP
+The verify operation consists of a number of separate steps.
+.PP
+Firstly a certificate chain is built up starting from the supplied certificate
+and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
+up. The chain is built up by looking up the issuers certificate of the current
+certificate. If a certificate is found which is its own issuer it is assumed 
+to be the root \s-1CA\s0.
+.PP
+The process of 'looking up the issuers certificate' itself involves a number
+of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
+subject name matched the issuer of the current certificate was assumed to be
+the issuers certificate. In OpenSSL 0.9.6 and later all certificates
+whose subject name matches the issuer name of the current certificate are 
+subject to further tests. The relevant authority key identifier components
+of the current certificate (if present) must match the subject key identifier
+(if present) and issuer and serial number of the candidate issuer, in addition
+the keyUsage extension of the candidate issuer (if present) must permit
+certificate signing.
+.PP
+The lookup first looks in the list of untrusted certificates and if no match
+is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
+is always looked up in the trusted certificate list: if the certificate to
+verify is a root certificate then an exact match must be found in the trusted
+list.
+.PP
+The second operation is to check every untrusted certificate's extensions for
+consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
+then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
+compatible with the supplied purpose and all other certificates must also be valid
+\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
+the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
+.PP
+The third operation is to check the trust settings on the root \s-1CA\s0. The root
+\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
+versions of SSLeay and OpenSSL a certificate with no trust settings is considered
+to be valid for all purposes. 
+.PP
+The final operation is to check the validity of the certificate chain. The validity
+period is checked against the current system time and the notBefore and notAfter
+dates in the certificate. The certificate signatures are also checked at this
+point.
+.PP
+If all operations complete successfully then certificate is considered valid. If
+any operation fails then the certificate is not valid.
+.SH "DIAGNOSTICS"
+.IX Header "DIAGNOSTICS"
+When a verify operation fails the output messages can be somewhat cryptic. The
+general form of the error message is:
+.PP
+.Vb 2
+\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+\& error 24 at 1 depth lookup:invalid CA certificate
+.Ve
+The first line contains the name of the certificate being verified followed by
+the subject name of the certificate. The second line contains the error number
+and the depth. The depth is number of the certificate being verified when a
+problem was detected starting with zero for the certificate being verified itself
+then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
+of the error number is presented.
+.PP
+An exhaustive list of the error codes and messages is shown below, this also
+includes the name of the error code as defined in the header file x509_vfy.h
+Some of the error codes are defined but never returned: these are described
+as \*(L"unused\*(R".
+.Ip "\fB0 X509_V_OK: ok\fR" 4
+.IX Item "0 X509_V_OK: ok"
+the operation was successful.
+.Ip "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
+.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
+the issuer certificate could not be found: this occurs if the issuer certificate
+of an untrusted certificate cannot be found.
+.Ip "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4
+.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL"
+the \s-1CRL\s0 of a certificate could not be found. Unused.
+.Ip "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
+.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
+the certificate signature could not be decrypted. This means that the actual signature value
+could not be determined rather than it not matching the expected value, this is only
+meaningful for \s-1RSA\s0 keys.
+.Ip "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
+.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
+the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
+could not be determined rather than it not matching the expected value. Unused.
+.Ip "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
+.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
+the public key in the certificate SubjectPublicKeyInfo could not be read.
+.Ip "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
+.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
+the signature of the certificate is invalid.
+.Ip "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
+.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
+the signature of the certificate is invalid. Unused.
+.Ip "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
+.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
+the certificate is not yet valid: the notBefore date is after the current time.
+.Ip "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
+.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
+the certificate has expired: that is the notAfter date is before the current time.
+.Ip "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
+.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
+the \s-1CRL\s0 is not yet valid. Unused.
+.Ip "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
+.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
+the \s-1CRL\s0 has expired. Unused.
+.Ip "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
+.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
+the certificate notBefore field contains an invalid time.
+.Ip "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
+.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
+the certificate notAfter field contains an invalid time.
+.Ip "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
+.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
+the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused.
+.Ip "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
+.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
+the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused.
+.Ip "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
+.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
+an error occurred trying to allocate memory. This should never happen.
+.Ip "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
+.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
+the passed certificate is self signed and the same certificate cannot be found in the list of
+trusted certificates.
+.Ip "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
+.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
+the certificate chain could be built up using the untrusted certificates but the root could not
+be found locally.
+.Ip "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
+.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
+the issuer certificate of a locally looked up certificate could not be found. This normally means
+the list of trusted certificates is not complete.
+.Ip "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
+.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
+no signatures could be verified because the chain contains only one certificate and it is not
+self signed.
+.Ip "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
+.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
+the certificate chain length is greater than the supplied maximum depth. Unused.
+.Ip "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
+.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
+the certificate has been revoked. Unused.
+.Ip "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
+.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
+a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
+with the supplied purpose.
+.Ip "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
+.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
+the basicConstraints pathlength parameter has been exceeded.
+.Ip "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
+.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
+the supplied certificate cannot be used for the specified purpose.
+.Ip "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
+.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
+the root \s-1CA\s0 is not marked as trusted for the specified purpose.
+.Ip "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
+.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected"
+the root \s-1CA\s0 is marked to reject the specified purpose.
+.Ip "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
+.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
+the current candidate issuer certificate was rejected because its subject name
+did not match the issuer name of the current certificate. Only displayed when
+the \fB\-issuer_checks\fR option is set.
+.Ip "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
+.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
+the current candidate issuer certificate was rejected because its subject key
+identifier was present and did not match the authority key identifier current
+certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
+.Ip "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
+.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
+the current candidate issuer certificate was rejected because its issuer name
+and serial number was present and did not match the authority key identifier
+of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
+.Ip "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
+.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
+the current candidate issuer certificate was rejected because its keyUsage extension
+does not permit certificate signing.
+.Ip "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
+.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
+an application specific error. Unused.
+.SH "BUGS"
+.IX Header "BUGS"
+Although the issuer checks are a considerably improvement over the old technique they still
+suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
+trusted certificates with matching subject name must either appear in a file (as specified by the
+\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
+the certificates in the file will be recognised.
+.PP
+Previous versions of OpenSSL assume certificates with matching subject name are identical and
+mishandled them.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+x509(1)
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
new file mode 100644
index 0000000..6337fe9
--- /dev/null
+++ b/secure/usr.bin/openssl/man/version.1
@@ -0,0 +1,186 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:34 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "version 3"
+.TH version 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+version \- print OpenSSL version information
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl version\fR
+[\fB\-a\fR]
+[\fB\-v\fR]
+[\fB\-b\fR]
+[\fB\-o\fR]
+[\fB\-f\fR]
+[\fB\-p\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to print out version information about OpenSSL.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Ip "\fB\-a\fR" 4
+.IX Item "-a"
+all information, this is the same as setting all the other flags.
+.Ip "\fB\-v\fR" 4
+.IX Item "-v"
+the current OpenSSL version.
+.Ip "\fB\-b\fR" 4
+.IX Item "-b"
+the date the current version of OpenSSL was built.
+.Ip "\fB\-o\fR" 4
+.IX Item "-o"
+option information: various options set when the library was built.
+.Ip "\fB\-c\fR" 4
+.IX Item "-c"
+compilation flags.
+.Ip "\fB\-p\fR" 4
+.IX Item "-p"
+platform setting.
+.Ip "\fB\-d\fR" 4
+.IX Item "-d"
+\&\s-1OPENSSLDIR\s0 setting.
+.SH "NOTES"
+.IX Header "NOTES"
+The output of \fBopenssl version \-a\fR would typically be used when sending
+in a bug report.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-d\fR option was added in OpenSSL 0.9.7.
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
new file mode 100644
index 0000000..d1530c5
--- /dev/null
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -0,0 +1,829 @@
+.\" Automatically generated by Pod::Man version 1.15
+.\" Sun Jan 12 18:05:35 2003
+.\"
+.\" Standard preamble:
+.\" ======================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
+.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
+.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr
+.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
+.\" index entries marked with X<> in POD.  Of course, you'll have to process
+.\" the output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it
+.\" makes way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.bd B 3
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ======================================================================
+.\"
+.IX Title "x509 3"
+.TH x509 3 "0.9.7" "2003-01-12" "OpenSSL"
+.UC
+.SH "NAME"
+x509 \- Certificate display and signing utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBx509\fR
+[\fB\-inform DER|PEM|NET\fR]
+[\fB\-outform DER|PEM|NET\fR]
+[\fB\-keyform DER|PEM\fR]
+[\fB\-CAform DER|PEM\fR]
+[\fB\-CAkeyform DER|PEM\fR]
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-serial\fR]
+[\fB\-hash\fR]
+[\fB\-subject\fR]
+[\fB\-issuer\fR]
+[\fB\-nameopt option\fR]
+[\fB\-email\fR]
+[\fB\-startdate\fR]
+[\fB\-enddate\fR]
+[\fB\-purpose\fR]
+[\fB\-dates\fR]
+[\fB\-modulus\fR]
+[\fB\-fingerprint\fR]
+[\fB\-alias\fR]
+[\fB\-noout\fR]
+[\fB\-trustout\fR]
+[\fB\-clrtrust\fR]
+[\fB\-clrreject\fR]
+[\fB\-addtrust arg\fR]
+[\fB\-addreject arg\fR]
+[\fB\-setalias arg\fR]
+[\fB\-days arg\fR]
+[\fB\-set_serial n\fR]
+[\fB\-signkey filename\fR]
+[\fB\-x509toreq\fR]
+[\fB\-req\fR]
+[\fB\-CA filename\fR]
+[\fB\-CAkey filename\fR]
+[\fB\-CAcreateserial\fR]
+[\fB\-CAserial filename\fR]
+[\fB\-text\fR]
+[\fB\-C\fR]
+[\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
+[\fB\-clrext\fR]
+[\fB\-extfile filename\fR]
+[\fB\-extensions section\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBx509\fR command is a multi purpose certificate utility. It can be
+used to display certificate information, convert certificates to
+various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit
+certificate trust settings.
+.PP
+Since there are a large number of options they will split up into
+various sections.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.Sh "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
+.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
+.Ip "\fB\-inform DER|PEM|NET\fR" 4
+.IX Item "-inform DER|PEM|NET"
+This specifies the input format normally the command will expect an X509
+certificate but this can change if other options such as \fB\-req\fR are
+present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
+is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
+added. The \s-1NET\s0 option is an obscure Netscape server format that is now
+obsolete.
+.Ip "\fB\-outform DER|PEM|NET\fR" 4
+.IX Item "-outform DER|PEM|NET"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.Ip "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a certificate from or standard input
+if this option is not specified.
+.Ip "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write to or standard output by
+default.
+.Ip "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
+.IX Item "-md2|-md5|-sha1|-mdc2"
+the digest to use. This affects any signing or display option that uses a message
+digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
+specified then \s-1MD5\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key then
+this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
+.Sh "\s-1DISPLAY\s0 \s-1OPTIONS\s0"
+.IX Subsection "DISPLAY OPTIONS"
+Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
+but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
+.Ip "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the certificate in text form. Full details are output including the
+public key, signature algorithms, issuer and subject names, serial number
+any extensions present and any trust settings.
+.Ip "\fB\-certopt option\fR" 4
+.IX Item "-certopt option"
+customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
+a single option or multiple options separated by commas. The \fB\-certopt\fR switch
+may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
+section for more information.
+.Ip "\fB\-noout\fR" 4
+.IX Item "-noout"
+this option prevents output of the encoded version of the request.
+.Ip "\fB\-modulus\fR" 4
+.IX Item "-modulus"
+this option prints out the value of the modulus of the public key
+contained in the certificate.
+.Ip "\fB\-serial\fR" 4
+.IX Item "-serial"
+outputs the certificate serial number.
+.Ip "\fB\-hash\fR" 4
+.IX Item "-hash"
+outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
+form an index to allow certificates in a directory to be looked up by subject
+name.
+.Ip "\fB\-subject\fR" 4
+.IX Item "-subject"
+outputs the subject name.
+.Ip "\fB\-issuer\fR" 4
+.IX Item "-issuer"
+outputs the issuer name.
+.Ip "\fB\-nameopt option\fR" 4
+.IX Item "-nameopt option"
+option which determines how the subject or issuer names are displayed. The
+\&\fBoption\fR argument can be a single option or multiple options separated by
+commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
+set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
+.Ip "\fB\-email\fR" 4
+.IX Item "-email"
+outputs the email address(es) if any.
+.Ip "\fB\-startdate\fR" 4
+.IX Item "-startdate"
+prints out the start date of the certificate, that is the notBefore date.
+.Ip "\fB\-enddate\fR" 4
+.IX Item "-enddate"
+prints out the expiry date of the certificate, that is the notAfter date.
+.Ip "\fB\-dates\fR" 4
+.IX Item "-dates"
+prints out the start and expiry dates of a certificate.
+.Ip "\fB\-fingerprint\fR" 4
+.IX Item "-fingerprint"
+prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
+(see digest options).
+.Ip "\fB\-C\fR" 4
+.IX Item "-C"
+this outputs the certificate in the form of a C source file.
+.Sh "\s-1TRUST\s0 \s-1SETTINGS\s0"
+.IX Subsection "TRUST SETTINGS"
+Please note these options are currently experimental and may well change.
+.PP
+A \fBtrusted certificate\fR is an ordinary certificate which has several
+additional pieces of information attached to it such as the permitted
+and prohibited uses of the certificate and an \*(L"alias\*(R".
+.PP
+Normally when a certificate is being verified at least one certificate
+must be \*(L"trusted\*(R". By default a trusted certificate must be stored
+locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
+is then usable for any purpose.
+.PP
+Trust settings currently are only used with a root \s-1CA\s0. They allow a finer
+control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
+may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
+.PP
+See the description of the \fBverify\fR utility for more information on the
+meaning of trust settings.
+.PP
+Future versions of OpenSSL will recognize trust settings on any
+certificate: not just root CAs.
+.Ip "\fB\-trustout\fR" 4
+.IX Item "-trustout"
+this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
+or trusted certificate can be input but by default an ordinary
+certificate is output and any trust settings are discarded. With the
+\&\fB\-trustout\fR option a trusted certificate is output. A trusted
+certificate is automatically output if any trust settings are modified.
+.Ip "\fB\-setalias arg\fR" 4
+.IX Item "-setalias arg"
+sets the alias of the certificate. This will allow the certificate
+to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
+.Ip "\fB\-alias\fR" 4
+.IX Item "-alias"
+outputs the certificate alias, if any.
+.Ip "\fB\-clrtrust\fR" 4
+.IX Item "-clrtrust"
+clears all the permitted or trusted uses of the certificate.
+.Ip "\fB\-clrreject\fR" 4
+.IX Item "-clrreject"
+clears all the prohibited or rejected uses of the certificate.
+.Ip "\fB\-addtrust arg\fR" 4
+.IX Item "-addtrust arg"
+adds a trusted certificate use. Any object name can be used here
+but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
+(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
+Other OpenSSL applications may define additional uses.
+.Ip "\fB\-addreject arg\fR" 4
+.IX Item "-addreject arg"
+adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
+option.
+.Ip "\fB\-purpose\fR" 4
+.IX Item "-purpose"
+this option performs tests on the certificate extensions and outputs
+the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
+\&\s-1EXTENSIONS\s0\fR section.
+.Sh "\s-1SIGNING\s0 \s-1OPTIONS\s0"
+.IX Subsection "SIGNING OPTIONS"
+The \fBx509\fR utility can be used to sign certificates and requests: it
+can thus behave like a \*(L"mini \s-1CA\s0\*(R".
+.Ip "\fB\-signkey filename\fR" 4
+.IX Item "-signkey filename"
+this option causes the input file to be self signed using the supplied
+private key. 
+.Sp
+If the input file is a certificate it sets the issuer name to the
+subject name (i.e.  makes it self signed) changes the public key to the
+supplied value and changes the start and end dates. The start date is
+set to the current time and the end date is set to a value determined
+by the \fB\-days\fR option. Any certificate extensions are retained unless
+the \fB\-clrext\fR option is supplied.
+.Sp
+If the input is a certificate request then a self signed certificate
+is created using the supplied private key using the subject name in
+the request.
+.Ip "\fB\-clrext\fR" 4
+.IX Item "-clrext"
+delete any extensions from a certificate. This option is used when a
+certificate is being created from another certificate (for example with
+the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
+retained.
+.Ip "\fB\-keyform PEM|DER\fR" 4
+.IX Item "-keyform PEM|DER"
+specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
+\&\fB\-signkey\fR option.
+.Ip "\fB\-days arg\fR" 4
+.IX Item "-days arg"
+specifies the number of days to make a certificate valid for. The default
+is 30 days.
+.Ip "\fB\-x509toreq\fR" 4
+.IX Item "-x509toreq"
+converts a certificate into a certificate request. The \fB\-signkey\fR option
+is used to pass the required private key.
+.Ip "\fB\-req\fR" 4
+.IX Item "-req"
+by default a certificate is expected on input. With this option a
+certificate request is expected instead.
+.Ip "\fB\-set_serial n\fR" 4
+.IX Item "-set_serial n"
+specifies the serial number to use. This option can be used with either
+the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
+option the serial number file (as specified by the \fB\-CAserial\fR or
+\&\fB\-CAcreateserial\fR options) is not used.
+.Sp
+The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
+serial numbers can also be specified but their use is not recommended.
+.Ip "\fB\-CA filename\fR" 4
+.IX Item "-CA filename"
+specifies the \s-1CA\s0 certificate to be used for signing. When this option is
+present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
+\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
+of the \s-1CA\s0 and it is digitally signed using the CAs private key.
+.Sp
+This option is normally combined with the \fB\-req\fR option. Without the
+\&\fB\-req\fR option the input is a certificate which must be self signed.
+.Ip "\fB\-CAkey filename\fR" 4
+.IX Item "-CAkey filename"
+sets the \s-1CA\s0 private key to sign a certificate with. If this option is
+not specified then it is assumed that the \s-1CA\s0 private key is present in
+the \s-1CA\s0 certificate file.
+.Ip "\fB\-CAserial filename\fR" 4
+.IX Item "-CAserial filename"
+sets the \s-1CA\s0 serial number file to use.
+.Sp
+When the \fB\-CA\fR option is used to sign a certificate it uses a serial
+number specified in a file. This file consist of one line containing
+an even number of hex digits with the serial number to use. After each
+use the serial number is incremented and written out to the file again.
+.Sp
+The default filename consists of the \s-1CA\s0 certificate file base name with
+\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called 
+\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
+.Ip "\fB\-CAcreateserial\fR" 4
+.IX Item "-CAcreateserial"
+with this option the \s-1CA\s0 serial number file is created if it does not exist:
+it will contain the serial number \*(L"02\*(R" and the certificate being signed will
+have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified
+and the serial number file does not exist it is an error.
+.Ip "\fB\-extfile filename\fR" 4
+.IX Item "-extfile filename"
+file containing certificate extensions to use. If not specified then
+no extensions are added to the certificate.
+.Ip "\fB\-extensions section\fR" 4
+.IX Item "-extensions section"
+the section to add certificate extensions from. If this option is not
+specified then the extensions should either be contained in the unnamed
+(default) section or the default section should contain a variable called
+\&\*(L"extensions\*(R" which contains the section to use.
+.Sh "\s-1NAME\s0 \s-1OPTIONS\s0"
+.IX Subsection "NAME OPTIONS"
+The \fBnameopt\fR command line switch determines how the subject and issuer
+names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
+format is used which is compatible with previous versions of OpenSSL.
+Each option is described in detail below, all options can be preceded by
+a \fB-\fR to turn the option off. Only the first four will normally be used.
+.Ip "\fBcompat\fR" 4
+.IX Item "compat"
+use the old format. This is equivalent to specifying no name options at all.
+.Ip "\fB\s-1RFC2253\s0\fR" 4
+.IX Item "RFC2253"
+displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
+\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
+\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
+.Ip "\fBoneline\fR" 4
+.IX Item "oneline"
+a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
+specifying the  \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
+\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_spc\fR, \fBspc_eq\fR and \fBsname\fR
+options.
+.Ip "\fBmultiline\fR" 4
+.IX Item "multiline"
+a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
+\&\fBspc_eq\fR, \fBlname\fR and \fBalign\fR.
+.Ip "\fBesc_2253\fR" 4
+.IX Item "esc_2253"
+escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is
+\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
+and a space character at the beginning or end of a string.
+.Ip "\fBesc_ctrl\fR" 4
+.IX Item "esc_ctrl"
+escape control characters. That is those with \s-1ASCII\s0 values less than
+0x20 (space) and the delete (0x7f) character. They are escaped using the
+\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
+character value).
+.Ip "\fBesc_msb\fR" 4
+.IX Item "esc_msb"
+escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
+127.
+.Ip "\fBuse_quote\fR" 4
+.IX Item "use_quote"
+escapes some characters by surrounding the whole string with \fB"\fR characters,
+without the option all escaping is done with the \fB\e\fR character.
+.Ip "\fButf8\fR" 4
+.IX Item "utf8"
+convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
+you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
+of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
+display of multibyte (international) characters. Is this option is not
+present then multibyte characters larger than 0xff will be represented
+using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
+Also if this option is off any UTF8Strings will be converted to their
+character form first.
+.Ip "\fBno_type\fR" 4
+.IX Item "no_type"
+this option does not attempt to interpret multibyte characters in any
+way. That is their content octets are merely dumped as though one octet
+represents each character. This is useful for diagnostic purposes but
+will result in rather odd looking output.
+.Ip "\fBshow_type\fR" 4
+.IX Item "show_type"
+show the type of the \s-1ASN1\s0 character string. The type precedes the
+field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
+.Ip "\fBdump_der\fR" 4
+.IX Item "dump_der"
+when this option is set any fields that need to be hexdumped will
+be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
+content octets will be displayed. Both options use the \s-1RFC2253\s0
+\&\fB#XXXX...\fR format.
+.Ip "\fBdump_nostr\fR" 4
+.IX Item "dump_nostr"
+dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
+option is not set then non character string types will be displayed
+as though each content octet represents a single character.
+.Ip "\fBdump_all\fR" 4
+.IX Item "dump_all"
+dump all fields. This option when used with \fBdump_der\fR allows the
+\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
+.Ip "\fBdump_unknown\fR" 4
+.IX Item "dump_unknown"
+dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
+.Ip "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
+.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
+these options determine the field separators. The first character is
+between RDNs and the second between multiple AVAs (multiple AVAs are
+very rare and their use is discouraged). The options ending in
+\&\*(L"space\*(R" additionally place a space after the separator to make it
+more readable. The \fBsep_multiline\fR uses a linefeed character for
+the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
+indents the fields by four characters.
+.Ip "\fBdn_rev\fR" 4
+.IX Item "dn_rev"
+reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
+effect this also reverses the order of multiple AVAs but this is
+permissible.
+.Ip "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
+.IX Item "nofname, sname, lname, oid"
+these options alter how the field name is displayed. \fBnofname\fR does
+not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
+(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
+\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
+diagnostic purpose.
+.Ip "\fBalign\fR" 4
+.IX Item "align"
+align field values for a more readable output. Only usable with
+\&\fBsep_multiline\fR.
+.Ip "\fBspc_eq\fR" 4
+.IX Item "spc_eq"
+places spaces round the \fB=\fR character which follows the field
+name.
+.Sh "\s-1TEXT\s0 \s-1OPTIONS\s0"
+.IX Subsection "TEXT OPTIONS"
+As well as customising the name output format, it is also possible to
+customise the actual fields printed using the \fBcertopt\fR options when
+the \fBtext\fR option is present. The default behaviour is to print all fields.
+.Ip "\fBcompatible\fR" 4
+.IX Item "compatible"
+use the old format. This is equivalent to specifying no output options at all.
+.Ip "\fBno_header\fR" 4
+.IX Item "no_header"
+don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
+.Ip "\fBno_version\fR" 4
+.IX Item "no_version"
+don't print out the version number.
+.Ip "\fBno_serial\fR" 4
+.IX Item "no_serial"
+don't print out the serial number.
+.Ip "\fBno_signame\fR" 4
+.IX Item "no_signame"
+don't print out the signature algorithm used.
+.Ip "\fBno_validity\fR" 4
+.IX Item "no_validity"
+don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
+.Ip "\fBno_subject\fR" 4
+.IX Item "no_subject"
+don't print out the subject name.
+.Ip "\fBno_issuer\fR" 4
+.IX Item "no_issuer"
+don't print out the issuer name.
+.Ip "\fBno_pubkey\fR" 4
+.IX Item "no_pubkey"
+don't print out the public key.
+.Ip "\fBno_sigdump\fR" 4
+.IX Item "no_sigdump"
+don't give a hexadecimal dump of the certificate signature.
+.Ip "\fBno_aux\fR" 4
+.IX Item "no_aux"
+don't print out certificate trust information.
+.Ip "\fBno_extensions\fR" 4
+.IX Item "no_extensions"
+don't print out any X509V3 extensions.
+.Ip "\fBext_default\fR" 4
+.IX Item "ext_default"
+retain default extension behaviour: attempt to print out unsupported certificate extensions.
+.Ip "\fBext_error\fR" 4
+.IX Item "ext_error"
+print an error message for unsupported certificate extensions.
+.Ip "\fBext_parse\fR" 4
+.IX Item "ext_parse"
+\&\s-1ASN1\s0 parse unsupported extensions.
+.Ip "\fBext_dump\fR" 4
+.IX Item "ext_dump"
+hex dump unsupported extensions.
+.Ip "\fBca_default\fR" 4
+.IX Item "ca_default"
+the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
+\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Note: in these examples the '\e' means the example should be all on one
+line.
+.PP
+Display the contents of a certificate:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -text
+.Ve
+Display the certificate serial number:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -serial
+.Ve
+Display the certificate subject name:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -subject
+.Ve
+Display the certificate subject name in \s-1RFC2253\s0 form:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
+.Ve
+Display the certificate subject name in oneline form on a terminal
+supporting \s-1UTF8:\s0
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
+.Ve
+Display the certificate \s-1MD5\s0 fingerprint:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -noout -fingerprint
+.Ve
+Display the certificate \s-1SHA1\s0 fingerprint:
+.PP
+.Vb 1
+\& openssl x509 -sha1 -in cert.pem -noout -fingerprint
+.Ve
+Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
+.PP
+.Vb 1
+\& openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
+.Ve
+Convert a certificate to a certificate request:
+.PP
+.Vb 1
+\& openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+.Ve
+Convert a certificate request into a self signed certificate using
+extensions for a \s-1CA:\s0
+.PP
+.Vb 2
+\& openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \e
+\&        -signkey key.pem -out cacert.pem
+.Ve
+Sign a certificate request using the \s-1CA\s0 certificate above and add user
+certificate extensions:
+.PP
+.Vb 2
+\& openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \e
+\&        -CA cacert.pem -CAkey key.pem -CAcreateserial
+.Ve
+Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
+\&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
+.PP
+.Vb 2
+\& openssl x509 -in cert.pem -addtrust sslclient \e
+\&        -alias "Steve's Class 1 CA" -out trust.pem
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1PEM\s0 format uses the header and footer lines:
+.PP
+.Vb 2
+\& -----BEGIN CERTIFICATE-----
+\& -----END CERTIFICATE-----
+.Ve
+it will also handle files containing:
+.PP
+.Vb 2
+\& -----BEGIN X509 CERTIFICATE-----
+\& -----END X509 CERTIFICATE-----
+.Ve
+Trusted certificates have the lines
+.PP
+.Vb 2
+\& -----BEGIN TRUSTED CERTIFICATE-----
+\& -----END TRUSTED CERTIFICATE-----
+.Ve
+The conversion to \s-1UTF8\s0 format used with the name options assumes that
+T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
+and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
+it is more likely to display the majority of certificates correctly.
+.PP
+The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate.
+This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
+digests the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+.PP
+The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0.
+.PP
+The \fB\-email\fR option searches the subject name and the subject alternative
+name extension. Only unique email addresses will be printed out: it will
+not print the same address more than once.
+.SH "CERTIFICATE EXTENSIONS"
+.IX Header "CERTIFICATE EXTENSIONS"
+The \fB\-purpose\fR option checks the certificate extensions and determines
+what the certificate can be used for. The actual checks done are rather
+complex and include various hacks and workarounds to handle broken
+certificates and software.
+.PP
+The same code is used when verifying untrusted certificates in chains
+so this section is useful if a chain is rejected by the verify code.
+.PP
+The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
+certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0,
+if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the
+\&\s-1CA\s0 flag set to true.
+.PP
+If the basicConstraints extension is absent then the certificate is
+considered to be a \*(L"possible \s-1CA\s0\*(R" other extensions are checked according
+to the intended use of the certificate. A warning is given in this case
+because the certificate should really not be regarded as a \s-1CA:\s0 however
+it is allowed to be a \s-1CA\s0 to work around some broken software.
+.PP
+If the certificate is a V1 certificate (and thus has no extensions) and
+it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
+given: this is to work around the problem of Verisign roots which are V1
+self signed certificates.
+.PP
+If the keyUsage extension is present then additional restraints are
+made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
+keyCertSign bit set if the keyUsage extension is present.
+.PP
+The extended key usage extension places additional restrictions on the
+certificate uses. If this extension is present (whether critical or not)
+the key can only be used for the purposes specified.
+.PP
+A complete description of each test is given below. The comments about
+basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
+\&\s-1CA\s0 certificates.
+.Ip "\fB\s-1SSL\s0 Client\fR" 4
+.IX Item "SSL Client"
+The extended key usage extension must be absent or include the \*(L"web client
+authentication\*(R" \s-1OID\s0.  keyUsage must be absent or it must have the
+digitalSignature bit set. Netscape certificate type must be absent or it must
+have the \s-1SSL\s0 client bit set.
+.Ip "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
+.IX Item "SSL Client CA"
+The extended key usage extension must be absent or include the \*(L"web client
+authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
+the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
+extension is absent.
+.Ip "\fB\s-1SSL\s0 Server\fR" 4
+.IX Item "SSL Server"
+The extended key usage extension must be absent or include the \*(L"web server
+authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  keyUsage must be absent or it
+must have the digitalSignature, the keyEncipherment set or both bits set.
+Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
+.Ip "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
+.IX Item "SSL Server CA"
+The extended key usage extension must be absent or include the \*(L"web server
+authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  Netscape certificate type must
+be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
+basicConstraints extension is absent.
+.Ip "\fBNetscape \s-1SSL\s0 Server\fR" 4
+.IX Item "Netscape SSL Server"
+For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
+keyEncipherment bit set if the keyUsage extension is present. This isn't
+always valid because some cipher suites use the key for digital signing.
+Otherwise it is the same as a normal \s-1SSL\s0 server.
+.Ip "\fBCommon S/MIME Client Tests\fR" 4
+.IX Item "Common S/MIME Client Tests"
+The extended key usage extension must be absent or include the \*(L"email
+protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
+S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
+then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
+this is because some Verisign certificates don't set the S/MIME bit.
+.Ip "\fBS/MIME Signing\fR" 4
+.IX Item "S/MIME Signing"
+In addition to the common S/MIME client tests the digitalSignature bit must
+be set if the keyUsage extension is present.
+.Ip "\fBS/MIME Encryption\fR" 4
+.IX Item "S/MIME Encryption"
+In addition to the common S/MIME tests the keyEncipherment bit must be set
+if the keyUsage extension is present.
+.Ip "\fBS/MIME \s-1CA\s0\fR" 4
+.IX Item "S/MIME CA"
+The extended key usage extension must be absent or include the \*(L"email
+protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
+S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
+extension is absent. 
+.Ip "\fB\s-1CRL\s0 Signing\fR" 4
+.IX Item "CRL Signing"
+The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
+set.
+.Ip "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
+.IX Item "CRL Signing CA"
+The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
+must be present.
+.SH "BUGS"
+.IX Header "BUGS"
+Extensions in certificates are not transferred to certificate requests and
+vice versa.
+.PP
+It is possible to produce invalid certificates or requests by specifying the
+wrong private key or using inconsistent options in some cases: these should
+be checked.
+.PP
+There should be options to explicitly set such things as start and end
+dates rather than an offset from the current time.
+.PP
+The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR
+is currently being developed. It thus describes the intended behaviour rather
+than the current behaviour. It is hoped that it will represent reality in
+OpenSSL 0.9.5 and later.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+req(1), ca(1), genrsa(1),
+gendsa(1), verify(1)