Loading doc/apps/asn1parse.pod +10 −0 Original line number Diff line number Diff line Loading @@ -15,6 +15,8 @@ B<openssl> B<asn1parse> [B<-length number>] [B<-i>] [B<-oid filename>] [B<-dump>] [B<-dlimit num>] [B<-strparse offset>] [B<-genstr string>] [B<-genconf file>] Loading Loading @@ -65,6 +67,14 @@ indents the output according to the "depth" of the structures. a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this file is described in the NOTES section below. =item B<-dump> dump unknown data in hex format. =item B<-dlimit num> like B<-dump>, but only the first B<num> bytes are output. =item B<-strparse offset> parse the contents octets of the ASN.1 object starting at B<offset>. This Loading doc/apps/ca.pod +23 −2 Original line number Diff line number Diff line Loading @@ -13,6 +13,8 @@ B<openssl> B<ca> [B<-name section>] [B<-gencrl>] [B<-revoke file>] [B<-status serial>] [B<-updatedb>] [B<-crl_reason reason>] [B<-crl_hold instruction>] [B<-crl_compromise time>] Loading @@ -26,6 +28,7 @@ B<openssl> B<ca> [B<-md arg>] [B<-policy arg>] [B<-keyfile arg>] [B<-keyform PEM|DER>] [B<-key arg>] [B<-passin arg>] [B<-cert file>] Loading Loading @@ -83,7 +86,7 @@ a single self signed certificate to be signed by the CA. a file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the B<SPKAC FORMAT> section for information on the required format. section for information on the required input and output format. =item B<-infiles> Loading @@ -94,7 +97,7 @@ are assumed to the the names of files containing certificate requests. the output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file. file in PEM format (except that B<-spkac> outputs DER format). =item B<-outdir directory> Loading 
@@ -110,6 +113,11 @@ the CA certificate file. the private key to sign requests with. =item B<-keyform PEM|DER> the format of the data in the private key file. The default is PEM. =item B<-key password> the password used to encrypt the private key. Since on some Loading Loading @@ -267,6 +275,15 @@ the number of hours before the next CRL is due. a filename containing a certificate to revoke. =item B<-status serial> displays the revocation status of the certificate with the specified serial number and exits. =item B<-updatedb> Updates the database index to purge expired certificates. =item B<-crl_reason reason> revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>, Loading Loading @@ -499,6 +516,10 @@ the SPKAC and also the required DN components as name value pairs. If you need to include the same component twice then it can be preceded by a number and a '.'. When processing SPKAC format, the output is DER if the B<-out> flag is used, but PEM format if sending to stdout or the B<-outdir> flag is used. =head1 EXAMPLES Note: these examples assume that the B<ca> directory structure is Loading doc/apps/crl.pod +6 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,7 @@ B<openssl> B<crl> [B<-text>] [B<-in filename>] [B<-out filename>] [B<-nameopt option>] [B<-noout>] [B<-hash>] [B<-issuer>] Loading Loading @@ -53,6 +54,11 @@ default. print out the CRL in text form. =item B<-nameopt option> option which determines how the subject or issuer names are displayed. See the description of B<-nameopt> in L<x509(1)|x509(1)>. =item B<-noout> don't output the encoded version of the CRL. Loading doc/apps/dhparam.pod +5 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,7 @@ B<openssl dhparam> [B<-in> I<filename>] [B<-out> I<filename>] [B<-dsaparam>] [B<-check>] [B<-noout>] [B<-text>] [B<-C>] Loading Loading 
@@ -64,6 +65,10 @@ exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possible otherwise. =item B<-check> check if the parameters are valid primes and generator. =item B<-2>, B<-5> The generator to use, either 2 or 5. 2 is the default. If present then the Loading doc/apps/dsa.pod +9 −3 Original line number Diff line number Diff line Loading @@ -13,6 +13,12 @@ B<openssl> B<dsa> [B<-passin arg>] [B<-out filename>] [B<-passout arg>] [B<-aes128>] [B<-aes192>] [B<-aes256>] [B<-camellia128>] [B<-camellia192>] [B<-camellia256>] [B<-des>] [B<-des3>] [B<-idea>] Loading Loading @@ -74,10 +80,10 @@ filename. the output file password source. For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. =item B<-des|-des3|-idea> =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. A pass phrase is prompted for. These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the B<dsa> utility to read in an encrypted key with no encryption option can be used to remove the pass phrase from a key, or by Loading Loading
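Review bot: in doc/apps/asn1parse.pod, hunk @@ -65,6 +67,14 @@, the new B<-dump> item says "dump unknown data in hex format" without saying what counts as unknown data, and B<-dlimit num> ("like B<-dump>, but only the first B<num> bytes are output") does not say whether it implies B<-dump> or has to be given together with it. Suggest defining "unknown" in the B<-dump> item and stating in the B<-dlimit> item whether it works on its own.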
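Review bot: in doc/apps/ca.pod, hunk @@ -267,6 +275,15 @@, the B<-updatedb> item says it will "purge expired certificates", which leaves open whether index entries are deleted or only marked as expired; for a CA database that difference matters to anyone auditing it, so the text should say which. The same hunk's B<-status serial> item does not say in what form the serial number is expected or how the status is reported. Also, "Updates" is capitalised while the neighbouring items ("displays", "revocation reason") start in lower case.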
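Review bot: in doc/apps/ca.pod, hunk @@ -499,6 +516,10 @@, the added paragraph says SPKAC output is DER with B<-out> but PEM on stdout or with B<-outdir>, while the B<-out> item changed in hunk @@ -94,7 +97,7 @@ reads "The default is standard output ... file in PEM format (except that B<-spkac> outputs DER format)", which can be read as DER in every case, stdout included. Suggest rewording the B<-out> parenthetical so it only claims DER when B<-out> is actually given, or pointing it at the SPKAC FORMAT section, so the two statements cannot be read as contradicting each other.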
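Review bot: in doc/apps/crl.pod, hunk @@ -53,6 +54,11 @@, the B<-nameopt> item speaks of "how the subject or issuer names are displayed", but a CRL carries only an issuer name and the synopsis in this file lists B<-issuer> with no subject option. The wording looks carried over from x509; suggest "option which determines how the issuer name is displayed" and keeping the pointer to L<x509(1)|x509(1)> for the option values.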
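Review bot: in doc/apps/dhparam.pod, hunk @@ -64,6 +65,10 @@, the B<-check> item ("check if the parameters are valid primes and generator") does not say what is checked beyond that, what is printed, or whether a failed check changes the exit status, which is what a script validating received parameters needs to know. It also sits directly after the B<-dsaparam> warning about small-subgroup attacks, so it should say whether the check is meaningful for DSA-style parameters. The phrase itself needs a grammar fix, for example "check that the prime and the generator are valid".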
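Review bot: in doc/apps/dsa.pod, hunk @@ -74,10 +80,10 @@, the merged item replaces "the DES, triple DES, or the IDEA ciphers respectively" with "the specified cipher", so the page no longer says which cipher or key size each option selects, and B<-des> is now listed next to B<-aes256> with no distinction even though single DES has only a 56-bit key. Suggest keeping a short per-option description (cipher and key length) in this item. The unchanged context "If none of these options is specified the key is written in plain text" is the line readers most need to see, so it may deserve its own paragraph.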