1 files changed, 60 insertions, 18 deletions

diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
index 74f45ca2f90e..5618c2dc9d2e 100644
--- a/crypto/openssl/doc/apps/ca.pod
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -17,7 +17,6 @@ B<openssl> B<ca>
 [B<-crl_hold instruction>]
 [B<-crl_compromise time>]
 [B<-crl_CA_compromise time>]
-[B<-subj arg>]
 [B<-crldays days>]
 [B<-crlhours hours>]
 [B<-crlexts section>]
@@ -30,6 +29,7 @@ B<openssl> B<ca>
 [B<-key arg>]
 [B<-passin arg>]
 [B<-cert file>]
+[B<-selfsign>]
 [B<-in file>]
 [B<-out file>]
 [B<-notext>]
@@ -44,6 +44,9 @@ B<openssl> B<ca>
 [B<-extensions section>]
 [B<-extfile section>]
 [B<-engine id>]
+[B<-subj arg>]
+[B<-utf8>]
+[B<-multivalue-rdn>]
 
 =head1 DESCRIPTION
 
@@ -113,6 +116,20 @@ the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
 
+=item B<-selfsign>
+
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with B<-keyfile>).
+Cerificate requests signed with a different key are ignored.  If
+B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
+ignored.
+
+A consequence of using B<-selfsign> is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option B<database>), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
+
 =item B<-passin arg>
 
 the key password source. For more information about the format of B<arg>
@@ -203,6 +220,28 @@ to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
+=item B<-subj arg>
+
+supersedes subject name given in the request.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by 
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpretedt with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =back
 
 =head1 CRL OPTIONS
@@ -253,12 +292,6 @@ B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
 This is the same as B<crl_compromise> except the revocation reason is set to
 B<CACompromise>.
 
-=item B<-subj arg>
-
-supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
-
 =item B<-crlexts section>
 
 the section of the configuration file containing CRL extensions to
@@ -359,11 +392,27 @@ the same as the B<-md> option. The message digest to use. Mandatory.
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.
 
+=item B<unique_subject>
+
+if the value B<yes> is given, the valid certificate entries in the
+database must have unique subjects.  if the value B<no> is given,
+several valid certificate entries may have the exact same subject.
+The default value is B<yes>, to be compatible with older (pre 0.9.8)
+versions of OpenSSL.  However, to make CA certificate roll-over easier,
+it's recommended to use the value B<no>, especially if combined with
+the B<-selfsign> command line option.
+
 =item B<serial>
 
 a text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
 
+=item B<crlnumber>
+
+a text file containing the next CRL number to use in hex. The crl number
+will be inserted in the CRLs only if this file exists. If this file is
+present, it must contain a valid CRL number.
+
 =item B<x509_extensions>
 
 the same as B<-extensions>.
@@ -391,7 +440,7 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
-=item B<nameopt>, B<certopt>
+=item B<name_opt>, B<cert_opt>
 
 these options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
@@ -513,8 +562,8 @@ A sample configuration file with the relevant sections for B<ca>:
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- nameopt	= ca_default		# Subject name display option
- certopt	= ca_default		# Certificate display option
+ name_opt	= ca_default		# Subject name display option
+ cert_opt	= ca_default		# Certificate display option
  copy_extensions = none			# Don't copy extensions from request
 
  [ policy_any ]
@@ -554,8 +603,7 @@ if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
 
-V2 CRL features like delta CRL support and CRL numbers are not currently
-supported.
+V2 CRL features like delta CRLs are not currently supported.
 
 Although several requests can be input and handled at once it is only
 possible to include one SPKAC or self signed certificate.
@@ -566,12 +614,6 @@ The use of an in memory text database can cause problems when large
 numbers of certificates are present because, as the name implies
 the database has to be kept in memory.
 
-It is not possible to certify two certificates with the same DN: this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same DN for separate signing and encryption
-keys.
-
 The B<ca> command really needs rewriting or the required functionality
 exposed at either a command or interface level so a more friendly utility
 (perl script or GUI) can handle things properly. The scripts B<CA.sh> and