Diffstat (limited to 'secure/usr.bin/openssl')
-rw-r--r--secure/usr.bin/openssl/Makefile25
-rw-r--r--secure/usr.bin/openssl/Makefile.depend3
-rw-r--r--secure/usr.bin/openssl/Makefile.man155
-rw-r--r--secure/usr.bin/openssl/man/CA.pl.1186
-rw-r--r--secure/usr.bin/openssl/man/list.1211
-rw-r--r--secure/usr.bin/openssl/man/openssl-asn1parse.1 (renamed from secure/usr.bin/openssl/man/asn1parse.1)91
-rw-r--r--secure/usr.bin/openssl/man/openssl-ca.1 (renamed from secure/usr.bin/openssl/man/ca.1)432
-rw-r--r--secure/usr.bin/openssl/man/openssl-ciphers.1 (renamed from secure/usr.bin/openssl/man/ciphers.1)86
-rw-r--r--secure/usr.bin/openssl/man/openssl-cmds.1275
-rw-r--r--secure/usr.bin/openssl/man/openssl-cmp.11355
-rw-r--r--secure/usr.bin/openssl/man/openssl-cms.1 (renamed from secure/usr.bin/openssl/man/cms.1)787
-rw-r--r--secure/usr.bin/openssl/man/openssl-crl.1 (renamed from secure/usr.bin/openssl/man/crl.1)136
-rw-r--r--secure/usr.bin/openssl/man/openssl-crl2pkcs7.1 (renamed from secure/usr.bin/openssl/man/crl2pkcs7.1)61
-rw-r--r--secure/usr.bin/openssl/man/openssl-dgst.1 (renamed from secure/usr.bin/openssl/man/dgst.1)235
-rw-r--r--secure/usr.bin/openssl/man/openssl-dhparam.1 (renamed from secure/usr.bin/openssl/man/dhparam.1)126
-rw-r--r--secure/usr.bin/openssl/man/openssl-dsa.1 (renamed from secure/usr.bin/openssl/man/dsa.1)138
-rw-r--r--secure/usr.bin/openssl/man/openssl-dsaparam.1 (renamed from secure/usr.bin/openssl/man/dsaparam.1)129
-rw-r--r--secure/usr.bin/openssl/man/openssl-ec.1 (renamed from secure/usr.bin/openssl/man/ec.1)148
-rw-r--r--secure/usr.bin/openssl/man/openssl-ecparam.1 (renamed from secure/usr.bin/openssl/man/ecparam.1)139
-rw-r--r--secure/usr.bin/openssl/man/openssl-enc.1 (renamed from secure/usr.bin/openssl/man/enc.1)179
-rw-r--r--secure/usr.bin/openssl/man/openssl-engine.1 (renamed from secure/usr.bin/openssl/man/engine.1)45
-rw-r--r--secure/usr.bin/openssl/man/openssl-errstr.1 (renamed from secure/usr.bin/openssl/man/errstr.1)34
-rw-r--r--secure/usr.bin/openssl/man/openssl-fipsinstall.1357
-rw-r--r--secure/usr.bin/openssl/man/openssl-format-options.1263
-rw-r--r--secure/usr.bin/openssl/man/openssl-gendsa.1 (renamed from secure/usr.bin/openssl/man/gendsa.1)95
-rw-r--r--secure/usr.bin/openssl/man/openssl-genpkey.1 (renamed from secure/usr.bin/openssl/man/genpkey.1)360
-rw-r--r--secure/usr.bin/openssl/man/openssl-genrsa.1 (renamed from secure/usr.bin/openssl/man/genrsa.1)94
-rw-r--r--secure/usr.bin/openssl/man/openssl-info.1 (renamed from secure/usr.bin/openssl/man/srp.1)104
-rw-r--r--secure/usr.bin/openssl/man/openssl-kdf.1356
-rw-r--r--secure/usr.bin/openssl/man/openssl-list.1343
-rw-r--r--secure/usr.bin/openssl/man/openssl-mac.1289
-rw-r--r--secure/usr.bin/openssl/man/openssl-namedisplay-options.1282
-rw-r--r--secure/usr.bin/openssl/man/openssl-nseq.1 (renamed from secure/usr.bin/openssl/man/nseq.1)58
-rw-r--r--secure/usr.bin/openssl/man/openssl-ocsp.1 (renamed from secure/usr.bin/openssl/man/ocsp.1)385
-rw-r--r--secure/usr.bin/openssl/man/openssl-passphrase-options.1195
-rw-r--r--secure/usr.bin/openssl/man/openssl-passwd.1 (renamed from secure/usr.bin/openssl/man/passwd.1)64
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkcs12.1 (renamed from secure/usr.bin/openssl/man/pkcs12.1)482
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkcs7.1 (renamed from secure/usr.bin/openssl/man/pkcs7.1)102
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkcs8.1 (renamed from secure/usr.bin/openssl/man/pkcs8.1)194
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkey.1 (renamed from secure/usr.bin/openssl/man/pkey.1)234
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkeyparam.1 (renamed from secure/usr.bin/openssl/man/pkeyparam.1)60
-rw-r--r--secure/usr.bin/openssl/man/openssl-pkeyutl.1 (renamed from secure/usr.bin/openssl/man/pkeyutl.1)274
-rw-r--r--secure/usr.bin/openssl/man/openssl-prime.1 (renamed from secure/usr.bin/openssl/man/prime.1)65
-rw-r--r--secure/usr.bin/openssl/man/openssl-rand.1 (renamed from secure/usr.bin/openssl/man/rand.1)73
-rw-r--r--secure/usr.bin/openssl/man/openssl-rehash.1279
-rw-r--r--secure/usr.bin/openssl/man/openssl-req.1 (renamed from secure/usr.bin/openssl/man/req.1)481
-rw-r--r--secure/usr.bin/openssl/man/openssl-rsa.1 (renamed from secure/usr.bin/openssl/man/rsa.1)152
-rw-r--r--secure/usr.bin/openssl/man/openssl-rsautl.1 (renamed from secure/usr.bin/openssl/man/rsautl.1)121
-rw-r--r--secure/usr.bin/openssl/man/openssl-s_client.1 (renamed from secure/usr.bin/openssl/man/s_client.1)713
-rw-r--r--secure/usr.bin/openssl/man/openssl-s_server.11040
-rw-r--r--secure/usr.bin/openssl/man/openssl-s_time.1 (renamed from secure/usr.bin/openssl/man/s_time.1)176
-rw-r--r--secure/usr.bin/openssl/man/openssl-sess_id.1 (renamed from secure/usr.bin/openssl/man/sess_id.1)71
-rw-r--r--secure/usr.bin/openssl/man/openssl-smime.1 (renamed from secure/usr.bin/openssl/man/smime.1)260
-rw-r--r--secure/usr.bin/openssl/man/openssl-speed.1 (renamed from secure/usr.bin/openssl/man/speed.1)143
-rw-r--r--secure/usr.bin/openssl/man/openssl-spkac.1 (renamed from secure/usr.bin/openssl/man/spkac.1)103
-rw-r--r--secure/usr.bin/openssl/man/openssl-srp.1247
-rw-r--r--secure/usr.bin/openssl/man/openssl-storeutl.1 (renamed from secure/usr.bin/openssl/man/storeutl.1)105
-rw-r--r--secure/usr.bin/openssl/man/openssl-ts.1 (renamed from secure/usr.bin/openssl/man/ts.1)391
-rw-r--r--secure/usr.bin/openssl/man/openssl-verification-options.1708
-rw-r--r--secure/usr.bin/openssl/man/openssl-verify.1314
-rw-r--r--secure/usr.bin/openssl/man/openssl-version.1 (renamed from secure/usr.bin/openssl/man/version.1)30
-rw-r--r--secure/usr.bin/openssl/man/openssl-x509.1841
-rw-r--r--secure/usr.bin/openssl/man/openssl.1471
-rw-r--r--secure/usr.bin/openssl/man/s_server.1868
-rw-r--r--secure/usr.bin/openssl/man/tsget.1133
-rw-r--r--secure/usr.bin/openssl/man/verify.1787
-rw-r--r--secure/usr.bin/openssl/man/x509.1955
67 files changed, 12502 insertions, 6592 deletions
diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile
index 5f3bf395a149..464189e79821 100644
--- a/secure/usr.bin/openssl/Makefile
+++ b/secure/usr.bin/openssl/Makefile
@@ -1,4 +1,3 @@
-# $FreeBSD$
CONFS= openssl.cnf
CONFSDIR= /etc/ssl
@@ -12,16 +11,24 @@ LIBADD= ssl crypto
.endif
.include "../../lib/libcrypto/Makefile.inc"
-CFLAGS+= -I${LCRYPTO_SRC}/apps
+CFLAGS+= -I${LCRYPTO_SRC}/apps/include
CFLAGS+= -I${OBJTOP}/secure/lib/libcrypto
-SRCS= app_rand.c apps.c asn1pars.c bf_prefix.c ca.c ciphers.c cms.c crl.c
-SRCS+= crl2p7.c dgst.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c
-SRCS+= engine.c errstr.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c
-SRCS+= openssl.c opt.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c
-SRCS+= pkeyutl.c prime.c rand.c rehash.c req.c rsa.c rsautl.c s_cb.c
-SRCS+= s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c
-SRCS+= spkac.c srp.c storeutl.c ts.c verify.c version.c x509.c
+SRCS= asn1parse.c ca.c ciphers.c cmp.c cms.c crl.c crl2pkcs7.c dgst.c
+SRCS+= dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c
+SRCS+= fipsinstall.c gendsa.c genpkey.c genrsa.c info.c kdf.c
+SRCS+= lib/cmp_mock_srv.c list.c mac.c nseq.c ocsp.c openssl.c passwd.c
+SRCS+= pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c progs.c
+SRCS+= rand.c rehash.c req.c rsa.c rsautl.c s_client.c s_server.c s_time.c
+SRCS+= sess_id.c smime.c speed.c spkac.c srp.c storeutl.c ts.c verify.c
+SRCS+= version.c x509.c
+
+# libapps
+SRCS+= lib/apps.c lib/apps_ui.c lib/opt.c lib/fmt.c lib/s_cb.c lib/s_socket.c
+SRCS+= lib/app_rand.c
+SRCS+= lib/columns.c lib/app_params.c lib/names.c lib/app_provider.c
+SRCS+= lib/app_x509.c lib/http_server.c
+SRCS+= lib/engine.c lib/engine_loader.c lib/app_libctx.c lib/tlssrp_depr.c
.include <bsd.prog.mk>
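Review bot: `lib/cmp_mock_srv.c` on the new SRCS+= line is the only `lib/` source listed outside the `# libapps` group that follows, and nothing says why a mock CMP server is compiled into the shipped `openssl` binary; it appears to back the `-use_mock_srv` mode of `openssl cmp`, and upstream's build.info lists it with the program sources rather than with libapps, which may be why it sits there, but that reasoning is not visible here. A comment on the line above it, `# lib/cmp_mock_srv.c: in-process CMP test server for 'openssl cmp -use_mock_srv' (kept with the program sources as upstream does)`, would keep the next maintainer from "fixing" the placement or dropping the file. The same goes for `lib/engine.c`, `lib/engine_loader.c` and `lib/tlssrp_depr.c` in the libapps group, which carry the deprecated ENGINE and TLS-SRP paths and will presumably need to follow whatever libcrypto does with OPENSSL_NO_ENGINE/OPENSSL_NO_SRP; I cannot tell from this hunk whether that is conditioned elsewhere. The `.endif` at the top of the hunk closes a conditional that begins outside it.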
diff --git a/secure/usr.bin/openssl/Makefile.depend b/secure/usr.bin/openssl/Makefile.depend
index e383274b1a46..7f663f7f4954 100644
--- a/secure/usr.bin/openssl/Makefile.depend
+++ b/secure/usr.bin/openssl/Makefile.depend
@@ -1,8 +1,6 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
@@ -11,6 +9,7 @@ DIRDEPS = \
lib/libcompiler_rt \
lib/msun \
secure/lib/libcrypto \
+ secure/lib/libcrypto/openssl.amd64 \
secure/lib/libssl \
diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man
index bc500c3733cd..2e1dbf3c5f17 100644
--- a/secure/usr.bin/openssl/Makefile.man
+++ b/secure/usr.bin/openssl/Makefile.man
@@ -1,101 +1,60 @@
-# $FreeBSD$
MAN+= CA.pl.1
-MAN+= asn1parse.1
-MAN+= ca.1
-MAN+= ciphers.1
-MAN+= cms.1
-MAN+= crl.1
-MAN+= crl2pkcs7.1
-MAN+= dgst.1
-MAN+= dhparam.1
-MAN+= dsa.1
-MAN+= dsaparam.1
-MAN+= ec.1
-MAN+= ecparam.1
-MAN+= enc.1
-MAN+= engine.1
-MAN+= errstr.1
-MAN+= gendsa.1
-MAN+= genpkey.1
-MAN+= genrsa.1
-MAN+= list.1
-MAN+= nseq.1
-MAN+= ocsp.1
+MAN+= openssl-asn1parse.1
+MAN+= openssl-ca.1
+MAN+= openssl-ciphers.1
+MAN+= openssl-cmds.1
+MAN+= openssl-cmp.1
+MAN+= openssl-cms.1
+MAN+= openssl-crl.1
+MAN+= openssl-crl2pkcs7.1
+MAN+= openssl-dgst.1
+MAN+= openssl-dhparam.1
+MAN+= openssl-dsa.1
+MAN+= openssl-dsaparam.1
+MAN+= openssl-ec.1
+MAN+= openssl-ecparam.1
+MAN+= openssl-enc.1
+MAN+= openssl-engine.1
+MAN+= openssl-errstr.1
+MAN+= openssl-fipsinstall.1
+MAN+= openssl-format-options.1
+MAN+= openssl-gendsa.1
+MAN+= openssl-genpkey.1
+MAN+= openssl-genrsa.1
+MAN+= openssl-info.1
+MAN+= openssl-kdf.1
+MAN+= openssl-list.1
+MAN+= openssl-mac.1
+MAN+= openssl-namedisplay-options.1
+MAN+= openssl-nseq.1
+MAN+= openssl-ocsp.1
+MAN+= openssl-passphrase-options.1
+MAN+= openssl-passwd.1
+MAN+= openssl-pkcs12.1
+MAN+= openssl-pkcs7.1
+MAN+= openssl-pkcs8.1
+MAN+= openssl-pkey.1
+MAN+= openssl-pkeyparam.1
+MAN+= openssl-pkeyutl.1
+MAN+= openssl-prime.1
+MAN+= openssl-rand.1
+MAN+= openssl-rehash.1
+MAN+= openssl-req.1
+MAN+= openssl-rsa.1
+MAN+= openssl-rsautl.1
+MAN+= openssl-s_client.1
+MAN+= openssl-s_server.1
+MAN+= openssl-s_time.1
+MAN+= openssl-sess_id.1
+MAN+= openssl-smime.1
+MAN+= openssl-speed.1
+MAN+= openssl-spkac.1
+MAN+= openssl-srp.1
+MAN+= openssl-storeutl.1
+MAN+= openssl-ts.1
+MAN+= openssl-verification-options.1
+MAN+= openssl-verify.1
+MAN+= openssl-version.1
+MAN+= openssl-x509.1
MAN+= openssl.1
-MAN+= passwd.1
-MAN+= pkcs12.1
-MAN+= pkcs7.1
-MAN+= pkcs8.1
-MAN+= pkey.1
-MAN+= pkeyparam.1
-MAN+= pkeyutl.1
-MAN+= prime.1
-MAN+= rand.1
-# MAN+= rehash.1
-MAN+= req.1
-MAN+= rsa.1
-MAN+= rsautl.1
-MAN+= s_client.1
-MAN+= s_server.1
-MAN+= s_time.1
-MAN+= sess_id.1
-MAN+= smime.1
-MAN+= speed.1
-MAN+= spkac.1
-MAN+= srp.1
-MAN+= storeutl.1
-MAN+= ts.1
MAN+= tsget.1
-MAN+= verify.1
-MAN+= version.1
-MAN+= x509.1
-MLINKS+= asn1parse.1 openssl-asn1parse.1
-MLINKS+= ca.1 openssl-ca.1
-MLINKS+= ciphers.1 openssl-ciphers.1
-MLINKS+= cms.1 openssl-cms.1
-MLINKS+= crl.1 openssl-crl.1
-MLINKS+= crl2pkcs7.1 openssl-crl2pkcs7.1
-MLINKS+= dgst.1 openssl-dgst.1
-MLINKS+= dhparam.1 openssl-dhparam.1
-MLINKS+= dsa.1 openssl-dsa.1
-MLINKS+= dsaparam.1 openssl-dsaparam.1
-MLINKS+= ec.1 openssl-ec.1
-MLINKS+= ecparam.1 openssl-ecparam.1
-MLINKS+= enc.1 openssl-enc.1
-MLINKS+= engine.1 openssl-engine.1
-MLINKS+= errstr.1 openssl-errstr.1
-MLINKS+= gendsa.1 openssl-gendsa.1
-MLINKS+= genpkey.1 openssl-genpkey.1
-MLINKS+= genrsa.1 openssl-genrsa.1
-MLINKS+= list.1 openssl-list.1
-MLINKS+= nseq.1 openssl-nseq.1
-MLINKS+= ocsp.1 openssl-ocsp.1
-MLINKS+= passwd.1 openssl-passwd.1
-MLINKS+= pkcs12.1 openssl-pkcs12.1
-MLINKS+= pkcs7.1 openssl-pkcs7.1
-MLINKS+= pkcs8.1 openssl-pkcs8.1
-MLINKS+= pkey.1 openssl-pkey.1
-MLINKS+= pkeyparam.1 openssl-pkeyparam.1
-MLINKS+= pkeyutl.1 openssl-pkeyutl.1
-MLINKS+= prime.1 openssl-prime.1
-MLINKS+= rand.1 openssl-rand.1
-# MLINKS+= rehash.1 c_rehash.1
-# MLINKS+= rehash.1 openssl-c_rehash.1
-# MLINKS+= rehash.1 openssl-rehash.1
-MLINKS+= req.1 openssl-req.1
-MLINKS+= rsa.1 openssl-rsa.1
-MLINKS+= rsautl.1 openssl-rsautl.1
-MLINKS+= s_client.1 openssl-s_client.1
-MLINKS+= s_server.1 openssl-s_server.1
-MLINKS+= s_time.1 openssl-s_time.1
-MLINKS+= sess_id.1 openssl-sess_id.1
-MLINKS+= smime.1 openssl-smime.1
-MLINKS+= speed.1 openssl-speed.1
-MLINKS+= spkac.1 openssl-spkac.1
-MLINKS+= srp.1 openssl-srp.1
-MLINKS+= storeutl.1 openssl-storeutl.1
-MLINKS+= ts.1 openssl-ts.1
-MLINKS+= tsget.1 openssl-tsget.1
-MLINKS+= verify.1 openssl-verify.1
-MLINKS+= version.1 openssl-version.1
-MLINKS+= x509.1 openssl-x509.1
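Review bot: The MLINKS block at the end of the hunk is deleted without replacement, so after this change the short names that resolved before (`man ca`, `man x509`, `man s_client`, `man req`, and so on) no longer do; the renamed pages exist only as `openssl-*.1`, and the newly added `openssl-cmds.1` documents those aliases as text rather than providing links. If the intent is to mirror upstream's install, the links should be re-added in the reverse direction, one per renamed page, e.g. `MLINKS+= openssl-ca.1 ca.1` and `MLINKS+= openssl-x509.1 x509.1`, so existing muscle memory and cross-references in other pages keep working. Note also that the regenerated pages carry `.TH ... 1ossl` (see the CA.pl.1 hunk in this commit) while this file still installs them as section 1; that is presumably deliberate for the base system, but a one-line comment saying so would avoid confusion with an installed ports copy.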
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index ea1ea268c5dd..5677090ae41d 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,8 +130,8 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CA.PL 1"
-.TH CA.PL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "CA.PL 1ossl"
+.TH CA.PL 1ossl "2023-09-19" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -157,98 +155,122 @@ CA.pl \- friendlier interface for OpenSSL certificate programs
\&\fB\-signcert\fR |
\&\fB\-crl\fR |
\&\fB\-newca\fR
-[\fB\-extra\-cmd\fR extra\-params]
+[\fB\-extra\-\f(BIcmd\fB\fR \fIparameter\fR]
.PP
-\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fB\-extra\-pkcs12\fR extra\-params] [\fBcertname\fR]
+\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fIcertname\fR]
.PP
-\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR [\fB\-extra\-verify\fR extra\-params] \fBcertfile\fR...
+\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR \fIcertfile\fR ...
.PP
-\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR [\fB\-extra\-ca\fR extra\-params] \fBcertfile\fR [\fBreason\fR]
+\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR \fIcertfile\fR [\fIreason\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
-arguments to the \fBopenssl\fR command for some common certificate operations.
+arguments to the \fBopenssl\fR\|(1) command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
+.PP
+The script is intended as a simple front end for the \fBopenssl\fR\|(1) program for
+use by a beginner. Its behaviour isn't always what is wanted. For more control
+over the behaviour of the certificate commands call the \fBopenssl\fR\|(1) command
+directly.
+.PP
+Most of the filenames mentioned below can be modified by editing the
+\&\fB\s-1CA\s0.pl\fR script.
+.PP
+Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
+directly (for example Win32) and the default configuration file location may
+be wrong. In this case the command:
+.PP
+.Vb 1
+\& perl \-S CA.pl
+.Ve
+.PP
+can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable can be set to point to
+the correct path of the configuration file.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
-.IX Item "?, -h, -help"
+.IP "\fB\-?\fR, \fB\-h\fR, \fB\-help\fR" 4
+.IX Item "-?, -h, -help"
Prints a usage message.
.IP "\fB\-newcert\fR" 4
.IX Item "-newcert"
Creates a new self signed certificate. The private key is written to the file
-\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
-This argument invokes \fBopenssl req\fR command.
+\&\fInewkey.pem\fR and the request written to the file \fInewreq.pem\fR.
+Invokes \fBopenssl\-req\fR\|(1).
.IP "\fB\-newreq\fR" 4
.IX Item "-newreq"
Creates a new certificate request. The private key is written to the file
-\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
-Executes \fBopenssl req\fR command below the hood.
+\&\fInewkey.pem\fR and the request written to the file \fInewreq.pem\fR.
+Executes \fBopenssl\-req\fR\|(1) under the hood.
.IP "\fB\-newreq\-nodes\fR" 4
.IX Item "-newreq-nodes"
Is like \fB\-newreq\fR except that the private key will not be encrypted.
-Uses \fBopenssl req\fR command.
+Uses \fBopenssl\-req\fR\|(1).
.IP "\fB\-newca\fR" 4
.IX Item "-newca"
Creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
details of the \s-1CA\s0 will be prompted for. The relevant files and directories
-are created in a directory called \*(L"demoCA\*(R" in the current directory.
-\&\fBopenssl req\fR and \fBopenssl ca\fR commands are get invoked.
+are created in a directory called \fIdemoCA\fR in the current directory.
+Uses \fBopenssl\-req\fR\|(1) and \fBopenssl\-ca\fR\|(1).
+.Sp
+If the \fIdemoCA\fR directory already exists then the \fB\-newca\fR command will not
+overwrite it and will do nothing. This can happen if a previous call using
+the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
+delete the directory if it already exists.
.IP "\fB\-pkcs12\fR" 4
.IX Item "-pkcs12"
Create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
certificate. It expects the user certificate and private key to be in the
-file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
-it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
+file \fInewcert.pem\fR and the \s-1CA\s0 certificate to be in the file \fIdemoCA/cacert.pem\fR,
+it creates a file \fInewcert.p12\fR. This command can thus be called after the
\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
list box), otherwise the name \*(L"My Certificate\*(R" is used.
-Delegates work to \fBopenssl pkcs12\fR command.
+Delegates work to \fBopenssl\-pkcs12\fR\|(1).
.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4
.IX Item "-sign, -signcert, -xsign"
-Calls the \fBca\fR program to sign a certificate request. It expects the request
-to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
-\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
-to standard output. Leverages \fBopenssl ca\fR command.
+Calls the \fBopenssl\-ca\fR\|(1) command to sign a certificate request. It expects the
+request to be in the file \fInewreq.pem\fR. The new certificate is written to the
+file \fInewcert.pem\fR except in the case of the \fB\-xsign\fR option when it is
+written to standard output.
.IP "\fB\-signCA\fR" 4
.IX Item "-signCA"
This option is the same as the \fB\-sign\fR option except it uses the
configuration file section \fBv3_ca\fR and so makes the signed request a
valid \s-1CA\s0 certificate. This is useful when creating intermediate \s-1CA\s0 from
-a root \s-1CA.\s0 Extra params are passed on to \fBopenssl ca\fR command.
+a root \s-1CA.\s0 Extra params are passed to \fBopenssl\-ca\fR\|(1).
.IP "\fB\-signcert\fR" 4
.IX Item "-signcert"
This option is the same as \fB\-sign\fR except it expects a self signed certificate
-to be present in the file \*(L"newreq.pem\*(R".
-Extra params are passed on to \fBopenssl x509\fR and \fBopenssl ca\fR commands.
+to be present in the file \fInewreq.pem\fR.
+Extra params are passed to \fBopenssl\-x509\fR\|(1) and \fBopenssl\-ca\fR\|(1).
.IP "\fB\-crl\fR" 4
.IX Item "-crl"
-Generate a \s-1CRL.\s0 Executes \fBopenssl ca\fR command.
-.IP "\fB\-revoke certfile [reason]\fR" 4
+Generate a \s-1CRL.\s0 Executes \fBopenssl\-ca\fR\|(1).
+.IP "\fB\-revoke\fR \fIcertfile\fR [\fIreason\fR]" 4
.IX Item "-revoke certfile [reason]"
Revoke the certificate contained in the specified \fBcertfile\fR. An optional
reason may be specified, and must be one of: \fBunspecified\fR,
\&\fBkeyCompromise\fR, \fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR,
\&\fBcessationOfOperation\fR, \fBcertificateHold\fR, or \fBremoveFromCRL\fR.
-Leverages \fBopenssl ca\fR command.
+Leverages \fBopenssl\-ca\fR\|(1).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
-Verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no
+Verifies certificates against the \s-1CA\s0 certificate for \fIdemoCA\fR. If no
certificates are specified on the command line it tries to verify the file
-\&\*(L"newcert.pem\*(R". Invokes \fBopenssl verify\fR command.
-.IP "\fB\-extra\-req\fR | \fB\-extra\-ca\fR | \fB\-extra\-pkcs12\fR | \fB\-extra\-x509\fR | \fB\-extra\-verify\fR <extra\-params>" 4
-.IX Item "-extra-req | -extra-ca | -extra-pkcs12 | -extra-x509 | -extra-verify <extra-params>"
-The purpose of these parameters is to allow optional parameters to be supplied
-to \fBopenssl\fR that this command executes. The \fB\-extra\-cmd\fR are specific to the
-option being used and the \fBopenssl\fR command getting invoked. For example
-when this command invokes \fBopenssl req\fR extra parameters can be passed on
-with the \fB\-extra\-req\fR parameter. The
-\&\fBopenssl\fR commands being invoked per option are documented below.
-Users should consult \fBopenssl\fR command documentation for more information.
+\&\fInewcert.pem\fR. Invokes \fBopenssl\-verify\fR\|(1).
+.IP "\fB\-extra\-\f(BIcmd\fB\fR \fIparameter\fR" 4
+.IX Item "-extra-cmd parameter"
+For each option \fBextra\-\f(BIcmd\fB\fR, pass \fIparameter\fR to the \fBopenssl\fR\|(1)
+sub-command with the same name as \fIcmd\fR, if that sub-command is invoked.
+For example, if \fBopenssl\-req\fR\|(1) is invoked, the \fIparameter\fR given with
+\&\fB\-extra\-req\fR will be passed to it.
+For multi-word parameters, either repeat the option or quote the \fIparameters\fR
+so it looks like one word to your shell.
+See the individual command documentation for more information.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a \s-1CA\s0 hierarchy:
@@ -266,76 +288,28 @@ the request and finally create a PKCS#12 file containing it.
\& CA.pl \-sign
\& CA.pl \-pkcs12 "My Test Certificate"
.Ve
-.SH "DSA CERTIFICATES"
-.IX Header "DSA CERTIFICATES"
-Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
-use it with \s-1DSA\s0 certificates and requests using the \fBreq\fR\|(1) command
-directly. The following example shows the steps that would typically be taken.
-.PP
-Create some \s-1DSA\s0 parameters:
-.PP
-.Vb 1
-\& openssl dsaparam \-out dsap.pem 1024
-.Ve
-.PP
-Create a \s-1DSA CA\s0 certificate and private key:
-.PP
-.Vb 1
-\& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem
-.Ve
-.PP
-Create the \s-1CA\s0 directories and files:
-.PP
-.Vb 1
-\& CA.pl \-newca
-.Ve
-.PP
-enter cacert.pem when prompted for the \s-1CA\s0 filename.
-.PP
-Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
-can optionally be created first):
-.PP
-.Vb 1
-\& openssl req \-out newreq.pem \-newkey dsa:dsap.pem
-.Ve
-.PP
-Sign the request:
-.PP
-.Vb 1
-\& CA.pl \-sign
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
-.PP
-If the demoCA directory already exists then the \fB\-newca\fR command will not
-overwrite it and will do nothing. This can happen if a previous call using
-the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
-delete the demoCA directory if it already exists.
-.PP
-Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
-directly (for example Win32) and the default configuration file location may
-be wrong. In this case the command:
-.PP
-.Vb 1
-\& perl \-S CA.pl
-.Ve
-.PP
-can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to
-the correct path of the configuration file.
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+The environment variable \fB\s-1OPENSSL\s0\fR may be used to specify the name of
+the OpenSSL program. It can be a full pathname, or a relative one.
.PP
-The script is intended as a simple front end for the \fBopenssl\fR program for use
-by a beginner. Its behaviour isn't always what is wanted. For more control over the
-behaviour of the certificate commands call the \fBopenssl\fR command directly.
+The environment variable \fB\s-1OPENSSL_CONFIG\s0\fR may be used to specify a
+configuration option and value to the \fBreq\fR and \fBca\fR commands invoked by
+this script. It's value should be the option and pathname, as in
+\&\f(CW\*(C`\-config /path/to/conf\-file\*(C'\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBreq\fR\|(1), \fBpkcs12\fR\|(1),
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-pkcs12\fR\|(1),
\&\fBconfig\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/list.1 b/secure/usr.bin/openssl/man/list.1
deleted file mode 100644
index 6e44f9fc8963..000000000000
--- a/secure/usr.bin/openssl/man/list.1
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "LIST 1"
-.TH LIST 1 "2022-06-21" "1.1.1p" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-openssl\-list, list \- list algorithms and features
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl list\fR
-[\fB\-help\fR]
-[\fB\-1\fR]
-[\fB\-commands\fR]
-[\fB\-digest\-commands\fR]
-[\fB\-digest\-algorithms\fR]
-[\fB\-cipher\-commands\fR]
-[\fB\-cipher\-algorithms\fR]
-[\fB\-public\-key\-algorithms\fR]
-[\fB\-public\-key\-methods\fR]
-[\fB\-disabled\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This command is used to generate list of algorithms or disabled
-features.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.IP "\fB\-help\fR" 4
-.IX Item "-help"
-Display a usage message.
-.IP "\fB\-1\fR" 4
-.IX Item "-1"
-List the commands, digest-commands, or cipher-commands in a single column.
-If used, this option must be given first.
-.IP "\fB\-commands\fR" 4
-.IX Item "-commands"
-Display a list of standard commands.
-.IP "\fB\-digest\-commands\fR" 4
-.IX Item "-digest-commands"
-Display a list of message digest commands, which are typically used
-as input to the \fBdgst\fR\|(1) or \fBspeed\fR\|(1) commands.
-.IP "\fB\-digest\-algorithms\fR" 4
-.IX Item "-digest-algorithms"
-Display a list of message digest algorithms.
-If a line is of the form
- foo => bar
-then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR.
-.IP "\fB\-cipher\-commands\fR" 4
-.IX Item "-cipher-commands"
-Display a list of cipher commands, which are typically used as input
-to the \fBdgst\fR\|(1) or \fBspeed\fR\|(1) commands.
-.IP "\fB\-cipher\-algorithms\fR" 4
-.IX Item "-cipher-algorithms"
-Display a list of cipher algorithms.
-If a line is of the form
- foo => bar
-then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR.
-.IP "\fB\-public\-key\-algorithms\fR" 4
-.IX Item "-public-key-algorithms"
-Display a list of public key algorithms, with each algorithm as
-a block of multiple lines, all but the first are indented.
-.IP "\fB\-public\-key\-methods\fR" 4
-.IX Item "-public-key-methods"
-Display a list of public key method OIDs: this also includes public key methods
-without an associated \s-1ASN.1\s0 method, for example, \s-1KDF\s0 algorithms.
-.IP "\fB\-disabled\fR" 4
-.IX Item "-disabled"
-Display a list of disabled features, those that were compiled out
-of the installation.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/openssl-asn1parse.1
index 57394e4f2e3c..721babe00447 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/openssl-asn1parse.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,50 +130,50 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-ASN1PARSE 1ossl"
+.TH OPENSSL-ASN1PARSE 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-asn1parse, asn1parse \- ASN.1 parsing tool
+openssl\-asn1parse \- ASN.1 parsing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBasn1parse\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
-[\fB\-offset number\fR]
-[\fB\-length number\fR]
+[\fB\-offset\fR \fInumber\fR]
+[\fB\-length\fR \fInumber\fR]
[\fB\-i\fR]
-[\fB\-oid filename\fR]
+[\fB\-oid\fR \fIfilename\fR]
[\fB\-dump\fR]
-[\fB\-dlimit num\fR]
-[\fB\-strparse offset\fR]
-[\fB\-genstr string\fR]
-[\fB\-genconf file\fR]
+[\fB\-dlimit\fR \fInum\fR]
+[\fB\-strparse\fR \fIoffset\fR]
+[\fB\-genstr\fR \fIstring\fR]
+[\fB\-genconf\fR \fIfile\fR]
[\fB\-strictpem\fR]
-[\fB\-item name\fR]
+[\fB\-item\fR \fIname\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0
-structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data.
+This command is a diagnostic utility that can parse \s-1ASN.1\s0 structures.
+It can also be used to extract data from \s-1ASN.1\s0 formatted data.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform\fR \fBDER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-The input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64
-encoded.
-.IP "\fB\-in filename\fR" 4
+The input format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input file, default is standard input.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output file to place the \s-1DER\s0 encoded data into. If this
option is not present then no data will be output. This is most useful when
@@ -183,37 +181,37 @@ combined with the \fB\-strparse\fR option.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the parsed version of the input file.
-.IP "\fB\-offset number\fR" 4
+.IP "\fB\-offset\fR \fInumber\fR" 4
.IX Item "-offset number"
Starting offset to begin parsing, default is start of file.
-.IP "\fB\-length number\fR" 4
+.IP "\fB\-length\fR \fInumber\fR" 4
.IX Item "-length number"
Number of bytes to parse, default is until end of file.
.IP "\fB\-i\fR" 4
.IX Item "-i"
Indents the output according to the \*(L"depth\*(R" of the structures.
-.IP "\fB\-oid filename\fR" 4
+.IP "\fB\-oid\fR \fIfilename\fR" 4
.IX Item "-oid filename"
A file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
file is described in the \s-1NOTES\s0 section below.
.IP "\fB\-dump\fR" 4
.IX Item "-dump"
Dump unknown data in hex format.
-.IP "\fB\-dlimit num\fR" 4
+.IP "\fB\-dlimit\fR \fInum\fR" 4
.IX Item "-dlimit num"
Like \fB\-dump\fR, but only the first \fBnum\fR bytes are output.
-.IP "\fB\-strparse offset\fR" 4
+.IP "\fB\-strparse\fR \fIoffset\fR" 4
.IX Item "-strparse offset"
Parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This
option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
-.IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4
+.IP "\fB\-genstr\fR \fIstring\fR, \fB\-genconf\fR \fIfile\fR" 4
.IX Item "-genstr string, -genconf file"
-Generate encoded data based on \fBstring\fR, \fBfile\fR or both using
-\&\fBASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is
+Generate encoded data based on \fIstring\fR, \fIfile\fR or both using
+\&\fBASN1_generate_nconf\fR\|(3) format. If \fIfile\fR only is
present then the string is obtained from the default section using the name
\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
-file using the \fBout\fR option.
+file using the \fB\-out\fR option.
.IP "\fB\-strictpem\fR" 4
.IX Item "-strictpem"
If this option is used then \fB\-inform\fR will be ignored. Without this option any
@@ -221,10 +219,11 @@ data in a \s-1PEM\s0 format input file will be treated as being base64 encoded a
processed whether it has the normal \s-1PEM BEGIN\s0 and \s-1END\s0 markers or not. This
option will ignore any data prior to the start of the \s-1BEGIN\s0 marker, or after an
\&\s-1END\s0 marker in a \s-1PEM\s0 file.
-.IP "\fB\-item name\fR" 4
+.IP "\fB\-item\fR \fIname\fR" 4
.IX Item "-item name"
-Attempt to decode and print the data as \fB\s-1ASN1_ITEM\s0 name\fR. This can be used to
-print out the fields of any supported \s-1ASN.1\s0 structure if the type is known.
+Attempt to decode and print the data as an \fB\s-1ASN1_ITEM\s0\fR \fIname\fR. This can be
+used to print out the fields of any supported \s-1ASN.1\s0 structure if the type is
+known.
.SS "Output"
.IX Subsection "Output"
The output will typically contain lines like this:
@@ -251,9 +250,9 @@ The output will typically contain lines like this:
\&.....
.PP
This example is part of a self-signed certificate. Each line starts with the
-offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
-within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \fBhl=XX\fR gives the header length
-(tag and length octets) of the current type. \fBl=XX\fR gives the length of
+offset in decimal. \f(CW\*(C`d=XX\*(C'\fR specifies the current depth. The depth is increased
+within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \f(CW\*(C`hl=XX\*(C'\fR gives the header length
+(tag and length octets) of the current type. \f(CW\*(C`l=XX\*(C'\fR gives the length of
the contents octets.
.PP
The \fB\-i\fR option can be used to make the output more readable.
@@ -262,7 +261,7 @@ Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output.
.PP
In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
-be examined using the option \fB\-strparse 229\fR to yield:
+be examined using the option \f(CW\*(C`\-strparse 229\*(C'\fR to yield:
.PP
.Vb 3
\& 0:d=0 hl=3 l= 137 cons: SEQUENCE
@@ -276,10 +275,13 @@ numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the \s-1OID\s0 in numerical format and should be followed by white
space. The second column is the \*(L"short name\*(R" which is a single word followed
-by white space. The final column is the rest of the line and is the
-\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example:
+by whitespace. The final column is the rest of the line and is the
+\&\*(L"long name\*(R". Example:
.PP
\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR
+.PP
+For any \s-1OID\s0 with an associated short and long name, this command will display
+the long name.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Parse a file:
@@ -328,12 +330,13 @@ There should be options to change the format of output lines. The output of some
\&\s-1ASN.1\s0 types is not well handled (if at all).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/openssl-ca.1
index b863ad84eb6e..28ba9c626e74 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/openssl-ca.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,74 +130,94 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CA 1"
-.TH CA 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-CA 1ossl"
+.TH OPENSSL-CA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ca, ca \- sample minimal CA application
+openssl\-ca \- sample minimal CA application
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBca\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
-[\fB\-config filename\fR]
-[\fB\-name section\fR]
+[\fB\-config\fR \fIfilename\fR]
+[\fB\-name\fR \fIsection\fR]
+[\fB\-section\fR \fIsection\fR]
[\fB\-gencrl\fR]
-[\fB\-revoke file\fR]
-[\fB\-valid file\fR]
-[\fB\-status serial\fR]
+[\fB\-revoke\fR \fIfile\fR]
+[\fB\-valid\fR \fIfile\fR]
+[\fB\-status\fR \fIserial\fR]
[\fB\-updatedb\fR]
-[\fB\-crl_reason reason\fR]
-[\fB\-crl_hold instruction\fR]
-[\fB\-crl_compromise time\fR]
-[\fB\-crl_CA_compromise time\fR]
-[\fB\-crldays days\fR]
-[\fB\-crlhours hours\fR]
-[\fB\-crlexts section\fR]
-[\fB\-startdate date\fR]
-[\fB\-enddate date\fR]
-[\fB\-days arg\fR]
-[\fB\-md arg\fR]
-[\fB\-policy arg\fR]
-[\fB\-keyfile arg\fR]
-[\fB\-keyform PEM|DER\fR]
-[\fB\-key arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-cert file\fR]
+[\fB\-crl_reason\fR \fIreason\fR]
+[\fB\-crl_hold\fR \fIinstruction\fR]
+[\fB\-crl_compromise\fR \fItime\fR]
+[\fB\-crl_CA_compromise\fR \fItime\fR]
+[\fB\-crl_lastupdate\fR \fIdate\fR]
+[\fB\-crl_nextupdate\fR \fIdate\fR]
+[\fB\-crldays\fR \fIdays\fR]
+[\fB\-crlhours\fR \fIhours\fR]
+[\fB\-crlsec\fR \fIseconds\fR]
+[\fB\-crlexts\fR \fIsection\fR]
+[\fB\-startdate\fR \fIdate\fR]
+[\fB\-enddate\fR \fIdate\fR]
+[\fB\-days\fR \fIarg\fR]
+[\fB\-md\fR \fIarg\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-key\fR \fIarg\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-cert\fR \fIfile\fR]
+[\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
[\fB\-selfsign\fR]
-[\fB\-in file\fR]
-[\fB\-out file\fR]
+[\fB\-in\fR \fIfile\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|<\s-1PEM\s0>]
+[\fB\-out\fR \fIfile\fR]
[\fB\-notext\fR]
-[\fB\-outdir dir\fR]
+[\fB\-dateopt\fR]
+[\fB\-outdir\fR \fIdir\fR]
[\fB\-infiles\fR]
-[\fB\-spkac file\fR]
-[\fB\-ss_cert file\fR]
+[\fB\-spkac\fR \fIfile\fR]
+[\fB\-ss_cert\fR \fIfile\fR]
[\fB\-preserveDN\fR]
[\fB\-noemailDN\fR]
[\fB\-batch\fR]
[\fB\-msie_hack\fR]
-[\fB\-extensions section\fR]
-[\fB\-extfile section\fR]
-[\fB\-engine id\fR]
-[\fB\-subj arg\fR]
+[\fB\-extensions\fR \fIsection\fR]
+[\fB\-extfile\fR \fIsection\fR]
+[\fB\-subj\fR \fIarg\fR]
[\fB\-utf8\fR]
-[\fB\-sigopt nm:v\fR]
+[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
+[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-create_serial\fR]
[\fB\-rand_serial\fR]
[\fB\-multivalue\-rdn\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIcertreq\fR...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
-to sign certificate requests in a variety of forms and generate
-CRLs it also maintains a text database of issued certificates
-and their status.
-.PP
-The options descriptions will be divided into each purpose.
+This command emulates a \s-1CA\s0 application.
+See the \fB\s-1WARNINGS\s0\fR especially when considering to use it productively.
+It can be used to sign certificate requests (CSRs) in a variety of forms
+and generate certificate revocation lists (CRLs).
+It also maintains a text database of issued certificates and their status.
+When signing certificates, a single request can be specified
+with the \fB\-in\fR option, or multiple requests can be processed by
+specifying a set of \fBcertreq\fR files after all options.
+.PP
+Note that there are also very lean ways of generating certificates:
+the \fBreq\fR and \fBx509\fR commands can be used for directly creating certificates.
+See \fBopenssl\-req\fR\|(1) and \fBopenssl\-x509\fR\|(1) for details.
+.PP
+The descriptions of the \fBca\fR command options are divided into each purpose.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
@@ -208,23 +226,28 @@ Print out a usage message.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
This prints extra details about the operations being performed.
-.IP "\fB\-config filename\fR" 4
+.IP "\fB\-config\fR \fIfilename\fR" 4
.IX Item "-config filename"
Specifies the configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
-.IP "\fB\-name section\fR" 4
-.IX Item "-name section"
+.IP "\fB\-name\fR \fIsection\fR, \fB\-section\fR \fIsection\fR" 4
+.IX Item "-name section, -section section"
Specifies the configuration file section to use (overrides
\&\fBdefault_ca\fR in the \fBca\fR section).
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
-An input filename containing a single certificate request to be
+An input filename containing a single certificate request (\s-1CSR\s0) to be
signed by the \s-1CA.\s0
-.IP "\fB\-ss_cert filename\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM"
+The format of the data in certificate request input files;
+unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-ss_cert\fR \fIfilename\fR" 4
.IX Item "-ss_cert filename"
A single self-signed certificate to be signed by the \s-1CA.\s0
-.IP "\fB\-spkac filename\fR" 4
+.IP "\fB\-spkac\fR \fIfilename\fR" 4
.IX Item "-spkac filename"
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
@@ -233,77 +256,96 @@ section for information on the required input and output format.
.IX Item "-infiles"
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
-.IP "\fB\-outdir directory\fR" 4
+.IP "\fB\-outdir\fR \fIdirectory\fR" 4
.IX Item "-outdir directory"
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
-\&\*(L".pem\*(R" appended.
-.IP "\fB\-cert\fR" 4
-.IX Item "-cert"
-The \s-1CA\s0 certificate file.
-.IP "\fB\-keyfile filename\fR" 4
-.IX Item "-keyfile filename"
-The private key to sign requests with.
-.IP "\fB\-keyform PEM|DER\fR" 4
-.IX Item "-keyform PEM|DER"
-The format of the data in the private key file.
-The default is \s-1PEM.\s0
-.IP "\fB\-sigopt nm:v\fR" 4
+\&\fI.pem\fR appended.
+.IP "\fB\-cert\fR \fIfilename\fR" 4
+.IX Item "-cert filename"
+The \s-1CA\s0 certificate, which must match with \fB\-keyfile\fR.
+.IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-certform DER|PEM|P12"
+The format of the data in certificate input files; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-keyfile filename|uri"
+The \s-1CA\s0 private key to sign certificate requests with.
+This must match with \fB\-cert\fR.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The format of the private key input file; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
-Pass options to the signature algorithm during sign or verify operations.
+Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific.
-.IP "\fB\-key password\fR" 4
+.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-vfyopt nm:v"
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+.Sp
+This often needs to be given while signing too, because the self-signature of
+a certificate signing request (\s-1CSR\s0) is verified against the included public key,
+and that verification may need its own set of options.
+.IP "\fB\-key\fR \fIpassword\fR" 4
.IX Item "-key password"
The password used to encrypt the private key. Since on some
-systems the command line arguments are visible (e.g. Unix with
-the 'ps' utility) this option should be used with caution.
+systems the command line arguments are visible (e.g., when using
+\&\fBps\fR\|(1) on Unix),
+this option should be used with caution.
+Better use \fB\-passin\fR.
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The key password source for key files and certificate PKCS#12 files.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-selfsign\fR" 4
.IX Item "-selfsign"
Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with \fB\-keyfile\fR).
-Certificate requests signed with a different key are ignored. If
-\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is
-ignored.
+Certificate requests signed with a different key are ignored.
+If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
.Sp
A consequence of using \fB\-selfsign\fR is that the self-signed
certificate appears among the entries in the certificate database
(see the configuration option \fBdatabase\fR), and uses the same
serial number counter as all other certificates sign with the
self-signed certificate.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-notext\fR" 4
.IX Item "-notext"
Don't output the text form of a certificate to the output file.
-.IP "\fB\-startdate date\fR" 4
+.IP "\fB\-dateopt\fR" 4
+.IX Item "-dateopt"
+Specify the date output format. Values are: rfc_822 and iso_8601.
+Defaults to rfc_822.
+.IP "\fB\-startdate\fR \fIdate\fR" 4
.IX Item "-startdate date"
This allows the start date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
-.IP "\fB\-enddate date\fR" 4
+.IP "\fB\-enddate\fR \fIdate\fR" 4
.IX Item "-enddate date"
This allows the expiry date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
-.IP "\fB\-days arg\fR" 4
+.IP "\fB\-days\fR \fIarg\fR" 4
.IX Item "-days arg"
The number of days to certify the certificate for.
-.IP "\fB\-md alg\fR" 4
+.IP "\fB\-md\fR \fIalg\fR" 4
.IX Item "-md alg"
The message digest to use.
-Any digest supported by the OpenSSL \fBdgst\fR command can be used. For signing
+Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
-.IP "\fB\-policy arg\fR" 4
+.IP "\fB\-policy\fR \fIarg\fR" 4
.IX Item "-policy arg"
This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
the configuration file which decides which fields should be mandatory
@@ -311,8 +353,8 @@ or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR sec
for more information.
.IP "\fB\-msie_hack\fR" 4
.IX Item "-msie_hack"
-This is a deprecated option to make \fBca\fR work with very old versions of
-the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
+This is a deprecated option to make this command work with very old versions
+of the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged.
.IP "\fB\-preserveDN\fR" 4
@@ -334,33 +376,34 @@ used in the configuration file to enable this behaviour.
.IX Item "-batch"
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
-.IP "\fB\-extensions section\fR" 4
+.IP "\fB\-extensions\fR \fIsection\fR" 4
.IX Item "-extensions section"
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to \fBx509_extensions\fR
-unless the \fB\-extfile\fR option is used). If no extension section is
-present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created. See the
-\&\fBx509v3_config\fR\|(5) manual page for details of the
+unless the \fB\-extfile\fR option is used).
+If no X.509 extensions are specified then a V1 certificate is created,
+else a V3 certificate is created.
+See the \fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
-.IP "\fB\-extfile file\fR" 4
+.IP "\fB\-extfile\fR \fIfile\fR" 4
.IX Item "-extfile file"
An additional configuration file to read certificate extensions from
(using the default section unless the \fB\-extensions\fR option is also
used).
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-subj arg\fR" 4
+.IP "\fB\-subj\fR \fIarg\fR" 4
.IX Item "-subj arg"
Supersedes subject name given in the request.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
-Keyword characters may be escaped by \e (backslash), and whitespace is retained.
+.Sp
+The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
+Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+.Sp
+\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.IP "\fB\-utf8\fR" 4
.IX Item "-utf8"
This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
@@ -380,72 +423,87 @@ Generate a large random number to use as the serial number.
This overrides any option or configuration to use a serial number file.
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
-This option causes the \-subj argument to be interpreted with full
-support for multivalued RDNs. Example:
-.Sp
-\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR
-.Sp
-If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
+This option has been deprecated and has no effect.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "CRL OPTIONS"
.IX Header "CRL OPTIONS"
.IP "\fB\-gencrl\fR" 4
.IX Item "-gencrl"
This option generates a \s-1CRL\s0 based on information in the index file.
-.IP "\fB\-crldays num\fR" 4
+.IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
+.IX Item "-crl_lastupdate time"
+Allows the value of the \s-1CRL\s0's lastUpdate field to be explicitly set; if
+this option is not present, the current time is used. Accepts times in
+\&\s-1YYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 UTCTime structure) or
+\&\s-1YYYYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 GeneralizedTime structure).
+.IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
+.IX Item "-crl_nextupdate time"
+Allows the value of the \s-1CRL\s0's nextUpdate field to be explicitly set; if
+this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
+and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
+\&\fB\-crl_lastupdate\fR.
+.IP "\fB\-crldays\fR \fInum\fR" 4
.IX Item "-crldays num"
The number of days before the next \s-1CRL\s0 is due. That is the days from
now to place in the \s-1CRL\s0 nextUpdate field.
-.IP "\fB\-crlhours num\fR" 4
+.IP "\fB\-crlhours\fR \fInum\fR" 4
.IX Item "-crlhours num"
The number of hours before the next \s-1CRL\s0 is due.
-.IP "\fB\-revoke filename\fR" 4
+.IP "\fB\-crlsec\fR \fInum\fR" 4
+.IX Item "-crlsec num"
+The number of seconds before the next \s-1CRL\s0 is due.
+.IP "\fB\-revoke\fR \fIfilename\fR" 4
.IX Item "-revoke filename"
A filename containing a certificate to revoke.
-.IP "\fB\-valid filename\fR" 4
+.IP "\fB\-valid\fR \fIfilename\fR" 4
.IX Item "-valid filename"
A filename containing a certificate to add a Valid certificate entry.
-.IP "\fB\-status serial\fR" 4
+.IP "\fB\-status\fR \fIserial\fR" 4
.IX Item "-status serial"
Displays the revocation status of the certificate with the specified
serial number and exits.
.IP "\fB\-updatedb\fR" 4
.IX Item "-updatedb"
Updates the database index to purge expired certificates.
-.IP "\fB\-crl_reason reason\fR" 4
+.IP "\fB\-crl_reason\fR \fIreason\fR" 4
.IX Item "-crl_reason reason"
-Revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
+Revocation reason, where \fIreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
-\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case
+\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fIreason\fR is case
insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
.Sp
In practice \fBremoveFromCRL\fR is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
-.IP "\fB\-crl_hold instruction\fR" 4
+.IP "\fB\-crl_hold\fR \fIinstruction\fR" 4
.IX Item "-crl_hold instruction"
This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
-instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
+instruction to \fIinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
-.IP "\fB\-crl_compromise time\fR" 4
+.IP "\fB\-crl_compromise\fR \fItime\fR" 4
.IX Item "-crl_compromise time"
This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
-\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
-.IP "\fB\-crl_CA_compromise time\fR" 4
+\&\fItime\fR. \fItime\fR should be in GeneralizedTime format that is \fI\s-1YYYYMMDDHHMMSSZ\s0\fR.
+.IP "\fB\-crl_CA_compromise\fR \fItime\fR" 4
.IX Item "-crl_CA_compromise time"
This is the same as \fBcrl_compromise\fR except the revocation reason is set to
\&\fBCACompromise\fR.
-.IP "\fB\-crlexts section\fR" 4
+.IP "\fB\-crlexts\fR \fIsection\fR" 4
.IX Item "-crlexts section"
The section of the configuration file containing \s-1CRL\s0 extensions to
include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
@@ -457,7 +515,7 @@ that some software (for example Netscape) can't handle V2 CRLs. See
extension section format.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
-The section of the configuration file containing options for \fBca\fR
+The section of the configuration file containing options for this command
is found as follows: If the \fB\-name\fR command line option is used,
then it names the section to be used. Otherwise the section to
be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
@@ -480,8 +538,8 @@ any) used.
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
-object identifier followed by white space then the short name followed
-by white space and finally the long name.
+object identifier followed by whitespace then the short name followed
+by whitespace and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
@@ -503,7 +561,8 @@ Same as the \fB\-keyfile\fR option. The file containing the
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
+not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.
.IP "\fBdefault_days\fR" 4
.IX Item "default_days"
The same as the \fB\-days\fR option. The number of days to certify
@@ -554,10 +613,10 @@ will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid \s-1CRL\s0 number.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
-The same as \fB\-extensions\fR.
+A fallback to the \fB\-extensions\fR option.
.IP "\fBcrl_extensions\fR" 4
.IX Item "crl_extensions"
-The same as \fB\-crlexts\fR.
+A fallback to the \fB\-crlexts\fR option.
.IP "\fBpreserve\fR" 4
.IX Item "preserve"
The same as \fB\-preserveDN\fR
@@ -616,7 +675,7 @@ this can be regarded more of a quirk than intended behaviour.
The input to the \fB\-spkac\fR command line option is a Netscape
signed public key and challenge. This will usually come from
the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
-It is however possible to create SPKACs using the \fBspkac\fR utility.
+It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
.PP
The file should contain the variable \s-1SPKAC\s0 set to the value of
the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
@@ -628,18 +687,18 @@ flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
flag is used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-Note: these examples assume that the \fBca\fR directory structure is
-already set up and the relevant files already exist. This usually
-involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a
-serial number file and an empty index file and placing them in
-the relevant directories.
-.PP
-To use the sample configuration file below the directories demoCA,
-demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0
-certificate would be copied to demoCA/cacert.pem and its private
-key to demoCA/private/cakey.pem. A file demoCA/serial would be
+Note: these examples assume that the directory structure this command
+assumes is already set up and the relevant files already exist. This
+usually involves creating a \s-1CA\s0 certificate and private key with
+\&\fBopenssl\-req\fR\|(1), a serial number file and an empty index file and
+placing them in the relevant directories.
+.PP
+To use the sample configuration file below the directories \fIdemoCA\fR,
+\&\fIdemoCA/private\fR and \fIdemoCA/newcerts\fR would be created. The \s-1CA\s0
+certificate would be copied to \fIdemoCA/cacert.pem\fR and its private
+key to \fIdemoCA/private/cakey.pem\fR. A file \fIdemoCA/serial\fR would be
created containing for example \*(L"01\*(R" and the empty index file
-demoCA/index.txt.
+\&\fIdemoCA/index.txt\fR.
.PP
Sign a certificate request:
.PP
@@ -647,6 +706,14 @@ Sign a certificate request:
\& openssl ca \-in req.pem \-out newcert.pem
.Ve
.PP
+Sign an \s-1SM2\s0 certificate request:
+.PP
+.Vb 3
+\& openssl ca \-in sm2.csr \-out sm2.crt \-md sm3 \e
+\& \-sigopt "distid:1234567812345678" \e
+\& \-vfyopt "distid:1234567812345678"
+.Ve
+.PP
Sign a certificate request, using \s-1CA\s0 extensions:
.PP
.Vb 1
@@ -681,7 +748,7 @@ A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity
\& 1.OU=Another Group
.Ve
.PP
-A sample configuration file with the relevant sections for \fBca\fR:
+A sample configuration file with the relevant sections for this command:
.PP
.Vb 2
\& [ ca ]
@@ -697,7 +764,6 @@ A sample configuration file with the relevant sections for \fBca\fR:
\& serial = $dir/serial # serial no file
\& #rand_serial = yes # for random serial#\*(Aqs
\& private_key = $dir/private/cakey.pem# CA private key
-\& RANDFILE = $dir/private/.rand # random number file
\&
\& default_days = 365 # how long to certify for
\& default_crl_days= 30 # how long before next CRL
@@ -724,8 +790,8 @@ Note: the location of all files can change either by compile time options,
configuration file entries, environment variables or command line options.
The values below reflect the default values.
.PP
-.Vb 10
-\& /usr/local/ssl/lib/openssl.cnf \- master configuration file
+.Vb 9
+\& /etc/ssl/openssl.cnf \- master configuration file
\& ./demoCA \- main CA directory
\& ./demoCA/cacert.pem \- CA certificate
\& ./demoCA/private/cakey.pem \- CA private key
@@ -734,7 +800,6 @@ The values below reflect the default values.
\& ./demoCA/index.txt \- CA text database file
\& ./demoCA/index.txt.old \- CA text database backup file
\& ./demoCA/certs \- certificate output file
-\& ./demoCA/.rnd \- CA random seed information
.Ve
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
@@ -749,13 +814,15 @@ Although several requests can be input and handled at once it is only
possible to include one \s-1SPKAC\s0 or self-signed certificate.
.SH "BUGS"
.IX Header "BUGS"
+This command is quirky and at times downright unfriendly.
+.PP
The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
.PP
-The \fBca\fR command really needs rewriting or the required functionality
-exposed at either a command or interface level so a more friendly utility
-(perl script or \s-1GUI\s0) can handle things properly. The script
+This command really needs rewriting or the required functionality
+exposed at either a command or interface level so that a more user-friendly
+replacement could handle things properly. The script
\&\fB\s-1CA\s0.pl\fR helps a little but not very much.
.PP
Any fields in a request that are not present in a policy are silently
@@ -769,15 +836,18 @@ Canceling some commands by refusing to certify a certificate can
create an empty file.
.SH "WARNINGS"
.IX Header "WARNINGS"
-The \fBca\fR command is quirky and at times downright unfriendly.
-.PP
-The \fBca\fR utility was originally meant as an example of how to do things
-in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself:
-nevertheless some people are using it for this purpose.
-.PP
-The \fBca\fR command is effectively a single user command: no locking is
-done on the various files and attempts to run more than one \fBca\fR command
-on the same database can have unpredictable results.
+This command was originally meant as an example of how to do things in a \s-1CA.\s0
+Its code does not have production quality.
+It was not supposed to be used as a full blown \s-1CA\s0 itself,
+nevertheless some people are using it for this purpose at least internally.
+When doing so, specific care should be taken to
+properly secure the private key(s) used for signing certificates.
+It is advisable to keep them in a secure \s-1HW\s0 storage such as a smart card or \s-1HSM\s0
+and access them via a suitable engine or crypto provider.
+.PP
+This command command is effectively a single user command: no locking
+is done on the various files and attempts to run more than one \fBopenssl ca\fR
+command on the same database can have unpredictable results.
.PP
The \fBcopy_extensions\fR option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
@@ -785,7 +855,6 @@ request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
this when the certificate is displayed then this will hand the requester
a valid \s-1CA\s0 certificate.
-.PP
This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
Then if the request contains a basicConstraints extension it will be
@@ -806,18 +875,37 @@ then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
.IX Header "HISTORY"
Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically,
certificate validity period (specified by any of \fB\-startdate\fR,
-\&\fB\-enddate\fR and \fB\-days\fR) will be encoded as UTCTime if the dates are
+\&\fB\-enddate\fR and \fB\-days\fR) and \s-1CRL\s0 last/next update time (specified by
+any of \fB\-crl_lastupdate\fR, \fB\-crl_nextupdate\fR, \fB\-crldays\fR, \fB\-crlhours\fR
+and \fB\-crlsec\fR) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
+.PP
+OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+.PP
+The \fB\-section\fR option was added in OpenSSL 3.0.0.
+.PP
+The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBreq\fR\|(1), \fBspkac\fR\|(1), \fBx509\fR\|(1), \s-1\fBCA\s0.pl\fR\|(1),
-\&\fBconfig\fR\|(5), \fBx509v3_config\fR\|(5)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-spkac\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\s-1\fBCA\s0.pl\fR\|(1),
+\&\fBconfig\fR\|(5),
+\&\fBx509v3_config\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/openssl-ciphers.1
index c5fa7ea97859..0e79ff8190e4 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/openssl-ciphers.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,14 +130,14 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-CIPHERS 1ossl"
+.TH OPENSSL-CIPHERS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ciphers, ciphers \- SSL cipher display and cipher list tool
+openssl\-ciphers \- SSL cipher display and cipher list command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBciphers\fR
@@ -156,19 +154,31 @@ openssl\-ciphers, ciphers \- SSL cipher display and cipher list tool
[\fB\-psk\fR]
[\fB\-srp\fR]
[\fB\-stdname\fR]
-[\fB\-convert name\fR]
-[\fB\-ciphersuites val\fR]
-[\fBcipherlist\fR]
+[\fB\-convert\fR \fIname\fR]
+[\fB\-ciphersuites\fR \fIval\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIcipherlist\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered
-\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine
-the appropriate cipherlist.
+This command converts textual OpenSSL cipher lists into
+ordered \s-1SSL\s0 cipher preference lists. It can be used to
+determine the appropriate cipherlist.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-s\fR" 4
.IX Item "-s"
Only list supported ciphers: those consistent with the security level, and
@@ -190,7 +200,8 @@ listed.
When combined with \fB\-s\fR includes cipher suites which require \s-1PSK.\s0
.IP "\fB\-srp\fR" 4
.IX Item "-srp"
-When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0
+When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0 This option
+is deprecated.
.IP "\fB\-v\fR" 4
.IX Item "-v"
Verbose output: For each cipher suite, list details as provided by
@@ -207,10 +218,10 @@ OpenSSL was built.
.IP "\fB\-stdname\fR" 4
.IX Item "-stdname"
Precede each cipher suite by its standard name.
-.IP "\fB\-convert name\fR" 4
+.IP "\fB\-convert\fR \fIname\fR" 4
.IX Item "-convert name"
-Convert a standard cipher \fBname\fR to its OpenSSL name.
-.IP "\fB\-ciphersuites val\fR" 4
+Convert a standard cipher \fIname\fR to its OpenSSL name.
+.IP "\fB\-ciphersuites\fR \fIval\fR" 4
.IX Item "-ciphersuites val"
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
TLSv1.2 and below ciphersuites that have been configured. The format for this
@@ -266,9 +277,9 @@ will not moved to the end of the list.
The cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
.PP
-The cipher string \fB\f(CB@SECLEVEL\fB=n\fR can be used at any point to set the security
-level to \fBn\fR, which should be a number between zero and five, inclusive.
-See SSL_CTX_set_security_level for a description of what each level means.
+The cipher string \fB\f(CB@SECLEVEL\fB\fR=\fIn\fR can be used at any point to set the security
+level to \fIn\fR, which should be a number between zero and five, inclusive.
+See \fBSSL_CTX_set_security_level\fR\|(3) for a description of what each level means.
.PP
The cipher list can be prefixed with the \fB\s-1DEFAULT\s0\fR keyword, which enables
the default cipher list as defined below. Unlike cipher strings,
@@ -470,6 +481,12 @@ In particular the supported signature algorithms is reduced to support only
used and only the two suite B compliant cipher suites
(\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and \s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are
permissible.
+.IP "\fB\s-1CBC\s0\fR" 4
+.IX Item "CBC"
+All cipher suites using encryption algorithm in Cipher Block Chaining (\s-1CBC\s0)
+mode. These cipher suites are only supported in \s-1TLS\s0 v1.2 and earlier. Currently
+it's an alias for the following cipherstrings: \fB\s-1SSL_DES\s0\fR, \fB\s-1SSL_3DES\s0\fR, \fB\s-1SSL_RC2\s0\fR,
+\&\fB\s-1SSL_IDEA\s0\fR, \fB\s-1SSL_AES128\s0\fR, \fB\s-1SSL_AES256\s0\fR, \fB\s-1SSL_CAMELLIA128\s0\fR, \fB\s-1SSL_CAMELLIA256\s0\fR, \fB\s-1SSL_SEED\s0\fR.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
@@ -570,7 +587,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
.SS "\s-1GOST\s0 cipher suites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0"
.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
-algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distribution.
+algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
+distribution.
.PP
.Vb 4
\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89
@@ -578,6 +596,19 @@ algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distributio
\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94
\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
.Ve
+.SS "\s-1GOST\s0 cipher suites, extending \s-1TLS\s0 v1.2"
+.IX Subsection "GOST cipher suites, extending TLS v1.2"
+Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
+algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
+distribution.
+.PP
+.Vb 2
+\& TLS_GOSTR341112_256_WITH_28147_CNT_IMIT GOST2012\-GOST8912\-GOST8912
+\& TLS_GOSTR341112_256_WITH_NULL_GOSTR3411 GOST2012\-NULL\-GOST12
+.Ve
+.PP
+Note: \s-1GOST2012\-GOST8912\-GOST8912\s0 is an alias for two ciphers \s-1ID\s0
+old \s-1LEGACY\-GOST2012\-GOST8912\-GOST8912\s0 and new \s-1IANA\-GOST2012\-GOST8912\-GOST8912\s0
.SS "Additional Export 1024 and other cipher suites"
.IX Subsection "Additional Export 1024 and other cipher suites"
Note: these ciphers can also be used in \s-1SSL\s0 v3.
@@ -585,8 +616,8 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
.Vb 1
\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA
.Ve
-.SS "Elliptic curve cipher suites."
-.IX Subsection "Elliptic curve cipher suites."
+.SS "Elliptic curve cipher suites"
+.IX Subsection "Elliptic curve cipher suites"
.Vb 5
\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA
\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
@@ -849,10 +880,13 @@ Set security level to 2 and display all ciphers consistent with level 2:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBs_client\fR\|(1), \fBs_server\fR\|(1), \fBssl\fR\|(7)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
-The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0.
+The \fB\-V\fR option was added in OpenSSL 1.0.0.
.PP
The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled
(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1.
@@ -860,9 +894,9 @@ The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled
The \fB\-convert\fR option was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-cmds.1 b/secure/usr.bin/openssl/man/openssl-cmds.1
new file mode 100644
index 000000000000..2f5b955394cf
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-cmds.1
@@ -0,0 +1,275 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-CMDS 1ossl"
+.TH OPENSSL-CMDS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+asn1parse,
+ca,
+ciphers,
+cmp,
+cms,
+crl,
+crl2pkcs7,
+dgst,
+dhparam,
+dsa,
+dsaparam,
+ec,
+ecparam,
+enc,
+engine,
+errstr,
+gendsa,
+genpkey,
+genrsa,
+info,
+kdf,
+mac,
+nseq,
+ocsp,
+passwd,
+pkcs12,
+pkcs7,
+pkcs8,
+pkey,
+pkeyparam,
+pkeyutl,
+prime,
+rand,
+rehash,
+req,
+rsa,
+rsautl,
+s_client,
+s_server,
+s_time,
+sess_id,
+smime,
+speed,
+spkac,
+srp,
+storeutl,
+ts,
+verify,
+version,
+x509
+\&\- OpenSSL application commands
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fIcmd\fR \fB\-help\fR | [\fI\-option\fR | \fI\-option\fR \fIarg\fR] ... [\fIarg\fR] ...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+Every \fIcmd\fR listed above is a (sub\-)command of the \fBopenssl\fR\|(1) application.
+It has its own detailed manual page at \fBopenssl\-\f(BIcmd\fB\fR(1). For example, to
+view the manual page for the \fBopenssl dgst\fR command, type \f(CW\*(C`man openssl\-dgst\*(C'\fR.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+Among others, every subcommand has a help option.
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message for the subcommand.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-asn1parse\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBopenssl\-cmp\fR\|(1),
+\&\fBopenssl\-cms\fR\|(1),
+\&\fBopenssl\-crl\fR\|(1),
+\&\fBopenssl\-crl2pkcs7\fR\|(1),
+\&\fBopenssl\-dgst\fR\|(1),
+\&\fBopenssl\-dhparam\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1),
+\&\fBopenssl\-ec\fR\|(1),
+\&\fBopenssl\-ecparam\fR\|(1),
+\&\fBopenssl\-enc\fR\|(1),
+\&\fBopenssl\-engine\fR\|(1),
+\&\fBopenssl\-errstr\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-info\fR\|(1),
+\&\fBopenssl\-kdf\fR\|(1),
+\&\fBopenssl\-mac\fR\|(1),
+\&\fBopenssl\-nseq\fR\|(1),
+\&\fBopenssl\-ocsp\fR\|(1),
+\&\fBopenssl\-passwd\fR\|(1),
+\&\fBopenssl\-pkcs12\fR\|(1),
+\&\fBopenssl\-pkcs7\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-pkeyparam\fR\|(1),
+\&\fBopenssl\-pkeyutl\fR\|(1),
+\&\fBopenssl\-prime\fR\|(1),
+\&\fBopenssl\-rand\fR\|(1),
+\&\fBopenssl\-rehash\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-rsautl\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-s_time\fR\|(1),
+\&\fBopenssl\-sess_id\fR\|(1),
+\&\fBopenssl\-smime\fR\|(1),
+\&\fBopenssl\-speed\fR\|(1),
+\&\fBopenssl\-spkac\fR\|(1),
+\&\fBopenssl\-srp\fR\|(1),
+\&\fBopenssl\-storeutl\fR\|(1),
+\&\fBopenssl\-ts\fR\|(1),
+\&\fBopenssl\-verify\fR\|(1),
+\&\fBopenssl\-version\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+.SH "HISTORY"
+.IX Header "HISTORY"
+Initially, the manual page entry for the \f(CW\*(C`openssl \f(CIcmd\f(CW\*(C'\fR command used
+to be available at \fIcmd\fR(1). Later, the alias \fBopenssl\-\f(BIcmd\fB\fR(1) was
+introduced, which made it easier to group the openssl commands using
+the \fBapropos\fR\|(1) command or the shell's tab completion.
+.PP
+In order to reduce cluttering of the global manual page namespace,
+the manual page entries without the 'openssl\-' prefix have been
+deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-cmp.1 b/secure/usr.bin/openssl/man/openssl-cmp.1
new file mode 100644
index 000000000000..007b011c4401
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-cmp.1
@@ -0,0 +1,1355 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-CMP 1ossl"
+.TH OPENSSL-CMP 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBcmp\fR
+[\fB\-help\fR]
+[\fB\-config\fR \fIfilename\fR]
+[\fB\-section\fR \fInames\fR]
+[\fB\-verbosity\fR \fIlevel\fR]
+.PP
+Generic message options:
+.PP
+[\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR]
+[\fB\-infotype\fR \fIname\fR]
+[\fB\-geninfo\fR \fIOID:int:N\fR]
+.PP
+Certificate enrollment options:
+.PP
+[\fB\-newkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-newkeypass\fR \fIarg\fR]
+[\fB\-subject\fR \fIname\fR]
+[\fB\-issuer\fR \fIname\fR]
+[\fB\-days\fR \fInumber\fR]
+[\fB\-reqexts\fR \fIname\fR]
+[\fB\-sans\fR \fIspec\fR]
+[\fB\-san_nodefault\fR]
+[\fB\-policies\fR \fIname\fR]
+[\fB\-policy_oids\fR \fInames\fR]
+[\fB\-policy_oids_critical\fR]
+[\fB\-popo\fR \fInumber\fR]
+[\fB\-csr\fR \fIfilename\fR]
+[\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-implicit_confirm\fR]
+[\fB\-disable_confirm\fR]
+[\fB\-certout\fR \fIfilename\fR]
+[\fB\-chainout\fR \fIfilename\fR]
+.PP
+Certificate enrollment and revocation options:
+.PP
+[\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-revreason\fR \fInumber\fR]
+.PP
+Message transfer options:
+.PP
+[\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
+[\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
+[\fB\-no_proxy\fR \fIaddresses\fR]
+[\fB\-recipient\fR \fIname\fR]
+[\fB\-path\fR \fIremote_path\fR]
+[\fB\-keep_alive\fR \fIvalue\fR]
+[\fB\-msg_timeout\fR \fIseconds\fR]
+[\fB\-total_timeout\fR \fIseconds\fR]
+.PP
+Server authentication options:
+.PP
+[\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-expect_sender\fR \fIname\fR]
+[\fB\-ignore_keyusage\fR]
+[\fB\-unprotected_errors\fR]
+[\fB\-extracertsout\fR \fIfilename\fR]
+[\fB\-cacertsout\fR \fIfilename\fR]
+.PP
+Client authentication and protection options:
+.PP
+[\fB\-ref\fR \fIvalue\fR]
+[\fB\-secret\fR \fIarg\fR]
+[\fB\-cert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keypass\fR \fIarg\fR]
+[\fB\-digest\fR \fIname\fR]
+[\fB\-mac\fR \fIname\fR]
+[\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-unprotected_requests\fR]
+.PP
+Credentials format options:
+.PP
+[\fB\-certform\fR \fIPEM|DER\fR]
+[\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR]
+[\fB\-otherpass\fR \fIarg\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+.PP
+Random state options:
+.PP
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+.PP
+\&\s-1TLS\s0 connection options:
+.PP
+[\fB\-tls_used\fR]
+[\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-tls_keypass\fR \fIarg\fR]
+[\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-tls_host\fR \fIname\fR]
+.PP
+Client-side debugging options:
+.PP
+[\fB\-batch\fR]
+[\fB\-repeat\fR \fInumber\fR]
+[\fB\-reqin\fR \fIfilenames\fR]
+[\fB\-reqin_new_tid\fR]
+[\fB\-reqout\fR \fIfilenames\fR]
+[\fB\-rspin\fR \fIfilenames\fR]
+[\fB\-rspout\fR \fIfilenames\fR]
+[\fB\-use_mock_srv\fR]
+.PP
+Mock server options:
+.PP
+[\fB\-port\fR \fInumber\fR]
+[\fB\-max_msgs\fR \fInumber\fR]
+[\fB\-srv_ref\fR \fIvalue\fR]
+[\fB\-srv_secret\fR \fIarg\fR]
+[\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-srv_keypass\fR \fIarg\fR]
+[\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-poll_count\fR \fInumber\fR]
+[\fB\-check_after\fR \fInumber\fR]
+[\fB\-grant_implicitconf\fR]
+[\fB\-pkistatus\fR \fInumber\fR]
+[\fB\-failure\fR \fInumber\fR]
+[\fB\-failurebits\fR \fInumber\fR]
+[\fB\-statusstring\fR \fIarg\fR]
+[\fB\-send_error\fR]
+[\fB\-send_unprotected\fR]
+[\fB\-send_unprot_err\fR]
+[\fB\-accept_unprotected\fR]
+[\fB\-accept_unprot_err\fR]
+[\fB\-accept_raverified\fR]
+.PP
+Certificate verification options, for both \s-1CMP\s0 and \s-1TLS:\s0
+.PP
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBcmp\fR command is a client implementation for the Certificate
+Management Protocol (\s-1CMP\s0) as defined in \s-1RFC4210.\s0
+It can be used to request certificates from a \s-1CA\s0 server,
+update their certificates,
+request certificates to be revoked, and perform other types of \s-1CMP\s0 requests.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Display a summary of all options
+.IP "\fB\-config\fR \fIfilename\fR" 4
+.IX Item "-config filename"
+Configuration file to use.
+An empty string \f(CW""\fR means none.
+Default filename is from the environment variable \f(CW\*(C`OPENSSL_CONF\*(C'\fR.
+.IP "\fB\-section\fR \fInames\fR" 4
+.IX Item "-section names"
+Section(s) to use within config file defining \s-1CMP\s0 options.
+An empty string \f(CW""\fR means no specific section.
+Default is \f(CW\*(C`cmp\*(C'\fR.
+.Sp
+Multiple section names may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Contents of sections named later may override contents of sections named before.
+In any case, as usual, the \f(CW\*(C`[default]\*(C'\fR section and finally the unnamed
+section (as far as present) can provide per-option fallback values.
+.IP "\fB\-verbosity\fR \fIlevel\fR" 4
+.IX Item "-verbosity level"
+Level of verbosity for logging, error output, etc.
+0 = \s-1EMERG, 1\s0 = \s-1ALERT, 2\s0 = \s-1CRIT, 3\s0 = \s-1ERR, 4\s0 = \s-1WARN, 5\s0 = \s-1NOTE,
+6\s0 = \s-1INFO, 7\s0 = \s-1DEBUG, 8\s0 = \s-1TRACE.\s0
+Defaults to 6 = \s-1INFO.\s0
+.SS "Generic message options"
+.IX Subsection "Generic message options"
+.IP "\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR" 4
+.IX Item "-cmd ir|cr|kur|p10cr|rr|genm"
+\&\s-1CMP\s0 command to execute.
+Currently implemented commands are:
+.RS 4
+.IP "ir \ \- Initialization Request" 8
+.IX Item "ir - Initialization Request"
+.PD 0
+.IP "cr \ \- Certificate Request" 8
+.IX Item "cr - Certificate Request"
+.IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8
+.IX Item "p10cr - PKCS#10 Certification Request (for legacy support)"
+.IP "kur \ \ \- Key Update Request" 8
+.IX Item "kur - Key Update Request"
+.IP "rr \ \- Revocation Request" 8
+.IX Item "rr - Revocation Request"
+.IP "genm \- General Message" 8
+.IX Item "genm - General Message"
+.RE
+.RS 4
+.PD
+.Sp
+\&\fBir\fR requests initialization of an end entity into a \s-1PKI\s0 hierarchy
+by issuing a first certificate.
+.Sp
+\&\fBcr\fR requests issuing an additional certificate for an end entity already
+initialized to the \s-1PKI\s0 hierarchy.
+.Sp
+\&\fBp10cr\fR requests issuing an additional certificate similarly to \fBcr\fR
+but using legacy PKCS#10 \s-1CSR\s0 format.
+.Sp
+\&\fBkur\fR requests a (key) update for an existing certificate.
+.Sp
+\&\fBrr\fR requests revocation of an existing certificate.
+.Sp
+\&\fBgenm\fR requests information using a General Message, where optionally
+included \fBInfoTypeAndValue\fRs may be used to state which info is of interest.
+Upon receipt of the General Response, information about all received
+\&\s-1ITAV\s0 \fBinfoType\fRs is printed to stdout.
+.RE
+.IP "\fB\-infotype\fR \fIname\fR" 4
+.IX Item "-infotype name"
+Set InfoType name to use for requesting specific info in \fBgenm\fR,
+e.g., \f(CW\*(C`signKeyPairTypes\*(C'\fR.
+.IP "\fB\-geninfo\fR \fIOID:int:N\fR" 4
+.IX Item "-geninfo OID:int:N"
+generalInfo integer values to place in request PKIHeader with given \s-1OID,\s0
+e.g., \f(CW\*(C`1.2.3.4:int:56789\*(C'\fR.
+.SS "Certificate enrollment options"
+.IX Subsection "Certificate enrollment options"
+.IP "\fB\-newkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-newkey filename|uri"
+The source of the private or public key for the certificate being requested.
+Defaults to the public key in the PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option,
+the public key of the reference certificate, or the current client key.
+.Sp
+The public portion of the key is placed in the certification request.
+.Sp
+Unless \fB\-cmd\fR \fIp10cr\fR, \fB\-popo\fR \fI\-1\fR, or \fB\-popo\fR \fI0\fR is given, the
+private key will be needed as well to provide the proof of possession (\s-1POPO\s0),
+where the \fB\-key\fR option may provide a fallback.
+.IP "\fB\-newkeypass\fR \fIarg\fR" 4
+.IX Item "-newkeypass arg"
+Pass phrase source for the key given with the \fB\-newkey\fR option.
+If not given here, the password will be prompted for if needed.
+.Sp
+For more information about the format of \fIarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-subject\fR \fIname\fR" 4
+.IX Item "-subject name"
+X509 Distinguished Name (\s-1DN\s0) of subject to use in the requested certificate
+template.
+If the NULL-DN (\f(CW"/"\fR) is given then no subject is placed in the template.
+Default is the subject \s-1DN\s0 of any PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option.
+For \s-1KUR,\s0 a further fallback is the subject \s-1DN\s0
+of the reference certificate (see \fB\-oldcert\fR) if provided.
+This fallback is used for \s-1IR\s0 and \s-1CR\s0 only if no SANs are set.
+.Sp
+If provided and neither \fB\-cert\fR nor \fB\-oldcert\fR is given,
+the subject \s-1DN\s0 is used as fallback sender of outgoing \s-1CMP\s0 messages.
+.Sp
+The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
+Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash); whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included.
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+.Sp
+\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
+.IP "\fB\-issuer\fR \fIname\fR" 4
+.IX Item "-issuer name"
+X509 issuer Distinguished Name (\s-1DN\s0) of the \s-1CA\s0 server
+to place in the requested certificate template in \s-1IR/CR/KUR.\s0
+If the NULL-DN (\f(CW"/"\fR) is given then no issuer is placed in the template.
+.Sp
+If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
+the issuer \s-1DN\s0 is used as fallback recipient of outgoing \s-1CMP\s0 messages.
+.Sp
+The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
+For details see the description of the \fB\-subject\fR option.
+.IP "\fB\-days\fR \fInumber\fR" 4
+.IX Item "-days number"
+Number of days the new certificate is requested to be valid for, counting from
+the current time of the host.
+Also triggers the explicit request that the
+validity period starts from the current time (as seen by the host).
+.IP "\fB\-reqexts\fR \fIname\fR" 4
+.IX Item "-reqexts name"
+Name of section in OpenSSL config file defining certificate request extensions.
+If the \fB\-csr\fR option is present, these extensions augment the extensions
+contained the given PKCS#10 \s-1CSR,\s0 overriding any extensions with same OIDs.
+.IP "\fB\-sans\fR \fIspec\fR" 4
+.IX Item "-sans spec"
+One or more \s-1IP\s0 addresses, \s-1DNS\s0 names, or URIs separated by commas or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R")
+to add as Subject Alternative Name(s) (\s-1SAN\s0) certificate request extension.
+If the special element \*(L"critical\*(R" is given the SANs are flagged as critical.
+Cannot be used if any Subject Alternative Name extension is set via \fB\-reqexts\fR.
+.IP "\fB\-san_nodefault\fR" 4
+.IX Item "-san_nodefault"
+When Subject Alternative Names are not given via \fB\-sans\fR
+nor defined via \fB\-reqexts\fR,
+they are copied by default from the reference certificate (see \fB\-oldcert\fR).
+This can be disabled by giving the \fB\-san_nodefault\fR option.
+.IP "\fB\-policies\fR \fIname\fR" 4
+.IX Item "-policies name"
+Name of section in OpenSSL config file defining policies to be set
+as certificate request extension.
+This option cannot be used together with \fB\-policy_oids\fR.
+.IP "\fB\-policy_oids\fR \fInames\fR" 4
+.IX Item "-policy_oids names"
+One or more \s-1OID\s0(s), separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R")
+to add as certificate policies request extension.
+This option cannot be used together with \fB\-policies\fR.
+.IP "\fB\-policy_oids_critical\fR" 4
+.IX Item "-policy_oids_critical"
+Flag the policies given with \fB\-policy_oids\fR as critical.
+.IP "\fB\-popo\fR \fInumber\fR" 4
+.IX Item "-popo number"
+Proof-of-possession (\s-1POPO\s0) method to use for \s-1IR/CR/KUR\s0; values: \f(CW\*(C`\-1\*(C'\fR..<2> where
+\&\f(CW\*(C`\-1\*(C'\fR = \s-1NONE,\s0 \f(CW0\fR = \s-1RAVERIFIED,\s0 \f(CW1\fR = \s-1SIGNATURE\s0 (default), \f(CW2\fR = \s-1KEYENC.\s0
+.Sp
+Note that a signature-based \s-1POPO\s0 can only be produced if a private key
+is provided via the \fB\-newkey\fR or \fB\-key\fR options.
+.IP "\fB\-csr\fR \fIfilename\fR" 4
+.IX Item "-csr filename"
+PKCS#10 \s-1CSR\s0 in \s-1PEM\s0 or \s-1DER\s0 format containing a certificate request.
+With \fB\-cmd\fR \fIp10cr\fR it is used directly in a legacy P10CR message.
+.Sp
+When used with \fB\-cmd\fR \fIir\fR, \fIcr\fR, or \fIkur\fR,
+it is transformed into the respective regular \s-1CMP\s0 request.
+In this case, a private key must be provided (with \fB\-newkey\fR or \fB\-key\fR)
+for the proof of possession (unless \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR is used)
+and the respective public key is placed in the certification request
+(rather than taking over the public key contained in the PKCS#10 \s-1CSR\s0).
+.Sp
+PKCS#10 \s-1CSR\s0 input may also be used with \fB\-cmd\fR \fIrr\fR
+to specify the certificate to be revoked
+via the included subject name and public key.
+.IP "\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-out_trusted filenames|uris"
+Trusted certificate(s) to use for validating the newly enrolled certificate.
+During this verification, any certificate status checking is disabled.
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Each source may contain multiple certificates.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+only affect the certificate verification enabled via this option.
+.IP "\fB\-implicit_confirm\fR" 4
+.IX Item "-implicit_confirm"
+Request implicit confirmation of newly enrolled certificates.
+.IP "\fB\-disable_confirm\fR" 4
+.IX Item "-disable_confirm"
+Do not send certificate confirmation message for newly enrolled certificate
+without requesting implicit confirmation
+to cope with broken servers not supporting implicit confirmation correctly.
+\&\fB\s-1WARNING:\s0\fR This leads to behavior violating \s-1RFC 4210.\s0
+.IP "\fB\-certout\fR \fIfilename\fR" 4
+.IX Item "-certout filename"
+The file where the newly enrolled certificate should be saved.
+.IP "\fB\-chainout\fR \fIfilename\fR" 4
+.IX Item "-chainout filename"
+The file where the chain of the newly enrolled certificate should be saved.
+.SS "Certificate enrollment and revocation options"
+.IX Subsection "Certificate enrollment and revocation options"
+.IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-oldcert filename|uri"
+The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
+(\s-1KUR\s0) messages or to be revoked in Revocation Request (\s-1RR\s0) messages.
+For \s-1KUR\s0 the certificate to be updated defaults to \fB\-cert\fR,
+and the resulting certificate is called \fIreference certificate\fR.
+For \s-1RR\s0 the certificate to be revoked can also be specified using \fB\-csr\fR.
+.Sp
+The reference certificate, if any, is also used for
+deriving default subject \s-1DN\s0 and Subject Alternative Names and the
+default issuer entry in the requested certificate template of an \s-1IR/CR/KUR.\s0
+Its public key is used as a fallback in the template of certification requests.
+Its subject is used as sender of outgoing messages if \fB\-cert\fR is not given.
+Its issuer is used as default recipient in \s-1CMP\s0 message headers
+if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
+.IP "\fB\-revreason\fR \fInumber\fR" 4
+.IX Item "-revreason number"
+Set CRLReason to be included in revocation request (\s-1RR\s0); values: \f(CW0\fR..\f(CW10\fR
+or \f(CW\*(C`\-1\*(C'\fR for none (which is the default).
+.Sp
+Reason numbers defined in \s-1RFC 5280\s0 are:
+.Sp
+.Vb 10
+\& CRLReason ::= ENUMERATED {
+\& unspecified (0),
+\& keyCompromise (1),
+\& cACompromise (2),
+\& affiliationChanged (3),
+\& superseded (4),
+\& cessationOfOperation (5),
+\& certificateHold (6),
+\& \-\- value 7 is not used
+\& removeFromCRL (8),
+\& privilegeWithdrawn (9),
+\& aACompromise (10)
+\& }
+.Ve
+.SS "Message transfer options"
+.IX Subsection "Message transfer options"
+.IP "\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
+.IX Item "-server [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
+The \s-1DNS\s0 hostname or \s-1IP\s0 address and optionally port
+of the \s-1CMP\s0 server to connect to using \s-1HTTP\s0(S).
+This option excludes \fI\-port\fR and \fI\-use_mock_srv\fR.
+It is ignored if \fI\-rspin\fR is given with enough filename arguments.
+.Sp
+The scheme \f(CW\*(C`https\*(C'\fR may be given only if the \fB\-tls_used\fR option is used.
+In this case the default port is 443, else 80.
+The optional userinfo and fragment components are ignored.
+Any given query component is handled as part of the path component.
+If a path is included it provides the default value for the \fB\-path\fR option.
+.IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
+.IX Item "-proxy [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
+The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1CMP\s0 server unless \fB\-no_proxy\fR
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is \f(CW\*(C`https\*(C'\fR; apart from that
+the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that \s-1TLS\s0 may be
+selected by \fB\-tls_used\fR), as well as any path, userinfo, and query, and fragment
+components.
+Defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR
+in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
+This option is ignored if \fI\-server\fR is not given.
+.IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
+.IX Item "-no_proxy addresses"
+List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
+not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Default is from the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR.
+This option is ignored if \fI\-server\fR is not given.
+.IP "\fB\-recipient\fR \fIname\fR" 4
+.IX Item "-recipient name"
+Distinguished Name (\s-1DN\s0) to use in the recipient field of \s-1CMP\s0 request message
+headers, i.e., the \s-1CMP\s0 server (usually the addressed \s-1CA\s0).
+.Sp
+The recipient field in the header of a \s-1CMP\s0 message is mandatory.
+If not given explicitly the recipient is determined in the following order:
+the subject of the \s-1CMP\s0 server certificate given with the \fB\-srvcert\fR option,
+the \fB\-issuer\fR option,
+the issuer of the certificate given with the \fB\-oldcert\fR option,
+the issuer of the \s-1CMP\s0 client certificate (\fB\-cert\fR option),
+as far as any of those is present, else the NULL-DN as last resort.
+.Sp
+The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
+For details see the description of the \fB\-subject\fR option.
+.IP "\fB\-path\fR \fIremote_path\fR" 4
+.IX Item "-path remote_path"
+\&\s-1HTTP\s0 path at the \s-1CMP\s0 server (aka \s-1CMP\s0 alias) to use for \s-1POST\s0 requests.
+Defaults to any path given with \fB\-server\fR, else \f(CW"/"\fR.
+.IP "\fB\-keep_alive\fR \fIvalue\fR" 4
+.IX Item "-keep_alive value"
+If the given value is 0 then \s-1HTTP\s0 connections are not kept open
+after receiving a response, which is the default behavior for \s-1HTTP 1.0.\s0
+If the value is 1 or 2 then persistent connections are requested.
+If the value is 2 then persistent connections are required,
+i.e., in case the server does not grant them an error occurs.
+The default value is 1, which means preferring to keep the connection open.
+.IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
+.IX Item "-msg_timeout seconds"
+Number of seconds a \s-1CMP\s0 request-response message round trip
+is allowed to take before a timeout error is returned.
+A value <= 0 means no limitation (waiting indefinitely).
+Default is to use the \fB\-total_timeout\fR setting.
+.IP "\fB\-total_timeout\fR \fIseconds\fR" 4
+.IX Item "-total_timeout seconds"
+Maximum total number of seconds a transaction may take,
+including polling etc.
+A value <= 0 means no limitation (waiting indefinitely).
+Default is 0.
+.SS "Server authentication options"
+.IX Subsection "Server authentication options"
+.IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-trusted filenames|uris"
+The certificate(s), typically of root CAs, the client shall use as trust anchors
+when validating signature-based protection of \s-1CMP\s0 response messages.
+This option is ignored if the \fB\-srvcert\fR option is given as well.
+It provides more flexibility than \fB\-srvcert\fR because the \s-1CMP\s0 protection
+certificate of the server is not pinned but may be any certificate
+from which a chain to one of the given trust anchors can be constructed.
+.Sp
+If none of \fB\-trusted\fR, \fB\-srvcert\fR, and \fB\-secret\fR is given, message validation
+errors will be thrown unless \fB\-unprotected_errors\fR permits an exception.
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Each source may contain multiple certificates.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+have no effect on the certificate verification enabled via this option.
+.IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-untrusted filenames|uris"
+Non-trusted intermediate \s-1CA\s0 certificate(s).
+Any extra certificates given with the \fB\-cert\fR option are appended to it.
+All these certificates may be useful for cert path construction
+for the own \s-1CMP\s0 signer certificate (to include in the extraCerts field of
+request messages) and for the \s-1TLS\s0 client certificate (if \s-1TLS\s0 is enabled)
+as well as for chain building
+when validating server certificates (checking signature-based
+\&\s-1CMP\s0 message protection) and when validating newly enrolled certificates.
+.Sp
+Multiple filenames or URLs may be given, separated by commas and/or whitespace.
+Each source may contain multiple certificates.
+.IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-srvcert filename|uri"
+The specific \s-1CMP\s0 server certificate to expect and directly trust (even if it is
+expired) when verifying signature-based protection of \s-1CMP\s0 response messages.
+This pins the accepted server and results in ignoring the \fB\-trusted\fR option.
+.Sp
+If set, the subject of the certificate is also used
+as default value for the recipient of \s-1CMP\s0 requests
+and as default value for the expected sender of \s-1CMP\s0 responses.
+.IP "\fB\-expect_sender\fR \fIname\fR" 4
+.IX Item "-expect_sender name"
+Distinguished Name (\s-1DN\s0) expected in the sender field of incoming \s-1CMP\s0 messages.
+Defaults to the subject \s-1DN\s0 of the pinned \fB\-srvcert\fR, if any.
+.Sp
+This can be used to make sure that only a particular entity is accepted as
+\&\s-1CMP\s0 message signer, and attackers are not able to use arbitrary certificates
+of a trusted \s-1PKI\s0 hierarchy to fraudulently pose as a \s-1CMP\s0 server.
+Note that this option gives slightly more freedom than setting the \fB\-srvcert\fR,
+which pins the server to the holder of a particular certificate, while the
+expected sender name will continue to match after updates of the server cert.
+.Sp
+The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
+For details see the description of the \fB\-subject\fR option.
+.IP "\fB\-ignore_keyusage\fR" 4
+.IX Item "-ignore_keyusage"
+Ignore key usage restrictions in \s-1CMP\s0 signer certificates when validating
+signature-based protection of incoming \s-1CMP\s0 messages.
+By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by \s-1CMP\s0 signer certificates.
+.IP "\fB\-unprotected_errors\fR" 4
+.IX Item "-unprotected_errors"
+Accept missing or invalid protection of negative responses from the server.
+This applies to the following message types and contents:
+.RS 4
+.IP "\(bu" 4
+error messages
+.IP "\(bu" 4
+negative certificate responses (\s-1IP/CP/KUP\s0)
+.IP "\(bu" 4
+negative revocation responses (\s-1RP\s0)
+.IP "\(bu" 4
+negative PKIConf messages
+.RE
+.RS 4
+.Sp
+\&\fB\s-1WARNING:\s0\fR This setting leads to unspecified behavior and it is meant
+exclusively to allow interoperability with server implementations violating
+\&\s-1RFC 4210,\s0 e.g.:
+.IP "\(bu" 4
+section 5.1.3.1 allows exceptions from protecting only for special
+cases:
+\&\*(L"There \s-1MAY\s0 be cases in which the PKIProtection \s-1BIT STRING\s0 is deliberately not
+used to protect a message [...] because other protection, external to \s-1PKIX,\s0 will
+be applied instead.\*(R"
+.IP "\(bu" 4
+section 5.3.21 is clear on ErrMsgContent: \*(L"The \s-1CA MUST\s0 always sign it
+with a signature key.\*(R"
+.IP "\(bu" 4
+appendix D.4 shows PKIConf message having protection
+.RE
+.RS 4
+.RE
+.IP "\fB\-extracertsout\fR \fIfilename\fR" 4
+.IX Item "-extracertsout filename"
+The file where to save all certificates contained in the extraCerts field
+of the last received response message (except for pollRep and PKIConf).
+.IP "\fB\-cacertsout\fR \fIfilename\fR" 4
+.IX Item "-cacertsout filename"
+The file where to save any \s-1CA\s0 certificates contained in the caPubs field of
+the last received certificate response (i.e., \s-1IP, CP,\s0 or \s-1KUP\s0) message.
+.SS "Client authentication options"
+.IX Subsection "Client authentication options"
+.IP "\fB\-ref\fR \fIvalue\fR" 4
+.IX Item "-ref value"
+Reference number/string/value to use as fallback senderKID; this is required
+if no sender name can be determined from the \fB\-cert\fR or <\-subject> options and
+is typically used when authenticating with pre-shared key (password-based \s-1MAC\s0).
+.IP "\fB\-secret\fR \fIarg\fR" 4
+.IX Item "-secret arg"
+Provides the source of a secret value to use with MAC-based message protection.
+This takes precedence over the \fB\-cert\fR and \fB\-key\fR options.
+The secret is used for creating MAC-based protection of outgoing messages
+and for validating incoming messages that have MAC-based protection.
+The algorithm used by default is Password-Based Message Authentication Code (\s-1PBM\s0)
+as defined in \s-1RFC 4210\s0 section 5.1.3.1.
+.Sp
+For more information about the format of \fIarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-cert filename|uri"
+The client's current \s-1CMP\s0 signer certificate.
+Requires the corresponding key to be given with \fB\-key\fR.
+.Sp
+The subject and the public key contained in this certificate
+serve as fallback values in the certificate template of \s-1IR/CR/KUR\s0 messages.
+.Sp
+The subject of this certificate will be used as sender of outgoing \s-1CMP\s0 messages,
+while the subject of \fB\-oldcert\fR or \fB\-subjectName\fR may provide fallback values.
+.Sp
+The issuer of this certificate is used as one of the recipient fallback values
+and as fallback issuer entry in the certificate template of \s-1IR/CR/KUR\s0 messages.
+.Sp
+When performing signature-based message protection,
+this \*(L"protection certificate\*(R", also called \*(L"signer certificate\*(R",
+will be included first in the extraCerts field of outgoing messages
+and the signature is done with the corresponding key.
+In Initialization Request (\s-1IR\s0) messages this can be used for authenticating
+using an external entity certificate as defined in appendix E.7 of \s-1RFC 4210.\s0
+.Sp
+For Key Update Request (\s-1KUR\s0) messages this is also used as
+the certificate to be updated if the \fB\-oldcert\fR option is not given.
+.Sp
+If the file includes further certs, they are appended to the untrusted certs
+because they typically constitute the chain of the client certificate, which
+is included in the extraCerts field in signature-protected request messages.
+.IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-own_trusted filenames|uris"
+If this list of certificates is provided then the chain built for
+the client-side \s-1CMP\s0 signer certificate given with the \fB\-cert\fR option
+is verified using the given certificates as trust anchors.
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Each source may contain multiple certificates.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+have no effect on the certificate verification enabled via this option.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+The corresponding private key file for the client's current certificate given in
+the \fB\-cert\fR option.
+This will be used for signature-based message protection unless the \fB\-secret\fR
+option indicating MAC-based protection or \fB\-unprotected_requests\fR is given.
+.Sp
+It is also used as a fallback for the \fB\-newkey\fR option with \s-1IR/CR/KUR\s0 messages.
+.IP "\fB\-keypass\fR \fIarg\fR" 4
+.IX Item "-keypass arg"
+Pass phrase source for the private key given with the \fB\-key\fR option.
+Also used for \fB\-cert\fR and \fB\-oldcert\fR in case it is an encrypted PKCS#12 file.
+If not given here, the password will be prompted for if needed.
+.Sp
+For more information about the format of \fIarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-digest\fR \fIname\fR" 4
+.IX Item "-digest name"
+Specifies name of supported digest to use in \s-1RFC 4210\s0's \s-1MSG_SIG_ALG\s0
+and as the one-way function (\s-1OWF\s0) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
+If applicable, this is used for message protection and
+proof-of-possession (\s-1POPO\s0) signatures.
+To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
+Defaults to \f(CW\*(C`sha256\*(C'\fR.
+.IP "\fB\-mac\fR \fIname\fR" 4
+.IX Item "-mac name"
+Specifies the name of the \s-1MAC\s0 algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
+To get the names of supported \s-1MAC\s0 algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR
+and possibly combine such a name with the name of a supported digest algorithm,
+e.g., hmacWithSHA256.
+Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per \s-1RFC 4210.\s0
+.IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-extracerts filenames|uris"
+Certificates to append in the extraCerts field when sending messages.
+They can be used as the default \s-1CMP\s0 signer certificate chain to include.
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Each source may contain multiple certificates.
+.IP "\fB\-unprotected_requests\fR" 4
+.IX Item "-unprotected_requests"
+Send request messages without CMP-level protection.
+.SS "Credentials format options"
+.IX Subsection "Credentials format options"
+.IP "\fB\-certform\fR \fIPEM|DER\fR" 4
+.IX Item "-certform PEM|DER"
+File format to use when saving a certificate to a file.
+Default value is \s-1PEM.\s0
+.IP "\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR" 4
+.IX Item "-keyform PEM|DER|P12|ENGINE"
+The format of the key input; unspecified by default.
+See \*(L"Format Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-otherpass\fR \fIarg\fR" 4
+.IX Item "-otherpass arg"
+Pass phrase source for certificate given with the \fB\-trusted\fR, \fB\-untrusted\fR,
+\&\fB\-own_trusted\fR, \fB\-srvcert\fR, \fB\-out_trusted\fR, \fB\-extracerts\fR,
+\&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
+\&\fB\-tls_extra\fR, and \fB\-tls_trusted\fR options.
+If not given here, the password will be prompted for if needed.
+.Sp
+For more information about the format of \fIarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.Sp
+As an alternative to using this combination:
+.Sp
+.Vb 1
+\& \-engine {engineid} \-key {keyid} \-keyform ENGINE
+.Ve
+.Sp
+\&... it's also possible to just give the key \s-1ID\s0 in \s-1URI\s0 form to \fB\-key\fR,
+like this:
+.Sp
+.Vb 1
+\& \-key org.openssl.engine:{engineid}:{keyid}
+.Ve
+.Sp
+This applies to all options specifying keys: \fB\-key\fR, \fB\-newkey\fR, and
+\&\fB\-tls_key\fR.
+.SS "Provider options"
+.IX Subsection "Provider options"
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.SS "Random state options"
+.IX Subsection "Random state options"
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.SS "\s-1TLS\s0 connection options"
+.IX Subsection "TLS connection options"
+.IP "\fB\-tls_used\fR" 4
+.IX Item "-tls_used"
+Enable using \s-1TLS\s0 (even when other TLS-related options are not set)
+for message exchange with \s-1CMP\s0 server via \s-1HTTP.\s0
+This option is not supported with the \fI\-port\fR option.
+It is ignored if the \fI\-server\fR option is not given or \fI\-use_mock_srv\fR is given
+or \fI\-rspin\fR is given with enough filename arguments.
+.Sp
+The following TLS-related options are ignored
+if \fB\-tls_used\fR is not given or does not take effect.
+.IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-tls_cert filename|uri"
+Client's \s-1TLS\s0 certificate.
+If the source includes further certs they are used (along with \fB\-untrusted\fR
+certs) for constructing the client cert chain provided to the \s-1TLS\s0 server.
+.IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-tls_key filename|uri"
+Private key for the client's \s-1TLS\s0 certificate.
+.IP "\fB\-tls_keypass\fR \fIarg\fR" 4
+.IX Item "-tls_keypass arg"
+Pass phrase source for client's private \s-1TLS\s0 key \fB\-tls_key\fR.
+Also used for \fB\-tls_cert\fR in case it is an encrypted PKCS#12 file.
+If not given here, the password will be prompted for if needed.
+.Sp
+For more information about the format of \fIarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-tls_extra filenames|uris"
+Extra certificates to provide to \s-1TLS\s0 server during \s-1TLS\s0 handshake
+.IP "\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-tls_trusted filenames|uris"
+Trusted certificate(s) to use for validating the \s-1TLS\s0 server certificate.
+This implies hostname validation.
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Each source may contain multiple certificates.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+have no effect on the certificate verification enabled via this option.
+.IP "\fB\-tls_host\fR \fIname\fR" 4
+.IX Item "-tls_host name"
+Address to be checked during hostname validation.
+This may be a \s-1DNS\s0 name or an \s-1IP\s0 address.
+If not given it defaults to the \fB\-server\fR address.
+.SS "Client-side debugging options"
+.IX Subsection "Client-side debugging options"
+.IP "\fB\-batch\fR" 4
+.IX Item "-batch"
+Do not interactively prompt for input, for instance when a password is needed.
+This can be useful for batch processing and testing.
+.IP "\fB\-repeat\fR \fInumber\fR" 4
+.IX Item "-repeat number"
+Invoke the command the given positive number of times with the same parameters.
+Default is one invocation.
+.IP "\fB\-reqin\fR \fIfilenames\fR" 4
+.IX Item "-reqin filenames"
+Take the sequence of \s-1CMP\s0 requests to send to the server from the given file(s)
+rather than from the sequence of requests produced internally.
+.Sp
+This option is ignored if the \fB\-rspin\fR option is given
+because in the latter case no requests are actually sent.
+.Sp
+Multiple filenames may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+.Sp
+The files are read as far as needed to complete the transaction
+and filenames have been provided. If more requests are needed,
+the remaining ones are taken from the items at the respective position
+in the sequence of requests produced internally.
+.Sp
+The client needs to update the recipNonce field in the given requests (except
+for the first one) in order to satisfy the checks to be performed by the server.
+This causes re-protection (if protecting requests is required).
+.IP "\fB\-reqin_new_tid\fR" 4
+.IX Item "-reqin_new_tid"
+Use a fresh transactionID for \s-1CMP\s0 request messages read using \fB\-reqin\fR,
+which causes their reprotection (if protecting requests is required).
+This may be needed in case the sequence of requests is reused
+and the \s-1CMP\s0 server complains that the transaction \s-1ID\s0 has already been used.
+.IP "\fB\-reqout\fR \fIfilenames\fR" 4
+.IX Item "-reqout filenames"
+Save the sequence of \s-1CMP\s0 requests created by the client to the given file(s).
+These requests are not sent to the server if the \fB\-reqin\fR option is used, too.
+.Sp
+Multiple filenames may be given, separated by commas and/or whitespace.
+.Sp
+Files are written as far as needed to save the transaction
+and filenames have been provided.
+If the transaction contains more requests, the remaining ones are not saved.
+.IP "\fB\-rspin\fR \fIfilenames\fR" 4
+.IX Item "-rspin filenames"
+Process the sequence of \s-1CMP\s0 responses provided in the given file(s),
+not contacting any given server,
+as long as enough filenames are provided to complete the transaction.
+.Sp
+Multiple filenames may be given, separated by commas and/or whitespace.
+.Sp
+Any server specified via the \fI\-server\fR or \fI\-use_mock_srv\fR options is contacted
+only if more responses are needed to complete the transaction.
+In this case the transaction will fail
+unless the server has been prepared to continue the already started transaction.
+.IP "\fB\-rspout\fR \fIfilenames\fR" 4
+.IX Item "-rspout filenames"
+Save the sequence of actually used \s-1CMP\s0 responses to the given file(s).
+These have been received from the server unless \fB\-rspin\fR takes effect.
+.Sp
+Multiple filenames may be given, separated by commas and/or whitespace.
+.Sp
+Files are written as far as needed to save the responses
+contained in the transaction and filenames have been provided.
+If the transaction contains more responses, the remaining ones are not saved.
+.IP "\fB\-use_mock_srv\fR" 4
+.IX Item "-use_mock_srv"
+Test the client using the internal \s-1CMP\s0 server mock-up at \s-1API\s0 level,
+bypassing socket-based transfer via \s-1HTTP.\s0
+This excludes the \fB\-server\fR and \fB\-port\fR options.
+.SS "Mock server options"
+.IX Subsection "Mock server options"
+.IP "\fB\-port\fR \fInumber\fR" 4
+.IX Item "-port number"
+Act as HTTP-based \s-1CMP\s0 server mock-up listening on the given port.
+This excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
+The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
+so far are not supported in this mode.
+.IP "\fB\-max_msgs\fR \fInumber\fR" 4
+.IX Item "-max_msgs number"
+Maximum number of \s-1CMP\s0 (request) messages the \s-1CMP HTTP\s0 server mock-up
+should handle, which must be nonnegative.
+The default value is 0, which means that no limit is imposed.
+In any case the server terminates on internal errors, but not when it
+detects a CMP-level error that it can successfully answer with an error message.
+.IP "\fB\-srv_ref\fR \fIvalue\fR" 4
+.IX Item "-srv_ref value"
+Reference value to use as senderKID of server in case no \fB\-srv_cert\fR is given.
+.IP "\fB\-srv_secret\fR \fIarg\fR" 4
+.IX Item "-srv_secret arg"
+Password source for server authentication with a pre-shared key (secret).
+.IP "\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-srv_cert filename|uri"
+Certificate of the server.
+.IP "\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-srv_key filename|uri"
+Private key used by the server for signing messages.
+.IP "\fB\-srv_keypass\fR \fIarg\fR" 4
+.IX Item "-srv_keypass arg"
+Server private key (and cert) file pass phrase source.
+.IP "\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-srv_trusted filenames|uris"
+Trusted certificates for client authentication.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+have no effect on the certificate verification enabled via this option.
+.IP "\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-srv_untrusted filenames|uris"
+Intermediate \s-1CA\s0 certs that may be useful when validating client certificates.
+.IP "\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-rsp_cert filename|uri"
+Certificate to be returned as mock enrollment result.
+.IP "\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-rsp_extracerts filenames|uris"
+Extra certificates to be included in mock certification responses.
+.IP "\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR" 4
+.IX Item "-rsp_capubs filenames|uris"
+\&\s-1CA\s0 certificates to be included in mock Initialization Response (\s-1IP\s0) message.
+.IP "\fB\-poll_count\fR \fInumber\fR" 4
+.IX Item "-poll_count number"
+Number of times the client must poll before receiving a certificate.
+.IP "\fB\-check_after\fR \fInumber\fR" 4
+.IX Item "-check_after number"
+The checkAfter value (number of seconds to wait) to include in poll response.
+.IP "\fB\-grant_implicitconf\fR" 4
+.IX Item "-grant_implicitconf"
+Grant implicit confirmation of newly enrolled certificate.
+.IP "\fB\-pkistatus\fR \fInumber\fR" 4
+.IX Item "-pkistatus number"
+PKIStatus to be included in server response.
+Valid range is 0 (accepted) .. 6 (keyUpdateWarning).
+.IP "\fB\-failure\fR \fInumber\fR" 4
+.IX Item "-failure number"
+A single failure info bit number to be included in server response.
+Valid range is 0 (badAlg) .. 26 (duplicateCertReq).
+.IP "\fB\-failurebits\fR \fInumber\fR Number representing failure bits to be included in server response. Valid range is 0 .. 2^27 \- 1." 4
+.IX Item "-failurebits number Number representing failure bits to be included in server response. Valid range is 0 .. 2^27 - 1."
+.PD 0
+.IP "\fB\-statusstring\fR \fIarg\fR" 4
+.IX Item "-statusstring arg"
+.PD
+Text to be included as status string in server response.
+.IP "\fB\-send_error\fR" 4
+.IX Item "-send_error"
+Force server to reply with error message.
+.IP "\fB\-send_unprotected\fR" 4
+.IX Item "-send_unprotected"
+Send response messages without CMP-level protection.
+.IP "\fB\-send_unprot_err\fR" 4
+.IX Item "-send_unprot_err"
+In case of negative responses, server shall send unprotected error messages,
+certificate responses (\s-1IP/CP/KUP\s0), and revocation responses (\s-1RP\s0).
+\&\s-1WARNING:\s0 This setting leads to behavior violating \s-1RFC 4210.\s0
+.IP "\fB\-accept_unprotected\fR" 4
+.IX Item "-accept_unprotected"
+Accept missing or invalid protection of requests.
+.IP "\fB\-accept_unprot_err\fR" 4
+.IX Item "-accept_unprot_err"
+Accept unprotected error messages from client.
+So far this has no effect because the server does not accept any error messages.
+.IP "\fB\-accept_raverified\fR" 4
+.IX Item "-accept_raverified"
+Accept \s-1RAVERIFED\s0 as proof of possession (\s-1POPO\s0).
+.SS "Certificate verification options, for both \s-1CMP\s0 and \s-1TLS\s0"
+.IX Subsection "Certificate verification options, for both CMP and TLS"
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+The certificate verification options
+\&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
+only affect the certificate verification enabled via the \fB\-out_trusted\fR option.
+.SH "NOTES"
+.IX Header "NOTES"
+When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to
+trust, for instance via the \f(CW\*(C`caPubs\*(C'\fR field of a certificate response,
+authentication of the \s-1CMP\s0 server is particularly critical.
+So special care must be taken setting up server authentication
+using \fB\-trusted\fR and related options for certificate-based authentication
+or \fB\-secret\fR for MAC-based protection.
+.PP
+When setting up \s-1CMP\s0 configurations and experimenting with enrollment options
+typically various errors occur until the configuration is correct and complete.
+When the \s-1CMP\s0 server reports an error the client will by default
+check the protection of the \s-1CMP\s0 response message.
+Yet some \s-1CMP\s0 services tend not to protect negative responses.
+In this case the client will reject them, and thus their contents are not shown
+although they usually contain hints that would be helpful for diagnostics.
+For assisting in such cases the \s-1CMP\s0 client offers a workaround via the
+\&\fB\-unprotected_errors\fR option, which allows accepting such negative messages.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+.SS "Simple examples using the default OpenSSL configuration file"
+.IX Subsection "Simple examples using the default OpenSSL configuration file"
+This \s-1CMP\s0 client implementation comes with demonstrative \s-1CMP\s0 sections
+in the example configuration file \fIopenssl/apps/openssl.cnf\fR,
+which can be used to interact conveniently with the Insta Demo \s-1CA.\s0
+.PP
+In order to enroll an initial certificate from that \s-1CA\s0 it is sufficient
+to issue the following shell commands.
+.PP
+.Vb 1
+\& export OPENSSL_CONF=/path/to/openssl/apps/openssl.cnf
+.Ve
+.PP
+.Vb 2
+\& openssl genrsa \-out insta.priv.pem
+\& openssl cmp \-section insta
+.Ve
+.PP
+This should produce the file \fIinsta.cert.pem\fR containing a new certificate
+for the private key held in \fIinsta.priv.pem\fR.
+It can be viewed using, e.g.,
+.PP
+.Vb 1
+\& openssl x509 \-noout \-text \-in insta.cert.pem
+.Ve
+.PP
+In case the network setup requires using an \s-1HTTP\s0 proxy it may be given as usual
+via the environment variable \fBhttp_proxy\fR or via the \fB\-proxy\fR option in the
+configuration file or the \s-1CMP\s0 command-line argument \fB\-proxy\fR, for example
+.PP
+.Vb 1
+\& \-proxy http://192.168.1.1:8080
+.Ve
+.PP
+In the Insta Demo \s-1CA\s0 scenario both clients and the server may use the pre-shared
+secret \fIinsta\fR and the reference value \fI3078\fR to authenticate to each other.
+.PP
+Alternatively, \s-1CMP\s0 messages may be protected in signature-based manner,
+where the trust anchor in this case is \fIinsta.ca.crt\fR
+and the client may use any certificate already obtained from that \s-1CA,\s0
+as specified in the \fB[signature]\fR section of the example configuration.
+This can be used in combination with the \fB[insta]\fR section simply by
+.PP
+.Vb 1
+\& openssl cmp \-section insta,signature
+.Ve
+.PP
+By default the \s-1CMP IR\s0 message type is used, yet \s-1CR\s0 works equally here.
+This may be specified directly at the command line:
+.PP
+.Vb 1
+\& openssl cmp \-section insta \-cmd cr
+.Ve
+.PP
+or by referencing in addition the \fB[cr]\fR section of the example configuration:
+.PP
+.Vb 1
+\& openssl cmp \-section insta,cr
+.Ve
+.PP
+In order to update the enrolled certificate one may call
+.PP
+.Vb 1
+\& openssl cmp \-section insta,kur
+.Ve
+.PP
+using MAC-based protection with \s-1PBM\s0 or
+.PP
+.Vb 1
+\& openssl cmp \-section insta,kur,signature
+.Ve
+.PP
+using signature-based protection.
+.PP
+In a similar way any previously enrolled certificate may be revoked by
+.PP
+.Vb 1
+\& openssl cmp \-section insta,rr \-trusted insta.ca.crt
+.Ve
+.PP
+or
+.PP
+.Vb 1
+\& openssl cmp \-section insta,rr,signature
+.Ve
+.PP
+Many more options can be given in the configuration file
+and/or on the command line.
+For instance, the \fB\-reqexts\fR \s-1CLI\s0 option may refer to a section in the
+configuration file defining X.509 extensions to use in certificate requests,
+such as \f(CW\*(C`v3_req\*(C'\fR in \fIopenssl/apps/openssl.cnf\fR:
+.PP
+.Vb 1
+\& openssl cmp \-section insta,cr \-reqexts v3_req
+.Ve
+.SS "Certificate enrollment"
+.IX Subsection "Certificate enrollment"
+The following examples do not make use of a configuration file at first.
+They assume that a \s-1CMP\s0 server can be contacted on the local \s-1TCP\s0 port 80
+and accepts requests under the alias \fI/pkix/\fR.
+.PP
+For enrolling its very first certificate the client generates a client key
+and sends an initial request message to the local \s-1CMP\s0 server
+using a pre-shared secret key for mutual authentication.
+In this example the client does not have the \s-1CA\s0 certificate yet,
+so we specify the name of the \s-1CA\s0 with the \fB\-recipient\fR option
+and save any \s-1CA\s0 certificates that we may receive in the \f(CW\*(C`capubs.pem\*(C'\fR file.
+.PP
+In below command line usage examples the \f(CW\*(C`\e\*(C'\fR at line ends is used just
+for formatting; each of the command invocations should be on a single line.
+.PP
+.Vb 5
+\& openssl genrsa \-out cl_key.pem
+\& openssl cmp \-cmd ir \-server 127.0.0.1:80/pkix/ \-recipient "/CN=CMPserver" \e
+\& \-ref 1234 \-secret pass:1234\-5678 \e
+\& \-newkey cl_key.pem \-subject "/CN=MyName" \e
+\& \-cacertsout capubs.pem \-certout cl_cert.pem
+.Ve
+.SS "Certificate update"
+.IX Subsection "Certificate update"
+Then, when the client certificate and its related key pair needs to be updated,
+the client can send a key update request taking the certs in \f(CW\*(C`capubs.pem\*(C'\fR
+as trusted for authenticating the server and using the previous cert and key
+for its own authentication.
+Then it can start using the new cert and key.
+.PP
+.Vb 6
+\& openssl genrsa \-out cl_key_new.pem
+\& openssl cmp \-cmd kur \-server 127.0.0.1:80/pkix/ \e
+\& \-trusted capubs.pem \e
+\& \-cert cl_cert.pem \-key cl_key.pem \e
+\& \-newkey cl_key_new.pem \-certout cl_cert.pem
+\& cp cl_key_new.pem cl_key.pem
+.Ve
+.PP
+This command sequence can be repeated as often as needed.
+.SS "Requesting information from \s-1CMP\s0 server"
+.IX Subsection "Requesting information from CMP server"
+Requesting \*(L"all relevant information\*(R" with an empty General Message.
+This prints information about all received \s-1ITAV\s0 \fBinfoType\fRs to stdout.
+.PP
+.Vb 2
+\& openssl cmp \-cmd genm \-server 127.0.0.1/pkix/ \-recipient "/CN=CMPserver" \e
+\& \-ref 1234 \-secret pass:1234\-5678
+.Ve
+.SS "Using a custom configuration file"
+.IX Subsection "Using a custom configuration file"
+For \s-1CMP\s0 client invocations, in particular for certificate enrollment,
+usually many parameters need to be set, which is tedious and error-prone to do
+on the command line.
+Therefore, the client offers the possibility to read
+options from sections of the OpenSSL config file, usually called \fIopenssl.cnf\fR.
+The values found there can still be extended and even overridden by any
+subsequently loaded sections and on the command line.
+.PP
+After including in the configuration file the following sections:
+.PP
+.Vb 8
+\& [cmp]
+\& server = 127.0.0.1
+\& path = pkix/
+\& trusted = capubs.pem
+\& cert = cl_cert.pem
+\& key = cl_key.pem
+\& newkey = cl_key.pem
+\& certout = cl_cert.pem
+\&
+\& [init]
+\& recipient = "/CN=CMPserver"
+\& trusted =
+\& cert =
+\& key =
+\& ref = 1234
+\& secret = pass:1234\-5678\-1234\-567
+\& subject = "/CN=MyName"
+\& cacertsout = capubs.pem
+.Ve
+.PP
+the above enrollment transactions reduce to
+.PP
+.Vb 2
+\& openssl cmp \-section cmp,init
+\& openssl cmp \-cmd kur \-newkey cl_key_new.pem
+.Ve
+.PP
+and the above transaction using a general message reduces to
+.PP
+.Vb 1
+\& openssl cmp \-section cmp,init \-cmd genm
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-genrsa\fR\|(1), \fBopenssl\-ecparam\fR\|(1), \fBopenssl\-list\fR\|(1),
+\&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \fBx509v3_config\fR\|(5)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fBcmp\fR application was added in OpenSSL 3.0.
+.PP
+The \fB\-engine option\fR was deprecated in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/openssl-cms.1
index d1ad1141c617..0d965105311c 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/openssl-cms.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,49 +130,140 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CMS 1"
-.TH CMS 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-CMS 1ossl"
+.TH OPENSSL-CMS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-cms, cms \- CMS utility
+openssl\-cms \- CMS command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcms\fR
[\fB\-help\fR]
+.PP
+General options:
+.PP
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-config\fR \fIconfigfile\fR]
+.PP
+Operation options:
+.PP
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
-[\fB\-cmsout\fR]
[\fB\-resign\fR]
-[\fB\-data_create\fR]
-[\fB\-data_out\fR]
+[\fB\-sign_receipt\fR]
+[\fB\-verify_receipt\fR \fIreceipt\fR]
[\fB\-digest_create\fR]
[\fB\-digest_verify\fR]
[\fB\-compress\fR]
[\fB\-uncompress\fR]
[\fB\-EncryptedData_encrypt\fR]
-[\fB\-sign_receipt\fR]
-[\fB\-verify_receipt receipt\fR]
-[\fB\-in filename\fR]
-[\fB\-inform SMIME|PEM|DER\fR]
-[\fB\-rctform SMIME|PEM|DER\fR]
-[\fB\-out filename\fR]
-[\fB\-outform SMIME|PEM|DER\fR]
-[\fB\-stream \-indef \-noindef\fR]
+[\fB\-EncryptedData_decrypt\fR]
+[\fB\-data_create\fR]
+[\fB\-data_out\fR]
+[\fB\-cmsout\fR]
+.PP
+File format options:
+.PP
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
+[\fB\-rctform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
+[\fB\-stream\fR]
+[\fB\-indef\fR]
[\fB\-noindef\fR]
-[\fB\-content filename\fR]
+[\fB\-binary\fR]
+[\fB\-crlfeol\fR]
+[\fB\-asciicrlf\fR]
+.PP
+Keys and password options:
+.PP
+[\fB\-pwri_password\fR \fIpassword\fR]
+[\fB\-secretkey\fR \fIkey\fR]
+[\fB\-secretkeyid\fR \fIid\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-keyopt\fR \fIname\fR:\fIparameter\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+.PP
+Encryption options:
+.PP
+[\fB\-originator\fR \fIfile\fR]
+[\fB\-recip\fR \fIfile\fR]
+[\fIrecipient-cert\fR ...]
+[\fB\-\f(BIcipher\fB\fR]
+[\fB\-wrap\fR \fIcipher\fR]
+[\fB\-aes128\-wrap\fR]
+[\fB\-aes192\-wrap\fR]
+[\fB\-aes256\-wrap\fR]
+[\fB\-des3\-wrap\fR]
+[\fB\-debug_decrypt\fR]
+.PP
+Signing options:
+.PP
+[\fB\-md\fR \fIdigest\fR]
+[\fB\-signer\fR \fIfile\fR]
+[\fB\-certfile\fR \fIfile\fR]
+[\fB\-cades\fR]
+[\fB\-nodetach\fR]
+[\fB\-nocerts\fR]
+[\fB\-noattr\fR]
+[\fB\-nosmimecap\fR]
+[\fB\-receipt_request_all\fR]
+[\fB\-receipt_request_first\fR]
+[\fB\-receipt_request_from\fR \fIemailaddress\fR]
+[\fB\-receipt_request_to\fR \fIemailaddress\fR]
+.PP
+Verification options:
+.PP
+[\fB\-signer\fR \fIfile\fR]
+[\fB\-content\fR \fIfilename\fR]
+[\fB\-no_content_verify\fR]
+[\fB\-no_attr_verify\fR]
+[\fB\-nosigs\fR]
+[\fB\-noverify\fR]
+[\fB\-nointern\fR]
+[\fB\-cades\fR]
+[\fB\-verify_retcode\fR]
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+.PP
+Output options:
+.PP
+[\fB\-keyid\fR]
+[\fB\-econtent_type\fR \fItype\fR]
[\fB\-text\fR]
+[\fB\-certsout\fR \fIfile\fR]
+[\fB\-to\fR \fIaddr\fR]
+[\fB\-from\fR \fIaddr\fR]
+[\fB\-subject\fR \fIsubj\fR]
+.PP
+Printing options:
+.PP
[\fB\-noout\fR]
[\fB\-print\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
-[\fB\-no\-CAfile\fR]
-[\fB\-no\-CApath\fR]
-[\fB\-attime timestamp\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-receipt_request_print\fR]
+.PP
+Validation options:
+.PP
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
@@ -183,109 +272,90 @@ openssl\-cms, cms \- CMS utility
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
-[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
-[\fB\-policy arg\fR]
+[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
-[\fB\-purpose purpose\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
-[\fB\-auth_level num\fR]
-[\fB\-verify_depth num\fR]
-[\fB\-verify_email email\fR]
-[\fB\-verify_hostname hostname\fR]
-[\fB\-verify_ip ip\fR]
-[\fB\-verify_name name\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
-[\fB\-md digest\fR]
-[\fB\-\f(BIcipher\fB\fR]
-[\fB\-nointern\fR]
-[\fB\-noverify\fR]
-[\fB\-nocerts\fR]
-[\fB\-noattr\fR]
-[\fB\-nosmimecap\fR]
-[\fB\-binary\fR]
-[\fB\-crlfeol\fR]
-[\fB\-asciicrlf\fR]
-[\fB\-nodetach\fR]
-[\fB\-certfile file\fR]
-[\fB\-certsout file\fR]
-[\fB\-signer file\fR]
-[\fB\-recip file\fR]
-[\fB\-keyid\fR]
-[\fB\-receipt_request_all\fR]
-[\fB\-receipt_request_first\fR]
-[\fB\-receipt_request_from emailaddress\fR]
-[\fB\-receipt_request_to emailaddress\fR]
-[\fB\-receipt_request_print\fR]
-[\fB\-secretkey key\fR]
-[\fB\-secretkeyid id\fR]
-[\fB\-econtent_type type\fR]
-[\fB\-inkey file\fR]
-[\fB\-keyopt name:parameter\fR]
-[\fB\-passin arg\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fBcert.pem...\fR]
-[\fB\-to addr\fR]
-[\fB\-from addr\fR]
-[\fB\-subject subj\fR]
-[cert.pem]...
+[\fB\-issuer_checks\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
-verify, compress and uncompress S/MIME messages.
+This command handles data in \s-1CMS\s0 format such as S/MIME v3.1 email messages.
+It can encrypt, decrypt, sign, verify, compress, uncompress, and print messages.
.SH "OPTIONS"
.IX Header "OPTIONS"
-There are fourteen operation options that set the type of operation to be
-performed. The meaning of the other options varies according to the operation
-type.
+There are a number of operation options that set the type of operation to be
+performed: encrypt, decrypt, sign, verify, resign, sign_receipt, verify_receipt,
+digest_create, digest_verify, compress, uncompress,
+EncryptedData_encrypt, EncryptedData_decrypt, data_create, data_out, or cmsout.
+The relevance of the other options depends on the operation type
+and their meaning may vary according to it.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
+.SS "General options"
+.IX Subsection "General options"
+.IP "\fB\-in\fR \fIfilename\fR" 4
+.IX Item "-in filename"
+The input message to be encrypted or signed or the message to be decrypted
+or verified.
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+The message text that has been decrypted or verified or the output \s-1MIME\s0
+format message that has been signed or verified.
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
+.IX Item "-config configfile"
+See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
+.SS "Operation options"
+.IX Subsection "Operation options"
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
-Encrypt mail for the given recipient certificates. Input file is the message
-to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The
-actual \s-1CMS\s0 type is <B>EnvelopedData<B>.
+Encrypt data for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted data in \s-1MIME\s0 format. The
+actual \s-1CMS\s0 type is \fBEnvelopedData\fR.
.Sp
Note that no revocation check is done for the recipient cert, so if that
key has been compromised, others may be able to decrypt the text.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
-Decrypt mail using the supplied certificate and private key. Expects an
-encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
+Decrypt data using the supplied certificate and private key. Expects
+encrypted datain \s-1MIME\s0 format for the input file. The decrypted data
is written to the output file.
-.IP "\fB\-debug_decrypt\fR" 4
-.IX Item "-debug_decrypt"
-This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
-with caution: see the notes section below.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
-Sign mail using the supplied certificate and private key. Input file is
-the message to be signed. The signed message in \s-1MIME\s0 format is written
+Sign data using the supplied certificate and private key. Input file is
+the message to be signed. The signed data in \s-1MIME\s0 format is written
to the output file.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
-Verify signed mail. Expects a signed mail message on input and outputs
+Verify signed data. Expects a signed data on input and outputs
the signed data. Both clear text and opaque signing is supported.
-.IP "\fB\-cmsout\fR" 4
-.IX Item "-cmsout"
-Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
.IP "\fB\-resign\fR" 4
.IX Item "-resign"
Resign a message: take an existing message and one or more new signers.
-.IP "\fB\-data_create\fR" 4
-.IX Item "-data_create"
-Create a \s-1CMS\s0 \fBData\fR type.
-.IP "\fB\-data_out\fR" 4
-.IX Item "-data_out"
-\&\fBData\fR type and output the content.
+.IP "\fB\-sign_receipt\fR" 4
+.IX Item "-sign_receipt"
+Generate and output a signed receipt for the supplied message. The input
+message \fBmust\fR contain a signed receipt request. Functionality is otherwise
+similar to the \fB\-sign\fR operation.
+.IP "\fB\-verify_receipt\fR \fIreceipt\fR" 4
+.IX Item "-verify_receipt receipt"
+Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR
+contain the original receipt request. Functionality is otherwise similar
+to the \fB\-verify\fR operation.
.IP "\fB\-digest_create\fR" 4
.IX Item "-digest_create"
Create a \s-1CMS\s0 \fBDigestedData\fR type.
@@ -305,46 +375,38 @@ output an error.
.IX Item "-EncryptedData_encrypt"
Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
\&\fBEncryptedData\fR type and output the content.
-.IP "\fB\-sign_receipt\fR" 4
-.IX Item "-sign_receipt"
-Generate and output a signed receipt for the supplied message. The input
-message \fBmust\fR contain a signed receipt request. Functionality is otherwise
-similar to the \fB\-sign\fR operation.
-.IP "\fB\-verify_receipt receipt\fR" 4
-.IX Item "-verify_receipt receipt"
-Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR
-contain the original receipt request. Functionality is otherwise similar
-to the \fB\-verify\fR operation.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-The input message to be encrypted or signed or the message to be decrypted
-or verified.
-.IP "\fB\-inform SMIME|PEM|DER\fR" 4
-.IX Item "-inform SMIME|PEM|DER"
-This specifies the input format for the \s-1CMS\s0 structure. The default
-is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
-instead. This currently only affects the input format of the \s-1CMS\s0
-structure, if no \s-1CMS\s0 structure is being input (for example with
-\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
-.IP "\fB\-rctform SMIME|PEM|DER\fR" 4
-.IX Item "-rctform SMIME|PEM|DER"
-Specify the format for a signed receipt for use with the \fB\-receipt_verify\fR
-operation.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-The message text that has been decrypted or verified or the output \s-1MIME\s0
-format message that has been signed or verified.
-.IP "\fB\-outform SMIME|PEM|DER\fR" 4
-.IX Item "-outform SMIME|PEM|DER"
-This specifies the output format for the \s-1CMS\s0 structure. The default
-is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
-instead. This currently only affects the output format of the \s-1CMS\s0
-structure, if no \s-1CMS\s0 structure is being output (for example with
-\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
-.IP "\fB\-stream \-indef \-noindef\fR" 4
-.IX Item "-stream -indef -noindef"
+.IP "\fB\-EncryptedData_decrypt\fR" 4
+.IX Item "-EncryptedData_decrypt"
+Decrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
+\&\fBEncryptedData\fR type and output the content.
+.IP "\fB\-data_create\fR" 4
+.IX Item "-data_create"
+Create a \s-1CMS\s0 \fBData\fR type.
+.IP "\fB\-data_out\fR" 4
+.IX Item "-data_out"
+\&\fBData\fR type and output the content.
+.IP "\fB\-cmsout\fR" 4
+.IX Item "-cmsout"
+Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
+.SS "File format options"
+.IX Subsection "File format options"
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
+.IX Item "-inform DER|PEM|SMIME"
+The input format of the \s-1CMS\s0 structure (if one is being read);
+the default is \fB\s-1SMIME\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
+.IX Item "-outform DER|PEM|SMIME"
+The output format of the \s-1CMS\s0 structure (if one is being written);
+the default is \fB\s-1SMIME\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-rctform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
+.IX Item "-rctform DER|PEM|SMIME"
+The signed receipt format for use with the \fB\-receipt_verify\fR; the default
+is \fB\s-1SMIME\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-stream\fR, \fB\-indef\fR" 4
+.IX Item "-stream, -indef"
The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
@@ -356,81 +418,6 @@ other operations.
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-.IP "\fB\-content filename\fR" 4
-.IX Item "-content filename"
-This specifies a file containing the detached content, this is only
-useful with the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0
-structure is using the detached signature form where the content is
-not included. This option will override any content if the input format
-is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
-.IP "\fB\-text\fR" 4
-.IX Item "-text"
-This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
-message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME\s0
-type text/plain then an error occurs.
-.IP "\fB\-noout\fR" 4
-.IX Item "-noout"
-For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This
-is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0
-structure is being checked.
-.IP "\fB\-print\fR" 4
-.IX Item "-print"
-For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This
-is mainly useful for testing purposes.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-A directory containing trusted \s-1CA\s0 certificates, only used with
-\&\fB\-verify\fR. This directory must be a standard certificate directory: that
-is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
-to each certificate.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location
-.IP "\fB\-md digest\fR" 4
-.IX Item "-md digest"
-Digest algorithm to use when signing or resigning. If not present then the
-default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
-.IP "\fB\-\f(BIcipher\fB\fR" 4
-.IX Item "-cipher"
-The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
-or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
-\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
-example \fB\-aes\-128\-cbc\fR. See \fBenc\fR\|(1) for a list of ciphers
-supported by your version of OpenSSL.
-.Sp
-If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and
-\&\fB\-EncryptedData_create\fR commands.
-.IP "\fB\-nointern\fR" 4
-.IX Item "-nointern"
-When verifying a message normally certificates (if any) included in
-the message are searched for the signing certificate. With this option
-only the certificates specified in the \fB\-certfile\fR option are used.
-The supplied certificates can still be used as untrusted CAs however.
-.IP "\fB\-noverify\fR" 4
-.IX Item "-noverify"
-Do not verify the signers certificate of a signed message.
-.IP "\fB\-nocerts\fR" 4
-.IX Item "-nocerts"
-When signing a message the signer's certificate is normally included
-with this option it is excluded. This will reduce the size of the
-signed message but the verifier must have a copy of the signers certificate
-available locally (passed using the \fB\-certfile\fR option for example).
-.IP "\fB\-noattr\fR" 4
-.IX Item "-noattr"
-Normally when a message is signed a set of attributes are included which
-include the signing time and supported symmetric algorithms. With this
-option they are not included.
-.IP "\fB\-nosmimecap\fR" 4
-.IX Item "-nosmimecap"
-Exclude the list of supported algorithms from signed attributes, other options
-such as signing time and content type are still included.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Normally the input message is converted to \*(L"canonical\*(R" format which is
@@ -449,121 +436,261 @@ the encapsulated content type. This option is normally used with detached
content and an output signature format of \s-1DER.\s0 This option is not normally
needed when verifying as it is enabled automatically if the encapsulated
content format is detected.
-.IP "\fB\-nodetach\fR" 4
-.IX Item "-nodetach"
-When signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME. Without this option cleartext signing with
-the \s-1MIME\s0 type multipart/signed is used.
-.IP "\fB\-certfile file\fR" 4
-.IX Item "-certfile file"
-Allows additional certificates to be specified. When signing these will
-be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in \s-1PEM\s0 format.
-.IP "\fB\-certsout file\fR" 4
-.IX Item "-certsout file"
-Any certificates contained in the message are written to \fBfile\fR.
-.IP "\fB\-signer file\fR" 4
-.IX Item "-signer file"
-A signing certificate when signing or resigning a message, this option can be
-used multiple times if more than one signer is required. If a message is being
-verified then the signers certificates will be written to this file if the
-verification was successful.
-.IP "\fB\-recip file\fR" 4
-.IX Item "-recip file"
-When decrypting a message this specifies the recipients certificate. The
-certificate must match one of the recipients of the message or an error
-occurs.
-.Sp
-When encrypting a message this option may be used multiple times to specify
-each recipient. This form \fBmust\fR be used if customised parameters are
-required (for example to specify RSA-OAEP).
-.Sp
-Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
-option.
-.IP "\fB\-keyid\fR" 4
-.IX Item "-keyid"
-Use subject key identifier to identify certificates instead of issuer name and
-serial number. The supplied certificate \fBmust\fR include a subject key
-identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options.
-.IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4
-.IX Item "-receipt_request_all, -receipt_request_first"
-For \fB\-sign\fR option include a signed receipt request. Indicate requests should
-be provided by all recipient or first tier recipients (those mailed directly
-and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included.
-.IP "\fB\-receipt_request_from emailaddress\fR" 4
-.IX Item "-receipt_request_from emailaddress"
-For \fB\-sign\fR option include a signed receipt request. Add an explicit email
-address where receipts should be supplied.
-.IP "\fB\-receipt_request_to emailaddress\fR" 4
-.IX Item "-receipt_request_to emailaddress"
-Add an explicit email address where signed receipts should be sent to. This
-option \fBmust\fR but supplied if a signed receipt it requested.
-.IP "\fB\-receipt_request_print\fR" 4
-.IX Item "-receipt_request_print"
-For the \fB\-verify\fR operation print out the contents of any signed receipt
-requests.
-.IP "\fB\-secretkey key\fR" 4
+.SS "Keys and password options"
+.IX Subsection "Keys and password options"
+.IP "\fB\-pwri_password\fR \fIpassword\fR" 4
+.IX Item "-pwri_password password"
+Specify password for recipient.
+.IP "\fB\-secretkey\fR \fIkey\fR" 4
.IX Item "-secretkey key"
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR
\&\fB\-EncryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used
with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the
content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type.
-.IP "\fB\-secretkeyid id\fR" 4
+.IP "\fB\-secretkeyid\fR \fIid\fR" 4
.IX Item "-secretkeyid id"
The key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type.
This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with
-\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the
+\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fIid\fR is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
\&\fBKEKRecipientInfo\fR structures.
-.IP "\fB\-econtent_type type\fR" 4
-.IX Item "-econtent_type type"
-Set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type
-is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or
-numerical format.
-.IP "\fB\-inkey file\fR" 4
-.IX Item "-inkey file"
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
-.IP "\fB\-keyopt name:opt\fR" 4
-.IX Item "-keyopt name:opt"
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The private key password source. For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-keyopt\fR \fIname\fR:\fIparameter\fR" 4
+.IX Item "-keyopt name:parameter"
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for \s-1ECDH.\s0
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The private key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fBcert.pem...\fR" 4
-.IX Item "cert.pem..."
-One or more certificates of message recipients: used when encrypting
-a message.
-.IP "\fB\-to, \-from, \-subject\fR" 4
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The format of the private key file; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.SS "Encryption and decryption options"
+.IX Subsection "Encryption and decryption options"
+.IP "\fB\-originator\fR \fIfile\fR" 4
+.IX Item "-originator file"
+A certificate of the originator of the encrypted message. Necessary for
+decryption when Key Agreement is in use for a shared key.
+.IP "\fB\-recip\fR \fIfile\fR" 4
+.IX Item "-recip file"
+When decrypting a message this specifies the certificate of the recipient.
+The certificate must match one of the recipients of the message.
+.Sp
+When encrypting a message this option may be used multiple times to specify
+each recipient. This form \fBmust\fR be used if customised parameters are
+required (for example to specify RSA-OAEP).
+.Sp
+Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
+option.
+.IP "\fIrecipient-cert\fR ..." 4
+.IX Item "recipient-cert ..."
+This is an alternative to using the \fB\-recip\fR option when encrypting a message.
+One or more certificate filenames may be given.
+.IP "\fB\-\f(BIcipher\fB\fR" 4
+.IX Item "-cipher"
+The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
+or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
+\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
+example \fB\-aes\-128\-cbc\fR. See \fBopenssl\-enc\fR\|(1) for a list of ciphers
+supported by your version of OpenSSL.
+.Sp
+Currently the \s-1AES\s0 variants with \s-1GCM\s0 mode are the only supported \s-1AEAD\s0
+algorithms.
+.Sp
+If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and
+\&\fB\-EncryptedData_create\fR commands.
+.IP "\fB\-wrap\fR \fIcipher\fR" 4
+.IX Item "-wrap cipher"
+Cipher algorithm to use for key wrap when encrypting the message using Key
+Agreement for key transport. The algorithm specified should be suitable for key
+wrap.
+.IP "\fB\-aes128\-wrap\fR, \fB\-aes192\-wrap\fR, \fB\-aes256\-wrap\fR, \fB\-des3\-wrap\fR" 4
+.IX Item "-aes128-wrap, -aes192-wrap, -aes256-wrap, -des3-wrap"
+Use \s-1AES128, AES192, AES256,\s0 or 3DES\-EDE, respectively, to wrap key.
+Depending on the OpenSSL build options used, \fB\-des3\-wrap\fR may not be supported.
+.IP "\fB\-debug_decrypt\fR" 4
+.IX Item "-debug_decrypt"
+This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
+with caution: see the notes section below.
+.SS "Signing options"
+.IX Subsection "Signing options"
+.IP "\fB\-md\fR \fIdigest\fR" 4
+.IX Item "-md digest"
+Digest algorithm to use when signing or resigning. If not present then the
+default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
+.IP "\fB\-signer\fR \fIfile\fR" 4
+.IX Item "-signer file"
+A signing certificate. When signing or resigning a message, this option can be
+used multiple times if more than one signer is required.
+.IP "\fB\-certfile\fR \fIfile\fR" 4
+.IX Item "-certfile file"
+Allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-cades\fR" 4
+.IX Item "-cades"
+When used with \fB\-sign\fR,
+add an \s-1ESS\s0 signingCertificate or \s-1ESS\s0 signingCertificateV2 signed-attribute
+to the SignerInfo, in order to make the signature comply with the requirements
+for a CAdES Basic Electronic Signature (CAdES-BES).
+.IP "\fB\-nodetach\fR" 4
+.IX Item "-nodetach"
+When signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME. Without this option cleartext signing with
+the \s-1MIME\s0 type multipart/signed is used.
+.IP "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+When signing a message the signer's certificate is normally included
+with this option it is excluded. This will reduce the size of the
+signed message but the verifier must have a copy of the signers certificate
+available locally (passed using the \fB\-certfile\fR option for example).
+.IP "\fB\-noattr\fR" 4
+.IX Item "-noattr"
+Normally when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms. With this
+option they are not included.
+.IP "\fB\-nosmimecap\fR" 4
+.IX Item "-nosmimecap"
+Exclude the list of supported algorithms from signed attributes, other options
+such as signing time and content type are still included.
+.IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4
+.IX Item "-receipt_request_all, -receipt_request_first"
+For \fB\-sign\fR option include a signed receipt request. Indicate requests should
+be provided by all recipient or first tier recipients (those mailed directly
+and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included.
+.IP "\fB\-receipt_request_from\fR \fIemailaddress\fR" 4
+.IX Item "-receipt_request_from emailaddress"
+For \fB\-sign\fR option include a signed receipt request. Add an explicit email
+address where receipts should be supplied.
+.IP "\fB\-receipt_request_to\fR \fIemailaddress\fR" 4
+.IX Item "-receipt_request_to emailaddress"
+Add an explicit email address where signed receipts should be sent to. This
+option \fBmust\fR but supplied if a signed receipt is requested.
+.SS "Verification options"
+.IX Subsection "Verification options"
+.IP "\fB\-signer\fR \fIfile\fR" 4
+.IX Item "-signer file"
+If a message has been verified successfully then the signers certificate(s)
+will be written to this file if the verification was successful.
+.IP "\fB\-content\fR \fIfilename\fR" 4
+.IX Item "-content filename"
+This specifies a file containing the detached content for operations taking
+S/MIME input, such as the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
+.IP "\fB\-no_content_verify\fR" 4
+.IX Item "-no_content_verify"
+Do not verify signed content signatures.
+.IP "\fB\-no_attr_verify\fR" 4
+.IX Item "-no_attr_verify"
+Do not verify signed attribute signatures.
+.IP "\fB\-nosigs\fR" 4
+.IX Item "-nosigs"
+Don't verify message signature.
+.IP "\fB\-noverify\fR" 4
+.IX Item "-noverify"
+Do not verify the signers certificate of a signed message.
+.IP "\fB\-nointern\fR" 4
+.IX Item "-nointern"
+When verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the \fB\-certfile\fR option are used.
+The supplied certificates can still be used as untrusted CAs however.
+.IP "\fB\-cades\fR" 4
+.IX Item "-cades"
+When used with \fB\-verify\fR, require and check signer certificate digest.
+See the \s-1NOTES\s0 section for more details.
+.IP "\fB\-verify_retcode\fR" 4
+.IX Item "-verify_retcode"
+Exit nonzero on verification failure.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.SS "Output options"
+.IX Subsection "Output options"
+.IP "\fB\-keyid\fR" 4
+.IX Item "-keyid"
+Use subject key identifier to identify certificates instead of issuer name and
+serial number. The supplied certificate \fBmust\fR include a subject key
+identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options.
+.IP "\fB\-econtent_type\fR \fItype\fR" 4
+.IX Item "-econtent_type type"
+Set the encapsulated content type to \fItype\fR if not supplied the \fBData\fR type
+is used. The \fItype\fR argument can be any valid \s-1OID\s0 name in either text or
+numerical format.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of \s-1MIME\s0
+type text/plain then an error occurs.
+.IP "\fB\-certsout\fR \fIfile\fR" 4
+.IX Item "-certsout file"
+Any certificates contained in the input message are written to \fIfile\fR.
+.IP "\fB\-to\fR, \fB\-from\fR, \fB\-subject\fR" 4
.IX Item "-to, -from, -subject"
-The relevant mail headers. These are included outside the signed
+The relevant email headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
-.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
-Set various certificate chain validation options. See the
-\&\fBverify\fR\|(1) manual page for details.
+.SS "Printing options"
+.IX Subsection "Printing options"
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure.
+This is useful if the syntax of the \s-1CMS\s0 structure is being checked.
+.IP "\fB\-print\fR" 4
+.IX Item "-print"
+For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure.
+This implies \fB\-noout\fR.
+This is mainly useful for testing purposes.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+For the \fB\-cmsout\fR operation when \fB\-print\fR option is in use, specifies
+printing options for string fields. For most cases \fButf8\fR is reasonable value.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-receipt_request_print\fR" 4
+.IX Item "-receipt_request_print"
+For the \fB\-verify\fR operation print out the contents of any signed receipt
+requests.
+.SS "Validation options"
+.IX Subsection "Validation options"
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+Any validation errors cause the command to exit.
.SH "NOTES"
.IX Header "NOTES"
The \s-1MIME\s0 message must be sent without any blank lines between the
@@ -611,6 +738,28 @@ is \*(L"decrypted\*(R" using a random key which will typically output garbage.
The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see \fBCMS_decrypt\fR\|(3)).
+.SH "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
+.IX Header "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
+A CAdES Basic Electronic Signature (CAdES-BES),
+as defined in the European Standard \s-1ETSI EN 319 122\-1 V1.1.1,\s0 contains:
+.IP "\(bu" 4
+The signed user data as defined in \s-1CMS\s0 (\s-1RFC 3852\s0);
+.IP "\(bu" 4
+Content-type of the EncapsulatedContentInfo value being signed;
+.IP "\(bu" 4
+Message-digest of the eContent \s-1OCTET STRING\s0 within encapContentInfo being signed;
+.IP "\(bu" 4
+An \s-1ESS\s0 signingCertificate or \s-1ESS\s0 signingCertificateV2 attribute,
+as defined in Enhanced Security Services (\s-1ESS\s0), \s-1RFC 2634\s0 and \s-1RFC 5035.\s0
+An \s-1ESS\s0 signingCertificate attribute only allows for \s-1SHA\-1\s0 as digest algorithm.
+An \s-1ESS\s0 signingCertificateV2 attribute allows for any digest algorithm.
+.IP "\(bu" 4
+The digital signature value computed on the user data and, when present, on the signed attributes.
+.Sp
+\&\s-1NOTE\s0 that the \fB\-cades\fR option applies to the \fB\-sign\fR or \fB\-verify\fR operations.
+With this option, the \fB\-verify\fR operation also requires that the
+signingCertificate attribute is present and checks that the given identifiers
+match the verification trust chain built during the verification process.
.SH "EXIT CODES"
.IX Header "EXIT CODES"
.IP "0" 4
@@ -632,16 +781,16 @@ An error occurred decrypting or verifying the message.
.IX Item "5"
The message was verified correctly but an error occurred writing out
the signers certificates.
-.SH "COMPATIBILITY WITH PKCS#7 format."
-.IX Header "COMPATIBILITY WITH PKCS#7 format."
-The \fBsmime\fR utility can only process the older \fBPKCS#7\fR format. The \fBcms\fR
-utility supports Cryptographic Message Syntax format. Use of some features
-will result in messages which cannot be processed by applications which only
-support the older format. These are detailed below.
+.SH "COMPATIBILITY WITH PKCS#7 FORMAT"
+.IX Header "COMPATIBILITY WITH PKCS#7 FORMAT"
+\&\fBopenssl\-smime\fR\|(1) can only process the older \fBPKCS#7\fR format.
+\&\fBopenssl cms\fR supports Cryptographic Message Syntax format.
+Use of some features will result in messages which cannot be processed by
+applications which only support the older format. These are detailed below.
.PP
The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR.
.PP
-The \fB\-outform \s-1PEM\s0\fR option uses different headers.
+The \fB\-outform\fR \fI\s-1PEM\s0\fR option uses different headers.
.PP
The \fB\-compress\fR option.
.PP
@@ -652,7 +801,7 @@ The use of \s-1PSS\s0 with \fB\-sign\fR.
The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR.
.PP
Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
-be processed by the older \fBsmime\fR command.
+be processed by the older \fBopenssl\-smime\fR\|(1) command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a cleartext signed message:
@@ -718,7 +867,7 @@ Sign and encrypt mail:
Note: the encryption command does not include the \fB\-text\fR option because the
message being encrypted already has \s-1MIME\s0 headers.
.PP
-Decrypt mail:
+Decrypt a message:
.PP
.Vb 1
\& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
@@ -758,14 +907,14 @@ Add a signer to an existing message:
\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
.PP
-Sign mail using RSA-PSS:
+Sign a message using RSA-PSS:
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
.Ve
.PP
-Create encrypted mail using RSA-OAEP:
+Create an encrypted message using RSA-OAEP:
.PP
.Vb 2
\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
@@ -778,6 +927,10 @@ Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate:
\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
.Ve
+.PP
+Print \s-1CMS\s0 signed binary data in human-readable form:
+.PP
+openssl cms \-in signed.cms \-binary \-inform \s-1DER\s0 \-cmsout \-print
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
@@ -797,15 +950,15 @@ user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
No revocation checking is done on the signer's certificate.
-.PP
-The \fB\-binary\fR option does not work correctly when processing text input which
-(contrary to the S/MIME specification) uses \s-1LF\s0 rather than \s-1CRLF\s0 line endings.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0.
.PP
-The \fBkeyopt\fR option was added in OpenSSL 1.0.2.
+The \fB\-keyopt\fR option was added in OpenSSL 1.0.2.
.PP
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
.PP
@@ -813,11 +966,15 @@ The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR
was added in OpenSSL 1.0.2.
.PP
The \-no_alt_chains option was added in OpenSSL 1.0.2b.
+.PP
+The \fB\-nameopt\fR option was added in OpenSSL 3.0.0.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2008\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/openssl-crl.1
index 4a3d10139a7a..4fc2f47397a4 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/openssl-crl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,66 +130,104 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CRL 1"
-.TH CRL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-CRL 1ossl"
+.TH OPENSSL-CRL 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-crl, crl \- CRL utility
+openssl\-crl \- CRL command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-key\fR \fIfilename\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
+[\fB\-dateopt\fR]
[\fB\-text\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-nameopt option\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-gendelta\fR \fIfilename\fR]
+[\fB\-badsig\fR]
+[\fB\-verify\fR]
[\fB\-noout\fR]
[\fB\-hash\fR]
+[\fB\-hash_old\fR]
+[\fB\-fingerprint\fR]
+[\fB\-crlnumber\fR]
[\fB\-issuer\fR]
[\fB\-lastupdate\fR]
[\fB\-nextupdate\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
+This command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
-structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
+The \s-1CRL\s0 input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+The \s-1CRL\s0 output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-key\fR \fIfilename\fR" 4
+.IX Item "-key filename"
+The private key to be used to sign the \s-1CRL.\s0
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-keyform DER|PEM|P12"
+The format of the private key file; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
+.IP "\fB\-gendelta\fR \fIfilename\fR" 4
+.IX Item "-gendelta filename"
+Output a comparison of the main \s-1CRL\s0 and the one specified here.
+.IP "\fB\-badsig\fR" 4
+.IX Item "-badsig"
+Corrupt the signature before writing it; this can be useful
+for testing.
+.IP "\fB\-dateopt\fR" 4
+.IX Item "-dateopt"
+Specify the date output format. Values are: rfc_822 and iso_8601.
+Defaults to rfc_822.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print out the \s-1CRL\s0 in text form.
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. See
-the description of \fB\-nameopt\fR in \fBx509\fR\|(1).
+.IP "\fB\-verify\fR" 4
+.IX Item "-verify"
+Verify the signature in the \s-1CRL.\s0
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the \s-1CRL.\s0
+.IP "\fB\-fingerprint\fR" 4
+.IX Item "-fingerprint"
+Output the fingerprint of the \s-1CRL.\s0
+.IP "\fB\-crlnumber\fR" 4
+.IX Item "-crlnumber"
+Output the number of the \s-1CRL.\s0
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
Output a hash of the issuer name. This can be use to lookup CRLs in
@@ -209,24 +245,22 @@ Output the lastUpdate field.
.IP "\fB\-nextupdate\fR" 4
.IX Item "-nextupdate"
Output the nextUpdate field.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
-\&\fBfile\fR.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
-\&\fBdir\fR. This directory must be a standard certificate directory: that
-is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
-to each certificate.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM CRL\s0 format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN X509 CRL\-\-\-\-\-
-\& \-\-\-\-\-END X509 CRL\-\-\-\-\-
-.Ve
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
@@ -238,7 +272,7 @@ Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
Output the text form of a \s-1DER\s0 encoded certificate:
.PP
.Vb 1
-\& openssl crl \-in crl.der \-inform DER \-text \-noout
+\& openssl crl \-in crl.der \-text \-noout
.Ve
.SH "BUGS"
.IX Header "BUGS"
@@ -246,12 +280,16 @@ Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
and files too.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBcrl2pkcs7\fR\|(1), \fBca\fR\|(1), \fBx509\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-crl2pkcs7\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBossl_store\-file\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1
index 75eb0252002b..70125c7cbe97 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,27 +130,30 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-CRL2PKCS7 1ossl"
+.TH OPENSSL-CRL2PKCS7 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-crl2pkcs7, crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates
+openssl\-crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl2pkcs7\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-certfile filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-certfile\fR \fIfilename\fR]
[\fB\-nocrl\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more
+This command takes an optional \s-1CRL\s0 and one or more
certificates and converts them into a PKCS#7 degenerate \*(L"certificates
only\*(R" structure.
.SH "OPTIONS"
@@ -160,25 +161,23 @@ only\*(R" structure.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
-structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0
-.IP "\fB\-outform DER|PEM\fR" 4
+The input format of the \s-1CRL\s0; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0
-encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0
-.IP "\fB\-in filename\fR" 4
+The output format of the PKCS#7 object; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
-.IP "\fB\-certfile filename\fR" 4
+.IP "\fB\-certfile\fR \fIfilename\fR" 4
.IX Item "-certfile filename"
Specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
All certificates in the file will be added to the PKCS#7 structure. This
@@ -188,6 +187,15 @@ files.
.IX Item "-nocrl"
Normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
included in the output file and a \s-1CRL\s0 is not read from the input file.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
@@ -208,7 +216,7 @@ different certificates:
The output file is a PKCS#7 signed data structure containing no signers and
just certificates and an optional \s-1CRL.\s0
.PP
-This utility can be used to send certificates and CAs to Netscape as part of
+This command can be used to send certificates and CAs to Netscape as part of
the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
as \s-1MIME\s0 type application/x\-x509\-user\-cert.
.PP
@@ -216,12 +224,13 @@ The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can b
install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBpkcs7\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkcs7\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/openssl-dgst.1
index ce0c9c5b350a..8e794097c01f 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/openssl-dgst.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,53 +130,58 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "DGST 1"
-.TH DGST 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-DGST 1ossl"
+.TH OPENSSL-DGST 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-dgst, dgst \- perform digest operations
+openssl\-dgst \- perform digest operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBopenssl dgst\fR
+\&\fBopenssl\fR \fBdgst\fR|\fIdigest\fR
[\fB\-\f(BIdigest\fB\fR]
+[\fB\-list\fR]
[\fB\-help\fR]
[\fB\-c\fR]
[\fB\-d\fR]
-[\fB\-list\fR]
+[\fB\-debug\fR]
[\fB\-hex\fR]
[\fB\-binary\fR]
+[\fB\-xoflen\fR \fIlength\fR]
[\fB\-r\fR]
-[\fB\-out filename\fR]
-[\fB\-sign filename\fR]
-[\fB\-keyform arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-verify filename\fR]
-[\fB\-prverify filename\fR]
-[\fB\-signature filename\fR]
-[\fB\-sigopt nm:v\fR]
-[\fB\-hmac key\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-sign\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-verify\fR \fIfilename\fR]
+[\fB\-prverify\fR \fIfilename\fR]
+[\fB\-signature\fR \fIfilename\fR]
+[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
+[\fB\-hmac\fR \fIkey\fR]
+[\fB\-mac\fR \fIalg\fR]
+[\fB\-macopt\fR \fInm\fR:\fIv\fR]
[\fB\-fips\-fingerprint\fR]
-[\fB\-rand file...\fR]
-[\fB\-engine id\fR]
-[\fB\-engine_impl\fR]
-[\fBfile...\fR]
-.PP
-\&\fBopenssl\fR \fIdigest\fR [\fB...\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-engine_impl\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIfile\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The digest functions output the message digest of a supplied file or files
-in hexadecimal. The digest functions also generate and verify digital
+This command output the message digest of a supplied file or files
+in hexadecimal, and also generates and verifies digital
signatures using message digests.
.PP
-The generic name, \fBdgst\fR, may be used with an option specifying the
+The generic name, \fBopenssl dgst\fR, may be used with an option specifying the
algorithm to be used.
-The default digest is \fIsha256\fR.
-A supported \fIdigest\fR name may also be used as the command name.
-To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR
-command.
+The default digest is \fBsha256\fR.
+A supported \fIdigest\fR name may also be used as the sub-command name.
+To see the list of supported algorithms, use \f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
@@ -186,18 +189,17 @@ command.
Print out a usage message.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
-Specifies name of a supported digest to be used. To see the list of
-supported digests, use the command \fIlist \-\-digest\-commands\fR.
+Specifies name of a supported digest to be used. See option \fB\-list\fR below :
+.IP "\fB\-list\fR" 4
+.IX Item "-list"
+Prints out a list of supported message digests.
.IP "\fB\-c\fR" 4
.IX Item "-c"
Print out the digest in two digit groups separated by colons, only relevant if
-\&\fBhex\fR format output is used.
-.IP "\fB\-d\fR" 4
-.IX Item "-d"
+the \fB\-hex\fR option is given as well.
+.IP "\fB\-d\fR, \fB\-debug\fR" 4
+.IX Item "-d, -debug"
Print out \s-1BIO\s0 debugging information.
-.IP "\fB\-list\fR" 4
-.IX Item "-list"
-Prints out a list of supported message digests.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
@@ -206,118 +208,159 @@ signatures using \fB\-hex\fR.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Output the digest or signature in binary form.
+.IP "\fB\-xoflen\fR \fIlength\fR" 4
+.IX Item "-xoflen length"
+Set the output length for \s-1XOF\s0 algorithms, such as \fBshake128\fR and \fBshake256\fR.
+This option is not supported for signing operations.
+.Sp
+For OpenSSL providers it is recommended to set this value for shake algorithms,
+since the default values are set to only supply half of the maximum security
+strength.
+.Sp
+For backwards compatibility reasons the default xoflen length for \fBshake128\fR is
+16 (bytes) which results in a security strength of only 64 bits. To ensure the
+maximum security strength of 128 bits, the xoflen should be set to at least 32.
+.Sp
+For backwards compatibility reasons the default xoflen length for \fBshake256\fR is
+32 (bytes) which results in a security strength of only 128 bits. To ensure the
+maximum security strength of 256 bits, the xoflen should be set to at least 64.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Output the digest in the \*(L"coreutils\*(R" format, including newlines.
-Used by programs like \fBsha1sum\fR.
-.IP "\fB\-out filename\fR" 4
+Used by programs like \fBsha1sum\fR\|(1).
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Filename to output to, or standard output by default.
-.IP "\fB\-sign filename\fR" 4
-.IX Item "-sign filename"
-Digitally sign the digest using the private key in \*(L"filename\*(R". Note this option
-does not support Ed25519 or Ed448 private keys.
-.IP "\fB\-keyform arg\fR" 4
-.IX Item "-keyform arg"
-Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0
-and \s-1ENGINE\s0 formats are supported.
-.IP "\fB\-sigopt nm:v\fR" 4
+.IP "\fB\-sign\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-sign filename|uri"
+Digitally sign the digest using the given private key. Note this option
+does not support Ed25519 or Ed448 private keys. Use the \fBopenssl\-pkeyutl\fR\|(1)
+command instead for this.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The format of the key to sign with; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The private key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-verify filename\fR" 4
+The private key password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-verify\fR \fIfilename\fR" 4
.IX Item "-verify filename"
Verify the signature using the public key in \*(L"filename\*(R".
-The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
-.IP "\fB\-prverify filename\fR" 4
+The output is either \*(L"Verified \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
+.IP "\fB\-prverify\fR \fIfilename\fR" 4
.IX Item "-prverify filename"
Verify the signature using the private key in \*(L"filename\*(R".
-.IP "\fB\-signature filename\fR" 4
+.IP "\fB\-signature\fR \fIfilename\fR" 4
.IX Item "-signature filename"
The actual signature to verify.
-.IP "\fB\-hmac key\fR" 4
+.IP "\fB\-hmac\fR \fIkey\fR" 4
.IX Item "-hmac key"
Create a hashed \s-1MAC\s0 using \*(L"key\*(R".
-.IP "\fB\-mac alg\fR" 4
+.Sp
+The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
+option.
+.IP "\fB\-mac\fR \fIalg\fR" 4
.IX Item "-mac alg"
Create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
which are not based on hash, for instance \fBgost-mac\fR algorithm,
-supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
+supported by the \fBgost\fR engine. \s-1MAC\s0 keys and other options should be set
via \fB\-macopt\fR parameter.
-.IP "\fB\-macopt nm:v\fR" 4
+.Sp
+The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
+option.
+.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key.
Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR:
.RS 4
-.IP "\fBkey:string\fR" 4
+.IP "\fBkey\fR:\fIstring\fR" 4
.IX Item "key:string"
Specifies \s-1MAC\s0 key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac.
-.IP "\fBhexkey:string\fR" 4
+.IP "\fBhexkey\fR:\fIstring\fR" 4
.IX Item "hexkey:string"
Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the \s-1MAC\s0 algorithm
for example exactly 32 chars for gost-mac.
.RE
.RS 4
+.Sp
+The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
+option.
.RE
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-fips\-fingerprint\fR" 4
.IX Item "-fips-fingerprint"
Compute \s-1HMAC\s0 using a specific key for certain OpenSSL-FIPS operations.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Use engine \fBid\fR for operations (including private key storage).
-This engine is not used as source for digest algorithms, unless it is
-also specified in the configuration file or \fB\-engine_impl\fR is also
-specified.
-.IP "\fB\-engine_impl\fR" 4
-.IX Item "-engine_impl"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.Sp
+The engine is not used for digests unless the \fB\-engine_impl\fR option is
+used or it is configured to do so, see \*(L"Engine Configuration Module\*(R" in \fBconfig\fR\|(5).
+.IP "\fB\-engine_impl\fR \fIid\fR" 4
+.IX Item "-engine_impl id"
When used with the \fB\-engine\fR option, it specifies to also use
-engine \fBid\fR for digest operations.
-.IP "\fBfile...\fR" 4
-.IX Item "file..."
+engine \fIid\fR for digest operations.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fIfile\fR ..." 4
+.IX Item "file ..."
File or files to digest. If no files are specified then standard input is
used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To create a hex-encoded message digest of a file:
- openssl dgst \-md5 \-hex file.txt
+.PP
+.Vb 3
+\& openssl dgst \-md5 \-hex file.txt
+\& or
+\& openssl md5 file.txt
+.Ve
.PP
To sign a file using \s-1SHA\-256\s0 with binary file output:
- openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
+.PP
+.Vb 3
+\& openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
+\& or
+\& openssl sha256 \-sign privatekey.pem \-out signature.sign file.txt
+.Ve
.PP
To verify a signature:
- openssl dgst \-sha256 \-verify publickey.pem \e
- \-signature signature.sign \e
- file.txt
+.PP
+.Vb 3
+\& openssl dgst \-sha256 \-verify publickey.pem \e
+\& \-signature signature.sign \e
+\& file.txt
+.Ve
.SH "NOTES"
.IX Header "NOTES"
The digest mechanisms that are available will depend on the options
used when building OpenSSL.
-The \fBlist digest-commands\fR command can be used to list them.
+The \f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR command can be used to list them.
.PP
New or agile applications should use probably use \s-1SHA\-256.\s0 Other digests,
particularly \s-1SHA\-1\s0 and \s-1MD5,\s0 are still widely used for interoperating
with existing formats and protocols.
.PP
-When signing a file, \fBdgst\fR will automatically determine the algorithm
+When signing a file, this command will automatically determine the algorithm
(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info.
When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature
itself, not the related data to identify the signer and algorithm used in
@@ -332,15 +375,23 @@ being signed or verified.
Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R"
or similar program to transform the hex signature into a binary signature
prior to verification.
+.PP
+The \fBopenssl\-mac\fR\|(1) command is preferred over the \fB\-hmac\fR, \fB\-mac\fR and
+\&\fB\-macopt\fR command line options.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-mac\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
+.PP
+The \fB\-engine\fR and \fB\-engine_impl\fR options were deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/openssl-dhparam.1
index 02be7cf0cad2..5e3a4ff53369 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/openssl-dhparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,51 +130,53 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-DHPARAM 1ossl"
+.TH OPENSSL-DHPARAM 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-dhparam, dhparam \- DH parameter manipulation and generation
+openssl\-dhparam \- DH parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dhparam\fR
[\fB\-help\fR]
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-dsaparam\fR]
[\fB\-check\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
-[\fB\-C\fR]
[\fB\-2\fR]
+[\fB\-3\fR]
[\fB\-5\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
[\fInumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate \s-1DH\s0 parameter files.
+.PP
+See \*(L"\s-1EXAMPLES\*(R"\s0 in \fBopenssl\-genpkey\fR\|(1) for examples on how to generate
+a key using a named safe prime group without generating intermediate
+parameters.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
-default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
-additional header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM, -outform DER|PEM"
+The input format and output format; the default is \fB\s-1PEM\s0\fR.
+The object is compatible with the PKCS#3 \fBDHparameter\fR structure.
+See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
@@ -201,76 +201,62 @@ avoid small-subgroup attacks that may be possible otherwise.
.IX Item "-check"
Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.
-.IP "\fB\-2\fR, \fB\-5\fR" 4
-.IX Item "-2, -5"
-The generator to use, either 2 or 5. If present then the
+.IP "\fB\-2\fR, \fB\-3\fR, \fB\-5\fR" 4
+.IX Item "-2, -3, -5"
+The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
-present but \fBnumbits\fR is present, parameters are generated with the
+present but \fInumbits\fR is present, parameters are generated with the
default generator 2.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fInumbits\fR" 4
.IX Item "numbits"
This option specifies that a parameter set should be generated of size
\&\fInumbits\fR. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
-this option is not present but a generator (\fB\-2\fR or \fB\-5\fR) is
+this option is not present but a generator (\fB\-2\fR, \fB\-3\fR or \fB\-5\fR) is
present, parameters are generated with a default length of 2048 bits.
+The minimum length is 512 bits. The maximum length is 10000 bits.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DH\s0 parameters in human readable form.
-.IP "\fB\-C\fR" 4
-.IX Item "-C"
-This option converts the parameters into C code. The parameters can then
-be loaded by calling the \fBget_dhNNNN()\fR function.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "WARNINGS"
-.IX Header "WARNINGS"
-The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and
-\&\fBgendh\fR in previous versions of OpenSSL. The \fBdh\fR and \fBgendh\fR
-programs are retained for now but may have different purposes in future
-versions of OpenSSL.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
-\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN DH PARAMETERS\-\-\-\-\-
-\& \-\-\-\-\-END DH PARAMETERS\-\-\-\-\-
-.Ve
-.PP
-OpenSSL currently only supports the older PKCS#3 \s-1DH,\s0 not the newer X9.42
-\&\s-1DH.\s0
-.PP
-This program manipulates \s-1DH\s0 parameters not keys.
-.SH "BUGS"
-.IX Header "BUGS"
-There should be a way to generate and manipulate \s-1DH\s0 keys.
+This command replaces the \fBdh\fR and \fBgendh\fR commands of previous
+releases.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBdsaparam\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkeyparam\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1).
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/openssl-dsa.1
index 61c7a51bb327..ed218e8418bc 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/openssl-dsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,24 +130,24 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "DSA 1"
-.TH DSA 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-DSA 1ossl"
+.TH OPENSSL-DSA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-dsa, dsa \- DSA key processing
+openssl\-dsa \- DSA key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBdsa\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
@@ -167,10 +165,16 @@ openssl\-dsa, dsa \- DSA key processing
[\fB\-modulus\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
-[\fB\-engine id\fR]
+[\fB\-pvk\-strong\fR]
+[\fB\-pvk\-weak\fR]
+[\fB\-pvk\-none\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various
+This command processes \s-1DSA\s0 keys. They can be converted between various
forms and their components printed out. \fBNote\fR This command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
@@ -179,48 +183,44 @@ applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
-an \s-1ASN1 DER\s0 encoded form of an \s-1ASN.1 SEQUENCE\s0 consisting of the values of
-version (currently zero), p, q, g, the public and private key components
-respectively as \s-1ASN.1\s0 INTEGERs. When used with a public key it uses a
-SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA.\s0
-.Sp
-The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
-encoded with additional header and footer lines. In the case of a private key
-PKCS#8 format is also accepted.
-.IP "\fB\-outform DER|PEM\fR" 4
+The key input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+The key output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+Private keys are a sequence of \fB\s-1ASN.1 INTEGERS\s0\fR: the version (zero), \fBp\fR,
+\&\fBq\fR, \fBg\fR, and the public and private key components. Public keys
+are a \fBSubjectPublicKeyInfo\fR structure with the \fB\s-1DSA\s0\fR type.
+.Sp
+The \fB\s-1PEM\s0\fR format also accepts PKCS#8 data.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
-.IP "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passin arg, -passout arg"
+The password source for the input and output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the \fBdsa\fR utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
@@ -240,29 +240,36 @@ public key is read instead.
By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-pvk\-strong\fR" 4
+.IX Item "-pvk-strong"
+Enable 'Strong' \s-1PVK\s0 encoding level (default).
+.IP "\fB\-pvk\-weak\fR" 4
+.IX Item "-pvk-weak"
+Enable 'Weak' \s-1PVK\s0 encoding level.
+.IP "\fB\-pvk\-none\fR" 4
+.IX Item "-pvk-none"
+Don't enforce \s-1PVK\s0 encoding.
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 private key format uses the header and footer lines:
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-
-\& \-\-\-\-\-END DSA PRIVATE KEY\-\-\-\-\-
-.Ve
-.PP
-The \s-1PEM\s0 public key format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
-\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
-.Ve
+The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
+this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
+The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
+equivalent to the ones listed here.
+.PP
To remove the pass phrase on a \s-1DSA\s0 private key:
.PP
.Vb 1
@@ -294,13 +301,20 @@ To just output the public part of a private key:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBdsaparam\fR\|(1), \fBgendsa\fR\|(1), \fBrsa\fR\|(1),
-\&\fBgenrsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/openssl-dsaparam.1
index 93ebf3c3c397..c72c1963d761 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/openssl-dsaparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,54 +130,61 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-DSAPARAM 1ossl"
+.TH OPENSSL-DSAPARAM 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-dsaparam, dsaparam \- DSA parameter manipulation and generation
+openssl\-dsaparam \- DSA parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dsaparam\fR
[\fB\-help\fR]
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
-[\fB\-C\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
[\fB\-genkey\fR]
-[\fB\-engine id\fR]
-[\fBnumbits\fR]
+[\fB\-verbose\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fInumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1DSA\s0 parameter files.
+.PP
+\&\s-1DSA\s0 parameter generation can be a slow process and as a result the same set of
+\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
-of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
-of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
+The \s-1DSA\s0 parameters input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+The \s-1DSA\s0 parameters output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+Parameters are a sequence of \fB\s-1ASN.1 INTEGER\s0\fRs: \fBp\fR, \fBq\fR, and \fBg\fR.
+This is compatible with \s-1RFC 2459\s0 \fBDSS-Parms\fR structure.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the \fBnumbits\fR parameter is included then
+this option is not specified. If the \fInumbits\fR parameter is included then
this option will be ignored.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
@@ -190,56 +195,52 @@ This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DSA\s0 parameters in human readable form.
-.IP "\fB\-C\fR" 4
-.IX Item "-C"
-This option converts the parameters into C code. The parameters can then
-be loaded by calling the \fBget_dsaXXX()\fR function.
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate a \s-1DSA\s0 either using the specified or generated
parameters.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fBnumbits\fR" 4
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Print extra details about the operations being performed.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fInumbits\fR" 4
.IX Item "numbits"
This option specifies that a parameter set should be generated of size
-\&\fBnumbits\fR. It must be the last option. If this option is included then
+\&\fInumbits\fR. It must be the last option. If this option is included then
the input file (if any) is ignored.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN DSA PARAMETERS\-\-\-\-\-
-\& \-\-\-\-\-END DSA PARAMETERS\-\-\-\-\-
-.Ve
-.PP
-\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of
-\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBgendsa\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBrsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkeyparam\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/openssl-ec.1
index e89e88e9aab7..3f00647cfd9e 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/openssl-ec.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,24 +130,24 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "EC 1"
-.TH EC 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-EC 1ossl"
+.TH OPENSSL-EC 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ec, ec \- EC key processing
+openssl\-ec \- EC key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBec\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
@@ -158,61 +156,60 @@ openssl\-ec, ec \- EC key processing
[\fB\-param_out\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
-[\fB\-conv_form arg\fR]
-[\fB\-param_enc arg\fR]
+[\fB\-conv_form\fR \fIarg\fR]
+[\fB\-param_enc\fR \fIarg\fR]
[\fB\-no_public\fR]
[\fB\-check\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various
-forms and their components printed out. \fBNote\fR OpenSSL uses the
+The \fBopenssl\-ec\fR\|(1) command processes \s-1EC\s0 keys. They can be converted between
+various forms and their components printed out. \fBNote\fR OpenSSL uses the
private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL \s-1EC\s0 private key into the
-PKCS#8 private key format use the \fBpkcs8\fR command.
+PKCS#8 private key format use the \fBopenssl\-pkcs8\fR\|(1) command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
-an \s-1ASN.1 DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structure as specified in \s-1RFC 3280.\s0
-The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
-encoded with additional header and footer lines. In the case of a private key
-PKCS#8 format is also accepted.
-.IP "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-inform DER|PEM|P12|ENGINE"
+The key input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
+The key output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+Private keys are an \s-1SEC1\s0 private key or PKCS#8 format.
+Public keys are a \fBSubjectPublicKeyInfo\fR as specified in \s-1IETF RFC 3280.\s0
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
-.IP "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-des|\-des3|\-idea\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passin arg, -passout arg"
+The password source for the input and output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-des\fR|\fB\-des3\fR|\fB\-idea\fR" 4
.IX Item "-des|-des3|-idea"
These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the \fBec\fR utility to read in an encrypted key with no
+means that using this command to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with \s-1PEM\s0 format output files.
@@ -222,6 +219,9 @@ Prints out the public, private key components and parameters.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
+.IP "\fB\-param_out\fR" 4
+.IX Item "-param_out"
+Print the elliptic curve parameters.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default, a private key is read from the input file. With this option a
@@ -231,16 +231,16 @@ public key is read instead.
By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
-.IP "\fB\-conv_form\fR" 4
-.IX Item "-conv_form"
+.IP "\fB\-conv_form\fR \fIarg\fR" 4
+.IX Item "-conv_form arg"
This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: \fBcompressed\fR (the default
-value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding
+into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
+default value) and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
-.IP "\fB\-param_enc arg\fR" 4
+.IP "\fB\-param_enc\fR \fIarg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
@@ -255,29 +255,27 @@ This option omits the public key components from the private key output.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of an \s-1EC\s0 private or public key.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 private key format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-
-\& \-\-\-\-\-END EC PRIVATE KEY\-\-\-\-\-
-.Ve
-.PP
-The \s-1PEM\s0 public key format uses the header and footer lines:
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
-\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
-.Ve
+The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
+this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
+The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
+equivalent to the ones listed here.
+.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
@@ -315,12 +313,22 @@ To change the point conversion form to \fBcompressed\fR:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBecparam\fR\|(1), \fBdsa\fR\|(1), \fBrsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-ecparam\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-conv_form\fR and \fB\-no_public\fR options are no longer supported
+with keys loaded from an engine in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/openssl-ecparam.1
index 13e6a62524d5..c70f0cf69653 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/openssl-ecparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,58 +130,64 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-ECPARAM 1ossl"
+.TH OPENSSL-ECPARAM 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ecparam, ecparam \- EC parameter manipulation and generation
+openssl\-ecparam \- EC parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl ecparam\fR
[\fB\-help\fR]
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
-[\fB\-C\fR]
[\fB\-check\fR]
-[\fB\-name arg\fR]
+[\fB\-check_named\fR]
+[\fB\-name\fR \fIarg\fR]
[\fB\-list_curves\fR]
-[\fB\-conv_form arg\fR]
-[\fB\-param_enc arg\fR]
+[\fB\-conv_form\fR \fIarg\fR]
+[\fB\-param_enc\fR \fIarg\fR]
[\fB\-no_seed\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
[\fB\-genkey\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1EC\s0 parameter files.
+.PP
+OpenSSL is currently not able to generate new groups and therefore
+this command can only create \s-1EC\s0 parameters from known (named) curves.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded
-form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default
-format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional
-header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
+The \s-1EC\s0 parameters input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+The \s-1EC\s0 parameters output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+Parameters are encoded as \fBEcpkParameters\fR as specified in \s-1IETF RFC 3279.\s0
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
@@ -194,23 +198,22 @@ This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1EC\s0 parameters in human readable form.
-.IP "\fB\-C\fR" 4
-.IX Item "-C"
-This option converts the \s-1EC\s0 parameters into C code. The parameters can then
-be loaded by calling the \fBget_ec_group_XXX()\fR function.
.IP "\fB\-check\fR" 4
.IX Item "-check"
Validate the elliptic curve parameters.
-.IP "\fB\-name arg\fR" 4
+.IP "\fB\-check_named\fR" 4
+.IX Item "-check_named"
+Validate the elliptic name curve parameters by checking if the curve parameters
+match any built-in curves.
+.IP "\fB\-name\fR \fIarg\fR" 4
.IX Item "-name arg"
Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR
to get a list of all currently implemented \s-1EC\s0 parameters.
.IP "\fB\-list_curves\fR" 4
.IX Item "-list_curves"
-If this options is specified \fBecparam\fR will print out a list of all
-currently implemented \s-1EC\s0 parameters names and exit.
-.IP "\fB\-conv_form\fR" 4
-.IX Item "-conv_form"
+Print out a list of all currently implemented \s-1EC\s0 parameters names and exit.
+.IP "\fB\-conv_form\fR \fIarg\fR" 4
+.IX Item "-conv_form arg"
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
default value) and \fBhybrid\fR. For more information regarding
@@ -218,7 +221,7 @@ the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
-.IP "\fB\-param_enc arg\fR" 4
+.IP "\fB\-param_enc\fR \fIarg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
@@ -234,36 +237,31 @@ is included in the ECParameters structure (see \s-1RFC 3279\s0).
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate an \s-1EC\s0 private key using the specified parameters.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.SH "NOTES"
-.IX Header "NOTES"
-\&\s-1PEM\s0 format \s-1EC\s0 parameters use the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN EC PARAMETERS\-\-\-\-\-
-\& \-\-\-\-\-END EC PARAMETERS\-\-\-\-\-
-.Ve
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
-OpenSSL is currently not able to generate new groups and therefore
-\&\fBecparam\fR can only create \s-1EC\s0 parameters from known (named) curves.
+The \fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1) commands are capable
+of performing all the operations this command can, as well as supporting
+other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
+The documentation for the \fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1)
+commands contains examples equivalent to the ones listed here.
+.PP
To create \s-1EC\s0 parameters with the group 'prime192v1':
.PP
.Vb 1
@@ -301,12 +299,21 @@ To print out the \s-1EC\s0 parameters to standard output:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBec\fR\|(1), \fBdsaparam\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkeyparam\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-ec\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2003\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/openssl-enc.1
index 46f6d08dff53..72b905301a6c 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/openssl-enc.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,50 +130,55 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "ENC 1"
-.TH ENC 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-ENC 1ossl"
+.TH OPENSSL-ENC 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-enc, enc \- symmetric cipher routines
+openssl\-enc \- symmetric cipher routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBopenssl enc \-\f(BIcipher\fB\fR
+\&\fBopenssl\fR \fBenc\fR|\fIcipher\fR
+[\fB\-\f(BIcipher\fB\fR]
[\fB\-help\fR]
[\fB\-list\fR]
[\fB\-ciphers\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-pass arg\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-pass\fR \fIarg\fR]
[\fB\-e\fR]
[\fB\-d\fR]
[\fB\-a\fR]
[\fB\-base64\fR]
[\fB\-A\fR]
-[\fB\-k password\fR]
-[\fB\-kfile filename\fR]
-[\fB\-K key\fR]
-[\fB\-iv \s-1IV\s0\fR]
-[\fB\-S salt\fR]
+[\fB\-k\fR \fIpassword\fR]
+[\fB\-kfile\fR \fIfilename\fR]
+[\fB\-K\fR \fIkey\fR]
+[\fB\-iv\fR \fI\s-1IV\s0\fR]
+[\fB\-S\fR \fIsalt\fR]
[\fB\-salt\fR]
[\fB\-nosalt\fR]
[\fB\-z\fR]
-[\fB\-md digest\fR]
-[\fB\-iter count\fR]
+[\fB\-md\fR \fIdigest\fR]
+[\fB\-iter\fR \fIcount\fR]
[\fB\-pbkdf2\fR]
[\fB\-p\fR]
[\fB\-P\fR]
-[\fB\-bufsize number\fR]
+[\fB\-bufsize\fR \fInumber\fR]
[\fB\-nopad\fR]
+[\fB\-v\fR]
[\fB\-debug\fR]
[\fB\-none\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.PP
-\&\fBopenssl\fR \fI[cipher]\fR [\fB...\fR]
+\&\fBopenssl\fR \fIcipher\fR [\fB...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The symmetric cipher commands allow data to be encrypted or decrypted
@@ -184,6 +187,9 @@ or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
.SH "OPTIONS"
.IX Header "OPTIONS"
+.IP "\fB\-\f(BIcipher\fB\fR" 4
+.IX Item "-cipher"
+The cipher to use.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
@@ -193,16 +199,16 @@ List all supported ciphers.
.IP "\fB\-ciphers\fR" 4
.IX Item "-ciphers"
Alias of \-list to display all supported ciphers.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input filename, standard input by default.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The output filename, standard output by default.
-.IP "\fB\-pass arg\fR" 4
+.IP "\fB\-pass\fR \fIarg\fR" 4
.IX Item "-pass arg"
-The password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+The password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-e\fR" 4
.IX Item "-e"
Encrypt the input data: this is the default.
@@ -220,27 +226,28 @@ Same as \fB\-a\fR
.IP "\fB\-A\fR" 4
.IX Item "-A"
If the \fB\-a\fR option is set then base64 process the data on one line.
-.IP "\fB\-k password\fR" 4
+.IP "\fB\-k\fR \fIpassword\fR" 4
.IX Item "-k password"
The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
-.IP "\fB\-kfile filename\fR" 4
+.IP "\fB\-kfile\fR \fIfilename\fR" 4
.IX Item "-kfile filename"
-Read the password to derive the key from the first line of \fBfilename\fR.
+Read the password to derive the key from the first line of \fIfilename\fR.
This is for compatibility with previous versions of OpenSSL. Superseded by
the \fB\-pass\fR argument.
-.IP "\fB\-md digest\fR" 4
+.IP "\fB\-md\fR \fIdigest\fR" 4
.IX Item "-md digest"
Use the specified digest to create the key from the passphrase.
The default algorithm is sha\-256.
-.IP "\fB\-iter count\fR" 4
+.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
This option enables the use of \s-1PBKDF2\s0 algorithm to derive the key.
.IP "\fB\-pbkdf2\fR" 4
.IX Item "-pbkdf2"
-Use \s-1PBKDF2\s0 algorithm with default iteration count unless otherwise specified.
+Use \s-1PBKDF2\s0 algorithm with a default iteration count of 10000
+unless otherwise specified by the \fB\-iter\fR command line option.
.IP "\fB\-nosalt\fR" 4
.IX Item "-nosalt"
Don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
@@ -250,10 +257,12 @@ OpenSSL.
.IX Item "-salt"
Use salt (randomly generated or provide with \fB\-S\fR option) when
encrypting, this is the default.
-.IP "\fB\-S salt\fR" 4
+.IP "\fB\-S\fR \fIsalt\fR" 4
.IX Item "-S salt"
The actual salt to use: this must be represented as a string of hex digits.
-.IP "\fB\-K key\fR" 4
+If this option is used while encrypting, the same exact value will be needed
+again during decryption.
+.IP "\fB\-K\fR \fIkey\fR" 4
.IX Item "-K key"
The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
@@ -261,7 +270,7 @@ using the \fB\-iv\fR option. When both a key and a password are specified, the
key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
password will be taken. It does not make much sense to specify both key
and password.
-.IP "\fB\-iv \s-1IV\s0\fR" 4
+.IP "\fB\-iv\fR \fI\s-1IV\s0\fR" 4
.IX Item "-iv IV"
The actual \s-1IV\s0 to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the \fB\-K\fR option, the
@@ -274,12 +283,15 @@ Print out the key and \s-1IV\s0 used.
.IX Item "-P"
Print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
or decryption.
-.IP "\fB\-bufsize number\fR" 4
+.IP "\fB\-bufsize\fR \fInumber\fR" 4
.IX Item "-bufsize number"
Set the buffer size for I/O.
.IP "\fB\-nopad\fR" 4
.IX Item "-nopad"
Disable standard block padding.
+.IP "\fB\-v\fR" 4
+.IX Item "-v"
+Verbose print; display some statistics about I/O and buffer sizes.
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Debug the BIOs used for I/O.
@@ -291,29 +303,34 @@ or zlib-dynamic option.
.IP "\fB\-none\fR" 4
.IX Item "-none"
Use \s-1NULL\s0 cipher (no encryption or decryption of input).
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
.SH "NOTES"
.IX Header "NOTES"
-The program can be called either as \fBopenssl cipher\fR or
-\&\fBopenssl enc \-cipher\fR. The first form doesn't work with
+The program can be called either as \f(CW\*(C`openssl \f(CIcipher\f(CW\*(C'\fR or
+\&\f(CW\*(C`openssl enc \-\f(CIcipher\f(CW\*(C'\fR. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
-Use the \fBlist\fR command to get a list of supported ciphers.
+Use the \fBopenssl\-list\fR\|(1) command to get a list of supported ciphers.
.PP
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
-configuration file. Engines specified on the command line using \-engine
-options can only be used for hardware-assisted implementations of
+configuration file. Engines specified on the command line using \fB\-engine\fR
+option can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.
.PP
@@ -329,9 +346,11 @@ OpenSSL.
Without the \fB\-salt\fR option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
for this is that without the salt the same password always generates the same
-encryption key. When the salt is being used the first eight bytes of the
-encrypted data are reserved for the salt: it is generated at random when
-encrypting a file and read from the encrypted file when it is decrypted.
+encryption key.
+.PP
+When the salt is generated at random (that means when encrypting using a
+passphrase without explicit salt given using \fB\-S\fR option), the first bytes
+of the encrypted data are reserved to store the salt for later decrypting.
.PP
Some of the ciphers do not have large keys and others have security
implications if not used correctly. A beginner is advised to just use
@@ -348,31 +367,43 @@ block length.
All \s-1RC2\s0 ciphers have the same key and effective key length.
.PP
Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
+.PP
+Please note that OpenSSL 3.0 changed the effect of the \fB\-S\fR option.
+Any explicit salt value specified via this option is no longer prepended to the
+ciphertext when encrypting, and must again be explicitly provided when decrypting.
+Conversely, when the \fB\-S\fR option is used during decryption, the ciphertext
+is expected to not have a prepended salt value.
+.PP
+When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
+explicit salt under OpenSSL 1.1.1 do not use the \fB\-S\fR option, the salt will
+then be read from the ciphertext.
+To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
+the \fB\-S\fR option, the salt will be then be generated randomly and prepended
+to the output.
.SH "SUPPORTED CIPHERS"
.IX Header "SUPPORTED CIPHERS"
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
-in the configuration file. The output of the \fBenc\fR command run with
-the \fB\-ciphers\fR option (that is \fBopenssl enc \-ciphers\fR) produces a
-list of ciphers, supported by your version of OpenSSL, including
+in the configuration file. The output when invoking this command
+with the \fB\-list\fR option (that is \f(CW\*(C`openssl enc \-list\*(C'\fR) is
+a list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.
.PP
-The \fBenc\fR program does not support authenticated encryption modes
+This command does not support authenticated encryption modes
like \s-1CCM\s0 and \s-1GCM,\s0 and will not support such modes in the future.
-The \fBenc\fR interface by necessity must begin streaming output (e.g.,
-to standard output when \fB\-out\fR is not used) before the authentication
-tag could be validated, leading to the usage of \fBenc\fR in pipelines
-that begin processing untrusted data and are not capable of rolling
-back upon authentication failure. The \s-1AEAD\s0 modes currently in common
-use also suffer from catastrophic failure of confidentiality and/or
-integrity upon reuse of key/iv/nonce, and since \fBenc\fR places the
+This is due to having to begin streaming output (e.g., to standard output
+when \fB\-out\fR is not used) before the authentication tag could be validated.
+When this command is used in a pipeline, the receiving end will not be
+able to roll back upon authentication failure. The \s-1AEAD\s0 modes currently in
+common use also suffer from catastrophic failure of confidentiality and/or
+integrity upon reuse of key/iv/nonce, and since \fBopenssl enc\fR places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing \s-1AEAD\s0 modes is too great to allow. These key/iv/nonce
-management issues also affect other modes currently exposed in \fBenc\fR,
+management issues also affect other modes currently exposed in this command,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed with a stable release branch.
For bulk encryption of data, whether using authenticated encryption
-modes or other modes, \fBcms\fR\|(1) is recommended, as it provides a
+modes or other modes, \fBopenssl\-cms\fR\|(1) is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.
.PP
.Vb 1
@@ -414,7 +445,7 @@ standard data format and performs the needed key/iv/nonce management.
\& desx DESX algorithm.
\&
\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
-\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine)
+\& gost89\-cnt GOST 28147\-89 in CNT mode (provided by ccgost engine)
\&
\& idea\-cbc IDEA algorithm in CBC mode
\& idea same as idea\-cbc
@@ -525,7 +556,7 @@ Base64 decode a file then decrypt it using a password supplied in a file:
.IX Header "BUGS"
The \fB\-A\fR option when used with large files doesn't work properly.
.PP
-The \fBenc\fR program only supports a fixed number of algorithms with
+The \fBopenssl enc\fR command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.
.SH "HISTORY"
@@ -533,11 +564,13 @@ certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
.PP
The \fB\-list\fR option was added in OpenSSL 1.1.1e.
+.PP
+The \fB\-ciphers\fR and \fB\-engine\fR options were deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/engine.1 b/secure/usr.bin/openssl/man/openssl-engine.1
index b0fb3758ba9e..03d7d10976d9 100644
--- a/secure/usr.bin/openssl/man/engine.1
+++ b/secure/usr.bin/openssl/man/openssl-engine.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,37 +130,41 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "ENGINE 1"
-.TH ENGINE 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-ENGINE 1ossl"
+.TH OPENSSL-ENGINE 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-engine, engine \- load and query engines
+openssl\-engine \- load and query engines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl engine\fR
-[ \fIengine...\fR ]
+[\fB\-help\fR]
[\fB\-v\fR]
[\fB\-vv\fR]
[\fB\-vvv\fR]
-[\fB\-vvv\fR]
-[\fB\-vvv\fR]
+[\fB\-vvvv\fR]
[\fB\-c\fR]
[\fB\-t\fR]
[\fB\-tt\fR]
-[\fB\-pre\fR \fIcommand\fR]
-[\fB\-post\fR \fIcommand\fR]
-[ \fIengine...\fR ]
+[\fB\-pre\fR \fIcommand\fR] ...
+[\fB\-post\fR \fIcommand\fR] ...
+[\fIengine\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBengine\fR command is used to query the status and capabilities
-of the specified \fBengine\fR's.
+This command has been deprecated. Providers should be used instead of engines.
+.PP
+This command is used to query the status and capabilities
+of the specified \fIengine\fRs.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
.SH "OPTIONS"
.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Display an option summary.
.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4
.IX Item "-v -vv -vvv -vvvv"
Provides information about each specified engine. The first flag lists
@@ -187,9 +189,12 @@ Displays an error trace for any unavailable engine.
Command-line configuration of engines.
The \fB\-pre\fR command is given to the engine before it is loaded and
the \fB\-post\fR command is given after the engine is loaded.
-The \fIcommand\fR is of the form \fIcmd:val\fR where \fIcmd\fR is the command,
+The \fIcommand\fR is of the form \fIcmd\fR:\fIval\fR where \fIcmd\fR is the command,
and \fIval\fR is the value for the command.
See the example below.
+.Sp
+These two options are cumulative, so they may be given more than once in the
+same command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To list all the commands available to a dynamic engine:
@@ -214,7 +219,7 @@ To list all the commands available to a dynamic engine:
\& (input flags): NO_INPUT
.Ve
.PP
-To list the capabilities of the \fIrsax\fR engine:
+To list the capabilities of the \fBrsax\fR engine:
.PP
.Vb 4
\& $ openssl engine \-c
@@ -229,12 +234,16 @@ To list the capabilities of the \fIrsax\fR engine:
The path to the engines directory.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
\&\fBconfig\fR\|(5)
+.SH "HISTORY"
+.IX Header "HISTORY"
+This command was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/openssl-errstr.1
index 0367600e364f..c8d75151ac5a 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/openssl-errstr.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,32 +130,36 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-ERRSTR 1ossl"
+.TH OPENSSL-ERRSTR 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-errstr, errstr \- lookup error codes
+openssl\-errstr \- lookup error codes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBopenssl errstr error_code\fR
+\&\fBopenssl errstr\fR
+[\fB\-help\fR]
+\&\fIerror_code...\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-Sometimes an application will not load error message and only
-numerical forms will be available. The \fBerrstr\fR utility can be used to
-display the meaning of the hex code. The hex code is the hex digits after the
-second colon.
+Sometimes an application will not load error message texts and only
+numerical forms will be available. This command can be
+used to display the meaning of the hex code. The hex code is the hex digits
+after the second colon.
.SH "OPTIONS"
.IX Header "OPTIONS"
-None.
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Display a usage message.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The error code:
.PP
.Vb 1
-\& 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
+\& 27594:error:2006D080:lib(32)::reason(128)::107:
.Ve
.PP
can be displayed with:
@@ -169,13 +171,13 @@ can be displayed with:
to produce the error message:
.PP
.Vb 1
-\& error:2006D080:BIO routines:BIO_new_file:no such file
+\& error:2006D080:BIO routines::no such file
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2004\-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-fipsinstall.1 b/secure/usr.bin/openssl/man/openssl-fipsinstall.1
new file mode 100644
index 000000000000..ae513d3c29cc
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-fipsinstall.1
@@ -0,0 +1,357 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-FIPSINSTALL 1ossl"
+.TH OPENSSL-FIPSINSTALL 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-fipsinstall \- perform FIPS configuration installation
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl fipsinstall\fR
+[\fB\-help\fR]
+[\fB\-in\fR \fIconfigfilename\fR]
+[\fB\-out\fR \fIconfigfilename\fR]
+[\fB\-module\fR \fImodulefilename\fR]
+[\fB\-provider_name\fR \fIprovidername\fR]
+[\fB\-section_name\fR \fIsectionname\fR]
+[\fB\-verify\fR]
+[\fB\-mac_name\fR \fImacname\fR]
+[\fB\-macopt\fR \fInm\fR:\fIv\fR]
+[\fB\-noout\fR]
+[\fB\-quiet\fR]
+[\fB\-no_conditional_errors\fR]
+[\fB\-no_security_checks\fR]
+[\fB\-self_test_onload\fR]
+[\fB\-corrupt_desc\fR \fIselftest_description\fR]
+[\fB\-corrupt_type\fR \fIselftest_type\fR]
+[\fB\-config\fR \fIparent_config\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to generate a \s-1FIPS\s0 module configuration file.
+This configuration file can be used each time a \s-1FIPS\s0 module is loaded
+in order to pass data to the \s-1FIPS\s0 module self tests. The \s-1FIPS\s0 module always
+verifies its \s-1MAC,\s0 but optionally only needs to run the \s-1KAT\s0's once,
+at installation.
+.PP
+The generated configuration file consists of:
+.IP "\- A \s-1MAC\s0 of the \s-1FIPS\s0 module file." 4
+.IX Item "- A MAC of the FIPS module file."
+.PD 0
+.IP "\- A test status indicator." 4
+.IX Item "- A test status indicator."
+.PD
+This indicates if the Known Answer Self Tests (\s-1KAT\s0's) have successfully run.
+.IP "\- A \s-1MAC\s0 of the status indicator." 4
+.IX Item "- A MAC of the status indicator."
+.PD 0
+.IP "\- A control for conditional self tests errors." 4
+.IX Item "- A control for conditional self tests errors."
+.PD
+By default if a continuous test (e.g a key pair test) fails then the \s-1FIPS\s0 module
+will enter an error state, and no services or cryptographic algorithms will be
+able to be accessed after this point.
+The default value of '1' will cause the fips module error state to be entered.
+If the value is '0' then the module error state will not be entered.
+Regardless of whether the error state is entered or not, the current operation
+(e.g. key generation) will return an error. The user is responsible for retrying
+the operation if the module error state is not entered.
+.IP "\- A control to indicate whether run-time security checks are done." 4
+.IX Item "- A control to indicate whether run-time security checks are done."
+This indicates if run-time checks related to enforcement of security parameters
+such as minimum security strength of keys and approved curve names are used.
+The default value of '1' will perform the checks.
+If the value is '0' the checks are not performed and \s-1FIPS\s0 compliance must
+be done by procedures documented in the relevant Security Policy.
+.PP
+This file is described in \fBfips_config\fR\|(5).
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print a usage message.
+.IP "\fB\-module\fR \fIfilename\fR" 4
+.IX Item "-module filename"
+Filename of the \s-1FIPS\s0 module to perform an integrity check on.
+The path provided in the filename is used to load the module when it is
+activated, and this overrides the environment variable \fB\s-1OPENSSL_MODULES\s0\fR.
+.IP "\fB\-out\fR \fIconfigfilename\fR" 4
+.IX Item "-out configfilename"
+Filename to output the configuration data to; the default is standard output.
+.IP "\fB\-in\fR \fIconfigfilename\fR" 4
+.IX Item "-in configfilename"
+Input filename to load configuration data from.
+Must be used if the \fB\-verify\fR option is specified.
+.IP "\fB\-verify\fR" 4
+.IX Item "-verify"
+Verify that the input configuration file contains the correct information.
+.IP "\fB\-provider_name\fR \fIprovidername\fR" 4
+.IX Item "-provider_name providername"
+Name of the provider inside the configuration file.
+The default value is \f(CW\*(C`fips\*(C'\fR.
+.IP "\fB\-section_name\fR \fIsectionname\fR" 4
+.IX Item "-section_name sectionname"
+Name of the section inside the configuration file.
+The default value is \f(CW\*(C`fips_sect\*(C'\fR.
+.IP "\fB\-mac_name\fR \fIname\fR" 4
+.IX Item "-mac_name name"
+Specifies the name of a supported \s-1MAC\s0 algorithm which will be used.
+The \s-1MAC\s0 mechanisms that are available will depend on the options
+used when building OpenSSL.
+To see the list of supported \s-1MAC\s0's use the command
+\&\f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR. The default is \fB\s-1HMAC\s0\fR.
+.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-macopt nm:v"
+Passes options to the \s-1MAC\s0 algorithm.
+A comprehensive list of controls can be found in the \s-1EVP_MAC\s0 implementation
+documentation.
+Common control strings used for this command are:
+.RS 4
+.IP "\fBkey\fR:\fIstring\fR" 4
+.IX Item "key:string"
+Specifies the \s-1MAC\s0 key as an alphanumeric string (use if the key contains
+printable characters only).
+The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+A key must be specified for every \s-1MAC\s0 algorithm.
+If no key is provided, the default that was specified when OpenSSL was
+configured is used.
+.IP "\fBhexkey\fR:\fIstring\fR" 4
+.IX Item "hexkey:string"
+Specifies the \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
+The key length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+A key must be specified for every \s-1MAC\s0 algorithm.
+If no key is provided, the default that was specified when OpenSSL was
+configured is used.
+.IP "\fBdigest\fR:\fIstring\fR" 4
+.IX Item "digest:string"
+Used by \s-1HMAC\s0 as an alphanumeric string (use if the key contains printable
+characters only).
+The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+To see the list of supported digests, use the command
+\&\f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
+The default digest is \s-1SHA\-256.\s0
+.RE
+.RS 4
+.RE
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+Disable logging of the self tests.
+.IP "\fB\-no_conditional_errors\fR" 4
+.IX Item "-no_conditional_errors"
+Configure the module to not enter an error state if a conditional self test
+fails as described above.
+.IP "\fB\-no_security_checks\fR" 4
+.IX Item "-no_security_checks"
+Configure the module to not perform run-time security checks as described above.
+.IP "\fB\-self_test_onload\fR" 4
+.IX Item "-self_test_onload"
+Do not write the two fields related to the \*(L"test status indicator\*(R" and
+\&\*(L"\s-1MAC\s0 status indicator\*(R" to the output configuration file. Without these fields
+the self tests \s-1KATS\s0 will run each time the module is loaded. This option could be
+used for cross compiling, since the self tests need to run at least once on each
+target machine. Once the self tests have run on the target machine the user
+could possibly then add the 2 fields into the configuration using some other
+mechanism.
+.IP "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+Do not output pass/fail messages. Implies \fB\-noout\fR.
+.IP "\fB\-corrupt_desc\fR \fIselftest_description\fR, \fB\-corrupt_type\fR \fIselftest_type\fR" 4
+.IX Item "-corrupt_desc selftest_description, -corrupt_type selftest_type"
+The corrupt options can be used to test failure of one or more self tests by
+name.
+Either option or both may be used to select the tests to corrupt.
+Refer to the entries for \fBst-desc\fR and \fBst-type\fR in \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) for
+values that can be used.
+.IP "\fB\-config\fR \fIparent_config\fR" 4
+.IX Item "-config parent_config"
+Test that a \s-1FIPS\s0 provider can be loaded from the specified configuration file.
+A previous call to this application needs to generate the extra configuration
+data that is included by the base \f(CW\*(C`parent_config\*(C'\fR configuration file.
+See \fBconfig\fR\|(5) for further information on how to set up a provider section.
+All other options are ignored if '\-config' is used.
+.SH "NOTES"
+.IX Header "NOTES"
+Self tests results are logged by default if the options \fB\-quiet\fR and \fB\-noout\fR
+are not specified, or if either of the options \fB\-corrupt_desc\fR or
+\&\fB\-corrupt_type\fR are used.
+If the base configuration file is set up to autoload the fips module, then the
+fips module will be loaded and self tested \s-1BEFORE\s0 the fipsinstall application
+has a chance to set up its own self test callback. As a result of this the self
+test output and the options \fB\-corrupt_desc\fR and \fB\-corrupt_type\fR will be ignored.
+For normal usage the base configuration file should use the default provider
+when generating the fips configuration file.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Calculate the mac of a \s-1FIPS\s0 module \fIfips.so\fR and run a \s-1FIPS\s0 self test
+for the module, and save the \fIfips.cnf\fR configuration file:
+.PP
+.Vb 1
+\& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips
+.Ve
+.PP
+Verify that the configuration file \fIfips.cnf\fR contains the correct info:
+.PP
+.Vb 1
+\& openssl fipsinstall \-module ./fips.so \-in fips.cnf \-provider_name fips \-verify
+.Ve
+.PP
+Corrupt any self tests which have the description \f(CW\*(C`SHA1\*(C'\fR:
+.PP
+.Vb 2
+\& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips \e
+\& \-corrupt_desc \*(AqSHA1\*(Aq
+.Ve
+.PP
+Validate that the fips module can be loaded from a base configuration file:
+.PP
+.Vb 3
+\& export OPENSSL_CONF_INCLUDE=<path of configuration files>
+\& export OPENSSL_MODULES=<provider\-path>
+\& openssl fipsinstall \-config\*(Aq \*(Aqdefault.cnf\*(Aq
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBconfig\fR\|(5),
+\&\fBfips_config\fR\|(5),
+\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
+\&\s-1\fBEVP_MAC\s0\fR\|(3)
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-format-options.1 b/secure/usr.bin/openssl/man/openssl-format-options.1
new file mode 100644
index 000000000000..b46bff75651f
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-format-options.1
@@ -0,0 +1,263 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-FORMAT-OPTIONS 1ossl"
+.TH OPENSSL-FORMAT-OPTIONS 1ossl "2023-09-19" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-format\-options \- OpenSSL command input and output format options
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fIcommand\fR
+[ \fIoptions\fR ... ]
+[ \fIparameters\fR ... ]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+Several OpenSSL commands can take input or generate output in a variety
+of formats.
+.PP
+Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
+files in any of the \fB\s-1DER\s0\fR, \fB\s-1PEM\s0\fR or \fBP12\fR formats. Specifying their input
+format is no more needed and the openssl commands will automatically try all
+the possible formats. However if the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR input format is specified
+it will be enforced.
+.PP
+In order to access a key via an engine the input format \fB\s-1ENGINE\s0\fR may be used;
+alternatively the key identifier in the <uri> argument of the respective key
+option may be preceded by \f(CW\*(C`org.openssl.engine:\*(C'\fR.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1) for an example usage of the latter.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Format Options"
+.IX Subsection "Format Options"
+The options to specify the format are as follows.
+Refer to the individual man page to see which options are accepted.
+.IP "\fB\-inform\fR \fIformat\fR, \fB\-outform\fR \fIformat\fR" 4
+.IX Item "-inform format, -outform format"
+The format of the input or output streams.
+.IP "\fB\-keyform\fR \fIformat\fR" 4
+.IX Item "-keyform format"
+Format of a private key input source.
+.IP "\fB\-CRLform\fR \fIformat\fR" 4
+.IX Item "-CRLform format"
+Format of a \s-1CRL\s0 input source.
+.SS "Format Option Arguments"
+.IX Subsection "Format Option Arguments"
+The possible format arguments are described below.
+Both uppercase and lowercase are accepted.
+.PP
+The list of acceptable format arguments, and the default,
+is described in each command documentation.
+.IP "\fB\s-1DER\s0\fR" 4
+.IX Item "DER"
+A binary format, encoded or parsed according to Distinguished Encoding Rules
+(\s-1DER\s0) of the \s-1ASN.1\s0 data language.
+.IP "\fB\s-1ENGINE\s0\fR" 4
+.IX Item "ENGINE"
+Used to specify that the cryptographic material is in an OpenSSL \fBengine\fR.
+An engine must be configured or specified using the \fB\-engine\fR option.
+A password or \s-1PIN\s0 may be supplied to the engine using the \fB\-passin\fR option.
+.IP "\fBP12\fR" 4
+.IX Item "P12"
+A DER-encoded file containing a PKCS#12 object.
+It might be necessary to provide a decryption password to retrieve
+the private key.
+.IP "\fB\s-1PEM\s0\fR" 4
+.IX Item "PEM"
+A text format defined in \s-1IETF RFC 1421\s0 and \s-1IETF RFC 7468.\s0 Briefly, this is
+a block of base\-64 encoding (defined in \s-1IETF RFC 4648\s0), with specific
+lines used to mark the start and end:
+.Sp
+.Vb 7
+\& Text before the BEGIN line is ignored.
+\& \-\-\-\-\- BEGIN object\-type \-\-\-\-\-
+\& OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
+\& xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
+\& UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
+\& \-\-\-\-\- END object\-type \-\-\-\-\-
+\& Text after the END line is also ignored
+.Ve
+.Sp
+The \fIobject-type\fR must match the type of object that is expected.
+For example a \f(CW\*(C`BEGIN X509 CERTIFICATE\*(C'\fR will not match if the command
+is trying to read a private key. The types supported include:
+.Sp
+.Vb 10
+\& ANY PRIVATE KEY
+\& CERTIFICATE
+\& CERTIFICATE REQUEST
+\& CMS
+\& DH PARAMETERS
+\& DSA PARAMETERS
+\& DSA PUBLIC KEY
+\& EC PARAMETERS
+\& EC PRIVATE KEY
+\& ECDSA PUBLIC KEY
+\& ENCRYPTED PRIVATE KEY
+\& PARAMETERS
+\& PKCS #7 SIGNED DATA
+\& PKCS7
+\& PRIVATE KEY
+\& PUBLIC KEY
+\& RSA PRIVATE KEY
+\& SSL SESSION PARAMETERS
+\& TRUSTED CERTIFICATE
+\& X509 CRL
+\& X9.42 DH PARAMETERS
+.Ve
+.Sp
+The following legacy \fIobject-type\fR's are also supported for compatibility
+with earlier releases:
+.Sp
+.Vb 4
+\& DSA PRIVATE KEY
+\& NEW CERTIFICATE REQUEST
+\& RSA PUBLIC KEY
+\& X509 CERTIFICATE
+.Ve
+.IP "\fB\s-1SMIME\s0\fR" 4
+.IX Item "SMIME"
+An S/MIME object as described in \s-1IETF RFC 8551.\s0
+Earlier versions were known as \s-1CMS\s0 and are compatible.
+Note that the parsing is simple and might fail to parse some legal data.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/openssl-gendsa.1
index a984810ffd5f..1522ba63ad5b 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/openssl-gendsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,19 +130,20 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "GENDSA 1"
-.TH GENDSA 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-GENDSA 1ossl"
+.TH OPENSSL-GENDSA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-gendsa, gendsa \- generate a DSA private key from a set of parameters
+openssl\-gendsa \- generate a DSA private key from a set of parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgendsa\fR
[\fB\-help\fR]
-[\fB\-out filename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
@@ -157,63 +156,83 @@ openssl\-gendsa, gendsa \- generate a DSA private key from a set of parameters
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
-[\fBparamfile\fR]
+[\fB\-verbose\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIparamfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
-(which will be typically generated by the \fBopenssl dsaparam\fR command).
+This command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
+(which will be typically generated by the \fBopenssl\-dsaparam\fR\|(1) command).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
+.IP "\fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passout arg"
+The passphrase used for the output file.
+See \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-engine id\fR" 4
+.Sp
+Note that all options must be given before the \fIparamfile\fR argument.
+Otherwise they are ignored.
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Print extra details about the operations being performed.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fBparamfile\fR" 4
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fIparamfile\fR" 4
.IX Item "paramfile"
-This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this
-file determine the size of the private key. \s-1DSA\s0 parameters can be generated
-and examined using the \fBopenssl dsaparam\fR command.
+The \s-1DSA\s0 parameter file to use. The parameters in this file determine
+the size of the private key. \s-1DSA\s0 parameters can be generated and
+examined using the \fBopenssl\-dsaparam\fR\|(1) command.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
\&\s-1DSA\s0 key generation is little more than random number generation so it is
much quicker that \s-1RSA\s0 key generation for example.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBdsaparam\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBrsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/openssl-genpkey.1
index 7d249d776de8..c69af1ccd0d2 100644
--- a/secure/usr.bin/openssl/man/genpkey.1
+++ b/secure/usr.bin/openssl/man/openssl-genpkey.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,61 +130,65 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-GENPKEY 1ossl"
+.TH OPENSSL-GENPKEY 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-genpkey, genpkey \- generate a private key
+openssl\-genpkey \- generate a private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenpkey\fR
[\fB\-help\fR]
-[\fB\-out filename\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-pass arg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-quiet\fR]
+[\fB\-pass\fR \fIarg\fR]
[\fB\-\f(BIcipher\fB\fR]
-[\fB\-engine id\fR]
-[\fB\-paramfile file\fR]
-[\fB\-algorithm alg\fR]
-[\fB\-pkeyopt opt:value\fR]
+[\fB\-paramfile\fR \fIfile\fR]
+[\fB\-algorithm\fR \fIalg\fR]
+[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
[\fB\-genparam\fR]
[\fB\-text\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-config\fR \fIconfigfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBgenpkey\fR command generates a private key.
+This command generates a private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
-.IP "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
-.IP "\fB\-pass arg\fR" 4
+The output format, except when \fB\-genparam\fR is given; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+When \fB\-genparam\fR is given, \fB\-outform\fR is ignored.
+.IP "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+Do not output \*(L"status dots\*(R" while generating keys.
+.IP "\fB\-pass\fR \fIarg\fR" 4
.IX Item "-pass arg"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+The output file password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms. If used this option should precede all other
-options.
-.IP "\fB\-algorithm alg\fR" 4
+.IP "\fB\-algorithm\fR \fIalg\fR" 4
.IX Item "-algorithm alg"
-Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
+Public key algorithm to use such as \s-1RSA, DSA, DH\s0 or \s-1DHX.\s0 If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive. Engines may add algorithms in addition to the standard
built-in ones.
@@ -197,14 +199,11 @@ X25519, X448, ED25519\s0 and \s-1ED448.\s0
Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
option) are \s-1DH, DSA\s0 and \s-1EC.\s0
.Sp
-Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0
-algorithm. These are identical and do not indicate the type of parameters that
-will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3
-or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R"
-below for more details.
-.IP "\fB\-pkeyopt opt:value\fR" 4
+Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for \s-1DHX\s0 keys and
+PKCS#3 refers to \s-1DH\s0 Keys. Some options are not shared between \s-1DH\s0 and \s-1DHX\s0 keys.
+.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
-Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
+Set the public key algorithm option \fIopt\fR to \fIvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details.
@@ -212,7 +211,7 @@ implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
.IX Item "-genparam"
Generate a set of parameters instead of a private key. If used this option must
precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
-.IP "\fB\-paramfile filename\fR" 4
+.IP "\fB\-paramfile\fR \fIfilename\fR" 4
.IX Item "-paramfile filename"
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
@@ -223,6 +222,22 @@ are mutually exclusive.
.IX Item "-text"
Print an (unencrypted) text representation of private and public keys and
parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
+.IX Item "-config configfile"
+See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.SH "KEY GENERATION OPTIONS"
.IX Header "KEY GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
@@ -240,33 +255,39 @@ The number of primes in the generated key. If not specified 2 is used.
.IP "\fBrsa_keygen_pubexp:value\fR" 4
.IX Item "rsa_keygen_pubexp:value"
The \s-1RSA\s0 public exponent value. This can be a large decimal or
-hexadecimal value if preceded by \fB0x\fR. Default value is 65537.
+hexadecimal value if preceded by \f(CW\*(C`0x\*(C'\fR. Default value is 65537.
.SS "RSA-PSS Key Generation Options"
.IX Subsection "RSA-PSS Key Generation Options"
Note: by default an \fBRSA-PSS\fR key has no parameter restrictions.
-.IP "\fBrsa_keygen_bits:numbits\fR, \fBrsa_keygen_primes:numprimes\fR, \fBrsa_keygen_pubexp:value\fR" 4
+.IP "\fBrsa_keygen_bits\fR:\fInumbits\fR, \fBrsa_keygen_primes\fR:\fInumprimes\fR, \fBrsa_keygen_pubexp\fR:\fIvalue\fR" 4
.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value"
These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm.
-.IP "\fBrsa_pss_keygen_md:digest\fR" 4
+.IP "\fBrsa_pss_keygen_md\fR:\fIdigest\fR" 4
.IX Item "rsa_pss_keygen_md:digest"
-If set the key is restricted and can only use \fBdigest\fR for signing.
-.IP "\fBrsa_pss_keygen_mgf1_md:digest\fR" 4
+If set the key is restricted and can only use \fIdigest\fR for signing.
+.IP "\fBrsa_pss_keygen_mgf1_md\fR:\fIdigest\fR" 4
.IX Item "rsa_pss_keygen_mgf1_md:digest"
-If set the key is restricted and can only use \fBdigest\fR as it's \s-1MGF1\s0
+If set the key is restricted and can only use \fIdigest\fR as it's \s-1MGF1\s0
parameter.
-.IP "\fBrsa_pss_keygen_saltlen:len\fR" 4
+.IP "\fBrsa_pss_keygen_saltlen\fR:\fIlen\fR" 4
.IX Item "rsa_pss_keygen_saltlen:len"
-If set the key is restricted and \fBlen\fR specifies the minimum salt length.
+If set the key is restricted and \fIlen\fR specifies the minimum salt length.
.SS "\s-1EC\s0 Key Generation Options"
.IX Subsection "EC Key Generation Options"
The \s-1EC\s0 key generation options can also be used for parameter generation.
-.IP "\fBec_paramgen_curve:curve\fR" 4
+.IP "\fBec_paramgen_curve\fR:\fIcurve\fR" 4
.IX Item "ec_paramgen_curve:curve"
The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R".
-.IP "\fBec_param_enc:encoding\fR" 4
+.IP "\fBec_param_enc\fR:\fIencoding\fR" 4
.IX Item "ec_param_enc:encoding"
-The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either
-\&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R".
+The encoding to use for parameters. The \fIencoding\fR parameter must be either
+\&\fBnamed_curve\fR or \fBexplicit\fR. The default value is \fBnamed_curve\fR.
+.SS "\s-1DH\s0 Key Generation Options"
+.IX Subsection "DH Key Generation Options"
+.IP "\fBgroup\fR:\fIname\fR" 4
+.IX Item "group:name"
+The \fBparamfile\fR option is not required if a named group is used here.
+See the \*(L"\s-1DH\s0 Parameter Generation Options\*(R" section below.
.SH "PARAMETER GENERATION OPTIONS"
.IX Header "PARAMETER GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
@@ -274,47 +295,168 @@ algorithm can vary. The options for the OpenSSL implementations are detailed
below.
.SS "\s-1DSA\s0 Parameter Generation Options"
.IX Subsection "DSA Parameter Generation Options"
-.IP "\fBdsa_paramgen_bits:numbits\fR" 4
+.IP "\fBdsa_paramgen_bits\fR:\fInumbits\fR" 4
.IX Item "dsa_paramgen_bits:numbits"
The number of bits in the generated prime. If not specified 2048 is used.
-.IP "\fBdsa_paramgen_q_bits:numbits\fR" 4
+.IP "\fBdsa_paramgen_q_bits\fR:\fInumbits\fR" 4
.IX Item "dsa_paramgen_q_bits:numbits"
+.PD 0
+.IP "\fBqbits\fR:\fInumbits\fR" 4
+.IX Item "qbits:numbits"
+.PD
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
-.IP "\fBdsa_paramgen_md:digest\fR" 4
+.IP "\fBdsa_paramgen_md\fR:\fIdigest\fR" 4
.IX Item "dsa_paramgen_md:digest"
+.PD 0
+.IP "\fBdigest\fR:\fIdigest\fR" 4
+.IX Item "digest:digest"
+.PD
The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be
ignored. If not set, then a digest will be used that gives an output matching
the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224
or \fBsha256\fR if it is 256.
+.IP "\fBproperties\fR:\fIquery\fR" 4
+.IX Item "properties:query"
+The \fIdigest\fR property \fIquery\fR string to use when fetching a digest from a provider.
+.IP "\fBtype\fR:\fItype\fR" 4
+.IX Item "type:type"
+The type of generation to use. Set this to 1 to use legacy \s-1FIPS186\-2\s0 parameter
+generation. The default of 0 uses \s-1FIPS186\-4\s0 parameter generation.
+.IP "\fBgindex\fR:\fIindex\fR" 4
+.IX Item "gindex:index"
+The index to use for canonical generation and verification of the generator g.
+Set this to a positive value ranging from 0..255 to use this mode. Larger values
+will only use the bottom byte.
+This \fIindex\fR must then be reused during key validation to verify the value of g.
+If this value is not set then g is not verifiable. The default value is \-1.
+.IP "\fBhexseed\fR:\fIseed\fR" 4
+.IX Item "hexseed:seed"
+The seed \fIseed\fR data to use instead of generating a random seed internally.
+This should be used for testing purposes only. This will either produced fixed
+values for the generated parameters \s-1OR\s0 it will fail if the seed did not
+generate valid primes.
.SS "\s-1DH\s0 Parameter Generation Options"
.IX Subsection "DH Parameter Generation Options"
-.IP "\fBdh_paramgen_prime_len:numbits\fR" 4
+For most use cases it is recommended to use the \fBgroup\fR option rather than
+the \fBtype\fR options. Note that the \fBgroup\fR option is not used by default if
+no parameter generation options are specified.
+.IP "\fBgroup\fR:\fIname\fR" 4
+.IX Item "group:name"
+.PD 0
+.IP "\fBdh_param\fR:\fIname\fR" 4
+.IX Item "dh_param:name"
+.PD
+Use a named \s-1DH\s0 group to select constant values for the \s-1DH\s0 parameters.
+All other options will be ignored if this value is set.
+.Sp
+Valid values that are associated with the \fBalgorithm\fR of \fB\*(L"\s-1DH\*(R"\s0\fR are:
+\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R", \*(L"ffdhe8192\*(R",
+\&\*(L"modp_1536\*(R", \*(L"modp_2048\*(R", \*(L"modp_3072\*(R", \*(L"modp_4096\*(R", \*(L"modp_6144\*(R", \*(L"modp_8192\*(R".
+.Sp
+Valid values that are associated with the \fBalgorithm\fR of \fB\*(L"\s-1DHX\*(R"\s0\fR are the
+\&\s-1RFC5114\s0 names \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R", \*(L"dh_2048_256\*(R".
+.IP "\fBdh_rfc5114\fR:\fInum\fR" 4
+.IX Item "dh_rfc5114:num"
+If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
+instead of generating new parameters. The value \fInum\fR can be one of
+1, 2 or 3 that are equivalent to using the option \fBgroup\fR with one of
+\&\*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R" or \*(L"dh_2048_256\*(R".
+All other options will be ignored if this value is set.
+.IP "\fBpbits\fR:\fInumbits\fR" 4
+.IX Item "pbits:numbits"
+.PD 0
+.IP "\fBdh_paramgen_prime_len\fR:\fInumbits\fR" 4
.IX Item "dh_paramgen_prime_len:numbits"
-The number of bits in the prime parameter \fBp\fR. The default is 2048.
-.IP "\fBdh_paramgen_subprime_len:numbits\fR" 4
+.PD
+The number of bits in the prime parameter \fIp\fR. The default is 2048.
+.IP "\fBqbits\fR:\fInumbits\fR" 4
+.IX Item "qbits:numbits"
+.PD 0
+.IP "\fBdh_paramgen_subprime_len\fR:\fInumbits\fR" 4
.IX Item "dh_paramgen_subprime_len:numbits"
-The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the
-prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
-conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters.
-.IP "\fBdh_paramgen_generator:value\fR" 4
+.PD
+The number of bits in the sub prime parameter \fIq\fR. The default is 224.
+Only relevant if used in conjunction with the \fBdh_paramgen_type\fR option to
+generate \s-1DHX\s0 parameters.
+.IP "\fBsafeprime-generator\fR:\fIvalue\fR" 4
+.IX Item "safeprime-generator:value"
+.PD 0
+.IP "\fBdh_paramgen_generator\fR:\fIvalue\fR" 4
.IX Item "dh_paramgen_generator:value"
-The value to use for the generator \fBg\fR. The default is 2.
-.IP "\fBdh_paramgen_type:value\fR" 4
+.PD
+The value to use for the generator \fIg\fR. The default is 2.
+The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR for this parameter to be used.
+.IP "\fBtype\fR:\fIstring\fR" 4
+.IX Item "type:string"
+The type name of \s-1DH\s0 parameters to generate. Valid values are:
+.RS 4
+.ie n .IP """generator""" 4
+.el .IP "``generator''" 4
+.IX Item "generator"
+Use a safe prime generator with the option \fBsafeprime_generator\fR
+The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR.
+.ie n .IP """fips186_4""" 4
+.el .IP "``fips186_4''" 4
+.IX Item "fips186_4"
+\&\s-1FIPS186\-4\s0 parameter generation.
+The \fBalgorithm\fR option must be \fB\*(L"\s-1DHX\*(R"\s0\fR.
+.ie n .IP """fips186_2""" 4
+.el .IP "``fips186_2''" 4
+.IX Item "fips186_2"
+\&\s-1FIPS186\-4\s0 parameter generation.
+The \fBalgorithm\fR option must be \fB\*(L"\s-1DHX\*(R"\s0\fR.
+.ie n .IP """group""" 4
+.el .IP "``group''" 4
+.IX Item "group"
+Can be used with the option \fBpbits\fR to select one of
+\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R" or \*(L"ffdhe8192\*(R".
+The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR.
+.ie n .IP """default""" 4
+.el .IP "``default''" 4
+.IX Item "default"
+Selects a default type based on the \fBalgorithm\fR. This is used by the
+OpenSSL default provider to set the type for backwards compatibility.
+If \fBalgorithm\fR is \fB\*(L"\s-1DH\*(R"\s0\fR then \fB\*(L"generator\*(R"\fR is used.
+If \fBalgorithm\fR is \fB\*(L"\s-1DHX\*(R"\s0\fR then \fB\*(L"fips186_2\*(R"\fR is used.
+.RE
+.RS 4
+.RE
+.IP "\fBdh_paramgen_type\fR:\fIvalue\fR" 4
.IX Item "dh_paramgen_type:value"
-The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0
-The default is 0.
-.IP "\fBdh_rfc5114:num\fR" 4
-.IX Item "dh_rfc5114:num"
-If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
-instead of generating new parameters. The value \fBnum\fR can take the
-values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of
-1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
-and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections
-2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter
-options.
+The type of \s-1DH\s0 parameters to generate. Valid values are 0, 1, 2 or 3
+which correspond to setting the option \fBtype\fR to
+\&\*(L"generator\*(R", \*(L"fips186_2\*(R", \*(L"fips186_4\*(R" or \*(L"group\*(R".
+.IP "\fBdigest\fR:\fIdigest\fR" 4
+.IX Item "digest:digest"
+The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
+or \fBsha256\fR. If set, then the number of bits in \fBqbits\fR will match the output
+size of the specified digest and the \fBqbits\fR parameter will be
+ignored. If not set, then a digest will be used that gives an output matching
+the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it is
+224 or \fBsha256\fR if it is 256.
+This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
+.IP "\fBproperties\fR:\fIquery\fR" 4
+.IX Item "properties:query"
+The \fIdigest\fR property \fIquery\fR string to use when fetching a digest from a provider.
+This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
+.IP "\fBgindex\fR:\fIindex\fR" 4
+.IX Item "gindex:index"
+The index to use for canonical generation and verification of the generator g.
+Set this to a positive value ranging from 0..255 to use this mode. Larger values
+will only use the bottom byte.
+This \fIindex\fR must then be reused during key validation to verify the value of g.
+If this value is not set then g is not verifiable. The default value is \-1.
+This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
+.IP "\fBhexseed\fR:\fIseed\fR" 4
+.IX Item "hexseed:seed"
+The seed \fIseed\fR data to use instead of generating a random seed internally.
+This should be used for testing purposes only. This will either produced fixed
+values for the generated parameters \s-1OR\s0 it will fail if the seed did not
+generate valid primes.
+This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
.SS "\s-1EC\s0 Parameter Generation Options"
.IX Subsection "EC Parameter Generation Options"
The \s-1EC\s0 parameter generation options are the same as for key generation. See
@@ -345,11 +487,13 @@ Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent:
\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3
.Ve
.PP
-Generate 2048 bit \s-1DSA\s0 parameters:
+Generate 2048 bit \s-1DSA\s0 parameters that can be validated: The output values for
+gindex and seed are required for key validation purposes and are not saved to
+the output pem file).
.PP
.Vb 2
-\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e
-\& \-pkeyopt dsa_paramgen_bits:2048
+\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \-pkeyopt pbits:2048 \e
+\& \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \-pkeyopt gindex:1 \-text
.Ve
.PP
Generate \s-1DSA\s0 key from parameters:
@@ -358,31 +502,65 @@ Generate \s-1DSA\s0 key from parameters:
\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
.Ve
.PP
-Generate 2048 bit \s-1DH\s0 parameters:
+Generate 4096 bit \s-1DH\s0 Key using safe prime group ffdhe4096:
.PP
-.Vb 2
-\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
-\& \-pkeyopt dh_paramgen_prime_len:2048
+.Vb 1
+\& openssl genpkey \-algorithm DH \-out dhkey.pem \-pkeyopt group:ffdhe4096
.Ve
.PP
-Generate 2048 bit X9.42 \s-1DH\s0 parameters:
+Generate 2048 bit X9.42 \s-1DH\s0 key with 256 bit subgroup using \s-1RFC5114\s0 group3:
.PP
-.Vb 3
-\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
-\& \-pkeyopt dh_paramgen_prime_len:2048 \e
-\& \-pkeyopt dh_paramgen_type:1
+.Vb 1
+\& openssl genpkey \-algorithm DHX \-out dhkey.pem \-pkeyopt dh_rfc5114:3
.Ve
.PP
-Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup:
+Generate a \s-1DH\s0 key using a \s-1DH\s0 parameters file:
.PP
.Vb 1
-\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2
+\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
.Ve
.PP
-Generate \s-1DH\s0 key from parameters:
+Output \s-1DH\s0 parameters for safe prime group ffdhe2048:
.PP
.Vb 1
-\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
+\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt group:ffdhe2048
+.Ve
+.PP
+Output 2048 bit X9.42 \s-1DH\s0 parameters with 224 bit subgroup using \s-1RFC5114\s0 group2:
+.PP
+.Vb 1
+\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-pkeyopt dh_rfc5114:2
+.Ve
+.PP
+Output 2048 bit X9.42 \s-1DH\s0 parameters with 224 bit subgroup using \s-1FIP186\-4\s0 keygen:
+.PP
+.Vb 3
+\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
+\& \-pkeyopt pbits:2048 \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \e
+\& \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:2
+.Ve
+.PP
+Output 1024 bit X9.42 \s-1DH\s0 parameters with 160 bit subgroup using \s-1FIP186\-2\s0 keygen:
+.PP
+.Vb 3
+\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
+\& \-pkeyopt pbits:1024 \-pkeyopt qbits:160 \-pkeyopt digest:SHA1 \e
+\& \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:1
+.Ve
+.PP
+Output 2048 bit \s-1DH\s0 parameters:
+.PP
+.Vb 2
+\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
+\& \-pkeyopt dh_paramgen_prime_len:2048
+.Ve
+.PP
+Output 2048 bit \s-1DH\s0 parameters using a generator:
+.PP
+.Vb 3
+\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
+\& \-pkeyopt dh_paramgen_prime_len:2048 \e
+\& \-pkeyopt dh_paramgen_type:1
.Ve
.PP
Generate \s-1EC\s0 parameters:
@@ -424,11 +602,13 @@ The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key dir
were added in OpenSSL 1.0.2.
The ability to generate X25519 keys was added in OpenSSL 1.1.0.
The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in OpenSSL 1.1.1.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/openssl-genrsa.1
index dd8d4ea8bac2..d812d7111bf1 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/openssl-genrsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,20 +130,20 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "GENRSA 1"
-.TH GENRSA 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-GENRSA 1ossl"
+.TH OPENSSL-GENRSA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-genrsa, genrsa \- generate an RSA private key
+openssl\-genrsa \- generate an RSA private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenrsa\fR
[\fB\-help\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
@@ -158,61 +156,73 @@ openssl\-genrsa, genrsa \- generate an RSA private key
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
+[\fB\-F4\fR]
[\fB\-f4\fR]
[\fB\-3\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
-[\fB\-primes num\fR]
+[\fB\-primes\fR \fInum\fR]
+[\fB\-verbose\fR]
+[\fB\-traditional\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
[\fBnumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
+This command generates an \s-1RSA\s0 private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
-.IP "\fB\-passout arg\fR" 4
+.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format
-of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the \fB\-passout\fR argument.
-.IP "\fB\-F4|\-3\fR" 4
-.IX Item "-F4|-3"
+.IP "\fB\-F4\fR, \fB\-f4\fR, \fB\-3\fR" 4
+.IX Item "-F4, -f4, -3"
The public exponent to use, either 65537 or 3. The default is 65537.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-primes num\fR" 4
+The \fB\-3\fR option has been deprecated.
+.IP "\fB\-primes\fR \fInum\fR" 4
.IX Item "-primes num"
-Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fBnum\fR
+Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fInum\fR
parameter must be a positive integer that is greater than 1 and less than 16.
-If \fBnum\fR is greater than 2, then the generated key is called a 'multi\-prime'
+If \fInum\fR is greater than 2, then the generated key is called a 'multi\-prime'
\&\s-1RSA\s0 key, which is defined in \s-1RFC 8017.\s0
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Print extra details about the operations being performed.
+.IP "\fB\-traditional\fR" 4
+.IX Item "-traditional"
+Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fBnumbits\fR" 4
.IX Item "numbits"
The size of the private key to generate in bits. This must be the last option
@@ -232,12 +242,14 @@ may vary somewhat. But in general, more primes lead to less generation time
of a key.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBgendsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/srp.1 b/secure/usr.bin/openssl/man/openssl-info.1
index e6743337d29d..474e17964154 100644
--- a/secure/usr.bin/openssl/man/srp.1
+++ b/secure/usr.bin/openssl/man/openssl-info.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,67 +130,77 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "SRP 1"
-.TH SRP 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-INFO 1ossl"
+.TH OPENSSL-INFO 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-srp, srp \- maintain SRP password file
+openssl\-info \- print OpenSSL built\-in information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBopenssl srp\fR
+\&\fBopenssl info\fR
[\fB\-help\fR]
-[\fB\-verbose\fR]
-[\fB\-add\fR]
-[\fB\-modify\fR]
-[\fB\-delete\fR]
-[\fB\-list\fR]
-[\fB\-name section\fR]
-[\fB\-config file\fR]
-[\fB\-srpvfile file\fR]
-[\fB\-gn identifier\fR]
-[\fB\-userinfo text...\fR]
-[\fB\-passin arg\fR]
-[\fB\-passout arg\fR]
-[\fIuser...\fR]
+[\fB\-configdir\fR]
+[\fB\-enginesdir\fR]
+[\fB\-modulesdir\fR ]
+[\fB\-dsoext\fR]
+[\fB\-dirnamesep\fR]
+[\fB\-listsep\fR]
+[\fB\-seeds\fR]
+[\fB\-cpusettings\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBsrp\fR command is user to maintain an \s-1SRP\s0 (secure remote password)
-file.
-At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR options
-can be specified.
-These options take zero or more usernames as parameters and perform the
-appropriate operation on the \s-1SRP\s0 file.
-For \fB\-list\fR, if no \fBuser\fR is given then all users are displayed.
-.PP
-The configuration file to use, and the section within the file, can be
-specified with the \fB\-config\fR and \fB\-name\fR flags, respectively.
-If the config file is not specified, the \fB\-srpvfile\fR can be used to
-just specify the file to operate on.
-.PP
-The \fB\-userinfo\fR option specifies additional information to add when
-adding or modifying a user.
-.PP
-The \fB\-gn\fR flag specifies the \fBg\fR and \fBN\fR values, using one of
-the strengths defined in \s-1IETF RFC 5054.\s0
+This command is used to print out information about OpenSSL.
+The information is written exactly as it is with no extra text, which
+makes useful for scripts.
.PP
-The \fB\-passin\fR and \fB\-passout\fR arguments are parsed as described in
-the \fBopenssl\fR\|(1) command.
+As a consequence, only one item may be chosen for each run of this
+command.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.IP "[\fB\-help\fR]" 4
-.IX Item "[-help]"
-Display an option summary.
-.IP "[\fB\-verbose\fR]" 4
-.IX Item "[-verbose]"
-Generate verbose output while processing.
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-configdir\fR" 4
+.IX Item "-configdir"
+Outputs the default directory for OpenSSL configuration files.
+.IP "\fB\-enginesdir\fR" 4
+.IX Item "-enginesdir"
+Outputs the default directory for OpenSSL engine modules.
+.IP "\fB\-modulesdir\fR" 4
+.IX Item "-modulesdir"
+Outputs the default directory for OpenSSL dynamically loadable modules
+other than engine modules.
+.IP "\fB\-dsoext\fR" 4
+.IX Item "-dsoext"
+Outputs the \s-1DSO\s0 extension OpenSSL uses.
+.IP "\fB\-dirnamesep\fR" 4
+.IX Item "-dirnamesep"
+Outputs the separator character between a directory specification and
+a filename.
+Note that on some operating systems, this is not the same as the
+separator between directory elements.
+.IP "\fB\-listsep\fR" 4
+.IX Item "-listsep"
+Outputs the OpenSSL list separator character.
+This is typically used to construct \f(CW$PATH\fR (\f(CW\*(C`%PATH%\*(C'\fR on Windows)
+style lists.
+.IP "\fB\-seeds\fR" 4
+.IX Item "-seeds"
+Outputs the randomness seed sources.
+.IP "\fB\-cpusettings\fR" 4
+.IX Item "-cpusettings"
+Outputs the OpenSSL \s-1CPU\s0 settings info.
+.SH "HISTORY"
+.IX Header "HISTORY"
+This command was added in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-kdf.1 b/secure/usr.bin/openssl/man/openssl-kdf.1
new file mode 100644
index 000000000000..f8b57ac9c56c
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-kdf.1
@@ -0,0 +1,356 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-KDF 1ossl"
+.TH OPENSSL-KDF 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-kdf \- perform Key Derivation Function operations
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl kdf\fR
+[\fB\-help\fR]
+[\fB\-cipher\fR]
+[\fB\-digest\fR]
+[\fB\-mac\fR]
+[\fB\-kdfopt\fR \fInm\fR:\fIv\fR]
+[\fB\-keylen\fR \fInum\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-binary\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+\&\fIkdf_name\fR
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The key derivation functions generate a derived key from either a secret or
+password.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print a usage message.
+.IP "\fB\-keylen\fR \fInum\fR" 4
+.IX Item "-keylen num"
+The output size of the derived key. This field is required.
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+Filename to output to, or standard output by default.
+.IP "\fB\-binary\fR" 4
+.IX Item "-binary"
+Output the derived key in binary form. Uses hexadecimal text format if not specified.
+.IP "\fB\-cipher\fR \fIname\fR" 4
+.IX Item "-cipher name"
+Specify the cipher to be used by the \s-1KDF.\s0
+Not all KDFs require a cipher and it is an error to use this option in such
+cases.
+.IP "\fB\-digest\fR \fIname\fR" 4
+.IX Item "-digest name"
+Specify the digest to be used by the \s-1KDF.\s0
+Not all KDFs require a digest and it is an error to use this option in such
+cases.
+To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
+.IP "\fB\-mac\fR \fIname\fR" 4
+.IX Item "-mac name"
+Specify the \s-1MAC\s0 to be used by the \s-1KDF.\s0
+Not all KDFs require a \s-1MAC\s0 and it is an error to use this option in such
+cases.
+.IP "\fB\-kdfopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-kdfopt nm:v"
+Passes options to the \s-1KDF\s0 algorithm.
+A comprehensive list of parameters can be found in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
+Common parameter names used by \fBEVP_KDF_CTX_set_params()\fR are:
+.RS 4
+.IP "\fBkey:\fR\fIstring\fR" 4
+.IX Item "key:string"
+Specifies the secret key as an alphanumeric string (use if the key contains
+printable characters only).
+The string length must conform to any restrictions of the \s-1KDF\s0 algorithm.
+A key must be specified for most \s-1KDF\s0 algorithms.
+.IP "\fBhexkey:\fR\fIstring\fR" 4
+.IX Item "hexkey:string"
+Alternative to the \fBkey:\fR option where
+the secret key is specified in hexadecimal form (two hex digits per byte).
+.IP "\fBpass:\fR\fIstring\fR" 4
+.IX Item "pass:string"
+Specifies the password as an alphanumeric string (use if the password contains
+printable characters only).
+The password must be specified for \s-1PBKDF2\s0 and scrypt.
+.IP "\fBhexpass:\fR\fIstring\fR" 4
+.IX Item "hexpass:string"
+Alternative to the \fBpass:\fR option where
+the password is specified in hexadecimal form (two hex digits per byte).
+.IP "\fBsalt:\fR\fIstring\fR" 4
+.IX Item "salt:string"
+Specifies a non-secret unique cryptographic salt as an alphanumeric string
+(use if it contains printable characters only).
+The length must conform to any restrictions of the \s-1KDF\s0 algorithm.
+A salt parameter is required for several \s-1KDF\s0 algorithms,
+such as \s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7).
+.IP "\fBhexsalt:\fR\fIstring\fR" 4
+.IX Item "hexsalt:string"
+Alternative to the \fBsalt:\fR option where
+the salt is specified in hexadecimal form (two hex digits per byte).
+.IP "\fBinfo:\fR\fIstring\fR" 4
+.IX Item "info:string"
+Some \s-1KDF\s0 implementations, such as \s-1\fBEVP_KDF\-HKDF\s0\fR\|(7), take an 'info' parameter
+for binding the derived key material
+to application\- and context-specific information.
+Specifies the info, fixed info, other info or shared info argument
+as an alphanumeric string (use if it contains printable characters only).
+The length must conform to any restrictions of the \s-1KDF\s0 algorithm.
+.IP "\fBhexinfo:\fR\fIstring\fR" 4
+.IX Item "hexinfo:string"
+Alternative to the \fBinfo:\fR option where
+the info is specified in hexadecimal form (two hex digits per byte).
+.IP "\fBdigest:\fR\fIstring\fR" 4
+.IX Item "digest:string"
+This option is identical to the \fB\-digest\fR option.
+.IP "\fBcipher:\fR\fIstring\fR" 4
+.IX Item "cipher:string"
+This option is identical to the \fB\-cipher\fR option.
+.IP "\fBmac:\fR\fIstring\fR" 4
+.IX Item "mac:string"
+This option is identical to the \fB\-mac\fR option.
+.RE
+.RS 4
+.RE
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fIkdf_name\fR" 4
+.IX Item "kdf_name"
+Specifies the name of a supported \s-1KDF\s0 algorithm which will be used.
+The supported algorithms names include \s-1TLS1\-PRF, HKDF, SSKDF, PBKDF2,
+SSHKDF, X942KDF\-ASN1, X942KDF\-CONCAT, X963KDF\s0 and \s-1SCRYPT.\s0
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Use \s-1TLS1\-PRF\s0 to create a hex-encoded derived key from a secret key and seed:
+.PP
+.Vb 2
+\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
+\& \-kdfopt seed:seed TLS1\-PRF
+.Ve
+.PP
+Use \s-1HKDF\s0 to create a hex-encoded derived key from a secret key, salt and info:
+.PP
+.Vb 2
+\& openssl kdf \-keylen 10 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
+\& \-kdfopt salt:salt \-kdfopt info:label HKDF
+.Ve
+.PP
+Use \s-1SSKDF\s0 with \s-1KMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:
+.PP
+.Vb 3
+\& openssl kdf \-keylen 64 \-kdfopt mac:KMAC\-128 \-kdfopt maclen:20 \e
+\& \-kdfopt hexkey:b74a149a161545 \-kdfopt hexinfo:348a37a2 \e
+\& \-kdfopt hexsalt:3638271ccd68a2 SSKDF
+.Ve
+.PP
+Use \s-1SSKDF\s0 with \s-1HMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:
+.PP
+.Vb 3
+\& openssl kdf \-keylen 16 \-kdfopt mac:HMAC \-kdfopt digest:SHA2\-256 \e
+\& \-kdfopt hexkey:b74a149a \-kdfopt hexinfo:348a37a2 \e
+\& \-kdfopt hexsalt:3638271c SSKDF
+.Ve
+.PP
+Use \s-1SSKDF\s0 with Hash to create a hex-encoded derived key from a secret key, salt and info:
+.PP
+.Vb 3
+\& openssl kdf \-keylen 14 \-kdfopt digest:SHA2\-256 \e
+\& \-kdfopt hexkey:6dbdc23f045488 \e
+\& \-kdfopt hexinfo:a1b2c3d4 SSKDF
+.Ve
+.PP
+Use \s-1SSHKDF\s0 to create a hex-encoded derived key from a secret key, hash and session_id:
+.PP
+.Vb 5
+\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \e
+\& \-kdfopt hexkey:0102030405 \e
+\& \-kdfopt hexxcghash:06090A \e
+\& \-kdfopt hexsession_id:01020304 \e
+\& \-kdfopt type:A SSHKDF
+.Ve
+.PP
+Use \s-1PBKDF2\s0 to create a hex-encoded derived key from a password and salt:
+.PP
+.Vb 2
+\& openssl kdf \-keylen 32 \-kdfopt digest:SHA256 \-kdfopt pass:password \e
+\& \-kdfopt salt:salt \-kdfopt iter:2 PBKDF2
+.Ve
+.PP
+Use scrypt to create a hex-encoded derived key from a password and salt:
+.PP
+.Vb 3
+\& openssl kdf \-keylen 64 \-kdfopt pass:password \-kdfopt salt:NaCl \e
+\& \-kdfopt n:1024 \-kdfopt r:8 \-kdfopt p:16 \e
+\& \-kdfopt maxmem_bytes:10485760 SCRYPT
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1KDF\s0 mechanisms that are available will depend on the options
+used when building OpenSSL.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkeyutl\fR\|(1),
+\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\s-1\fBEVP_KDF\-SCRYPT\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-TLS1_PRF\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-HKDF\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-SS\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-SSHKDF\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-X942\-ASN1\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-X942\-CONCAT\s0\fR\|(7),
+\&\s-1\fBEVP_KDF\-X963\s0\fR\|(7)
+.SH "HISTORY"
+.IX Header "HISTORY"
+Added in OpenSSL 3.0
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-list.1 b/secure/usr.bin/openssl/man/openssl-list.1
new file mode 100644
index 000000000000..e485f8531dea
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-list.1
@@ -0,0 +1,343 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-LIST 1ossl"
+.TH OPENSSL-LIST 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-list \- list algorithms and features
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl list\fR
+[\fB\-help\fR]
+[\fB\-verbose\fR]
+[\fB\-select\fR \fIname\fR]
+[\fB\-1\fR]
+[\fB\-commands\fR]
+[\fB\-standard\-commands\fR]
+[\fB\-digest\-algorithms\fR]
+[\fB\-digest\-commands\fR]
+[\fB\-kdf\-algorithms\fR]
+[\fB\-mac\-algorithms\fR]
+[\fB\-random\-instances\fR]
+[\fB\-random\-generators\fR]
+[\fB\-cipher\-algorithms\fR]
+[\fB\-cipher\-commands\fR]
+[\fB\-encoders\fR]
+[\fB\-decoders\fR]
+[\fB\-key\-managers\fR]
+[\fB\-key\-exchange\-algorithms\fR]
+[\fB\-kem\-algorithms\fR]
+[\fB\-signature\-algorithms\fR]
+[\fB\-asymcipher\-algorithms\fR]
+[\fB\-public\-key\-algorithms\fR]
+[\fB\-public\-key\-methods\fR]
+[\fB\-store\-loaders\fR]
+[\fB\-providers\fR]
+[\fB\-engines\fR]
+[\fB\-disabled\fR]
+[\fB\-objects\fR]
+[\fB\-options\fR \fIcommand\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is used to generate list of algorithms or disabled
+features.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Display a usage message.
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Displays extra information.
+The options below where verbosity applies say a bit more about what that means.
+.IP "\fB\-select\fR \fIname\fR" 4
+.IX Item "-select name"
+Only list algorithms that match this name.
+.IP "\fB\-1\fR" 4
+.IX Item "-1"
+List the commands, digest-commands, or cipher-commands in a single column.
+If used, this option must be given first.
+.IP "\fB\-commands\fR" 4
+.IX Item "-commands"
+Display a list of standard commands.
+.IP "\fB\-standard\-commands\fR" 4
+.IX Item "-standard-commands"
+List of standard commands.
+.IP "\fB\-digest\-commands\fR" 4
+.IX Item "-digest-commands"
+This option is deprecated. Use \fBdigest-algorithms\fR instead.
+.Sp
+Display a list of message digest commands, which are typically used
+as input to the \fBopenssl\-dgst\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
+.IP "\fB\-cipher\-commands\fR" 4
+.IX Item "-cipher-commands"
+This option is deprecated. Use \fBcipher-algorithms\fR instead.
+.Sp
+Display a list of cipher commands, which are typically used as input
+to the \fBopenssl\-enc\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
+.IP "\fB\-cipher\-algorithms\fR, \fB\-digest\-algorithms\fR, \fB\-kdf\-algorithms\fR, \fB\-mac\-algorithms\fR," 4
+.IX Item "-cipher-algorithms, -digest-algorithms, -kdf-algorithms, -mac-algorithms,"
+Display a list of symmetric cipher, digest, kdf and mac algorithms.
+See \*(L"Display of algorithm names\*(R" for a description of how names are
+displayed.
+.Sp
+In verbose mode, the algorithms provided by a provider will get additional
+information on what parameters each implementation supports.
+.IP "\fB\-random\-instances\fR" 4
+.IX Item "-random-instances"
+List the primary, public and private random number generator details.
+.IP "\fB\-random\-generators\fR" 4
+.IX Item "-random-generators"
+Display a list of random number generators.
+See \*(L"Display of algorithm names\*(R" for a description of how names are
+displayed.
+.IP "\fB\-encoders\fR" 4
+.IX Item "-encoders"
+Display a list of encoders.
+See \*(L"Display of algorithm names\*(R" for a description of how names are
+displayed.
+.Sp
+In verbose mode, the algorithms provided by a provider will get additional
+information on what parameters each implementation supports.
+.IP "\fB\-decoders\fR" 4
+.IX Item "-decoders"
+Display a list of decoders.
+See \*(L"Display of algorithm names\*(R" for a description of how names are
+displayed.
+.Sp
+In verbose mode, the algorithms provided by a provider will get additional
+information on what parameters each implementation supports.
+.IP "\fB\-public\-key\-algorithms\fR" 4
+.IX Item "-public-key-algorithms"
+Display a list of public key algorithms, with each algorithm as
+a block of multiple lines, all but the first are indented.
+The options \fBkey-exchange-algorithms\fR, \fBkem-algorithms\fR,
+\&\fBsignature-algorithms\fR, and \fBasymcipher-algorithms\fR will display similar info.
+.IP "\fB\-public\-key\-methods\fR" 4
+.IX Item "-public-key-methods"
+Display a list of public key methods.
+.IP "\fB\-key\-managers\fR" 4
+.IX Item "-key-managers"
+Display a list of key managers.
+.IP "\fB\-key\-exchange\-algorithms\fR" 4
+.IX Item "-key-exchange-algorithms"
+Display a list of key exchange algorithms.
+.IP "\fB\-kem\-algorithms\fR" 4
+.IX Item "-kem-algorithms"
+Display a list of key encapsulation algorithms.
+.IP "\fB\-signature\-algorithms\fR" 4
+.IX Item "-signature-algorithms"
+Display a list of signature algorithms.
+.IP "\fB\-asymcipher\-algorithms\fR" 4
+.IX Item "-asymcipher-algorithms"
+Display a list of asymmetric cipher algorithms.
+.IP "\fB\-store\-loaders\fR" 4
+.IX Item "-store-loaders"
+Display a list of store loaders.
+.IP "\fB\-providers\fR" 4
+.IX Item "-providers"
+Display a list of all loaded providers with their names, version and status.
+.Sp
+In verbose mode, the full version and all provider parameters will additionally
+be displayed.
+.IP "\fB\-engines\fR" 4
+.IX Item "-engines"
+This option is deprecated.
+.Sp
+Display a list of loaded engines.
+.IP "\fB\-disabled\fR" 4
+.IX Item "-disabled"
+Display a list of disabled features, those that were compiled out
+of the installation.
+.IP "\fB\-objects\fR" 4
+.IX Item "-objects"
+Display a list of built in objects, i.e. OIDs with names. They're listed in the
+format described in \*(L"\s-1ASN1\s0 Object Configuration Module\*(R" in \fBconfig\fR\|(5).
+.IP "\fB\-options\fR \fIcommand\fR" 4
+.IX Item "-options command"
+Output a two-column list of the options accepted by the specified \fIcommand\fR.
+The first is the option name, and the second is a one-character indication
+of what type of parameter it takes, if any.
+This is an internal option, used for checking that the documentation
+is complete.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.SS "Display of algorithm names"
+.IX Subsection "Display of algorithm names"
+Algorithm names may be displayed in one of two manners:
+.IP "Legacy implementations" 4
+.IX Item "Legacy implementations"
+Legacy implementations will simply display the main name of the
+algorithm on a line of its own, or in the form \f(CW\*(C`<foo \*(C'\fR bar>> to show
+that \f(CW\*(C`foo\*(C'\fR is an alias for the main name, \f(CW\*(C`bar\*(C'\fR
+.IP "Provided implementations" 4
+.IX Item "Provided implementations"
+Implementations from a provider are displayed like this if the
+implementation is labeled with a single name:
+.Sp
+.Vb 1
+\& foo @ bar
+.Ve
+.Sp
+or like this if it's labeled with multiple names:
+.Sp
+.Vb 1
+\& { foo1, foo2 } @bar
+.Ve
+.Sp
+In both cases, \f(CW\*(C`bar\*(C'\fR is the name of the provider.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engines\fR, \fB\-digest\-commands\fR, and \fB\-cipher\-commands\fR options
+were deprecated in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-mac.1 b/secure/usr.bin/openssl/man/openssl-mac.1
new file mode 100644
index 000000000000..fe52f1b82168
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-mac.1
@@ -0,0 +1,289 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-MAC 1ossl"
+.TH OPENSSL-MAC 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-mac \- perform Message Authentication Code operations
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl mac\fR
+[\fB\-help\fR]
+[\fB\-cipher\fR]
+[\fB\-digest\fR]
+[\fB\-macopt\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-binary\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+\&\fImac_name\fR
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The message authentication code functions output the \s-1MAC\s0 of a supplied input
+file.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print a usage message.
+.IP "\fB\-in\fR \fIfilename\fR" 4
+.IX Item "-in filename"
+Input filename to calculate a \s-1MAC\s0 for, or standard input by default.
+Standard input is used if the filename is '\-'.
+Files and standard input are expected to be in binary format.
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+Filename to output to, or standard output by default.
+.IP "\fB\-binary\fR" 4
+.IX Item "-binary"
+Output the \s-1MAC\s0 in binary form. Uses hexadecimal text format if not specified.
+.IP "\fB\-cipher\fR \fIname\fR" 4
+.IX Item "-cipher name"
+Used by \s-1CMAC\s0 and \s-1GMAC\s0 to specify the cipher algorithm.
+For \s-1CMAC\s0 it must be one of \s-1AES\-128\-CBC, AES\-192\-CBC, AES\-256\-CBC\s0 or
+\&\s-1DES\-EDE3\-CBC.\s0
+For \s-1GMAC\s0 it should be a \s-1GCM\s0 mode cipher e.g. \s-1AES\-128\-GCM.\s0
+.IP "\fB\-digest\fR \fIname\fR" 4
+.IX Item "-digest name"
+Used by \s-1HMAC\s0 as an alphanumeric string (use if the key contains printable
+characters only).
+The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
+.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-macopt nm:v"
+Passes options to the \s-1MAC\s0 algorithm.
+A comprehensive list of controls can be found in the \s-1EVP_MAC\s0 implementation
+documentation.
+Common parameter names used by \fBEVP_MAC_CTX_get_params()\fR are:
+.RS 4
+.IP "\fBkey:\fR\fIstring\fR" 4
+.IX Item "key:string"
+Specifies the \s-1MAC\s0 key as an alphanumeric string (use if the key contains
+printable characters only).
+The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+A key must be specified for every \s-1MAC\s0 algorithm.
+.IP "\fBhexkey:\fR\fIstring\fR" 4
+.IX Item "hexkey:string"
+Specifies the \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
+The key length must conform to any restrictions of the \s-1MAC\s0 algorithm.
+A key must be specified for every \s-1MAC\s0 algorithm.
+.IP "\fBiv:\fR\fIstring\fR" 4
+.IX Item "iv:string"
+Used by \s-1GMAC\s0 to specify an \s-1IV\s0 as an alphanumeric string (use if the \s-1IV\s0 contains
+printable characters only).
+.IP "\fBhexiv:\fR\fIstring\fR" 4
+.IX Item "hexiv:string"
+Used by \s-1GMAC\s0 to specify an \s-1IV\s0 in hexadecimal form (two hex digits per byte).
+.IP "\fBsize:\fR\fIint\fR" 4
+.IX Item "size:int"
+Used by \s-1KMAC128\s0 or \s-1KMAC256\s0 to specify an output length.
+The default sizes are 32 or 64 bytes respectively.
+.IP "\fBcustom:\fR\fIstring\fR" 4
+.IX Item "custom:string"
+Used by \s-1KMAC128\s0 or \s-1KMAC256\s0 to specify a customization string.
+The default is the empty string "".
+.IP "\fBdigest:\fR\fIstring\fR" 4
+.IX Item "digest:string"
+This option is identical to the \fB\-digest\fR option.
+.IP "\fBcipher:\fR\fIstring\fR" 4
+.IX Item "cipher:string"
+This option is identical to the \fB\-cipher\fR option.
+.RE
+.RS 4
+.RE
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fImac_name\fR" 4
+.IX Item "mac_name"
+Specifies the name of a supported \s-1MAC\s0 algorithm which will be used.
+To see the list of supported \s-1MAC\s0's use the command \f(CW\*(C`openssl list
+\&\-mac\-algorithms\*(C'\fR.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+To create a hex-encoded \s-1HMAC\-SHA1 MAC\s0 of a file and write to stdout: \e
+ openssl mac \-digest \s-1SHA1\s0 \e
+ \-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \e
+ \-in msg.bin \s-1HMAC\s0
+.PP
+To create a SipHash \s-1MAC\s0 from a file with a binary file output: \e
+ openssl mac \-macopt hexkey:000102030405060708090A0B0C0D0E0F \e
+ \-in msg.bin \-out out.bin \-binary SipHash
+.PP
+To create a hex-encoded \s-1CMAC\-AES\-128\-CBC MAC\s0 from a file:\e
+ openssl mac \-cipher \s-1AES\-128\-CBC\s0 \e
+ \-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \e
+ \-in msg.bin \s-1CMAC\s0
+.PP
+To create a hex-encoded \s-1KMAC128 MAC\s0 from a file with a Customisation String
+\&'Tag' and output length of 16: \e
+ openssl mac \-macopt custom:Tag \-macopt hexkey:40414243444546 \e
+ \-macopt size:16 \-in msg.bin \s-1KMAC128\s0
+.PP
+To create a hex-encoded \s-1GMAC\-AES\-128\-GCM\s0 with a \s-1IV\s0 from a file: \e
+ openssl mac \-cipher \s-1AES\-128\-GCM\s0 \-macopt hexiv:E0E00F19FED7BA0136A797F3 \e
+ \-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \-in msg.bin \s-1GMAC\s0
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1MAC\s0 mechanisms that are available will depend on the options
+used when building OpenSSL.
+Use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR to list them.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\s-1\fBEVP_MAC\s0\fR\|(3),
+\&\s-1\fBEVP_MAC\-CMAC\s0\fR\|(7),
+\&\s-1\fBEVP_MAC\-GMAC\s0\fR\|(7),
+\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7),
+\&\s-1\fBEVP_MAC\-KMAC\s0\fR\|(7),
+\&\fBEVP_MAC\-Siphash\fR\|(7),
+\&\fBEVP_MAC\-Poly1305\fR\|(7)
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2018\-2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-namedisplay-options.1 b/secure/usr.bin/openssl/man/openssl-namedisplay-options.1
new file mode 100644
index 000000000000..4b9a6515dcd4
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-namedisplay-options.1
@@ -0,0 +1,282 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-NAMEDISPLAY-OPTIONS 1ossl"
+.TH OPENSSL-NAMEDISPLAY-OPTIONS 1ossl "2023-09-19" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-namedisplay\-options \- Distinguished name display options
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fIcommand\fR
+[ \fIoptions\fR ... ]
+[ \fIparameters\fR ... ]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+OpenSSL provides fine-grain control over how the subject and issuer \s-1DN\s0's are
+displayed.
+This is specified by using the \fB\-nameopt\fR option, which takes a
+comma-separated list of options from the following set.
+An option may be preceded by a minus sign, \f(CW\*(C`\-\*(C'\fR, to turn it off.
+The default value is \f(CW\*(C`oneline\*(C'\fR.
+The first four are the most commonly used.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Name Format Option Arguments"
+.IX Subsection "Name Format Option Arguments"
+The \s-1DN\s0 output format can be fine tuned with the following flags.
+.IP "\fBcompat\fR" 4
+.IX Item "compat"
+Display the name using an old format from previous OpenSSL versions.
+.IP "\fB\s-1RFC2253\s0\fR" 4
+.IX Item "RFC2253"
+Display the name using the format defined in \s-1RFC 2253.\s0
+It is equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR,
+\&\fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, \fBsep_comma_plus\fR, \fBdn_rev\fR
+and \fBsname\fR.
+.IP "\fBoneline\fR" 4
+.IX Item "oneline"
+Display the name in one line, using a format that is more readable
+\&\s-1RFC 2253.\s0
+It is equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR,
+\&\fBdump_nostr\fR, \fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR,
+\&\fBspace_eq\fR and \fBsname\fR options.
+.IP "\fBmultiline\fR" 4
+.IX Item "multiline"
+Display the name using multiple lines.
+It is equivalent to \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, \fBspace_eq\fR,
+\&\fBlname\fR and \fBalign\fR.
+.IP "\fBesc_2253\fR" 4
+.IX Item "esc_2253"
+Escape the \*(L"special\*(R" characters in a field, as required by \s-1RFC 2253.\s0
+That is, any of the characters \f(CW\*(C`,+"<>;\*(C'\fR, \f(CW\*(C`#\*(C'\fR at the beginning of
+a string and leading or trailing spaces.
+.IP "\fBesc_2254\fR" 4
+.IX Item "esc_2254"
+Escape the \*(L"special\*(R" characters in a field as required by \s-1RFC 2254\s0 in a field.
+That is, the \fB\s-1NUL\s0\fR character and of \f(CW\*(C`()*\*(C'\fR.
+.IP "\fBesc_ctrl\fR" 4
+.IX Item "esc_ctrl"
+Escape non-printable \s-1ASCII\s0 characters, codes less than 0x20 (space)
+or greater than 0x7F (\s-1DELETE\s0). They are displayed using \s-1RFC 2253\s0 \f(CW\*(C`\eXX\*(C'\fR
+notation where \fB\s-1XX\s0\fR are the two hex digits representing the character value.
+.IP "\fBesc_msb\fR" 4
+.IX Item "esc_msb"
+Escape any characters with the most significant bit set, that is with
+values larger than 127, as described in \fBesc_ctrl\fR.
+.IP "\fBuse_quote\fR" 4
+.IX Item "use_quote"
+Escapes some characters by surrounding the entire string with quotation
+marks, \f(CW\*(C`"\*(C'\fR.
+Without this option, individual special characters are preceded with
+a backslash character, \f(CW\*(C`\e\*(C'\fR.
+.IP "\fButf8\fR" 4
+.IX Item "utf8"
+Convert all strings to \s-1UTF\-8\s0 format first as required by \s-1RFC 2253.\s0
+If the output device is \s-1UTF\-8\s0 compatible, then using this option (and
+not setting \fBesc_msb\fR) may give the correct display of multibyte
+characters.
+If this option is not set, then multibyte characters larger than 0xFF
+will be output as \f(CW\*(C`\eUXXXX\*(C'\fR for 16 bits or \f(CW\*(C`\eWXXXXXXXX\*(C'\fR for 32 bits.
+In addition, any UTF8Strings will be converted to their character form first.
+.IP "\fBignore_type\fR" 4
+.IX Item "ignore_type"
+This option does not attempt to interpret multibyte characters in any
+way. That is, the content octets are merely dumped as though one octet
+represents each character. This is useful for diagnostic purposes but
+will result in rather odd looking output.
+.IP "\fBshow_type\fR" 4
+.IX Item "show_type"
+Display the type of the \s-1ASN1\s0 character string before the value,
+such as \f(CW\*(C`BMPSTRING: Hello World\*(C'\fR.
+.IP "\fBdump_der\fR" 4
+.IX Item "dump_der"
+Any fields that would be output in hex format are displayed using
+the \s-1DER\s0 encoding of the field.
+If not set, just the content octets are displayed.
+Either way, the \fB#XXXX...\fR format of \s-1RFC 2253\s0 is used.
+.IP "\fBdump_nostr\fR" 4
+.IX Item "dump_nostr"
+Dump non-character strings, such as \s-1ASN.1\s0 \fB\s-1OCTET STRING\s0\fR.
+If this option is not set, then non character string types will be displayed
+as though each content octet represents a single character.
+.IP "\fBdump_all\fR" 4
+.IX Item "dump_all"
+Dump all fields. When this used with \fBdump_der\fR, this allows the
+\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
+.IP "\fBdump_unknown\fR" 4
+.IX Item "dump_unknown"
+Dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
+.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
+.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
+Specify the field separators. The first word is used between the
+Relative Distinguished Names (RDNs) and the second is between
+multiple Attribute Value Assertions (AVAs). Multiple AVAs are
+very rare and their use is discouraged.
+The options ending in \*(L"space\*(R" additionally place a space after the separator to make it more readable.
+The \fBsep_multiline\fR starts each field on its own line, and uses \*(L"plus space\*(R"
+for the \s-1AVA\s0 separator.
+It also indents the fields by four characters.
+The default value is \fBsep_comma_plus_space\fR.
+.IP "\fBdn_rev\fR" 4
+.IX Item "dn_rev"
+Reverse the fields of the \s-1DN\s0 as required by \s-1RFC 2253.\s0
+This also reverses the order of multiple AVAs in a field, but this is
+permissible as there is no ordering on values.
+.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
+.IX Item "nofname, sname, lname, oid"
+Specify how the field name is displayed.
+\&\fBnofname\fR does not display the field at all.
+\&\fBsname\fR uses the \*(L"short name\*(R" form (\s-1CN\s0 for commonName for example).
+\&\fBlname\fR uses the long form.
+\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
+diagnostic purpose.
+.IP "\fBalign\fR" 4
+.IX Item "align"
+Align field values for a more readable output. Only usable with
+\&\fBsep_multiline\fR.
+.IP "\fBspace_eq\fR" 4
+.IX Item "space_eq"
+Places spaces round the equal sign, \f(CW\*(C`=\*(C'\fR, character which follows the field
+name.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/openssl-nseq.1
index 30ca99890211..23897fd918af 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/openssl-nseq.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,37 +130,45 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "NSEQ 1"
-.TH NSEQ 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-NSEQ 1ossl"
+.TH OPENSSL-NSEQ 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-nseq, nseq \- create or examine a Netscape certificate sequence
+openssl\-nseq \- create or examine a Netscape certificate sequence
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBnseq\fR
[\fB\-help\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-toseq\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBnseq\fR command takes a file containing a Netscape certificate
+This command takes a file containing a Netscape certificate
sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
+.PP
+A Netscape certificate sequence is an old Netscape-specific format that
+can be sometimes be sent to browsers as an alternative to the standard PKCS#7
+format when several certificates are sent to the browser, for example during
+certificate enrollment. It was also used by Netscape certificate server.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read or standard input if this
option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename or standard output by default.
.IP "\fB\-toseq\fR" 4
@@ -171,6 +177,15 @@ Normally a Netscape certificate sequence will be input and the output
is the certificates contained in it. With the \fB\-toseq\fR option the
situation is reversed: a Netscape certificate sequence is created from
a file of certificates.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Output the certificates in a Netscape certificate sequence
@@ -184,28 +199,11 @@ Create a Netscape certificate sequence
.Vb 1
\& openssl nseq \-in certs.pem \-toseq \-out nseq.pem
.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
-.Ve
-.PP
-A Netscape certificate sequence is a Netscape specific format that can be sent
-to browsers as an alternative to the standard PKCS#7 format when several
-certificates are sent to the browser: for example during certificate enrollment.
-It is used by Netscape certificate server for example.
-.SH "BUGS"
-.IX Header "BUGS"
-This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and
-output files and allowing multiple certificate files to be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/openssl-ocsp.1
index 5c8bac8ed1da..36d7910ca18e 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/openssl-ocsp.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,45 +130,87 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "OCSP 1"
-.TH OCSP 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-OCSP 1ossl"
+.TH OPENSSL-OCSP 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility
+openssl\-ocsp \- Online Certificate Status Protocol command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
+.SS "\s-1OCSP\s0 Client"
+.IX Subsection "OCSP Client"
\&\fBopenssl\fR \fBocsp\fR
[\fB\-help\fR]
-[\fB\-out file\fR]
-[\fB\-issuer file\fR]
-[\fB\-cert file\fR]
-[\fB\-serial n\fR]
-[\fB\-signer file\fR]
-[\fB\-signkey file\fR]
-[\fB\-sign_other file\fR]
+[\fB\-out\fR \fIfile\fR]
+[\fB\-issuer\fR \fIfile\fR]
+[\fB\-cert\fR \fIfile\fR]
[\fB\-no_certs\fR]
+[\fB\-serial\fR \fIn\fR]
+[\fB\-signer\fR \fIfile\fR]
+[\fB\-signkey\fR \fIfile\fR]
+[\fB\-sign_other\fR \fIfile\fR]
+[\fB\-nonce\fR]
+[\fB\-no_nonce\fR]
[\fB\-req_text\fR]
[\fB\-resp_text\fR]
[\fB\-text\fR]
-[\fB\-reqout file\fR]
-[\fB\-respout file\fR]
-[\fB\-reqin file\fR]
-[\fB\-respin file\fR]
-[\fB\-nonce\fR]
-[\fB\-no_nonce\fR]
-[\fB\-url \s-1URL\s0\fR]
-[\fB\-host host:port\fR]
-[\fB\-multi process-count\fR]
-[\fB\-header\fR]
+[\fB\-reqout\fR \fIfile\fR]
+[\fB\-respout\fR \fIfile\fR]
+[\fB\-reqin\fR \fIfile\fR]
+[\fB\-respin\fR \fIfile\fR]
+[\fB\-url\fR \fI\s-1URL\s0\fR]
+[\fB\-host\fR \fIhost\fR:\fIport\fR]
[\fB\-path\fR]
-[\fB\-CApath dir\fR]
-[\fB\-CAfile file\fR]
+[\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR]
+[\fB\-no_proxy\fR \fIaddresses\fR]
+[\fB\-header\fR]
+[\fB\-timeout\fR \fIseconds\fR]
+[\fB\-VAfile\fR \fIfile\fR]
+[\fB\-validity_period\fR \fIn\fR]
+[\fB\-status_age\fR \fIn\fR]
+[\fB\-noverify\fR]
+[\fB\-verify_other\fR \fIfile\fR]
+[\fB\-trust_other\fR]
+[\fB\-no_intern\fR]
+[\fB\-no_signature_verify\fR]
+[\fB\-no_cert_verify\fR]
+[\fB\-no_chain\fR]
+[\fB\-no_cert_checks\fR]
+[\fB\-no_explicit\fR]
+[\fB\-port\fR \fInum\fR]
+[\fB\-ignore_err\fR]
+.SS "\s-1OCSP\s0 Server"
+.IX Subsection "OCSP Server"
+\&\fBopenssl\fR \fBocsp\fR
+[\fB\-index\fR \fIfile\fR]
+[\fB\-CA\fR \fIfile\fR]
+[\fB\-rsigner\fR \fIfile\fR]
+[\fB\-rkey\fR \fIfile\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-rother\fR \fIfile\fR]
+[\fB\-rsigopt\fR \fInm\fR:\fIv\fR]
+[\fB\-rmd\fR \fIdigest\fR]
+[\fB\-badsig\fR]
+[\fB\-resp_no_certs\fR]
+[\fB\-nmin\fR \fIn\fR]
+[\fB\-ndays\fR \fIn\fR]
+[\fB\-resp_key_id\fR]
+[\fB\-nrequest\fR \fIn\fR]
+[\fB\-multi\fR \fIprocess-count\fR]
+[\fB\-rcid\fR \fIdigest\fR]
+[\fB\-\f(BIdigest\fB\fR]
+[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
-[\fB\-attime timestamp\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
@@ -179,57 +219,34 @@ openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
-[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
-[\fB\-policy arg\fR]
+[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
-[\fB\-purpose purpose\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
-[\fB\-auth_level num\fR]
-[\fB\-verify_depth num\fR]
-[\fB\-verify_email email\fR]
-[\fB\-verify_hostname hostname\fR]
-[\fB\-verify_ip ip\fR]
-[\fB\-verify_name name\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
-[\fB\-VAfile file\fR]
-[\fB\-validity_period n\fR]
-[\fB\-status_age n\fR]
-[\fB\-noverify\fR]
-[\fB\-verify_other file\fR]
-[\fB\-trust_other\fR]
-[\fB\-no_intern\fR]
-[\fB\-no_signature_verify\fR]
-[\fB\-no_cert_verify\fR]
-[\fB\-no_chain\fR]
-[\fB\-no_cert_checks\fR]
-[\fB\-no_explicit\fR]
-[\fB\-port num\fR]
-[\fB\-ignore_err\fR]
-[\fB\-index file\fR]
-[\fB\-CA file\fR]
-[\fB\-rsigner file\fR]
-[\fB\-rkey file\fR]
-[\fB\-rother file\fR]
-[\fB\-rsigopt nm:v\fR]
-[\fB\-resp_no_certs\fR]
-[\fB\-nmin n\fR]
-[\fB\-ndays n\fR]
-[\fB\-resp_key_id\fR]
-[\fB\-nrequest n\fR]
-[\fB\-\f(BIdigest\fB\fR]
+[\fB\-issuer_checks\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0).
.PP
-The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
+This command performs many common \s-1OCSP\s0 tasks. It can be used
to print out requests and responses, create requests and send queries
to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
.SH "OPTIONS"
@@ -241,114 +258,114 @@ The options are described below, divided into those two modes.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
specify output filename, default is standard output.
-.IP "\fB\-issuer filename\fR" 4
+.IP "\fB\-issuer\fR \fIfilename\fR" 4
.IX Item "-issuer filename"
This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in \fBfilename\fR must be in
-\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
-.IP "\fB\-cert filename\fR" 4
+multiple times.
+This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
+.IP "\fB\-cert\fR \fIfilename\fR" 4
.IX Item "-cert filename"
-Add the certificate \fBfilename\fR to the request. The issuer certificate
-is taken from the previous \fBissuer\fR option, or an error occurs if no
+Add the certificate \fIfilename\fR to the request. The issuer certificate
+is taken from the previous \fB\-issuer\fR option, or an error occurs if no
issuer certificate is specified.
-.IP "\fB\-serial num\fR" 4
+.IP "\fB\-no_certs\fR" 4
+.IX Item "-no_certs"
+Don't include any certificates in signed request.
+.IP "\fB\-serial\fR \fInum\fR" 4
.IX Item "-serial num"
-Same as the \fBcert\fR option except the certificate with serial number
+Same as the \fB\-cert\fR option except the certificate with serial number
\&\fBnum\fR is added to the request. The serial number is interpreted as a
-decimal integer unless preceded by \fB0x\fR. Negative integers can also
-be specified by preceding the value by a \fB\-\fR sign.
-.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
+decimal integer unless preceded by \f(CW\*(C`0x\*(C'\fR. Negative integers can also
+be specified by preceding the value by a \f(CW\*(C`\-\*(C'\fR sign.
+.IP "\fB\-signer\fR \fIfilename\fR, \fB\-signkey\fR \fIfilename\fR" 4
.IX Item "-signer filename, -signkey filename"
-Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
-option and the private key specified by the \fBsignkey\fR option. If
-the \fBsignkey\fR option is not present then the private key is read
+Sign the \s-1OCSP\s0 request using the certificate specified in the \fB\-signer\fR
+option and the private key specified by the \fB\-signkey\fR option. If
+the \fB\-signkey\fR option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the \s-1OCSP\s0 request is not signed.
-.IP "\fB\-sign_other filename\fR" 4
+.IP "\fB\-sign_other\fR \fIfilename\fR" 4
.IX Item "-sign_other filename"
Additional certificates to include in the signed request.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
.IX Item "-nonce, -no_nonce"
Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
-Normally if an \s-1OCSP\s0 request is input using the \fBreqin\fR option no
-nonce is added: using the \fBnonce\fR option will force addition of a nonce.
-If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
-a nonce is automatically added specifying \fBno_nonce\fR overrides this.
+Normally if an \s-1OCSP\s0 request is input using the \fB\-reqin\fR option no
+nonce is added: using the \fB\-nonce\fR option will force addition of a nonce.
+If an \s-1OCSP\s0 request is being created (using \fB\-cert\fR and \fB\-serial\fR options)
+a nonce is automatically added specifying \fB\-no_nonce\fR overrides this.
.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
.IX Item "-req_text, -resp_text, -text"
Print out the text form of the \s-1OCSP\s0 request, response or both respectively.
-.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
+.IP "\fB\-reqout\fR \fIfile\fR, \fB\-respout\fR \fIfile\fR" 4
.IX Item "-reqout file, -respout file"
-Write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
-.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
+Write out the \s-1DER\s0 encoded certificate request or response to \fIfile\fR.
+.IP "\fB\-reqin\fR \fIfile\fR, \fB\-respin\fR \fIfile\fR" 4
.IX Item "-reqin file, -respin file"
-Read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
+Read \s-1OCSP\s0 request or response file from \fIfile\fR. These option are ignored
if \s-1OCSP\s0 request or response creation is implied by other options (for example
-with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
-.IP "\fB\-url responder_url\fR" 4
+with \fB\-serial\fR, \fB\-cert\fR and \fB\-host\fR options).
+.IP "\fB\-url\fR \fIresponder_url\fR" 4
.IX Item "-url responder_url"
Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
-.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
+The optional userinfo and fragment components are ignored.
+Any given query component is handled as part of the path component.
+.IP "\fB\-host\fR \fIhostname\fR:\fIport\fR, \fB\-path\fR \fIpathname\fR" 4
.IX Item "-host hostname:port, -path pathname"
-If the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
-\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 pathname to use
-or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme
+If the \fB\-host\fR option is present then the \s-1OCSP\s0 request is sent to the host
+\&\fIhostname\fR on port \fIport\fR. The \fB\-path\fR option specifies the \s-1HTTP\s0 pathname
+to use or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme
http:// and the given hostname, port, and pathname.
-.IP "\fB\-header name=value\fR" 4
+.IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR" 4
+.IX Item "-proxy [http[s]://][userinfo@]host[:port][/path]"
+The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is \f(CW\*(C`https\*(C'\fR; apart from that
+the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR
+in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
+.IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
+.IX Item "-no_proxy addresses"
+List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
+not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Default is from the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR.
+.IP "\fB\-header\fR \fIname\fR=\fIvalue\fR" 4
.IX Item "-header name=value"
-Adds the header \fBname\fR with the specified \fBvalue\fR to the \s-1OCSP\s0 request
+Adds the header \fIname\fR with the specified \fIvalue\fR to the \s-1OCSP\s0 request
that is sent to the responder.
This may be repeated.
-.IP "\fB\-timeout seconds\fR" 4
+.IP "\fB\-timeout\fR \fIseconds\fR" 4
.IX Item "-timeout seconds"
Connection timeout to the \s-1OCSP\s0 responder in seconds.
On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits
the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.
-.IP "\fB\-multi process-count\fR" 4
-.IX Item "-multi process-count"
-Run the specified number of \s-1OCSP\s0 responder child processes, with the parent
-process respawning child processes as needed.
-Child processes will detect changes in the \s-1CA\s0 index file and automatically
-reload it.
-When running as a responder \fB\-timeout\fR option is recommended to limit the time
-each child is willing to wait for the client's \s-1OCSP\s0 response.
-This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other
-required unix system-calls).
-.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
-.IX Item "-CAfile file, -CApath pathname"
-File or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
-the signature on the \s-1OCSP\s0 response.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location
-.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
-.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
-Set different certificate verification options.
-See \fBverify\fR\|(1) manual page for details.
-.IP "\fB\-verify_other file\fR" 4
+.IP "\fB\-verify_other\fR \fIfile\fR" 4
.IX Item "-verify_other file"
-File containing additional certificates to search when attempting to locate
+File or \s-1URI\s0 containing additional certificates to search
+when attempting to locate
the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-trust_other\fR" 4
.IX Item "-trust_other"
The certificates specified by the \fB\-verify_other\fR option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root \s-1CA\s0 is not appropriate.
-.IP "\fB\-VAfile file\fR" 4
+.IP "\fB\-VAfile\fR \fIfile\fR" 4
.IX Item "-VAfile file"
-File containing explicitly trusted responder certificates. Equivalent to the
-\&\fB\-verify_other\fR and \fB\-trust_other\fR options.
+File or \s-1URI\s0 containing explicitly trusted responder certificates.
+Equivalent to the \fB\-verify_other\fR and \fB\-trust_other\fR options.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce
@@ -382,7 +399,7 @@ Don't perform any additional checks on the \s-1OCSP\s0 response signers certific
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
-.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
+.IP "\fB\-validity_period\fR \fInsec\fR, \fB\-status_age\fR \fIage\fR" 4
.IX Item "-validity_period nsec, -status_age age"
These options specify the range of times, in seconds, which will be tolerated
in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR
@@ -395,38 +412,81 @@ seconds, the default value is 5 minutes.
.Sp
If the \fBnotAfter\fR time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
-\&\fBnotBefore\fR field is checked to see it is not older than \fBage\fR seconds old.
+\&\fBnotBefore\fR field is checked to see it is not older than \fIage\fR seconds old.
By default this additional check is not performed.
+.IP "\fB\-rcid\fR \fIdigest\fR" 4
+.IX Item "-rcid digest"
+This option sets the digest algorithm to use for certificate identification
+in the \s-1OCSP\s0 response. Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can
+be used. The default is the same digest algorithm used in the request.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This option sets digest algorithm to use for certificate identification in the
\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used.
The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SS "\s-1OCSP\s0 Server Options"
.IX Subsection "OCSP Server Options"
-.IP "\fB\-index indexfile\fR" 4
+.IP "\fB\-index\fR \fIindexfile\fR" 4
.IX Item "-index indexfile"
-The \fBindexfile\fR parameter is the name of a text index file in \fBca\fR
+The \fIindexfile\fR parameter is the name of a text index file in \fBca\fR
format containing certificate revocation information.
.Sp
-If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder
-mode, otherwise it is in client mode. The request(s) the responder
-processes can be either specified on the command line (using \fBissuer\fR
-and \fBserial\fR options), supplied in a file (using the \fBreqin\fR option)
-or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
+If the \fB\-index\fR option is specified then this command switches to
+responder mode, otherwise it is in client mode. The request(s) the responder
+processes can be either specified on the command line (using \fB\-issuer\fR
+and \fB\-serial\fR options), supplied in a file (using the \fB\-reqin\fR option)
+or via external \s-1OCSP\s0 clients (if \fB\-port\fR or \fB\-url\fR is specified).
.Sp
-If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options
+If the \fB\-index\fR option is present then the \fB\-CA\fR and \fB\-rsigner\fR options
must also be present.
-.IP "\fB\-CA file\fR" 4
+.IP "\fB\-CA\fR \fIfile\fR" 4
.IX Item "-CA file"
-\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
-.IP "\fB\-rsigner file\fR" 4
+\&\s-1CA\s0 certificate corresponding to the revocation information in the index
+file given with \fB\-index\fR.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-rsigner\fR \fIfile\fR" 4
.IX Item "-rsigner file"
The certificate to sign \s-1OCSP\s0 responses with.
-.IP "\fB\-rother file\fR" 4
+.IP "\fB\-rkey\fR \fIfile\fR" 4
+.IX Item "-rkey file"
+The private key to sign \s-1OCSP\s0 responses with: if not present the file
+specified in the \fB\-rsigner\fR option is used.
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The private key password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-rother\fR \fIfile\fR" 4
.IX Item "-rother file"
Additional certificates to include in the \s-1OCSP\s0 response.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-rsigopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-rsigopt nm:v"
+Pass options to the signature algorithm when signing \s-1OCSP\s0 responses.
+Names and values of these options are algorithm-specific.
+.IP "\fB\-rmd\fR \fIdigest\fR" 4
+.IX Item "-rmd digest"
+The digest to use when signing the response.
+.IP "\fB\-badsig\fR" 4
+.IX Item "-badsig"
+Corrupt the response signature before writing it; this can be useful
+for testing.
.IP "\fB\-resp_no_certs\fR" 4
.IX Item "-resp_no_certs"
Don't include any certificates in the \s-1OCSP\s0 response.
@@ -434,34 +494,37 @@ Don't include any certificates in the \s-1OCSP\s0 response.
.IX Item "-resp_key_id"
Identify the signer certificate using the key \s-1ID,\s0 default is to use the
subject name.
-.IP "\fB\-rkey file\fR" 4
-.IX Item "-rkey file"
-The private key to sign \s-1OCSP\s0 responses with: if not present the file
-specified in the \fBrsigner\fR option is used.
-.IP "\fB\-rsigopt nm:v\fR" 4
-.IX Item "-rsigopt nm:v"
-Pass options to the signature algorithm when signing \s-1OCSP\s0 responses.
-Names and values of these options are algorithm-specific.
-.IP "\fB\-port portnum\fR" 4
+.IP "\fB\-port\fR \fIportnum\fR" 4
.IX Item "-port portnum"
Port to listen for \s-1OCSP\s0 requests on. The port may also be specified
using the \fBurl\fR option.
+A \f(CW0\fR argument indicates that any available port shall be chosen automatically.
.IP "\fB\-ignore_err\fR" 4
.IX Item "-ignore_err"
Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if
a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue
running instead of terminating upon receiving a malformed request.
-.IP "\fB\-nrequest number\fR" 4
+.IP "\fB\-nrequest\fR \fInumber\fR" 4
.IX Item "-nrequest number"
-The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
-.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
+The \s-1OCSP\s0 server will exit after receiving \fInumber\fR requests, default unlimited.
+.IP "\fB\-multi\fR \fIprocess-count\fR" 4
+.IX Item "-multi process-count"
+Run the specified number of \s-1OCSP\s0 responder child processes, with the parent
+process respawning child processes as needed.
+Child processes will detect changes in the \s-1CA\s0 index file and automatically
+reload it.
+When running as a responder \fB\-timeout\fR option is recommended to limit the time
+each child is willing to wait for the client's \s-1OCSP\s0 response.
+This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other
+required unix system-calls).
+.IP "\fB\-nmin\fR \fIminutes\fR, \fB\-ndays\fR \fIdays\fR" 4
.IX Item "-nmin minutes, -ndays days"
Number of minutes or days when fresh revocation information is available:
used in the \fBnextUpdate\fR field. If neither option is present then the
\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is
immediately available.
-.SH "OCSP Response verification."
-.IX Header "OCSP Response verification."
+.SH "OCSP RESPONSE VERIFICATION"
+.IX Header "OCSP RESPONSE VERIFICATION"
\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
.PP
Initially the \s-1OCSP\s0 responder certificate is located and the signature on
@@ -469,9 +532,9 @@ the \s-1OCSP\s0 request checked using the responder certificate's public key.
.PP
Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the \fBCAfile\fR
-and \fBCApath\fR options or they will be looked for in the standard OpenSSL
-certificates directory.
+certificates used to build the chain can be specified by the \fB\-CAfile\fR,
+\&\fB\-CApath\fR or \fB\-CAstore\fR options or they will be looked for in the
+standard OpenSSL certificates directory.
.PP
If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
error.
@@ -507,8 +570,8 @@ with the \fB\-VAfile\fR option.
.SH "NOTES"
.IX Header "NOTES"
As noted, most of the verify options are for testing or debugging purposes.
-Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
-\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
+Normally only the \fB\-CApath\fR, \fB\-CAfile\fR, \fB\-CAstore\fR and (if the responder
+is a 'global \s-1VA\s0') \fB\-VAfile\fR options need to be used.
.PP
The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
not really usable as a full \s-1OCSP\s0 responder. It contains only a very
@@ -518,8 +581,8 @@ new requests until it has processed the current one. The text index file
format of revocation is also inefficient for large quantities of revocation
data.
.PP
-It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
-script using the \fBreqin\fR and \fBrespout\fR options.
+It is possible to run this command in responder mode via a \s-1CGI\s0
+script using the \fB\-reqin\fR and \fB\-respout\fR options.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an \s-1OCSP\s0 request and write it to a file:
@@ -576,9 +639,9 @@ to a second file.
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-passphrase-options.1 b/secure/usr.bin/openssl/man/openssl-passphrase-options.1
new file mode 100644
index 000000000000..1cf8d9195b6f
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-passphrase-options.1
@@ -0,0 +1,195 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-PASSPHRASE-OPTIONS 1ossl"
+.TH OPENSSL-PASSPHRASE-OPTIONS 1ossl "2023-09-19" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-passphrase\-options \- Pass phrase options
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fIcommand\fR
+[ \fIoptions\fR ... ]
+[ \fIparameters\fR ... ]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+Several OpenSSL commands accept password arguments, typically using \fB\-passin\fR
+and \fB\-passout\fR for input and output passwords respectively. These allow
+the password to be obtained from a variety of sources. Both of these
+options take a single argument whose format is described below. If no
+password argument is given and a password is required then the user is
+prompted to enter one: this will typically be read from the current
+terminal with echoing turned off.
+.PP
+Note that character encoding may be relevant, please see
+\&\fBpassphrase\-encoding\fR\|(7).
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Pass Phrase Option Arguments"
+.IX Subsection "Pass Phrase Option Arguments"
+Pass phrase arguments can be formatted as follows.
+.IP "\fBpass:\fR\fIpassword\fR" 4
+.IX Item "pass:password"
+The actual password is \fIpassword\fR. Since the password is visible
+to utilities (like 'ps' under Unix) this form should only be used
+where security is not important.
+.IP "\fBenv:\fR\fIvar\fR" 4
+.IX Item "env:var"
+Obtain the password from the environment variable \fIvar\fR. Since
+the environment of other processes is visible on certain platforms
+(e.g. ps under certain Unix OSes) this option should be used with caution.
+.IP "\fBfile:\fR\fIpathname\fR" 4
+.IX Item "file:pathname"
+The first line of \fIpathname\fR is the password. If the same \fIpathname\fR
+argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
+line will be used for the input password and the next line for the output
+password. \fIpathname\fR need not refer to a regular file: it could for example
+refer to a device or named pipe.
+.IP "\fBfd:\fR\fInumber\fR" 4
+.IX Item "fd:number"
+Read the password from the file descriptor \fInumber\fR. This can be used to
+send the data via a pipe for example.
+.IP "\fBstdin\fR" 4
+.IX Item "stdin"
+Read the password from standard input.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/openssl-passwd.1
index 28789e81a867..725564ba9af8 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/openssl-passwd.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,19 +130,18 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PASSWD 1"
-.TH PASSWD 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PASSWD 1ossl"
+.TH OPENSSL-PASSWD 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-passwd, passwd \- compute password hashes
+openssl\-passwd \- compute password hashes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl passwd\fR
[\fB\-help\fR]
-[\fB\-crypt\fR]
[\fB\-1\fR]
[\fB\-apr1\fR]
[\fB\-aixmd5\fR]
@@ -156,26 +153,27 @@ openssl\-passwd, passwd \- compute password hashes
[\fB\-noverify\fR]
[\fB\-quiet\fR]
[\fB\-table\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-{\fIpassword\fR}
+[\fB\-reverse\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIpassword\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpasswd\fR command computes the hash of a password typed at
+This command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
-taken from the named file for option \fB\-in file\fR, from stdin for
+taken from the named file for option \fB\-in\fR, from stdin for
option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-crypt\fR" 4
-.IX Item "-crypt"
-Use the \fBcrypt\fR algorithm (default).
.IP "\fB\-1\fR" 4
.IX Item "-1"
-Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
+Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR (default).
.IP "\fB\-apr1\fR" 4
.IX Item "-apr1"
Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
@@ -210,23 +208,24 @@ Don't output warnings when passwords given at the command line are truncated.
.IX Item "-table"
In the output list, prepend the cleartext password and a \s-1TAB\s0 character
to each password hash.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
+.IP "\fB\-reverse\fR" 4
+.IX Item "-reverse"
+When the \fB\-table\fR option is used, reverse the order of cleartext and hash.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.Vb 2
-\& % openssl passwd \-crypt \-salt xx password
-\& xxj31ZMTZzkVA
-\&
\& % openssl passwd \-1 \-salt xxxxxxxx password
\& $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
\&
@@ -236,11 +235,14 @@ This can be used with a subsequent \fB\-rand\fR flag.
\& % openssl passwd \-aixmd5 \-salt xxxxxxxx password
\& xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/
.Ve
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-crypt\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/openssl-pkcs12.1
index dee40e68cde7..193fb7b9e9d0 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs12.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,117 +130,193 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKCS12 1"
-.TH PKCS12 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKCS12 1ossl"
+.TH OPENSSL-PKCS12 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkcs12, pkcs12 \- PKCS#12 file utility
+openssl\-pkcs12 \- PKCS#12 file command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs12\fR
[\fB\-help\fR]
-[\fB\-export\fR]
-[\fB\-chain\fR]
-[\fB\-inkey file_or_id\fR]
-[\fB\-certfile filename\fR]
-[\fB\-name name\fR]
-[\fB\-caname name\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-passout\fR \fIarg\fR]
+[\fB\-password\fR \fIarg\fR]
+[\fB\-twopass\fR]
+[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-nokeys\fR]
+[\fB\-nocerts\fR]
[\fB\-noout\fR]
+[\fB\-legacy\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+.PP
+PKCS#12 input (parsing) options:
+[\fB\-info\fR]
[\fB\-nomacver\fR]
-[\fB\-nocerts\fR]
[\fB\-clcerts\fR]
[\fB\-cacerts\fR]
-[\fB\-nokeys\fR]
-[\fB\-info\fR]
-[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-aria128 | \-aria192 | \-aria256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR]
-[\fB\-noiter\fR]
-[\fB\-maciter | \-nomaciter | \-nomac\fR]
-[\fB\-twopass\fR]
-[\fB\-descert\fR]
-[\fB\-certpbe cipher\fR]
-[\fB\-keypbe cipher\fR]
-[\fB\-macalg digest\fR]
-[\fB\-keyex\fR]
-[\fB\-keysig\fR]
-[\fB\-password arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-passout arg\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
+.PP
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-aria128\fR]
+[\fB\-aria192\fR]
+[\fB\-aria256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
+[\fB\-des\fR]
+[\fB\-des3\fR]
+[\fB\-idea\fR]
+[\fB\-noenc\fR]
+[\fB\-nodes\fR]
+.PP
+PKCS#12 output (export) options:
+.PP
+[\fB\-export\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-certfile\fR \fIfilename\fR]
+[\fB\-passcerts\fR \fIarg\fR]
+[\fB\-chain\fR]
+[\fB\-untrusted\fR \fIfilename\fR]
+[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
-[\fB\-CSP name\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-name\fR \fIname\fR]
+[\fB\-caname\fR \fIname\fR]
+[\fB\-CSP\fR \fIname\fR]
+[\fB\-LMK\fR]
+[\fB\-keyex\fR]
+[\fB\-keysig\fR]
+[\fB\-keypbe\fR \fIcipher\fR]
+[\fB\-certpbe\fR \fIcipher\fR]
+[\fB\-descert\fR]
+[\fB\-macalg\fR \fIdigest\fR]
+[\fB\-iter\fR \fIcount\fR]
+[\fB\-noiter\fR]
+[\fB\-nomaciter\fR]
+[\fB\-maciter\fR]
+[\fB\-nomac\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
+This command allows PKCS#12 files (sometimes referred to as
\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are a lot of options the meaning of some depends of whether a PKCS#12 file
-is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
-file can be created by using the \fB\-export\fR option (see below).
-.SH "PARSING OPTIONS"
-.IX Header "PARSING OPTIONS"
+is being created or parsed. By default a PKCS#12 file is parsed.
+A PKCS#12 file can be created by using the \fB\-export\fR option (see below).
+The PKCS#12 export encryption and \s-1MAC\s0 options such as \fB\-certpbe\fR and \fB\-iter\fR
+and many further options such as \fB\-chain\fR are relevant only with \fB\-export\fR.
+Conversely, the options regarding encryption of private keys when outputting
+PKCS#12 input are relevant only when the \fB\-export\fR option is not given.
+.PP
+The default encryption algorithm is \s-1AES\-256\-CBC\s0 with \s-1PBKDF2\s0 for key derivation.
+.PP
+When encountering problems loading legacy PKCS#12 files that involve,
+for example, \s-1RC2\-40\-CBC,\s0
+try using the \fB\-legacy\fR option and, if needed, the \fB\-provider\-path\fR option.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies filename of the PKCS#12 file to be parsed. Standard input is used
-by default.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-The filename to write certificates and private keys to, standard output by
-default. They are all written in \s-1PEM\s0 format.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The PKCS#12 file (i.e. input file) password source. For more information about
-the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-passout arg\fR" 4
+The password source for the input, and for encrypting any private keys that
+are output.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
-Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-password arg\fR" 4
+The password source for output files.
+.IP "\fB\-password\fR \fIarg\fR" 4
.IX Item "-password arg"
-With \-export, \-password is equivalent to \-passout.
-Otherwise, \-password is equivalent to \-passin.
+With \fB\-export\fR, \fB\-password\fR is equivalent to \fB\-passout\fR,
+otherwise it is equivalent to \fB\-passin\fR.
+.IP "\fB\-twopass\fR" 4
+.IX Item "-twopass"
+Prompt for separate integrity and encryption passwords: most software
+always assumes these are the same so this option will render such
+PKCS#12 files unreadable. Cannot be used in combination with the options
+\&\fB\-password\fR, \fB\-passin\fR if importing from PKCS#12, or \fB\-passout\fR if exporting.
+.IP "\fB\-nokeys\fR" 4
+.IX Item "-nokeys"
+No private keys will be output.
+.IP "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+No certificates will be output.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
-This option inhibits output of the keys and certificates to the output file
-version of the PKCS#12 file.
+This option inhibits all credentials output,
+and so the input is just verified.
+.IP "\fB\-legacy\fR" 4
+.IX Item "-legacy"
+Use legacy mode of operation and automatically load the legacy provider.
+If OpenSSL is not installed system-wide,
+it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
+or to set the environment variable \fB\s-1OPENSSL_MODULES\s0\fR
+to point to the directory where the providers can be found.
+.Sp
+In the legacy mode, the default algorithm for certificate encryption
+is \s-1RC2_CBC\s0 or 3DES_CBC depending on whether the \s-1RC2\s0 cipher is enabled
+in the build. The default algorithm for private key encryption is 3DES_CBC.
+If the legacy option is not specified, then the legacy provider is not loaded
+and the default encryption algorithm for both certificates and private keys is
+\&\s-1AES_256_CBC\s0 with \s-1PBKDF2\s0 for key derivation.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.SS "PKCS#12 input (parsing) options"
+.IX Subsection "PKCS#12 input (parsing) options"
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input filename or \s-1URI.\s0
+Standard input is used by default.
+Without the \fB\-export\fR option this must be PKCS#12 file to be parsed.
+For use with the \fB\-export\fR option
+see the \*(L"PKCS#12 output (export) options\*(R" section.
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+The filename to write certificates and private keys to, standard output by
+default. They are all written in \s-1PEM\s0 format.
+.IP "\fB\-info\fR" 4
+.IX Item "-info"
+Output additional information about the PKCS#12 file structure, algorithms
+used and iteration counts.
+.IP "\fB\-nomacver\fR" 4
+.IX Item "-nomacver"
+Don't attempt to verify the integrity \s-1MAC.\s0
.IP "\fB\-clcerts\fR" 4
.IX Item "-clcerts"
Only output client certificates (not \s-1CA\s0 certificates).
.IP "\fB\-cacerts\fR" 4
.IX Item "-cacerts"
Only output \s-1CA\s0 certificates (not client certificates).
-.IP "\fB\-nocerts\fR" 4
-.IX Item "-nocerts"
-No certificates at all will be output.
-.IP "\fB\-nokeys\fR" 4
-.IX Item "-nokeys"
-No private keys will be output.
-.IP "\fB\-info\fR" 4
-.IX Item "-info"
-Output additional information about the PKCS#12 file structure, algorithms
-used and iteration counts.
-.IP "\fB\-des\fR" 4
-.IX Item "-des"
-Use \s-1DES\s0 to encrypt private keys before outputting.
-.IP "\fB\-des3\fR" 4
-.IX Item "-des3"
-Use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
-.IP "\fB\-idea\fR" 4
-.IX Item "-idea"
-Use \s-1IDEA\s0 to encrypt private keys before outputting.
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
.IX Item "-aes128, -aes192, -aes256"
Use \s-1AES\s0 to encrypt private keys before outputting.
@@ -252,81 +326,96 @@ Use \s-1ARIA\s0 to encrypt private keys before outputting.
.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
.IX Item "-camellia128, -camellia192, -camellia256"
Use Camellia to encrypt private keys before outputting.
+.IP "\fB\-des\fR" 4
+.IX Item "-des"
+Use \s-1DES\s0 to encrypt private keys before outputting.
+.IP "\fB\-des3\fR" 4
+.IX Item "-des3"
+Use triple \s-1DES\s0 to encrypt private keys before outputting.
+.IP "\fB\-idea\fR" 4
+.IX Item "-idea"
+Use \s-1IDEA\s0 to encrypt private keys before outputting.
+.IP "\fB\-noenc\fR" 4
+.IX Item "-noenc"
+Don't encrypt private keys at all.
.IP "\fB\-nodes\fR" 4
.IX Item "-nodes"
-Don't encrypt the private keys at all.
-.IP "\fB\-nomacver\fR" 4
-.IX Item "-nomacver"
-Don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
-.IP "\fB\-twopass\fR" 4
-.IX Item "-twopass"
-Prompt for separate integrity and encryption passwords: most software
-always assumes these are the same so this option will render such
-PKCS#12 files unreadable. Cannot be used in combination with the options
-\&\-password, \-passin (if importing) or \-passout (if exporting).
-.SH "FILE CREATION OPTIONS"
-.IX Header "FILE CREATION OPTIONS"
+This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
+.SS "PKCS#12 output (export) options"
+.IX Subsection "PKCS#12 output (export) options"
.IP "\fB\-export\fR" 4
.IX Item "-export"
This option specifies that a PKCS#12 file will be created rather than
parsed.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies filename to write the PKCS#12 file to. Standard output is used
by default.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-The filename to read certificates and private keys from, standard input by
-default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one
-private key and its corresponding certificate should be present. If additional
-certificates are present they will also be included in the PKCS#12 file.
-.IP "\fB\-inkey file_or_id\fR" 4
-.IX Item "-inkey file_or_id"
-File to read private key from. If not present then a private key must be present
-in the input file.
-If no engine is used, the argument is taken as a file; if an engine is
-specified, the argument is given to the engine as a key identifier.
-.IP "\fB\-name friendlyname\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input filename or \s-1URI.\s0
+Standard input is used by default.
+With the \fB\-export\fR option this is a file with certificates and a key,
+or a \s-1URI\s0 that refers to a key accessed via an engine.
+The order of credentials in a file doesn't matter but one private key and
+its corresponding certificate should be present. If additional
+certificates are present they will also be included in the PKCS#12 output file.
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
+The private key input for \s-1PKCS12\s0 output.
+If this option is not specified then the input file (\fB\-in\fR argument) must
+contain a private key.
+If no engine is used, the argument is taken as a file.
+If the \fB\-engine\fR option is used or the \s-1URI\s0 has prefix \f(CW\*(C`org.openssl.engine:\*(C'\fR
+then the rest of the \s-1URI\s0 is taken as key identifier for the given engine.
+.IP "\fB\-certfile\fR \fIfilename\fR" 4
+.IX Item "-certfile filename"
+An input file with extra certificates to be added to the PKCS#12 output
+if the \fB\-export\fR option is given.
+.IP "\fB\-passcerts\fR \fIarg\fR" 4
+.IX Item "-passcerts arg"
+The password source for certificate input such as \fB\-certfile\fR
+and \fB\-untrusted\fR.
+For more information about the format of \fBarg\fR see
+\&\fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-chain\fR" 4
+.IX Item "-chain"
+If this option is present then the certificate chain of the end entity
+certificate is built and included in the PKCS#12 output file.
+The end entity certificate is the first one read from the \fB\-in\fR file
+if no key is given, else the first certificate matching the given key.
+The standard \s-1CA\s0 trust store is used for chain building,
+as well as any untrusted \s-1CA\s0 certificates given with the \fB\-untrusted\fR option.
+.IP "\fB\-untrusted\fR \fIfilename\fR" 4
+.IX Item "-untrusted filename"
+An input file of untrusted certificates that may be used
+for chain building, which is relevant only when a PKCS#12 file is created
+with the \fB\-export\fR option and the \fB\-chain\fR option is given as well.
+Any certificates that are actually part of the chain are added to the output.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-name\fR \fIfriendlyname\fR" 4
.IX Item "-name friendlyname"
-This specifies the \*(L"friendly name\*(R" for the certificate and private key. This
+This specifies the \*(L"friendly name\*(R" for the certificates and private key. This
name is typically displayed in list boxes by software importing the file.
-.IP "\fB\-certfile filename\fR" 4
-.IX Item "-certfile filename"
-A filename to read additional certificates from.
-.IP "\fB\-caname friendlyname\fR" 4
+.IP "\fB\-caname\fR \fIfriendlyname\fR" 4
.IX Item "-caname friendlyname"
This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
displays them.
-.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
-.IX Item "-pass arg, -passout arg"
-The PKCS#12 file (i.e. output file) password source. For more information about
-the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-passin password\fR" 4
-.IX Item "-passin password"
-Pass phrase source to decrypt any input private keys with. For more information
-about the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-chain\fR" 4
-.IX Item "-chain"
-If this option is present then an attempt is made to include the entire
-certificate chain of the user certificate. The standard \s-1CA\s0 store is used
-for this search. If the search fails it is considered a fatal error.
-.IP "\fB\-descert\fR" 4
-.IX Item "-descert"
-Encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12
-file unreadable by some \*(L"export grade\*(R" software. By default the private
-key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0
-unless \s-1RC2\s0 is disabled in which case triple \s-1DES\s0 is used.
-.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
-.IX Item "-keypbe alg, -certpbe alg"
-These options allow the algorithm used to encrypt the private key and
-certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
-can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name
-(as output by the \fBlist-cipher-algorithms\fR command is specified then it
-is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
-use PKCS#12 algorithms.
-.IP "\fB\-keyex|\-keysig\fR" 4
+.IP "\fB\-CSP\fR \fIname\fR" 4
+.IX Item "-CSP name"
+Write \fIname\fR as a Microsoft \s-1CSP\s0 name.
+The password source for the input, and for encrypting any private keys that
+are output.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-LMK\fR" 4
+.IX Item "-LMK"
+Add the \*(L"Local Key Set\*(R" identifier to the attributes.
+.IP "\fB\-keyex\fR|\fB\-keysig\fR" 4
.IX Item "-keyex|-keysig"
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
@@ -336,24 +425,41 @@ option marks the key for signing only. Signing only keys can be used for
S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
authentication, however, due to a bug only \s-1MSIE 5.0\s0 and later support
the use of signing only keys for \s-1SSL\s0 client authentication.
-.IP "\fB\-macalg digest\fR" 4
+.IP "\fB\-keypbe\fR \fIalg\fR, \fB\-certpbe\fR \fIalg\fR" 4
+.IX Item "-keypbe alg, -certpbe alg"
+These options allow the algorithm used to encrypt the private key and
+certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
+can be used (see \*(L"\s-1NOTES\*(R"\s0 section for more information). If a cipher name
+(as output by \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR) is specified then it
+is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
+use PKCS#12 algorithms.
+.Sp
+Special value \f(CW\*(C`NONE\*(C'\fR disables encryption of the private key and certificates.
+.IP "\fB\-descert\fR" 4
+.IX Item "-descert"
+Encrypt the certificates using triple \s-1DES.\s0 By default the private
+key and the certificates are encrypted using \s-1AES\-256\-CBC\s0 unless
+the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
+then both, the private key and the certificates are encrypted using triple \s-1DES.\s0
+.IP "\fB\-macalg\fR \fIdigest\fR" 4
.IX Item "-macalg digest"
-Specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used.
-.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
-.IX Item "-nomaciter, -noiter"
-These options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
-Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave
-these options alone.
+Specify the \s-1MAC\s0 digest algorithm. If not included \s-1SHA256\s0 will be used.
+.IP "\fB\-iter\fR \fIcount\fR" 4
+.IX Item "-iter count"
+This option specifies the iteration count for the encryption key and \s-1MAC.\s0 The
+default value is 2048.
.Sp
To discourage attacks by using large dictionaries of common passwords the
algorithm that derives keys from passwords can have an iteration count applied
to it: this causes a certain part of the algorithm to be repeated and slows it
down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
have the same password as the keys and certificates it could also be attacked.
-By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
+.IP "\fB\-noiter\fR, \fB\-nomaciter\fR" 4
+.IX Item "-noiter, -nomaciter"
+By default both encryption and \s-1MAC\s0 iteration counts are set to 2048, using
these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
this reduces the file security you should not use these options unless you
-really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
+really have to. Most software supports both \s-1MAC\s0 and encryption iteration counts.
\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
option.
.IP "\fB\-maciter\fR" 4
@@ -362,35 +468,9 @@ This option is included for compatibility with previous versions, it used
to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
.IP "\fB\-nomac\fR" 4
.IX Item "-nomac"
-Don't attempt to provide the \s-1MAC\s0 integrity.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-\&\s-1CA\s0 storage as a file.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate
-directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be
-linked to each certificate.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location.
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location.
-.IP "\fB\-CSP name\fR" 4
-.IX Item "-CSP name"
-Write \fBname\fR as a Microsoft \s-1CSP\s0 name.
+Do not attempt to provide the \s-1MAC\s0 integrity. This can be useful with the \s-1FIPS\s0
+provider as the \s-1PKCS12 MAC\s0 requires \s-1PKCS12KDF\s0 which is not an approved \s-1FIPS\s0
+algorithm and cannot be supported by the \s-1FIPS\s0 provider.
.SH "NOTES"
.IX Header "NOTES"
Although there are a large number of options most of them are very rarely
@@ -400,20 +480,21 @@ for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
then all certificates will be output in the order they appear in the input
PKCS#12 files. There is no guarantee that the first certificate present is
-the one corresponding to the private key. Certain software which requires
-a private key and certificate and assumes the first certificate in the
-file is the one corresponding to the private key: this may not always
-be the case. Using the \fB\-clcerts\fR option will solve this problem by only
+the one corresponding to the private key.
+Certain software which tries to get a private key and the corresponding
+certificate might assume that the first certificate in the file is the one
+corresponding to the private key, but that may not always be the case.
+Using the \fB\-clcerts\fR option will solve this problem by only
outputting the certificate corresponding to the private key. If the \s-1CA\s0
certificates are required then they can be output to a separate file using
-the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
+the \fB\-nokeys\fR \fB\-cacerts\fR options to just output \s-1CA\s0 certificates.
.PP
The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple \s-1DES\s0
-encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
+encrypted private keys, then the option \fB\-keypbe\fR \fI\s-1PBE\-SHA1\-RC2\-40\s0\fR can
be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
-description of all algorithms is contained in the \fBpkcs8\fR manual page.
+description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
.PP
Prior 1.1 release passwords containing non-ASCII characters were encoded
in non-compliant manner, which limited interoperability, in first hand
@@ -423,10 +504,10 @@ this reason even legacy encodings is attempted when reading the
data. If you use PKCS#12 files in production application you are advised
to convert the data, because implemented heuristic approach is not
MT-safe, its sole goal is to facilitate the data upgrade with this
-utility.
+command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-Parse a PKCS#12 file and output it to a file:
+Parse a PKCS#12 file and output it to a \s-1PEM\s0 file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem
@@ -441,7 +522,7 @@ Output only client certificates to a file:
Don't encrypt the private key:
.PP
.Vb 1
-\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes
+\& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
.Ve
.PP
Print some info about a PKCS#12 file:
@@ -450,26 +531,45 @@ Print some info about a PKCS#12 file:
\& openssl pkcs12 \-in file.p12 \-info \-noout
.Ve
.PP
-Create a PKCS#12 file:
+Print some info about a PKCS#12 file in legacy mode:
+.PP
+.Vb 1
+\& openssl pkcs12 \-in file.p12 \-info \-noout \-legacy
+.Ve
+.PP
+Create a PKCS#12 file from a \s-1PEM\s0 file that may contain a key and certificates:
.PP
.Vb 1
-\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate"
+\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE"
.Ve
.PP
Include some extra certificates:
.PP
.Vb 2
-\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e
+\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE" \e
\& \-certfile othercerts.pem
.Ve
+.PP
+Export a PKCS#12 file with data from a certificate \s-1PEM\s0 file and from a further
+\&\s-1PEM\s0 file containing a key, with default algorithms as in the legacy provider:
+.PP
+.Vb 1
+\& openssl pkcs12 \-export \-in cert.pem \-inkey key.pem \-out file.p12 \-legacy
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBpkcs8\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBossl_store\-file\fR\|(7)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+The \fB\-nodes\fR option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/openssl-pkcs7.1
index de30f9f955e4..2ecb10ee8a29 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs7.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,69 +130,82 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKCS7 1"
-.TH PKCS7 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKCS7 1ossl"
+.TH OPENSSL-PKCS7 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkcs7, pkcs7 \- PKCS#7 utility
+openssl\-pkcs7 \- PKCS#7 command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs7\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-print\fR]
[\fB\-print_certs\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
+This command processes PKCS#7 files. Note that it only understands PKCS#7
+v 1.5 as specified in \s-1IETF RFC 2315.\s0 It cannot currently parse \s-1CMS\s0 as
+described in \s-1IETF RFC 2630.\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
-v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
-the \s-1DER\s0 form with header and footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM, -outform DER|PEM"
+The input and formats; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+The data is a PKCS#7 Version 1.5 structure.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
+.IP "\fB\-print\fR" 4
+.IX Item "-print"
+Print out the full \s-1PKCS7\s0 object.
.IP "\fB\-print_certs\fR" 4
.IX Item "-print_certs"
Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
.IP "\fB\-text\fR" 4
.IX Item "-text"
-Prints out certificates details in full rather than just subject and
+Prints out certificate details in full rather than just subject and
issuer names.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the PKCS#7 structure (or certificates
-is \fB\-print_certs\fR is set).
-.IP "\fB\-engine id\fR" 4
+if \fB\-print_certs\fR is set).
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
@@ -208,35 +219,18 @@ Output all certificates in a file:
.Vb 1
\& openssl pkcs7 \-in file.pem \-print_certs \-out certs.pem
.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
-\& \-\-\-\-\-END PKCS7\-\-\-\-\-
-.Ve
-.PP
-For compatibility with some CAs it will also accept:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
-.Ve
-.SH "RESTRICTIONS"
-.IX Header "RESTRICTIONS"
-There is no option to print out all the fields of a PKCS#7 file.
-.PP
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they
-cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBcrl2pkcs7\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-crl2pkcs7\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/openssl-pkcs8.1
index b9e3b50ffbcd..d802f93a6c5c 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs8.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,42 +130,45 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKCS8 1"
-.TH PKCS8 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKCS8 1ossl"
+.TH OPENSSL-PKCS8 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkcs8, pkcs8 \- PKCS#8 format private key conversion tool
+openssl\-pkcs8 \- PKCS#8 format private key conversion command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs8\fR
[\fB\-help\fR]
[\fB\-topk8\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-iter count\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
+[\fB\-iter\fR \fIcount\fR]
[\fB\-noiter\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
[\fB\-nocrypt\fR]
[\fB\-traditional\fR]
-[\fB\-v2 alg\fR]
-[\fB\-v2prf alg\fR]
-[\fB\-v1 alg\fR]
-[\fB\-engine id\fR]
+[\fB\-v2\fR \fIalg\fR]
+[\fB\-v2prf\fR \fIalg\fR]
+[\fB\-v1\fR \fIalg\fR]
[\fB\-scrypt\fR]
-[\fB\-scrypt_N N\fR]
-[\fB\-scrypt_r r\fR]
-[\fB\-scrypt_p p\fR]
+[\fB\-scrypt_N\fR \fIN\fR]
+[\fB\-scrypt_r\fR \fIr\fR]
+[\fB\-scrypt_p\fR \fIp\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle
+This command processes private keys in PKCS#8 format. It can handle
both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
.SH "OPTIONS"
@@ -180,42 +181,54 @@ Print out a usage message.
Normally a PKCS#8 private key is expected on input and a private key will be
written to the output file. With the \fB\-topk8\fR option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default
-format is \s-1PEM.\s0
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default
-format is \s-1PEM.\s0
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM, -outform DER|PEM"
+The input and formats; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is
+not used) then the input file must be in PKCS#8 format. An encrypted
+key is expected unless \fB\-nocrypt\fR is included.
+.Sp
+If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an
+unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is
+used then a traditional format private key is written instead.
+.Sp
+If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an
+unencrypted private key in traditional \s-1DER\s0 format.
+.Sp
+If \fB\-topk8\fR is used then any supported private key can be used for the input
+file in a format specified by \fB\-inform\fR. The output file will be encrypted
+PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR
+is included.
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
When this option is present and \fB\-topk8\fR is not a traditional format private
key is written.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passin arg, -passout arg"
+The password source for the input and output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
default. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
-.IP "\fB\-passout arg\fR" 4
-.IX Item "-passout arg"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-iter count\fR" 4
+.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
High values increase the time required to brute-force a PKCS#8 container.
+.IP "\fB\-noiter\fR" 4
+.IX Item "-noiter"
+When creating new PKCS#8 containers, use 1 as iteration count.
.IP "\fB\-nocrypt\fR" 4
.IX Item "-nocrypt"
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
@@ -224,25 +237,14 @@ this option an unencrypted PrivateKeyInfo structure is expected or output.
This option does not encrypt private keys at all and should only be used
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-v2 alg\fR" 4
+.IP "\fB\-v2\fR \fIalg\fR" 4
.IX Item "-v2 alg"
This option sets the PKCS#5 v2.0 algorithm.
.Sp
-The \fBalg\fR argument is the encryption algorithm to use, valid values include
+The \fIalg\fR argument is the encryption algorithm to use, valid values include
\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR
is used.
-.IP "\fB\-v2prf alg\fR" 4
+.IP "\fB\-v2prf\fR \fIalg\fR" 4
.IX Item "-v2prf alg"
This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value
value would be \fBhmacWithSHA256\fR. If this option isn't set then the default
@@ -250,46 +252,36 @@ for the cipher is used or \fBhmacWithSHA256\fR if there is no default.
.Sp
Some implementations may not support custom \s-1PRF\s0 algorithms and may require
the \fBhmacWithSHA1\fR option to work.
-.IP "\fB\-v1 alg\fR" 4
+.IP "\fB\-v1\fR \fIalg\fR" 4
.IX Item "-v1 alg"
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
.IP "\fB\-scrypt\fR" 4
.IX Item "-scrypt"
Uses the \fBscrypt\fR algorithm for private key encryption using default
parameters: currently N=16384, r=8 and p=1 and \s-1AES\s0 in \s-1CBC\s0 mode with a 256 bit
key. These parameters can be modified using the \fB\-scrypt_N\fR, \fB\-scrypt_r\fR,
\&\fB\-scrypt_p\fR and \fB\-v2\fR options.
-.IP "\fB\-scrypt_N N\fR \fB\-scrypt_r r\fR \fB\-scrypt_p p\fR" 4
-.IX Item "-scrypt_N N -scrypt_r r -scrypt_p p"
-Sets the scrypt \fBN\fR, \fBr\fR or \fBp\fR parameters.
-.SH "KEY FORMATS"
-.IX Header "KEY FORMATS"
-Various different formats are used by the pkcs8 utility. These are detailed
-below.
-.PP
-If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is
-not used) then the input file must be in PKCS#8 format. An encrypted
-key is expected unless \fB\-nocrypt\fR is included.
-.PP
-If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an
-unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is
-used then a traditional format private key is written instead.
-.PP
-If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an
-unencrypted private key in traditional \s-1DER\s0 format.
-.PP
-If \fB\-topk8\fR is used then any supported private key can be used for the input
-file in a format specified by \fB\-inform\fR. The output file will be encrypted
-PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR
-is included.
+.IP "\fB\-scrypt_N\fR \fIN\fR, \fB\-scrypt_r\fR \fIr\fR, \fB\-scrypt_p\fR \fIp\fR" 4
+.IX Item "-scrypt_N N, -scrypt_r r, -scrypt_p p"
+Sets the scrypt \fIN\fR, \fIr\fR or \fIp\fR parameters.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
@@ -299,21 +291,6 @@ Some older implementations do not support PKCS#5 v2.0 format and require
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit \s-1DES.\s0
.PP
-The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following
-headers and footers:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN ENCRYPTED PRIVATE KEY\-\-\-\-\-
-\& \-\-\-\-\-END ENCRYPTED PRIVATE KEY\-\-\-\-\-
-.Ve
-.PP
-The unencrypted form uses:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
-\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\-
-.Ve
-.PP
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
@@ -322,8 +299,8 @@ important the keys should be converted.
It is possible to write out \s-1DER\s0 encoded encrypted private keys in
PKCS#8 format because the encryption details are included at an \s-1ASN1\s0
level whereas the traditional format includes them at a \s-1PEM\s0 level.
-.SH "PKCS#5 v1.5 and PKCS#12 algorithms."
-.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms."
+.SH "PKCS#5 V1.5 AND PKCS#12 ALGORITHMS"
+.IX Header "PKCS#5 V1.5 AND PKCS#12 ALGORITHMS"
Various algorithms can be used with the \fB\-v1\fR command line option,
including PKCS#5 v1.5 and PKCS#12. These are described in more detail
below.
@@ -419,16 +396,21 @@ There should be an option that prints out the encryption algorithm
in use and other details such as the iteration count.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBdsa\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBgendsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-iter\fR option was added in OpenSSL 1.1.0.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/openssl-pkey.1
index 24b05dc44aaf..398ef5d56757 100644
--- a/secure/usr.bin/openssl/man/pkey.1
+++ b/secure/usr.bin/openssl/man/openssl-pkey.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,114 +130,166 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKEY 1"
-.TH PKEY 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKEY 1ossl"
+.TH OPENSSL-PKEY 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkey, pkey \- public or private key processing tool
+openssl\-pkey \- public or private key processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkey\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
-[\fB\-traditional\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-check\fR]
+[\fB\-pubcheck\fR]
+[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-pubin\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-\f(BIcipher\fB\fR]
+[\fB\-passout\fR \fIarg\fR]
+[\fB\-traditional\fR]
+[\fB\-pubout\fR]
+[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-text_pub\fR]
-[\fB\-noout\fR]
-[\fB\-pubin\fR]
-[\fB\-pubout\fR]
-[\fB\-engine id\fR]
-[\fB\-check\fR]
-[\fB\-pubcheck\fR]
+[\fB\-ec_conv_form\fR \fIarg\fR]
+[\fB\-ec_param_enc\fR \fIarg\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkey\fR command processes public or private keys. They can be converted
-between various forms and their components printed out.
+This command processes public or private keys. They can be
+converted between various forms and their components printed.
.SH "OPTIONS"
.IX Header "OPTIONS"
+.SS "General options"
+.IX Subsection "General options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
-option is not specified. If the key is encrypted a pass phrase will be
-prompted for.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-check\fR" 4
+.IX Item "-check"
+This option checks the consistency of a key pair for both public and private
+components.
+.IP "\fB\-pubcheck\fR" 4
+.IX Item "-pubcheck"
+This option checks the correctness of either a public key
+or the public component of a key pair.
+.SS "Input options"
+.IX Subsection "Input options"
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input to read a key from
+or standard input if this option is not specified.
+If the key input is encrypted and \fB\-passin\fR is not given
+a pass phrase will be prompted for.
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-inform DER|PEM|P12|ENGINE"
+The key input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
+The password source for the key input.
+.Sp
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+By default a private key is read from the input.
+With this option only the public components are read.
+.SS "Output options"
+.IX Subsection "Output options"
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
-This specifies the output filename to write a key to or standard output if this
-option is not specified. If any encryption options are set then a pass phrase
-will be prompted for. The output filename should \fBnot\fR be the same as the input
-filename.
-.IP "\fB\-passout password\fR" 4
-.IX Item "-passout password"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+This specifies the output filename to save the encoded and/or text output of key
+or standard output if this option is not specified.
+If any cipher option is set but no \fB\-passout\fR is given
+then a pass phrase will be prompted for.
+The output filename should \fBnot\fR be the same as the input filename.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-outform DER|PEM"
+The key output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-\f(BIcipher\fB\fR" 4
+.IX Item "-cipher"
+Encrypt the \s-1PEM\s0 encoded private key with the supplied cipher. Any algorithm
+name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBaes128\fR.
+Encryption is not supported for \s-1DER\s0 output.
+.IP "\fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passout arg"
+The password source for the output file.
+.Sp
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the \fB\-traditional\fR
option is specified then the older \*(L"traditional\*(R" format is used instead.
-.IP "\fB\-\f(BIcipher\fB\fR" 4
-.IX Item "-cipher"
-These options encrypt the private key with the supplied cipher. Any algorithm
-name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
+.IP "\fB\-pubout\fR" 4
+.IX Item "-pubout"
+By default the private and public key is output;
+this option restricts the output to the public components.
+This option is automatically set if the input is a public key.
+.Sp
+When combined with \fB\-text\fR, this is equivalent to \fB\-text_pub\fR.
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+Do not output the key in encoded form.
.IP "\fB\-text\fR" 4
.IX Item "-text"
-Prints out the various public or private key components in
-plain text in addition to the encoded version.
+Output the various key components in plain text
+(possibly in addition to the \s-1PEM\s0 encoded form).
+This cannot be combined with encoded output in \s-1DER\s0 format.
.IP "\fB\-text_pub\fR" 4
.IX Item "-text_pub"
-Print out only public key components even if a private key is being processed.
-.IP "\fB\-noout\fR" 4
-.IX Item "-noout"
-Do not output the encoded version of the key.
-.IP "\fB\-pubin\fR" 4
-.IX Item "-pubin"
-By default a private key is read from the input file: with this
-option a public key is read instead.
-.IP "\fB\-pubout\fR" 4
-.IX Item "-pubout"
-By default a private key is output: with this option a public
-key will be output instead. This option is automatically set if
-the input is a public key.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-check\fR" 4
-.IX Item "-check"
-This option checks the consistency of a key pair for both public and private
-components.
-.IP "\fB\-pubcheck\fR" 4
-.IX Item "-pubcheck"
-This option checks the correctness of either a public key or the public component
-of a key pair.
+Output in text form only the public key components (also for private keys).
+This cannot be combined with encoded output in \s-1DER\s0 format.
+.IP "\fB\-ec_conv_form\fR \fIarg\fR" 4
+.IX Item "-ec_conv_form arg"
+This option only applies to elliptic-curve based keys.
+.Sp
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: \fBcompressed\fR (the default
+value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding
+the point conversion forms please read the X9.62 standard.
+\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
+.IP "\fB\-ec_param_enc\fR \fIarg\fR" 4
+.IX Item "-ec_param_enc arg"
+This option only applies to elliptic curve based public and private keys.
+.Sp
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
+specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
+explicitly given (see \s-1RFC 3279\s0 for the definition of the
+\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
+\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
+is currently not implemented in OpenSSL.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-To remove the pass phrase on an \s-1RSA\s0 private key:
+To remove the pass phrase on a private key:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-out keyout.pem
@@ -274,15 +324,35 @@ To just output the public part of a private key:
.Vb 1
\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem
.Ve
+.PP
+To change the \s-1EC\s0 parameters encoding to \fBexplicit\fR:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-ec_param_enc explicit \-out keyout.pem
+.Ve
+.PP
+To change the \s-1EC\s0 point conversion form to \fBcompressed\fR:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-ec_conv_form compressed \-out keyout.pem
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBgenpkey\fR\|(1), \fBrsa\fR\|(1), \fBpkcs8\fR\|(1),
-\&\fBdsa\fR\|(1), \fBgenrsa\fR\|(1), \fBgendsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/openssl-pkeyparam.1
index 69dadd102080..770481f58795 100644
--- a/secure/usr.bin/openssl/man/pkeyparam.1
+++ b/secure/usr.bin/openssl/man/openssl-pkeyparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,38 +130,41 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKEYPARAM 1ossl"
+.TH OPENSSL-PKEYPARAM 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkeyparam, pkeyparam \- public key algorithm parameter processing tool
+openssl\-pkeyparam \- public key algorithm parameter processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyparam\fR
[\fB\-help\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
-[\fB\-engine id\fR]
[\fB\-check\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkeyparam\fR command processes public key algorithm parameters.
+This command processes public key algorithm parameters.
They can be checked for correctness and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write parameters to or standard output if
this option is not specified.
@@ -173,15 +174,22 @@ Prints out the parameters in plain text in addition to the encoded version.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Do not output the encoded version of the parameters.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the correctness of parameters.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out text version of parameters:
@@ -195,13 +203,21 @@ There are no \fB\-inform\fR or \fB\-outform\fR options for this command because
\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBgenpkey\fR\|(1), \fBrsa\fR\|(1), \fBpkcs8\fR\|(1),
-\&\fBdsa\fR\|(1), \fBgenrsa\fR\|(1), \fBgendsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/openssl-pkeyutl.1
index a6290d8becae..0f89bbf417f4 100644
--- a/secure/usr.bin/openssl/man/pkeyutl.1
+++ b/secure/usr.bin/openssl/man/openssl-pkeyutl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,26 +130,28 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PKEYUTL 1ossl"
+.TH OPENSSL-PKEYUTL 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-pkeyutl, pkeyutl \- public key algorithm utility
+openssl\-pkeyutl \- public key algorithm command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyutl\fR
[\fB\-help\fR]
-[\fB\-in file\fR]
-[\fB\-out file\fR]
-[\fB\-sigfile file\fR]
-[\fB\-inkey file\fR]
-[\fB\-keyform PEM|DER|ENGINE\fR]
-[\fB\-passin arg\fR]
-[\fB\-peerkey file\fR]
-[\fB\-peerform PEM|DER|ENGINE\fR]
+[\fB\-in\fR \fIfile\fR]
+[\fB\-rawin\fR]
+[\fB\-digest\fR \fIalgorithm\fR]
+[\fB\-out\fR \fIfile\fR]
+[\fB\-sigfile\fR \fIfile\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-peerkey\fR \fIfile\fR]
+[\fB\-peerform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-rev\fR]
@@ -161,51 +161,73 @@ openssl\-pkeyutl, pkeyutl \- public key algorithm utility
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-derive\fR]
-[\fB\-kdf algorithm\fR]
-[\fB\-kdflen length\fR]
-[\fB\-pkeyopt opt:value\fR]
+[\fB\-kdf\fR \fIalgorithm\fR]
+[\fB\-kdflen\fR \fIlength\fR]
+[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
+[\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
[\fB\-engine_impl\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-config\fR \fIconfigfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBpkeyutl\fR command can be used to perform low-level public key operations
-using any supported algorithm.
+This command can be used to perform low-level public key
+operations using any supported algorithm.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-rawin\fR" 4
+.IX Item "-rawin"
+This indicates that the input data is raw data, which is not hashed by any
+message digest algorithm. The user can specify a digest algorithm by using
+the \fB\-digest\fR option. This option can only be used with \fB\-sign\fR and
+\&\fB\-verify\fR and must be used with the Ed25519 and Ed448 algorithms.
+.IP "\fB\-digest\fR \fIalgorithm\fR" 4
+.IX Item "-digest algorithm"
+This specifies the digest algorithm which is used to hash the input data before
+signing or verifying it with the input key. This option could be omitted if the
+signature algorithm does not require one (for instance, EdDSA). If this option
+is omitted but the signature algorithm requires one, a default value will be
+used. For signature algorithms like \s-1RSA, DSA\s0 and \s-1ECDSA, SHA\-256\s0 will be the
+default digest algorithm. For \s-1SM2,\s0 it will be \s-1SM3.\s0 If this option is present,
+then the \fB\-rawin\fR option must be also specified.
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
-.IP "\fB\-sigfile file\fR" 4
+.IP "\fB\-sigfile\fR \fIfile\fR" 4
.IX Item "-sigfile file"
-Signature file, required for \fBverify\fR operations only
-.IP "\fB\-inkey file\fR" 4
-.IX Item "-inkey file"
-The input key file, by default it should be a private key.
-.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
-.IX Item "-keyform PEM|DER|ENGINE"
-The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0
-.IP "\fB\-passin arg\fR" 4
+Signature file, required for \fB\-verify\fR operations only
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
+The input key, by default it should be a private key.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The input key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-peerkey file\fR" 4
+The input key password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-peerkey\fR \fIfile\fR" 4
.IX Item "-peerkey file"
The peer key file, used by key derivation (agreement) operations.
-.IP "\fB\-peerform PEM|DER|ENGINE\fR" 4
-.IX Item "-peerform PEM|DER|ENGINE"
-The peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0
+.IP "\fB\-peerform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-peerform DER|PEM|P12|ENGINE"
+The peer key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
The input file is a public key.
@@ -236,20 +258,26 @@ Decrypt the input data using a private key.
.IP "\fB\-derive\fR" 4
.IX Item "-derive"
Derive a shared secret using the peer key.
-.IP "\fB\-kdf algorithm\fR" 4
+.IP "\fB\-kdf\fR \fIalgorithm\fR" 4
.IX Item "-kdf algorithm"
-Use key derivation function \fBalgorithm\fR. The supported algorithms are
+Use key derivation function \fIalgorithm\fR. The supported algorithms are
at present \fB\s-1TLS1\-PRF\s0\fR and \fB\s-1HKDF\s0\fR.
Note: additional parameters and the \s-1KDF\s0 output length will normally have to be
set for this to work.
See \fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3) and \fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3)
for the supported string parameters of each algorithm.
-.IP "\fB\-kdflen length\fR" 4
+.IP "\fB\-kdflen\fR \fIlength\fR" 4
.IX Item "-kdflen length"
Set the output length for \s-1KDF.\s0
-.IP "\fB\-pkeyopt opt:value\fR" 4
+.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
Public key options specified as opt:value. See \s-1NOTES\s0 below for more details.
+.IP "\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]" 4
+.IX Item "-pkeyopt_passin opt[:passarg]"
+Allows reading a public key option \fIopt\fR from stdin or a password source.
+If only \fIopt\fR is specified, the user will be prompted to enter a password on
+stdin. Alternatively, \fIpassarg\fR can be specified which can be any value
+supported by \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
hex dump the output data.
@@ -257,64 +285,63 @@ hex dump the output data.
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data, this is useful when combined with the
\&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
.IP "\fB\-engine_impl\fR" 4
.IX Item "-engine_impl"
When used with the \fB\-engine\fR option, it specifies to also use
-engine \fBid\fR for crypto operations.
+engine \fIid\fR for crypto operations.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
+.IX Item "-config configfile"
+See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.SH "NOTES"
.IX Header "NOTES"
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
.PP
-Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option
+Unless otherwise mentioned all algorithms support the \fBdigest:\fR\fIalg\fR option
which specifies the digest in use for sign, verify and verifyrecover operations.
-The value \fBalg\fR should represent a digest name as used in the
+The value \fIalg\fR should represent a digest name as used in the
\&\fBEVP_get_digestbyname()\fR function for example \fBsha1\fR. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
-lengths of data passed in to the \fBpkeyutl\fR and for creating the structures that
-make up the signature (e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
+lengths of data passed in and for creating the structures that make up the
+signature (e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
.PP
-This utility does not hash the input data but rather it will use the data
-directly as input to the signature algorithm. Depending on the key type,
-signature type, and mode of padding, the maximum acceptable lengths of input
-data differ. The signed data can't be longer than the key modulus with \s-1RSA.\s0 In
-case of \s-1ECDSA\s0 and \s-1DSA\s0 the data shouldn't be longer than the field
-size, otherwise it will be silently truncated to the field size. In any event
-the input size must not be larger than the largest supported digest size.
+This command does not hash the input data (except where \-rawin is used) but
+rather it will use the data directly as input to the signature algorithm.
+Depending on the key type, signature type, and mode of padding, the maximum
+acceptable lengths of input data differ. The signed data can't be longer than
+the key modulus with \s-1RSA.\s0 In case of \s-1ECDSA\s0 and \s-1DSA\s0 the data shouldn't be longer
+than the field size, otherwise it will be silently truncated to the field size.
+In any event the input size must not be larger than the largest supported digest
+size.
.PP
In other words, if the value of digest is \fBsha1\fR the input should be the 20
bytes long binary encoding of the \s-1SHA\-1\s0 hash function output.
-.PP
-The Ed25519 and Ed448 signature algorithms are not supported by this utility.
-They accept non-hashed input, but this utility can only be used to sign hashed
-input.
.SH "RSA ALGORITHM"
.IX Header "RSA ALGORITHM"
The \s-1RSA\s0 algorithm generally supports the encrypt, decrypt, sign,
verify and verifyrecover operations. However, some padding modes
support only a subset of these operations. The following additional
\&\fBpkeyopt\fR values are supported:
-.IP "\fBrsa_padding_mode:mode\fR" 4
+.IP "\fBrsa_padding_mode:\fR\fImode\fR" 4
.IX Item "rsa_padding_mode:mode"
-This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for
-PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR
+This sets the \s-1RSA\s0 padding mode. Acceptable values for \fImode\fR are \fBpkcs1\fR for
+PKCS#1 padding, \fBnone\fR for no padding, \fBoaep\fR
for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0
.Sp
In PKCS#1 padding if the message digest is not set then the supplied data is
@@ -330,14 +357,14 @@ verify and verifyrecover are can be performed in this mode.
.Sp
For \fBpss\fR mode only sign and verify are supported and the digest type must be
specified.
-.IP "\fBrsa_pss_saltlen:len\fR" 4
+.IP "\fBrsa_pss_saltlen:\fR\fIlen\fR" 4
.IX Item "rsa_pss_saltlen:len"
For \fBpss\fR mode only this option specifies the salt length. Three special
-values are supported: \*(L"digest\*(R" sets the salt length to the digest length,
-\&\*(L"max\*(R" sets the salt length to the maximum permissible value. When verifying
-\&\*(L"auto\*(R" causes the salt length to be automatically determined based on the
+values are supported: \fBdigest\fR sets the salt length to the digest length,
+\&\fBmax\fR sets the salt length to the maximum permissible value. When verifying
+\&\fBauto\fR causes the salt length to be automatically determined based on the
\&\fB\s-1PSS\s0\fR block structure.
-.IP "\fBrsa_mgf1_md:digest\fR" 4
+.IP "\fBrsa_mgf1_md:\fR\fIdigest\fR" 4
.IX Item "rsa_mgf1_md:digest"
For \s-1PSS\s0 and \s-1OAEP\s0 padding sets the \s-1MGF1\s0 digest. If the \s-1MGF1\s0 digest is not
explicitly set in \s-1PSS\s0 mode then the signing digest is used.
@@ -349,8 +376,8 @@ Sets the digest used for the \s-1OAEP\s0 hash function. If not explicitly set th
.IX Header "RSA-PSS ALGORITHM"
The RSA-PSS algorithm is a restricted version of the \s-1RSA\s0 algorithm which only
supports the sign and verify operations with \s-1PSS\s0 padding. The following
-additional \fBpkeyopt\fR values are supported:
-.IP "\fBrsa_padding_mode:mode\fR, \fBrsa_pss_saltlen:len\fR, \fBrsa_mgf1_md:digest\fR" 4
+additional \fB\-pkeyopt\fR values are supported:
+.IP "\fBrsa_padding_mode:\fR\fImode\fR, \fBrsa_pss_saltlen:\fR\fIlen\fR, \fBrsa_mgf1_md:\fR\fIdigest\fR" 4
.IX Item "rsa_padding_mode:mode, rsa_pss_saltlen:len, rsa_mgf1_md:digest"
These have the same meaning as the \fB\s-1RSA\s0\fR algorithm with some additional
restrictions. The padding mode can only be set to \fBpss\fR which is the
@@ -374,10 +401,37 @@ The \s-1DH\s0 algorithm only supports the derivation operation and no additional
The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and
verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH. SHA1\s0 is assumed by default for
the \fB\-pkeyopt\fR \fBdigest\fR option.
-.SH "X25519 and X448 ALGORITHMS"
-.IX Header "X25519 and X448 ALGORITHMS"
+.SH "X25519 AND X448 ALGORITHMS"
+.IX Header "X25519 AND X448 ALGORITHMS"
The X25519 and X448 algorithms support key derivation only. Currently there are
no additional options.
+.SH "ED25519 AND ED448 ALGORITHMS"
+.IX Header "ED25519 AND ED448 ALGORITHMS"
+These algorithms only support signing and verifying. OpenSSL only implements the
+\&\*(L"pure\*(R" variants of these algorithms so raw data can be passed directly to them
+without hashing them first. The option \fB\-rawin\fR must be used with these
+algorithms with no \fB\-digest\fR specified. Additionally OpenSSL only supports
+\&\*(L"oneshot\*(R" operation with these algorithms. This means that the entire file to
+be signed/verified must be read into memory before processing it. Signing or
+Verifying very large files should be avoided. Additionally the size of the file
+must be known for this to work. If the size of the file cannot be determined
+(for example if the input is stdin) then the sign or verify operation will fail.
+.SH "SM2"
+.IX Header "SM2"
+The \s-1SM2\s0 algorithm supports sign, verify, encrypt and decrypt operations. For
+the sign and verify operations, \s-1SM2\s0 requires an Distinguishing \s-1ID\s0 string to
+be passed in. The following \fB\-pkeyopt\fR value is supported:
+.IP "\fBdistid:\fR\fIstring\fR" 4
+.IX Item "distid:string"
+This sets the \s-1ID\s0 string used in \s-1SM2\s0 sign or verify operations. While verifying
+an \s-1SM2\s0 signature, the \s-1ID\s0 string must be the same one used when signing the data.
+Otherwise the verification will fail.
+.IP "\fBhexdistid:\fR\fIhex_string\fR" 4
+.IX Item "hexdistid:hex_string"
+This sets the \s-1ID\s0 string used in \s-1SM2\s0 sign or verify operations. While verifying
+an \s-1SM2\s0 signature, the \s-1ID\s0 string must be the same one used when signing the data.
+Otherwise the verification will fail. The \s-1ID\s0 string provided with this option
+should be a valid hexadecimal value.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Sign some data using a private key:
@@ -418,6 +472,34 @@ seed consisting of the single byte 0xFF:
\& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump
.Ve
.PP
+Derive a key using \fBscrypt\fR where the password is read from command line:
+.PP
+.Vb 2
+\& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass \e
+\& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
+.Ve
+.PP
+Derive using the same algorithm, but read key from environment variable \s-1MYPASS:\s0
+.PP
+.Vb 2
+\& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass:env:MYPASS \e
+\& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
+.Ve
+.PP
+Sign some data using an \s-1\fBSM2\s0\fR\|(7) private key and a specific \s-1ID:\s0
+.PP
+.Vb 2
+\& openssl pkeyutl \-sign \-in file \-inkey sm2.key \-out sig \-rawin \-digest sm3 \e
+\& \-pkeyopt distid:someid
+.Ve
+.PP
+Verify some data using an \s-1\fBSM2\s0\fR\|(7) certificate and a specific \s-1ID:\s0
+.PP
+.Vb 2
+\& openssl pkeyutl \-verify \-certin \-in file \-inkey sm2.cert \-sigfile sig \e
+\& \-rawin \-digest sm3 \-pkeyopt distid:someid
+.Ve
+.PP
Decrypt some data using a private key with \s-1OAEP\s0 padding using \s-1SHA256:\s0
.PP
.Vb 2
@@ -426,14 +508,24 @@ Decrypt some data using a private key with \s-1OAEP\s0 padding using \s-1SHA256:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBgenpkey\fR\|(1), \fBpkey\fR\|(1), \fBrsautl\fR\|(1)
-\&\fBdgst\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3), \fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-rsautl\fR\|(1)
+\&\fBopenssl\-dgst\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-kdf\fR\|(1)
+\&\fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3),
+\&\fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3),
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/prime.1 b/secure/usr.bin/openssl/man/openssl-prime.1
index 24cc7fd1c0f8..a7b55f477e09 100644
--- a/secure/usr.bin/openssl/man/prime.1
+++ b/secure/usr.bin/openssl/man/openssl-prime.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,58 +130,69 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "PRIME 1"
-.TH PRIME 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-PRIME 1ossl"
+.TH OPENSSL-PRIME 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-prime, prime \- compute prime numbers
+openssl\-prime \- compute prime numbers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl prime\fR
[\fB\-help\fR]
[\fB\-hex\fR]
[\fB\-generate\fR]
-[\fB\-bits\fR]
+[\fB\-bits\fR \fInum\fR]
[\fB\-safe\fR]
-[\fB\-checks\fR]
-[\fInumber...\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-checks\fR \fInum\fR]
+[\fInumber\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBprime\fR command checks if the specified numbers are prime.
+This command checks if the specified numbers are prime.
.PP
If no numbers are given on the command line, the \fB\-generate\fR flag should
be used to generate primes according to the requirements specified by the
rest of the flags.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.IP "[\fB\-help\fR]" 4
-.IX Item "[-help]"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
Display an option summary.
-.IP "[\fB\-hex\fR]" 4
-.IX Item "[-hex]"
+.IP "\fB\-hex\fR" 4
+.IX Item "-hex"
Generate hex output.
-.IP "[\fB\-generate\fR]" 4
-.IX Item "[-generate]"
+.IP "\fB\-generate\fR" 4
+.IX Item "-generate"
Generate a prime number.
-.IP "[\fB\-bits num\fR]" 4
-.IX Item "[-bits num]"
-Generate a prime with \fBnum\fR bits.
-.IP "[\fB\-safe\fR]" 4
-.IX Item "[-safe]"
+.IP "\fB\-bits\fR \fInum\fR" 4
+.IX Item "-bits num"
+Generate a prime with \fInum\fR bits.
+.IP "\fB\-safe\fR" 4
+.IX Item "-safe"
When used with \fB\-generate\fR, generates a \*(L"safe\*(R" prime. If the number
-generated is \fBn\fR, then check that \fB(n\-1)/2\fR is also prime.
-.IP "[\fB\-checks num\fR]" 4
-.IX Item "[-checks num]"
-Perform the checks \fBnum\fR times to see that the generated number
-is prime. The default is 20.
+generated is \fIn\fR, then check that \f(CW\*(C`(\f(CIn\f(CW\-1)/2\*(C'\fR is also prime.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-checks\fR \fInum\fR" 4
+.IX Item "-checks num"
+This parameter is ignored.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/openssl-rand.1
index 49297f5525f0..d27374cddfb9 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/openssl-rand.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,23 +130,27 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "RAND 1"
-.TH RAND 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-RAND 1ossl"
+.TH OPENSSL-RAND 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-rand, rand \- generate pseudo\-random bytes
+openssl\-rand \- generate pseudo\-random bytes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl rand\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfile\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
[\fB\-base64\fR]
[\fB\-hex\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
\&\fInum\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -159,56 +161,51 @@ The random bytes are generated using the \fBRAND_bytes\fR\|(3) function,
which provides a security level of 256 bits, provided it managed to
seed itself successfully from a trusted operating system entropy source.
Otherwise, the command will fail with a nonzero error code.
-For more details, see \fBRAND_bytes\fR\|(3), \s-1\fBRAND\s0\fR\|(7), and \s-1\fBRAND_DRBG\s0\fR\|(7).
+For more details, see \fBRAND_bytes\fR\|(3), \s-1\fBRAND\s0\fR\|(7), and \s-1\fBEVP_RAND\s0\fR\|(7).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out file\fR" 4
+.IP "\fB\-out\fR \fIfile\fR" 4
.IX Item "-out file"
Write to \fIfile\fR instead of standard output.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-Explicitly specifying a seed file is in general not necessary, see the
-\&\*(L"\s-1NOTES\*(R"\s0 section for more information.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-base64\fR" 4
.IX Item "-base64"
Perform base64 encoding on the output.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Show the output as a hex string.
-.SH "NOTES"
-.IX Header "NOTES"
-Prior to OpenSSL 1.1.1, it was common for applications to store information
-about the state of the random-number generator in a file that was loaded
-at startup and rewritten upon exit. On modern operating systems, this is
-generally no longer necessary as OpenSSL will seed itself from a trusted
-entropy source provided by the operating system. The \fB\-rand\fR and
-\&\fB\-writerand\fR flags are still supported for special platforms or
-circumstances that might require them.
-.PP
-It is generally an error to use the same seed file more than once and
-every use of \fB\-rand\fR should be paired with \fB\-writerand\fR.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
\&\fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
-\&\s-1\fBRAND_DRBG\s0\fR\|(7)
+\&\s-1\fBEVP_RAND\s0\fR\|(7)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-rehash.1 b/secure/usr.bin/openssl/man/openssl-rehash.1
new file mode 100644
index 000000000000..7edfe617edd3
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-rehash.1
@@ -0,0 +1,279 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-REHASH 1ossl"
+.TH OPENSSL-REHASH 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-rehash, c_rehash \- Create symbolic links to files named by the hash
+values
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fBrehash\fR
+[\fB\-h\fR]
+[\fB\-help\fR]
+[\fB\-old\fR]
+[\fB\-compat\fR]
+[\fB\-n\fR]
+[\fB\-v\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIdirectory\fR] ...
+.PP
+\&\fBc_rehash\fR
+[\fB\-h\fR]
+[\fB\-help\fR]
+[\fB\-old\fR]
+[\fB\-n\fR]
+[\fB\-v\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIdirectory\fR] ...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is generally equivalent to the external
+script \fBc_rehash\fR,
+except for minor differences noted below.
+.PP
+\&\fBopenssl rehash\fR scans directories and calculates a hash value of
+each \fI.pem\fR, \fI.crt\fR, \fI.cer\fR, or \fI.crl\fR
+file in the specified directory list and creates symbolic links
+for each file, where the name of the link is the hash value.
+(If the platform does not support symbolic links, a copy is made.)
+This command is useful as many programs that use OpenSSL require
+directories to be set up like this in order to find certificates.
+.PP
+If any directories are named on the command line, then those are
+processed in turn. If not, then the \fB\s-1SSL_CERT_DIR\s0\fR environment variable
+is consulted; this should be a colon-separated list of directories,
+like the Unix \fB\s-1PATH\s0\fR variable.
+If that is not set then the default directory (installation-specific
+but often \fI/etc/ssl/certs\fR) is processed.
+.PP
+In order for a directory to be processed, the user must have write
+permissions on that directory, otherwise an error will be generated.
+.PP
+The links created are of the form \fI\s-1HHHHHHHH.D\s0\fR, where each \fIH\fR
+is a hexadecimal character and \fID\fR is a single decimal digit.
+When a directory is processed, all links in it that have a name
+in that syntax are first removed, even if they are being used for
+some other purpose.
+To skip the removal step, use the \fB\-n\fR flag.
+Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after
+the period, like this: \fI\s-1HHHHHHHH.\s0\fR\fBr\fR\fID\fR.
+.PP
+Multiple objects may have the same hash; they will be indicated by
+incrementing the \fID\fR value. Duplicates are found by comparing the
+full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate
+is found.
+.PP
+A warning will also be displayed if there are files that
+cannot be parsed as either a certificate or a \s-1CRL\s0 or if
+more than one such object appears in the file.
+.SS "Script Configuration"
+.IX Subsection "Script Configuration"
+The \fBc_rehash\fR script
+uses the \fBopenssl\fR program to compute the hashes and
+fingerprints. If not found in the user's \fB\s-1PATH\s0\fR, then set the
+\&\fB\s-1OPENSSL\s0\fR environment variable to the full pathname.
+Any program can be used, it will be invoked as follows for either
+a certificate or \s-1CRL:\s0
+.PP
+.Vb 2
+\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FILENAME
+\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FILENAME
+.Ve
+.PP
+where \fI\s-1FILENAME\s0\fR is the filename. It must output the hash of the
+file on the first line, and the fingerprint on the second,
+optionally prefixed with some text and an equals sign.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR \fB\-h\fR" 4
+.IX Item "-help -h"
+Display a brief usage message.
+.IP "\fB\-old\fR" 4
+.IX Item "-old"
+Use old-style hashing (\s-1MD5,\s0 as opposed to \s-1SHA\-1\s0) for generating
+links to be used for releases before 1.0.0.
+Note that current versions will not use the old style.
+.IP "\fB\-n\fR" 4
+.IX Item "-n"
+Do not remove existing links.
+This is needed when keeping new and old-style links in the same directory.
+.IP "\fB\-compat\fR" 4
+.IX Item "-compat"
+Generate links for both old-style (\s-1MD5\s0) and new-style (\s-1SHA1\s0) hashing.
+This allows releases before 1.0.0 to use these links along-side newer
+releases.
+.IP "\fB\-v\fR" 4
+.IX Item "-v"
+Print messages about old links removed and new links created.
+By default, this command only lists each directory as it is processed.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+.IP "\fB\s-1OPENSSL\s0\fR" 4
+.IX Item "OPENSSL"
+The path to an executable to use to generate hashes and
+fingerprints (see above).
+.IP "\fB\s-1SSL_CERT_DIR\s0\fR" 4
+.IX Item "SSL_CERT_DIR"
+Colon separated list of directories to operate on.
+Ignored if directories are listed on the command line.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-crl\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1)
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/openssl-req.1
index d4555c4b4fe4..1a5d3263c608 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/openssl-req.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,120 +130,130 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "REQ 1"
-.TH REQ 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-REQ 1ossl"
+.TH OPENSSL-REQ 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-req, req \- PKCS#10 certificate request and certificate generating utility
+openssl\-req \- PKCS#10 certificate request and certificate generating command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBreq\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-text\fR]
[\fB\-pubkey\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
[\fB\-modulus\fR]
[\fB\-new\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-newkey rsa:bits\fR]
-[\fB\-newkey alg:file\fR]
+[\fB\-newkey\fR \fIarg\fR]
+[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
+[\fB\-noenc\fR]
[\fB\-nodes\fR]
-[\fB\-key filename\fR]
-[\fB\-keyform PEM|DER\fR]
-[\fB\-keyout filename\fR]
-[\fB\-keygen_engine id\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-keyout\fR \fIfilename\fR]
+[\fB\-keygen_engine\fR \fIid\fR]
[\fB\-\f(BIdigest\fB\fR]
-[\fB\-config filename\fR]
-[\fB\-multivalue\-rdn\fR]
+[\fB\-config\fR \fIfilename\fR]
+[\fB\-section\fR \fIname\fR]
[\fB\-x509\fR]
-[\fB\-days n\fR]
-[\fB\-set_serial n\fR]
+[\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-days\fR \fIn\fR]
+[\fB\-set_serial\fR \fIn\fR]
[\fB\-newhdr\fR]
-[\fB\-addext ext\fR]
-[\fB\-extensions section\fR]
-[\fB\-reqexts section\fR]
+[\fB\-copy_extensions\fR \fIarg\fR]
+[\fB\-addext\fR \fIext\fR]
+[\fB\-extensions\fR \fIsection\fR]
+[\fB\-reqexts\fR \fIsection\fR]
[\fB\-precert\fR]
[\fB\-utf8\fR]
-[\fB\-nameopt\fR]
[\fB\-reqopt\fR]
[\fB\-subject\fR]
-[\fB\-subj arg\fR]
-[\fB\-sigopt nm:v\fR]
+[\fB\-subj\fR \fIarg\fR]
+[\fB\-multivalue\-rdn\fR]
+[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
+[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-batch\fR]
[\fB\-verbose\fR]
-[\fB\-engine id\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBreq\fR command primarily creates and processes certificate requests
-in PKCS#10 format. It can additionally create self signed certificates
+This command primarily creates and processes certificate requests (CSRs)
+in PKCS#10 format. It can additionally create self-signed certificates
for use as root CAs for example.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
-consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
-footer lines.
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM, -outform DER|PEM"
+The input and output formats; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+The data is a PKCS#10 object.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
-.IP "\fB\-sigopt nm:v\fR" 4
+This specifies the input filename to read a request from.
+This defaults to standard input unless \fB\-x509\fR or \fB\-CA\fR is specified.
+A request is only read if the creation options
+(\fB\-new\fR or \fB\-newkey\fR or \fB\-precert\fR) are not specified.
+.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
-Pass options to the signature algorithm during sign or verify operations.
+Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-vfyopt nm:v"
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write to or standard output by
-default.
-.IP "\fB\-passout arg\fR" 4
+The password source for private key and certificate input.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+The password source for the output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write to or standard output by default.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the certificate request in text form.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
-Prints out the request subject (or certificate subject if \fB\-x509\fR is
-specified)
+Prints out the certificate request subject
+(or certificate subject if \fB\-x509\fR is in use).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
-Outputs the public key.
+Prints out the public key.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
-This option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the certificate request.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
-This option prints out the value of the modulus of the public key
-contained in the request.
+Prints out the value of the modulus of the public key contained in the request.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
-Verifies the signature on the request.
+Verifies the self-signature on the request.
.IP "\fB\-new\fR" 4
.IX Item "-new"
This option generates a new certificate request. It will prompt
@@ -253,66 +261,80 @@ the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
.Sp
-If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
-key using information specified in the configuration file.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-newkey arg\fR" 4
+If the \fB\-key\fR option is not given it will generate a new private key
+using information specified in the configuration file or given with
+the \fB\-newkey\fR and \fB\-pkeyopt\fR options,
+else by default an \s-1RSA\s0 key with 2048 bits length.
+.IP "\fB\-newkey\fR \fIarg\fR" 4
.IX Item "-newkey arg"
-This option creates a new certificate request and a new private
-key. The argument takes one of several forms. \fBrsa:nbits\fR, where
-\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
-in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified,
-the default key size, specified in the configuration file is used.
+This option is used to generate a new private key unless \fB\-key\fR is given.
+It is subsequently used as if it was given using the \fB\-key\fR option.
.Sp
-All other algorithms support the \fB\-newkey alg:file\fR form, where file may be
-an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command
-or and X.509 certificate for a key with appropriate algorithm.
+This option implies the \fB\-new\fR flag to create a new certificate request
+or a new certificate in case \fB\-x509\fR is given.
.Sp
-\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR,
-the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm
-\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an
-error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters,
-if necessary should be specified via \fB\-pkeyopt\fR parameter.
+The argument takes one of several forms.
.Sp
-\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
-in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with
-\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST R
-34.10\-2001\s0 key (requires \fBccgost\fR engine configured in the configuration
+[\fBrsa:\fR]\fInbits\fR generates an \s-1RSA\s0 key \fInbits\fR in size.
+If \fInbits\fR is omitted, i.e., \fB\-newkey\fR \fBrsa\fR is specified,
+the default key size specified in the configuration file
+with the \fBdefault_bits\fR option is used if present, else 2048.
+.Sp
+All other algorithms support the \fB\-newkey\fR \fIalgname\fR:\fIfile\fR form, where
+\&\fIfile\fR is an algorithm parameter file, created with \f(CW\*(C`openssl genpkey \-genparam\*(C'\fR
+or an X.509 certificate for a key with appropriate algorithm.
+.Sp
+\&\fBparam:\fR\fIfile\fR generates a key using the parameter file or certificate
+\&\fIfile\fR, the algorithm is determined by the parameters.
+.Sp
+\&\fIalgname\fR[:\fIfile\fR] generates a key using the given algorithm \fIalgname\fR.
+If a parameter file \fIfile\fR is given then the parameters specified there
+are used, where the algorithm parameters must match \fIalgname\fR.
+If algorithm parameters are not given,
+any necessary parameters should be specified via the \fB\-pkeyopt\fR option.
+.Sp
+\&\fBdsa:\fR\fIfilename\fR generates a \s-1DSA\s0 key using the parameters
+in the file \fIfilename\fR. \fBec:\fR\fIfilename\fR generates \s-1EC\s0 key (usable both with
+\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:\fR\fIfilename\fR generates \s-1GOST R
+34.10\-2001\s0 key (requires \fBgost\fR engine configured in the configuration
file). If just \fBgost2001\fR is specified a parameter set should be
-specified by \fB\-pkeyopt paramset:X\fR
-.IP "\fB\-pkeyopt opt:value\fR" 4
+specified by \fB\-pkeyopt\fR \fIparamset:X\fR
+.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
-Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
+Set the public key algorithm option \fIopt\fR to \fIvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page
-for more details.
-.IP "\fB\-key filename\fR" 4
-.IX Item "-key filename"
-This specifies the file to read the private key from. It also
-accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
-.IP "\fB\-keyform PEM|DER\fR" 4
-.IX Item "-keyform PEM|DER"
-The format of the private key file specified in the \fB\-key\fR
-argument. \s-1PEM\s0 is the default.
-.IP "\fB\-keyout filename\fR" 4
+implementation.
+See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 in \fBopenssl\-genpkey\fR\|(1) for more details.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless \fB\-in\fR is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+.Sp
+For certificate signing this option is overridden by the \fB\-CA\fR option.
+.Sp
+This option also accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The format of the private key; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-keyout\fR \fIfilename\fR" 4
.IX Item "-keyout filename"
-This gives the filename to write the newly created private key to.
-If this option is not specified then the filename present in the
-configuration file is used.
-.IP "\fB\-nodes\fR" 4
-.IX Item "-nodes"
+This gives the filename to write any private key to that has been newly created
+or read from \fB\-key\fR. If neither the \fB\-keyout\fR option nor the \fB\-key\fR option
+are given then the filename specified in the configuration file with the
+\&\fBdefault_keyfile\fR option is used, if present. Thus, if you want to write the
+private key and the \fB\-key\fR option is provided, you should provide the
+\&\fB\-keyout\fR option explicitly. If a new key is generated and no filename is
+specified the key is written to standard output.
+.IP "\fB\-noenc\fR" 4
+.IX Item "-noenc"
If this option is specified then if a private key is created it
will not be encrypted.
+.IP "\fB\-nodes\fR" 4
+.IX Item "-nodes"
+This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This specifies the message digest to sign the request.
@@ -323,63 +345,99 @@ the configuration file.
Some public key algorithms may override this choice. For instance, \s-1DSA\s0
signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest.
-.IP "\fB\-config filename\fR" 4
+.IP "\fB\-config\fR \fIfilename\fR" 4
.IX Item "-config filename"
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
-.IP "\fB\-subj arg\fR" 4
+.IP "\fB\-section\fR \fIname\fR" 4
+.IX Item "-section name"
+Specifies the name of the section to use; the default is \fBreq\fR.
+.IP "\fB\-subj\fR \fIarg\fR" 4
.IX Item "-subj arg"
Sets subject name for new request or supersedes the subject name
-when processing a request.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
-Keyword characters may be escaped by \e (backslash), and whitespace is retained.
+when processing a certificate request.
+.Sp
+The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
+Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+.Sp
+\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
-This option causes the \-subj argument to be interpreted with full
-support for multivalued RDNs. Example:
-.Sp
-\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR
-.Sp
-If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR.
+This option has been deprecated and has no effect.
.IP "\fB\-x509\fR" 4
.IX Item "-x509"
-This option outputs a self signed certificate instead of a certificate
-request. This is typically used to generate a test certificate or
-a self signed root \s-1CA.\s0 The extensions added to the certificate
-(if any) are specified in the configuration file. Unless specified
-using the \fBset_serial\fR option, a large random number will be used for
-the serial number.
+This option outputs a certificate instead of a certificate request.
+This is typically used to generate test certificates.
+It is implied by the \fB\-CA\fR option.
.Sp
-If existing request is specified with the \fB\-in\fR option, it is converted
-to the self signed certificate otherwise new request is created.
-.IP "\fB\-days n\fR" 4
+This option implies the \fB\-new\fR flag if \fB\-in\fR is not given.
+.Sp
+If an existing request is specified with the \fB\-in\fR option, it is converted
+to the a certificate; otherwise a request is created from scratch.
+.Sp
+Unless specified using the \fB\-set_serial\fR option,
+a large random number will be used for the serial number.
+.Sp
+Unless the \fB\-copy_extensions\fR option is used,
+X.509 extensions are not copied from any provided request input file.
+.Sp
+X.509 extensions to be added can be specified in the configuration file
+or using the \fB\-addext\fR option.
+.IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-CA filename|uri"
+Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing a new certificate
+and implies use of \fB\-x509\fR.
+When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
+The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
+certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as specified below.
+.IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-CAkey filename|uri"
+Sets the \*(L"\s-1CA\*(R"\s0 private key to sign a certificate with.
+The private key must match the public key of the certificate given with \fB\-CA\fR.
+If this option is not provided then the key must be present in the \fB\-CA\fR input.
+.IP "\fB\-days\fR \fIn\fR" 4
.IX Item "-days n"
-When the \fB\-x509\fR option is being used this specifies the number of
-days to certify the certificate for, otherwise it is ignored. \fBn\fR should
+When \fB\-x509\fR is in use this specifies the number of
+days to certify the certificate for, otherwise it is ignored. \fIn\fR should
be a positive integer. The default is 30 days.
-.IP "\fB\-set_serial n\fR" 4
+.IP "\fB\-set_serial\fR \fIn\fR" 4
.IX Item "-set_serial n"
-Serial number to use when outputting a self signed certificate. This
-may be specified as a decimal value or a hex value if preceded by \fB0x\fR.
-.IP "\fB\-addext ext\fR" 4
+Serial number to use when outputting a self-signed certificate.
+This may be specified as a decimal value or a hex value if preceded by \f(CW\*(C`0x\*(C'\fR.
+If not given, a large random number will be used.
+.IP "\fB\-copy_extensions\fR \fIarg\fR" 4
+.IX Item "-copy_extensions arg"
+Determines how X.509 extensions in certificate requests should be handled
+when \fB\-x509\fR is in use.
+If \fIarg\fR is \fBnone\fR or this option is not present then extensions are ignored.
+If \fIarg\fR is \fBcopy\fR or \fBcopyall\fR then
+all extensions in the request are copied to the certificate.
+.Sp
+The main use of this option is to allow a certificate request to supply
+values for certain extensions such as subjectAltName.
+.IP "\fB\-addext\fR \fIext\fR" 4
.IX Item "-addext ext"
-Add a specific extension to the certificate (if the \fB\-x509\fR option is
-present) or certificate request. The argument must have the form of
+Add a specific extension to the certificate (if \fB\-x509\fR is in use)
+or certificate request. The argument must have the form of
a key=value pair as it would appear in a config file.
.Sp
This option can be given multiple times.
-.IP "\fB\-extensions section\fR" 4
+.IP "\fB\-extensions\fR \fIsection\fR" 4
.IX Item "-extensions section"
.PD 0
-.IP "\fB\-reqexts section\fR" 4
+.IP "\fB\-reqexts\fR \fIsection\fR" 4
.IX Item "-reqexts section"
.PD
These options specify alternative sections to include certificate
-extensions (if the \fB\-x509\fR option is present) or certificate
-request extensions. This allows several different sections to
+extensions (if \fB\-x509\fR is in use) or certificate request extensions.
+This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.
.IP "\fB\-precert\fR" 4
@@ -397,18 +455,12 @@ This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
default they are interpreted as \s-1ASCII.\s0 This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fBx509\fR\|(1) manual page for details.
-.IP "\fB\-reqopt\fR" 4
-.IX Item "-reqopt"
-Customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
+.IP "\fB\-reqopt\fR \fIoption\fR" 4
+.IX Item "-reqopt option"
+Customise the printing format used with \fB\-text\fR. The \fIoption\fR argument can be
a single option or multiple options separated by commas.
.Sp
-See discussion of the \fB\-certopt\fR parameter in the \fBx509\fR\|(1)
+See discussion of the \fB\-certopt\fR parameter in the \fBopenssl\-x509\fR\|(1)
command.
.IP "\fB\-newhdr\fR" 4
.IX Item "-newhdr"
@@ -420,26 +472,42 @@ Non-interactive mode.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-keygen_engine id\fR" 4
+.IP "\fB\-keygen_engine\fR \fIid\fR" 4
.IX Item "-keygen_engine id"
-Specifies an engine (by its unique \fBid\fR string) which would be used
+Specifies an engine (by its unique \fIid\fR string) which would be used
for key generation operations.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "CONFIGURATION FILE FORMAT"
.IX Header "CONFIGURATION FILE FORMAT"
The configuration options are specified in the \fBreq\fR section of
-the configuration file. As with all configuration files if no
-value is specified in the specific section (i.e. \fBreq\fR) then
+the configuration file. An alternate name be specified by using the
+\&\fB\-section\fR option.
+As with all configuration files, if no
+value is specified in the specific section then
the initial unnamed or \fBdefault\fR section is searched too.
.PP
The options available are described in detail below.
-.IP "\fBinput_password output_password\fR" 4
-.IX Item "input_password output_password"
+.IP "\fBinput_password\fR, \fBoutput_password\fR" 4
+.IX Item "input_password, output_password"
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
command line options \fBpassin\fR and \fBpassout\fR override the
@@ -461,8 +529,8 @@ overridden by the \fB\-keyout\fR option.
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
-object identifier followed by white space then the short name followed
-by white space and finally the long name.
+object identifier followed by whitespace then the short name followed
+by whitespace and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
@@ -477,7 +545,7 @@ It is used for private key generation.
.IP "\fBencrypt_key\fR" 4
.IX Item "encrypt_key"
If this is set to \fBno\fR then if a private key is generated it is
-\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line
+\&\fBnot\fR encrypted. This is equivalent to the \fB\-noenc\fR command line
option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
@@ -508,8 +576,8 @@ extension section format.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
This specifies the configuration file section containing a list of
-extensions to add to certificate generated when the \fB\-x509\fR switch
-is used. It can be overridden by the \fB\-extensions\fR command line switch.
+extensions to add to certificate generated when \fB\-x509\fR is in use.
+It can be overridden by the \fB\-extensions\fR command line switch.
.IP "\fBprompt\fR" 4
.IX Item "prompt"
If set to the value \fBno\fR this disables prompting of certificate fields
@@ -544,8 +612,8 @@ just consist of field names and values: for example,
\& emailAddress=someone@somewhere.org
.Ve
.PP
-This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file
-with all the field names and values and just pass it to \fBreq\fR. An example
+This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file with
+all the field names and values and just pass it to this command. An example
of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
.PP
Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the
@@ -607,12 +675,25 @@ The same but just using req:
\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
-Generate a self signed root certificate:
+Generate a self-signed root certificate:
.PP
.Vb 1
\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
+Create an \s-1SM2\s0 private key and then generate a certificate request from it:
+.PP
+.Vb 2
+\& openssl ecparam \-genkey \-name SM2 \-out sm2.key
+\& openssl req \-new \-key sm2.key \-out sm2.csr \-sm3 \-sigopt "distid:1234567812345678"
+.Ve
+.PP
+Examine and verify an \s-1SM2\s0 certificate request:
+.PP
+.Vb 1
+\& openssl req \-verify \-in sm2.csr \-sm3 \-vfyopt "distid:1234567812345678"
+.Ve
+.PP
Example of a file pointed to by the \fBoid_file\fR option:
.PP
.Vb 2
@@ -670,9 +751,7 @@ Sample configuration file prompting for field values:
.PP
Sample configuration containing all field values:
.PP
-.Vb 1
-\& RANDFILE = $ENV::HOME/.rnd
-\&
+.Vb 7
\& [ req ]
\& default_bits = 2048
\& default_keyfile = keyfile.pem
@@ -705,27 +784,10 @@ on the command line:
.Ve
.SH "NOTES"
.IX Header "NOTES"
-The header and footer lines in the \fB\s-1PEM\s0\fR format are normally:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN CERTIFICATE REQUEST\-\-\-\-\-
-\& \-\-\-\-\-END CERTIFICATE REQUEST\-\-\-\-\-
-.Ve
-.PP
-some software (some versions of Netscape certificate server) instead needs:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\-
-\& \-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\-
-.Ve
-.PP
-which is produced with the \fB\-newhdr\fR option but is otherwise compatible.
-Either form is accepted transparently on input.
-.PP
The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
added. It includes the \fBkeyUsage\fR extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
-by the script in an extendedKeyUsage extension.
+by the script in an \fBextendedKeyUsage\fR extension.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
The following messages are frequently asked about:
@@ -735,7 +797,7 @@ The following messages are frequently asked about:
\& Unable to load config info
.Ve
.PP
-This is followed some time later by...
+This is followed some time later by:
.PP
.Vb 2
\& unable to find \*(Aqdistinguished_name\*(Aq in config
@@ -784,14 +846,27 @@ statically defined in the configuration file. Some of these: like an email
address in subjectAltName should be input by the user.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBgendsa\fR\|(1), \fBconfig\fR\|(5),
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBconfig\fR\|(5),
\&\fBx509v3_config\fR\|(5)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-section\fR option was added in OpenSSL 3.0.0.
+.PP
+The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
+has no effect.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+The <\-nodes> option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/openssl-rsa.1
index 9c1684dd3045..d5da3617014b 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/openssl-rsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,24 +130,24 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "RSA 1"
-.TH RSA 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-RSA 1ossl"
+.TH OPENSSL-RSA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-rsa, rsa \- RSA key processing tool
+openssl\-rsa \- RSA key processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsa\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER\fR]
-[\fB\-in filename\fR]
-[\fB\-passin arg\fR]
-[\fB\-out filename\fR]
-[\fB\-passout arg\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
@@ -165,62 +163,64 @@ openssl\-rsa, rsa \- RSA key processing tool
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-modulus\fR]
+[\fB\-traditional\fR]
[\fB\-check\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-RSAPublicKey_in\fR]
[\fB\-RSAPublicKey_out\fR]
-[\fB\-engine id\fR]
+[\fB\-pvk\-strong\fR]
+[\fB\-pvk\-weak\fR]
+[\fB\-pvk\-none\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various
-forms and their components printed out. \fBNote\fR this command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
-utility.
+This command processes \s-1RSA\s0 keys. They can be converted between
+various forms and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
-The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
-encoded with additional header and footer lines. On input PKCS#8 format private
-keys are also accepted.
-.IP "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-inform DER|PEM|P12|ENGINE"
+The key input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a key from or standard input if this
+The key output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-traditional\fR" 4
+.IX Item "-traditional"
+When writing a private key, use the traditional PKCS#1 format
+instead of the PKCS#8 format.
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passin arg, -passout arg"
+The password source for the input and output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should \fBnot\fR be the same as the input
filename.
-.IP "\fB\-passout password\fR" 4
-.IX Item "-passout password"
-The output file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
-means that using the \fBrsa\fR utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
@@ -247,36 +247,37 @@ the input is a public key.
.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4
.IX Item "-RSAPublicKey_in, -RSAPublicKey_out"
Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead.
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-pvk\-strong\fR" 4
+.IX Item "-pvk-strong"
+Enable 'Strong' \s-1PVK\s0 encoding level (default).
+.IP "\fB\-pvk\-weak\fR" 4
+.IX Item "-pvk-weak"
+Enable 'Weak' \s-1PVK\s0 encoding level.
+.IP "\fB\-pvk\-none\fR" 4
+.IX Item "-pvk-none"
+Don't enforce \s-1PVK\s0 encoding.
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
-The \s-1PEM\s0 private key format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
-\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
-.Ve
-.PP
-The \s-1PEM\s0 public key format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
-\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
-.Ve
-.PP
-The \s-1PEM\s0 \fBRSAPublicKey\fR format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\-
-\& \-\-\-\-\-END RSA PUBLIC KEY\-\-\-\-\-
-.Ve
+The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
+this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
+The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
+equivalent to the ones listed here.
+.PP
To remove the pass phrase on an \s-1RSA\s0 private key:
.PP
.Vb 1
@@ -314,17 +315,24 @@ Output the public part of a private key in \fBRSAPublicKey\fR format:
.Ve
.SH "BUGS"
.IX Header "BUGS"
-There should be an option that automatically handles .key files,
+There should be an option that automatically handles \fI.key\fR files,
without having to manually edit them.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBpkcs8\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBgendsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/openssl-rsautl.1
index 2e8900ab4a90..621364f7f3a8 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/openssl-rsautl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,58 +130,76 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-RSAUTL 1ossl"
+.TH OPENSSL-RSAUTL 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-rsautl, rsautl \- RSA utility
+openssl\-rsautl \- RSA command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsautl\fR
[\fB\-help\fR]
-[\fB\-in file\fR]
-[\fB\-out file\fR]
-[\fB\-inkey file\fR]
-[\fB\-keyform PEM|DER|ENGINE\fR]
+[\fB\-in\fR \fIfile\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-rev\fR]
+[\fB\-out\fR \fIfile\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
[\fB\-pkcs\fR]
-[\fB\-ssl\fR]
+[\fB\-x931\fR]
+[\fB\-oaep\fR]
[\fB\-raw\fR]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
+This command has been deprecated.
+The \fBopenssl\-pkeyutl\fR\|(1) command should be used instead.
+.PP
+This command can be used to sign, verify, encrypt and decrypt
data using the \s-1RSA\s0 algorithm.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The passphrase used in the output file.
+See see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-rev\fR" 4
+.IX Item "-rev"
+Reverse the order of the input.
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
-.IP "\fB\-inkey file\fR" 4
-.IX Item "-inkey file"
-The input key file, by default it should be an \s-1RSA\s0 private key.
-.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
-.IX Item "-keyform PEM|DER|ENGINE"
-The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
+The input key, by default it should be an \s-1RSA\s0 private key.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
The input file is an \s-1RSA\s0 public key.
@@ -203,22 +219,10 @@ Encrypt the input data using an \s-1RSA\s0 public key.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt the input data using an \s-1RSA\s0 private key.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
-.IX Item "-pkcs, -oaep, -ssl, -raw"
-The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0
-special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
-or no padding, respectively.
+.IP "\fB\-pkcs\fR, \fB\-oaep\fR, \fB\-x931\fR, \fB\-raw\fR" 4
+.IX Item "-pkcs, -oaep, -x931, -raw"
+The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,
+ANSI X9.31,\s0 or no padding, respectively.
For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
@@ -227,12 +231,31 @@ Hex dump the output data.
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data, this is useful when combined with the
\&\fB\-verify\fR option.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
-\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be
+Since this command uses the \s-1RSA\s0 algorithm directly, it can only be
used to sign or verify small pieces of data.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
+Examples equivalent to these can be found in the documentation for the
+non-deprecated \fBopenssl\-pkeyutl\fR\|(1) command.
+.PP
Sign some data using a private key:
.PP
.Vb 1
@@ -265,8 +288,9 @@ encrypt and decrypt the block would have been of type 2 (the second byte)
and random padding data visible instead of the 0xff bytes.
.PP
It is possible to analyse the signature of certificates using this
-utility in conjunction with \fBasn1parse\fR. Consider the self signed
-example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields:
+command in conjunction with \fBopenssl\-asn1parse\fR\|(1). Consider the self signed
+example in \fIcerts/pca\-cert.pem\fR. Running \fBopenssl\-asn1parse\fR\|(1) as follows
+yields:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem
@@ -334,12 +358,21 @@ and its digest computed with:
which it can be seen agrees with the recovered value above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBdgst\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkeyutl\fR\|(1),
+\&\fBopenssl\-dgst\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+This command was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/openssl-s_client.1
index 40c3e3871e31..8ae32b5a9be4 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/openssl-s_client.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,177 +130,270 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-S_CLIENT 1ossl"
+.TH OPENSSL-S_CLIENT 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-s_client, s_client \- SSL/TLS client program
+openssl\-s_client \- SSL/TLS client program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_client\fR
[\fB\-help\fR]
-[\fB\-connect host:port\fR]
-[\fB\-bind host:port\fR]
-[\fB\-proxy host:port\fR]
-[\fB\-unix path\fR]
+[\fB\-ssl_config\fR \fIsection\fR]
+[\fB\-connect\fR \fIhost:port\fR]
+[\fB\-host\fR \fIhostname\fR]
+[\fB\-port\fR \fIport\fR]
+[\fB\-bind\fR \fIhost:port\fR]
+[\fB\-proxy\fR \fIhost:port\fR]
+[\fB\-proxy_user\fR \fIuserid\fR]
+[\fB\-proxy_pass\fR \fIarg\fR]
+[\fB\-unix\fR \fIpath\fR]
[\fB\-4\fR]
[\fB\-6\fR]
-[\fB\-servername name\fR]
+[\fB\-servername\fR \fIname\fR]
[\fB\-noservername\fR]
-[\fB\-verify depth\fR]
+[\fB\-verify\fR \fIdepth\fR]
[\fB\-verify_return_error\fR]
-[\fB\-cert filename\fR]
-[\fB\-certform DER|PEM\fR]
-[\fB\-key filename\fR]
-[\fB\-keyform DER|PEM\fR]
-[\fB\-cert_chain filename\fR]
+[\fB\-verify_quiet\fR]
+[\fB\-verifyCAfile\fR \fIfilename\fR]
+[\fB\-verifyCApath\fR \fIdir\fR]
+[\fB\-verifyCAstore\fR \fIuri\fR]
+[\fB\-cert\fR \fIfilename\fR]
+[\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
+[\fB\-cert_chain\fR \fIfilename\fR]
[\fB\-build_chain\fR]
-[\fB\-xkey\fR]
-[\fB\-xcert\fR]
-[\fB\-xchain\fR]
-[\fB\-xchain_build\fR]
-[\fB\-xcertform PEM|DER\fR]
-[\fB\-xkeyform PEM|DER\fR]
-[\fB\-pass arg\fR]
-[\fB\-CApath directory\fR]
-[\fB\-CAfile filename\fR]
-[\fB\-chainCApath directory\fR]
-[\fB\-chainCAfile filename\fR]
-[\fB\-no\-CAfile\fR]
-[\fB\-no\-CApath\fR]
-[\fB\-requestCAfile filename\fR]
-[\fB\-dane_tlsa_domain domain\fR]
-[\fB\-dane_tlsa_rrdata rrdata\fR]
+[\fB\-CRL\fR \fIfilename\fR]
+[\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-crl_download\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-pass\fR \fIarg\fR]
+[\fB\-chainCAfile\fR \fIfilename\fR]
+[\fB\-chainCApath\fR \fIdirectory\fR]
+[\fB\-chainCAstore\fR \fIuri\fR]
+[\fB\-requestCAfile\fR \fIfilename\fR]
+[\fB\-dane_tlsa_domain\fR \fIdomain\fR]
+[\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR]
[\fB\-dane_ee_no_namechecks\fR]
-[\fB\-attime timestamp\fR]
-[\fB\-check_ss_sig\fR]
-[\fB\-crl_check\fR]
-[\fB\-crl_check_all\fR]
-[\fB\-explicit_policy\fR]
-[\fB\-extended_crl\fR]
-[\fB\-ignore_critical\fR]
-[\fB\-inhibit_any\fR]
-[\fB\-inhibit_map\fR]
-[\fB\-no_check_time\fR]
-[\fB\-partial_chain\fR]
-[\fB\-policy arg\fR]
-[\fB\-policy_check\fR]
-[\fB\-policy_print\fR]
-[\fB\-purpose purpose\fR]
-[\fB\-suiteB_128\fR]
-[\fB\-suiteB_128_only\fR]
-[\fB\-suiteB_192\fR]
-[\fB\-trusted_first\fR]
-[\fB\-no_alt_chains\fR]
-[\fB\-use_deltas\fR]
-[\fB\-auth_level num\fR]
-[\fB\-nameopt option\fR]
-[\fB\-verify_depth num\fR]
-[\fB\-verify_email email\fR]
-[\fB\-verify_hostname hostname\fR]
-[\fB\-verify_ip ip\fR]
-[\fB\-verify_name name\fR]
-[\fB\-build_chain\fR]
-[\fB\-x509_strict\fR]
[\fB\-reconnect\fR]
[\fB\-showcerts\fR]
+[\fB\-prexit\fR]
[\fB\-debug\fR]
+[\fB\-trace\fR]
+[\fB\-nocommands\fR]
+[\fB\-security_debug\fR]
+[\fB\-security_debug_verbose\fR]
[\fB\-msg\fR]
+[\fB\-timeout\fR]
+[\fB\-mtu\fR \fIsize\fR]
+[\fB\-no_etm\fR]
+[\fB\-keymatexport\fR \fIlabel\fR]
+[\fB\-keymatexportlen\fR \fIlen\fR]
+[\fB\-msgfile\fR \fIfilename\fR]
[\fB\-nbio_test\fR]
[\fB\-state\fR]
[\fB\-nbio\fR]
[\fB\-crlf\fR]
[\fB\-ign_eof\fR]
[\fB\-no_ign_eof\fR]
-[\fB\-psk_identity identity\fR]
-[\fB\-psk key\fR]
-[\fB\-psk_session file\fR]
+[\fB\-psk_identity\fR \fIidentity\fR]
+[\fB\-psk\fR \fIkey\fR]
+[\fB\-psk_session\fR \fIfile\fR]
[\fB\-quiet\fR]
-[\fB\-ssl3\fR]
-[\fB\-tls1\fR]
-[\fB\-tls1_1\fR]
-[\fB\-tls1_2\fR]
-[\fB\-tls1_3\fR]
-[\fB\-no_ssl3\fR]
-[\fB\-no_tls1\fR]
-[\fB\-no_tls1_1\fR]
-[\fB\-no_tls1_2\fR]
-[\fB\-no_tls1_3\fR]
-[\fB\-dtls\fR]
-[\fB\-dtls1\fR]
-[\fB\-dtls1_2\fR]
[\fB\-sctp\fR]
[\fB\-sctp_label_bug\fR]
[\fB\-fallback_scsv\fR]
[\fB\-async\fR]
+[\fB\-maxfraglen\fR \fIlen\fR]
[\fB\-max_send_frag\fR]
[\fB\-split_send_frag\fR]
[\fB\-max_pipelines\fR]
[\fB\-read_buf\fR]
+[\fB\-ignore_unexpected_eof\fR]
[\fB\-bugs\fR]
[\fB\-comp\fR]
[\fB\-no_comp\fR]
+[\fB\-brief\fR]
+[\fB\-legacy_server_connect\fR]
+[\fB\-no_legacy_server_connect\fR]
[\fB\-allow_no_dhe_kex\fR]
-[\fB\-sigalgs sigalglist\fR]
-[\fB\-curves curvelist\fR]
-[\fB\-cipher cipherlist\fR]
-[\fB\-ciphersuites val\fR]
+[\fB\-sigalgs\fR \fIsigalglist\fR]
+[\fB\-curves\fR \fIcurvelist\fR]
+[\fB\-cipher\fR \fIcipherlist\fR]
+[\fB\-ciphersuites\fR \fIval\fR]
[\fB\-serverpref\fR]
-[\fB\-starttls protocol\fR]
-[\fB\-xmpphost hostname\fR]
-[\fB\-name hostname\fR]
-[\fB\-engine id\fR]
+[\fB\-starttls\fR \fIprotocol\fR]
+[\fB\-name\fR \fIhostname\fR]
+[\fB\-xmpphost\fR \fIhostname\fR]
+[\fB\-name\fR \fIhostname\fR]
[\fB\-tlsextdebug\fR]
[\fB\-no_ticket\fR]
-[\fB\-sess_out filename\fR]
-[\fB\-sess_in filename\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-serverinfo types\fR]
+[\fB\-sess_out\fR \fIfilename\fR]
+[\fB\-serverinfo\fR \fItypes\fR]
+[\fB\-sess_in\fR \fIfilename\fR]
+[\fB\-serverinfo\fR \fItypes\fR]
[\fB\-status\fR]
-[\fB\-alpn protocols\fR]
-[\fB\-nextprotoneg protocols\fR]
+[\fB\-alpn\fR \fIprotocols\fR]
+[\fB\-nextprotoneg\fR \fIprotocols\fR]
[\fB\-ct\fR]
[\fB\-noct\fR]
[\fB\-ctlogfile\fR]
-[\fB\-keylogfile file\fR]
-[\fB\-early_data file\fR]
+[\fB\-keylogfile\fR \fIfile\fR]
+[\fB\-early_data\fR \fIfile\fR]
[\fB\-enable_pha\fR]
-[\fBtarget\fR]
+[\fB\-use_srtp\fR \fIvalue\fR]
+[\fB\-srpuser\fR \fIvalue\fR]
+[\fB\-srppass\fR \fIvalue\fR]
+[\fB\-srp_lateuser\fR]
+[\fB\-srp_moregroups\fR]
+[\fB\-srp_strength\fR \fInumber\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-no_ssl3\fR]
+[\fB\-no_tls1\fR]
+[\fB\-no_tls1_1\fR]
+[\fB\-no_tls1_2\fR]
+[\fB\-no_tls1_3\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-tls1_1\fR]
+[\fB\-tls1_2\fR]
+[\fB\-tls1_3\fR]
+[\fB\-dtls\fR]
+[\fB\-dtls1\fR]
+[\fB\-dtls1_2\fR]
+[\fB\-xkey\fR \fIinfile\fR]
+[\fB\-xcert\fR \fIfile\fR]
+[\fB\-xchain\fR \fIfile\fR]
+[\fB\-xchain_build\fR \fIfile\fR]
+[\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
+[\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-bugs\fR]
+[\fB\-no_comp\fR]
+[\fB\-comp\fR]
+[\fB\-no_ticket\fR]
+[\fB\-serverpref\fR]
+[\fB\-client_renegotiation\fR]
+[\fB\-legacy_renegotiation\fR]
+[\fB\-no_renegotiation\fR]
+[\fB\-no_resumption_on_reneg\fR]
+[\fB\-legacy_server_connect\fR]
+[\fB\-no_legacy_server_connect\fR]
+[\fB\-no_etm\fR]
+[\fB\-allow_no_dhe_kex\fR]
+[\fB\-prioritize_chacha\fR]
+[\fB\-strict\fR]
+[\fB\-sigalgs\fR \fIalgs\fR]
+[\fB\-client_sigalgs\fR \fIalgs\fR]
+[\fB\-groups\fR \fIgroups\fR]
+[\fB\-curves\fR \fIcurves\fR]
+[\fB\-named_curve\fR \fIcurve\fR]
+[\fB\-cipher\fR \fIciphers\fR]
+[\fB\-ciphersuites\fR \fI1.3ciphers\fR]
+[\fB\-min_protocol\fR \fIminprot\fR]
+[\fB\-max_protocol\fR \fImaxprot\fR]
+[\fB\-record_padding\fR \fIpadding\fR]
+[\fB\-debug_broken_protocol\fR]
+[\fB\-no_middlebox\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-ssl_client_engine\fR \fIid\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+[\fIhost\fR:\fIport\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
-to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for
-\&\s-1SSL\s0 servers.
+This command implements a generic \s-1SSL/TLS\s0 client which
+connects to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic
+tool for \s-1SSL\s0 servers.
.SH "OPTIONS"
.IX Header "OPTIONS"
-In addition to the options below the \fBs_client\fR utility also supports the
+In addition to the options below, this command also supports the
common and client only options documented
in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3)
manual page.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-connect host:port\fR" 4
+.IP "\fB\-ssl_config\fR \fIsection\fR" 4
+.IX Item "-ssl_config section"
+Use the specified section of the configuration file to configure the \fB\s-1SSL_CTX\s0\fR object.
+.IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to. It is possible to
select the host and port using the optional target positional argument instead.
If neither this nor the target positional argument are specified then an attempt
is made to connect to the local host on port 4433.
-.IP "\fB\-bind host:port\fR]" 4
-.IX Item "-bind host:port]"
+.IP "\fB\-host\fR \fIhostname\fR" 4
+.IX Item "-host hostname"
+Host to connect to; use \fB\-connect\fR instead.
+.IP "\fB\-port\fR \fIport\fR" 4
+.IX Item "-port port"
+Connect to the specified port; use \fB\-connect\fR instead.
+.IP "\fB\-bind\fR \fIhost:port\fR" 4
+.IX Item "-bind host:port"
This specifies the host address and or port to bind as the source for the
connection. For Unix-domain sockets the port is ignored and the host is
used as the source socket address.
-.IP "\fB\-proxy host:port\fR" 4
+.IP "\fB\-proxy\fR \fIhost:port\fR" 4
.IX Item "-proxy host:port"
When used with the \fB\-connect\fR flag, the program uses the host and port
specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect
to the desired server.
-.IP "\fB\-unix path\fR" 4
+.IP "\fB\-proxy_user\fR \fIuserid\fR" 4
+.IX Item "-proxy_user userid"
+When used with the \fB\-proxy\fR flag, the program will attempt to authenticate
+with the specified proxy using basic (base64) authentication.
+\&\s-1NB:\s0 Basic authentication is insecure; the credentials are sent to the proxy
+in easily reversible base64 encoding before any \s-1TLS/SSL\s0 session is established.
+Therefore, these credentials are easily recovered by anyone able to sniff/trace
+the network. Use with caution.
+.IP "\fB\-proxy_pass\fR \fIarg\fR" 4
+.IX Item "-proxy_pass arg"
+The proxy password source, used with the \fB\-proxy_user\fR flag.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-unix\fR \fIpath\fR" 4
.IX Item "-unix path"
Connect over the specified Unix-domain socket.
.IP "\fB\-4\fR" 4
@@ -311,17 +402,17 @@ Use IPv4 only.
.IP "\fB\-6\fR" 4
.IX Item "-6"
Use IPv6 only.
-.IP "\fB\-servername name\fR" 4
+.IP "\fB\-servername\fR \fIname\fR" 4
.IX Item "-servername name"
Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to
-the given value.
-If \fB\-servername\fR is not provided, the \s-1TLS SNI\s0 extension will be populated with
-the name given to \fB\-connect\fR if it follows a \s-1DNS\s0 name format. If \fB\-connect\fR is
+the given value.
+If \fB\-servername\fR is not provided, the \s-1TLS SNI\s0 extension will be populated with
+the name given to \fB\-connect\fR if it follows a \s-1DNS\s0 name format. If \fB\-connect\fR is
not provided either, the \s-1SNI\s0 is set to \*(L"localhost\*(R".
This is the default since OpenSSL 1.1.1.
.Sp
-Even though \s-1SNI\s0 should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, if
-\&\fB\-servername\fR is provided then that name will be sent, regardless of whether
+Even though \s-1SNI\s0 should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, if
+\&\fB\-servername\fR is provided then that name will be sent, regardless of whether
it is a \s-1DNS\s0 name or not.
.Sp
This option cannot be used in conjunction with \fB\-noservername\fR.
@@ -329,49 +420,50 @@ This option cannot be used in conjunction with \fB\-noservername\fR.
.IX Item "-noservername"
Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
-<\-dane_tlsa_domain> options.
-.IP "\fB\-cert certname\fR" 4
-.IX Item "-cert certname"
-The certificate to use, if one is requested by the server. The default is
-not to use a certificate.
-.IP "\fB\-certform format\fR" 4
-.IX Item "-certform format"
-The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
-.IP "\fB\-key keyfile\fR" 4
-.IX Item "-key keyfile"
-The private key to use. If not specified then the certificate file will
-be used.
-.IP "\fB\-keyform format\fR" 4
-.IX Item "-keyform format"
-The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
+\&\fB\-dane_tlsa_domain\fR options.
+.IP "\fB\-cert\fR \fIfilename\fR" 4
+.IX Item "-cert filename"
+The client certificate to use, if one is requested by the server.
+The default is not to use a certificate.
+.Sp
+The chain for the client certificate may be specified using \fB\-cert_chain\fR.
+.IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-certform DER|PEM|P12"
+The client certificate file format to use; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-cert_chain\fR" 4
.IX Item "-cert_chain"
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-\&\fB\-cert\fR option.
+A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the \fB\-cert\fR option.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-build_chain\fR" 4
.IX Item "-build_chain"
-Specify whether the application should build the certificate chain to be
+Specify whether the application should build the client certificate chain to be
provided to the server.
-.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4
-.IX Item "-xkey infile, -xcert infile, -xchain"
-Specify an extra certificate, private key and certificate chain. These behave
-in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
-specified, the callback returning the first valid chain will be in use by the
-client.
-.IP "\fB\-xchain_build\fR" 4
-.IX Item "-xchain_build"
-Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates provided via \fB\-xkey infile\fR,
-\&\fB\-xcert infile\fR, \fB\-xchain\fR options.
-.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4
-.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER"
-Extra certificate and private key format respectively.
-.IP "\fB\-pass arg\fR" 4
+.IP "\fB\-CRL\fR \fIfilename\fR" 4
+.IX Item "-CRL filename"
+\&\s-1CRL\s0 file to use to check the server's certificate.
+.IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-CRLform DER|PEM"
+The \s-1CRL\s0 file format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-crl_download\fR" 4
+.IX Item "-crl_download"
+Download \s-1CRL\s0 from distribution points in the certificate.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+The client private key to use.
+If not specified then the certificate file will be used to read also the key.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-pass\fR \fIarg\fR" 4
.IX Item "-pass arg"
-the private key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-verify depth\fR" 4
+the private key and certificate file password source.
+For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-verify\fR \fIdepth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
@@ -382,41 +474,48 @@ will never fail due to a server certificate verify failure.
.IX Item "-verify_return_error"
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fBx509\fR\|(1) manual page for details.
-.IP "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-The directory to use for server certificate verification. This directory
-must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. These are
-also used when building the client certificate chain.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted certificates to use during server authentication
-and to use when attempting to build the client certificate chain.
-.IP "\fB\-chainCApath directory\fR" 4
-.IX Item "-chainCApath directory"
-The directory to use for building the chain provided to the server. This
-directory must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information.
-.IP "\fB\-chainCAfile file\fR" 4
+.IP "\fB\-verify_quiet\fR" 4
+.IX Item "-verify_quiet"
+Limit verify output to only errors.
+.IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
+.IX Item "-verifyCAfile filename"
+A file in \s-1PEM\s0 format containing trusted certificates to use
+for verifying the server's certificate.
+.IP "\fB\-verifyCApath\fR \fIdir\fR" 4
+.IX Item "-verifyCApath dir"
+A directory containing trusted certificates to use
+for verifying the server's certificate.
+This directory must be in \*(L"hash format\*(R",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
+.IX Item "-verifyCAstore uri"
+The \s-1URI\s0 of a store containing trusted certificates to use
+for verifying the server's certificate.
+.IP "\fB\-chainCAfile\fR \fIfile\fR" 4
.IX Item "-chainCAfile file"
-A file containing trusted certificates to use when attempting to build the
-client certificate chain.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location
-.IP "\fB\-requestCAfile file\fR" 4
+A file in \s-1PEM\s0 format containing trusted certificates to use
+when attempting to build the client certificate chain.
+.IP "\fB\-chainCApath\fR \fIdirectory\fR" 4
+.IX Item "-chainCApath directory"
+A directory containing trusted certificates to use
+for building the client certificate chain provided to the server.
+This directory must be in \*(L"hash format\*(R",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-chainCAstore\fR \fIuri\fR" 4
+.IX Item "-chainCAstore uri"
+The \s-1URI\s0 of a store containing trusted certificates to use
+when attempting to build the client certificate chain.
+The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
+With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
+\&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
+single file.
+See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
+.IP "\fB\-requestCAfile\fR \fIfile\fR" 4
.IX Item "-requestCAfile file"
A file containing a list of certificates whose subject names will be sent
to the server in the \fBcertificate_authorities\fR extension. Only supported
for \s-1TLS 1.3\s0
-.IP "\fB\-dane_tlsa_domain domain\fR" 4
+.IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4
.IX Item "-dane_tlsa_domain domain"
Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the
\&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary
@@ -431,10 +530,10 @@ anchor public key that signed (rather than matched) the top-most
certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key
verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R"
at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0.
-.IP "\fB\-dane_tlsa_rrdata rrdata\fR" 4
+.IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4
.IX Item "-dane_tlsa_rrdata rrdata"
Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0
-RRset associated with the target service. The \fBrrdata\fR value is
+RRset associated with the target service. The \fIrrdata\fR value is
specified in \*(L"presentation form\*(R", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
@@ -471,10 +570,6 @@ In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-
records already make it possible for a remote domain to redirect client
connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
do not execute scripts downloaded from remote servers.
-.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
-.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
-Set various certificate chain validation options. See the
-\&\fBverify\fR\|(1) manual page for details.
.IP "\fB\-reconnect\fR" 4
.IX Item "-reconnect"
Reconnects to the same server 5 times using the same session \s-1ID,\s0 this can
@@ -500,15 +595,40 @@ Prints out the \s-1SSL\s0 session states.
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Print extensive debugging information including a hex dump of all traffic.
+.IP "\fB\-nocommands\fR" 4
+.IX Item "-nocommands"
+Do not use interactive command letters.
+.IP "\fB\-security_debug\fR" 4
+.IX Item "-security_debug"
+Enable security debug messages.
+.IP "\fB\-security_debug_verbose\fR" 4
+.IX Item "-security_debug_verbose"
+Output more security debug output.
.IP "\fB\-msg\fR" 4
.IX Item "-msg"
+Show protocol messages.
+.IP "\fB\-timeout\fR" 4
+.IX Item "-timeout"
+Enable send/receive timeout on \s-1DTLS\s0 connections.
+.IP "\fB\-mtu\fR \fIsize\fR" 4
+.IX Item "-mtu size"
+Set \s-1MTU\s0 of the link layer to the specified size.
+.IP "\fB\-no_etm\fR" 4
+.IX Item "-no_etm"
+Disable Encrypt-then-MAC negotiation.
+.IP "\fB\-keymatexport\fR \fIlabel\fR" 4
+.IX Item "-keymatexport label"
+Export keying material using the specified label.
+.IP "\fB\-keymatexportlen\fR \fIlen\fR" 4
+.IX Item "-keymatexportlen len"
+Export the specified number of bytes of keying material; default is 20.
+.Sp
Show all protocol messages with hex dump.
.IP "\fB\-trace\fR" 4
.IX Item "-trace"
-Show verbose trace output of protocol messages. OpenSSL needs to be compiled
-with \fBenable-ssl-trace\fR for this option to work.
-.IP "\fB\-msgfile\fR" 4
-.IX Item "-msgfile"
+Show verbose trace output of protocol messages.
+.IP "\fB\-msgfile\fR \fIfilename\fR" 4
+.IX Item "-msgfile filename"
File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
.IP "\fB\-nbio_test\fR" 4
.IX Item "-nbio_test"
@@ -532,35 +652,20 @@ turns on \fB\-ign_eof\fR as well.
.IX Item "-no_ign_eof"
Shut down the connection when end of file is reached in the input.
Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
-.IP "\fB\-psk_identity identity\fR" 4
+.IP "\fB\-psk_identity\fR \fIidentity\fR" 4
.IX Item "-psk_identity identity"
-Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
+Use the \s-1PSK\s0 identity \fIidentity\fR when using a \s-1PSK\s0 cipher suite.
The default value is \*(L"Client_identity\*(R" (without the quotes).
-.IP "\fB\-psk key\fR" 4
+.IP "\fB\-psk\fR \fIkey\fR" 4
.IX Item "-psk key"
-Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
+Use the \s-1PSK\s0 key \fIkey\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
This option must be provided in order to use a \s-1PSK\s0 cipher.
-.IP "\fB\-psk_session file\fR" 4
+.IP "\fB\-psk_session\fR \fIfile\fR" 4
.IX Item "-psk_session file"
-Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0
+Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
Note that this will only work if TLSv1.3 is negotiated.
-.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
-.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
-These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
-By default \fBs_client\fR will negotiate the highest mutually supported protocol
-version.
-When a specific \s-1TLS\s0 version is required, only that version will be offered to
-and accepted from the server.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
-.IX Item "-dtls, -dtls1, -dtls1_2"
-These options make \fBs_client\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0
-With \fB\-dtls\fR, \fBs_client\fR will negotiate any supported \s-1DTLS\s0 protocol version,
-whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support \s-1DTLS1.0\s0 and \s-1DTLS1.2\s0
-respectively.
.IP "\fB\-sctp\fR" 4
.IX Item "-sctp"
Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
@@ -582,11 +687,15 @@ Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
(dasync) can be used (if available).
-.IP "\fB\-max_send_frag int\fR" 4
+.IP "\fB\-maxfraglen\fR \fIlen\fR" 4
+.IX Item "-maxfraglen len"
+Enable Maximum Fragment Length Negotiation; allowed values are
+\&\f(CW512\fR, \f(CW1024\fR, \f(CW2048\fR, and \f(CW4096\fR.
+.IP "\fB\-max_send_frag\fR \fIint\fR" 4
.IX Item "-max_send_frag int"
The maximum size of data fragment to send.
See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
-.IP "\fB\-split_send_frag int\fR" 4
+.IP "\fB\-split_send_frag\fR \fIint\fR" 4
.IX Item "-split_send_frag int"
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
@@ -594,18 +703,26 @@ maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
-.IP "\fB\-max_pipelines int\fR" 4
+.IP "\fB\-max_pipelines\fR \fIint\fR" 4
.IX Item "-max_pipelines int"
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
-.IP "\fB\-read_buf int\fR" 4
+.IP "\fB\-read_buf\fR \fIint\fR" 4
.IX Item "-read_buf int"
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
further information).
+.IP "\fB\-ignore_unexpected_eof\fR" 4
+.IX Item "-ignore_unexpected_eof"
+Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
+shutdown. If the application tries to wait for the close_notify alert but the
+peer closes the connection without sending it, an error is generated. When this
+option is enabled the peer does not need to send the close_notify alert and a
+closed connection will be treated as if the close_notify alert was received.
+For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
@@ -625,12 +742,12 @@ OpenSSL 1.1.0.
.IX Item "-brief"
Only provide a brief summary of connection parameters instead of the
normal verbose output.
-.IP "\fB\-sigalgs sigalglist\fR" 4
+.IP "\fB\-sigalgs\fR \fIsigalglist\fR" 4
.IX Item "-sigalgs sigalglist"
Specifies the list of signature algorithms that are sent by the client.
The server selects one entry in the list based on its preferences.
For example strings, see \fBSSL_CTX_set1_sigalgs\fR\|(3)
-.IP "\fB\-curves curvelist\fR" 4
+.IP "\fB\-curves\fR \fIcurvelist\fR" 4
.IX Item "-curves curvelist"
Specifies the list of supported curves to be sent by the client. The curve is
ultimately selected by the server. For a list of all curves, use:
@@ -638,28 +755,28 @@ ultimately selected by the server. For a list of all curves, use:
.Vb 1
\& $ openssl ecparam \-list_curves
.Ve
-.IP "\fB\-cipher cipherlist\fR" 4
+.IP "\fB\-cipher\fR \fIcipherlist\fR" 4
.IX Item "-cipher cipherlist"
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which ciphersuite is used it should
-take the first supported cipher in the list sent by the client. See the
-\&\fBciphers\fR command for more information.
-.IP "\fB\-ciphersuites val\fR" 4
+take the first supported cipher in the list sent by the client. See
+\&\fBopenssl\-ciphers\fR\|(1) for more information.
+.IP "\fB\-ciphersuites\fR \fIval\fR" 4
.IX Item "-ciphersuites val"
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See the
-\&\fBciphers\fR command for more information. The format for this list is a simple
+take the first supported cipher in the list sent by the client. See
+\&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a simple
colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
-.IP "\fB\-starttls protocol\fR" 4
+.IP "\fB\-starttls\fR \fIprotocol\fR" 4
.IX Item "-starttls protocol"
Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
-\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
+\&\fIprotocol\fR is a keyword for the intended protocol. Currently, the only
supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
\&\*(L"irc\*(R", \*(L"postgres\*(R", \*(L"mysql\*(R", \*(L"lmtp\*(R", \*(L"nntp\*(R", \*(L"sieve\*(R" and \*(L"ldap\*(R".
-.IP "\fB\-xmpphost hostname\fR" 4
+.IP "\fB\-xmpphost\fR \fIhostname\fR" 4
.IX Item "-xmpphost hostname"
This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
specifies the host for the \*(L"to\*(R" attribute of the stream element.
@@ -667,7 +784,7 @@ If this option is not specified, then the host specified with \*(L"\-connect\*(R
will be used.
.Sp
This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R".
-.IP "\fB\-name hostname\fR" 4
+.IP "\fB\-name\fR \fIhostname\fR" 4
.IX Item "-name hostname"
This option is used to specify hostname information for various protocols
used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
@@ -686,31 +803,14 @@ Print out a hex dump of any \s-1TLS\s0 extensions received from the server.
.IP "\fB\-no_ticket\fR" 4
.IX Item "-no_ticket"
Disable RFC4507bis session ticket support.
-.IP "\fB\-sess_out filename\fR" 4
+.IP "\fB\-sess_out\fR \fIfilename\fR" 4
.IX Item "-sess_out filename"
-Output \s-1SSL\s0 session to \fBfilename\fR.
-.IP "\fB\-sess_in sess.pem\fR" 4
-.IX Item "-sess_in sess.pem"
-Load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a
+Output \s-1SSL\s0 session to \fIfilename\fR.
+.IP "\fB\-sess_in\fR \fIfilename\fR" 4
+.IX Item "-sess_in filename"
+Load \s-1SSL\s0 session from \fIfilename\fR. The client will attempt to resume a
connection from this session.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-serverinfo types\fR" 4
+.IP "\fB\-serverinfo\fR \fItypes\fR" 4
.IX Item "-serverinfo types"
A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
@@ -720,12 +820,12 @@ file.
.IX Item "-status"
Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
response (if any) is printed out.
-.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4
+.IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
.IX Item "-alpn protocols, -nextprotoneg protocols"
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
-The \fBprotocols\fR list is a comma-separated list of protocol names that
+The \fIprotocols\fR list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings,
for example \*(L"http/1.1\*(R" or \*(L"spdy/3\*(R".
@@ -746,11 +846,11 @@ for SCTs.
.IX Item "-ctlogfile"
A file containing a list of known Certificate Transparency logs. See
\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format.
-.IP "\fB\-keylogfile file\fR" 4
+.IP "\fB\-keylogfile\fR \fIfile\fR" 4
.IX Item "-keylogfile file"
Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt \s-1TLS\s0 connections.
-.IP "\fB\-early_data file\fR" 4
+.IP "\fB\-early_data\fR \fIfile\fR" 4
.IX Item "-early_data file"
Reads the contents of the specified file and attempts to send it as early data
to the server. This will only work with resumed sessions that support early
@@ -759,12 +859,78 @@ data and when the server accepts the early data.
.IX Item "-enable_pha"
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via \fB\-cert\fR.
-.IP "\fB[target]\fR" 4
-.IX Item "[target]"
+.IP "\fB\-use_srtp\fR \fIvalue\fR" 4
+.IX Item "-use_srtp value"
+Offer \s-1SRTP\s0 key management, where \fBvalue\fR is a colon-separated profile list.
+.IP "\fB\-srpuser\fR \fIvalue\fR" 4
+.IX Item "-srpuser value"
+Set the \s-1SRP\s0 username to the specified value. This option is deprecated.
+.IP "\fB\-srppass\fR \fIvalue\fR" 4
+.IX Item "-srppass value"
+Set the \s-1SRP\s0 password to the specified value. This option is deprecated.
+.IP "\fB\-srp_lateuser\fR" 4
+.IX Item "-srp_lateuser"
+\&\s-1SRP\s0 username for the second ClientHello message. This option is deprecated.
+.IP "\fB\-srp_moregroups\fR This option is deprecated." 4
+.IX Item "-srp_moregroups This option is deprecated."
+Tolerate other than the known \fBg\fR and \fBN\fR values.
+.IP "\fB\-srp_strength\fR \fInumber\fR" 4
+.IX Item "-srp_strength number"
+Set the minimal acceptable length, in bits, for \fBN\fR. This option is
+deprecated.
+.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
+.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
+See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
+.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
+.IX Item "-dtls, -dtls1, -dtls1_2"
+These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
+See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \fIfile\fR, \fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyform DER|PEM"
+Set extended certificate verification options.
+See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renegotiation\fR, \fB\-legacy_renegotiation\fR, \fB\-no_renegotiation\fR, \fB\-no_resumption_on_reneg\fR, \fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR, \fB\-no_etm\fR \fB\-allow_no_dhe_kex\fR, \fB\-prioritize_chacha\fR, \fB\-strict\fR, \fB\-sigalgs\fR \fIalgs\fR, \fB\-client_sigalgs\fR \fIalgs\fR, \fB\-groups\fR \fIgroups\fR, \fB\-curves\fR \fIcurves\fR, \fB\-named_curve\fR \fIcurve\fR, \fB\-cipher\fR \fIciphers\fR, \fB\-ciphersuites\fR \fI1.3ciphers\fR, \fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR, \fB\-record_padding\fR \fIpadding\fR, \fB\-debug_broken_protocol\fR, \fB\-no_middlebox\fR" 4
+.IX Item "-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no_renegotiation, -no_resumption_on_reneg, -legacy_server_connect, -no_legacy_server_connect, -no_etm -allow_no_dhe_kex, -prioritize_chacha, -strict, -sigalgs algs, -client_sigalgs algs, -groups groups, -curves curves, -named_curve curve, -cipher ciphers, -ciphersuites 1.3ciphers, -min_protocol minprot, -max_protocol maxprot, -record_padding padding, -debug_broken_protocol, -no_middlebox"
+See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-ssl_client_engine\fR \fIid\fR" 4
+.IX Item "-ssl_client_engine id"
+Specify engine to be used for client certificate operations.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+Verification errors are displayed, for debugging, but the command will
+proceed unless the \fB\-verify_return_error\fR option is used.
+.IP "\fIhost\fR:\fIport\fR" 4
+.IX Item "host:port"
Rather than providing \fB\-connect\fR, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
-nor \fB\-connect\fR are provided, falls back to attempting to connect to localhost
-on port 4433.
+nor \fB\-connect\fR are provided, falls back to attempting to connect to
+\&\fIlocalhost\fR on port \fI4433\fR.
.SH "CONNECTED COMMANDS"
.IX Header "CONNECTED COMMANDS"
If a connection is established with an \s-1SSL\s0 server then any data received
@@ -780,9 +946,6 @@ End the current \s-1SSL\s0 connection and exit.
.IP "\fBR\fR" 4
.IX Item "R"
Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
-.IP "\fBB\fR" 4
-.IX Item "B"
-Send a heartbeat message to the server (\s-1DTLS\s0 only)
.IP "\fBk\fR" 4
.IX Item "k"
Send a key update message to the server (TLSv1.3 only)
@@ -791,7 +954,7 @@ Send a key update message to the server (TLSv1.3 only)
Send a key update message to the server and request one back (TLSv1.3 only)
.SH "NOTES"
.IX Header "NOTES"
-\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
+This command can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
server the command:
.PP
.Vb 1
@@ -811,7 +974,7 @@ A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
-requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
+requests a certificate. By using this command, the \s-1CA\s0 list can be viewed
and checked. However, some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
@@ -826,7 +989,7 @@ If there are problems verifying a server certificate then the
\&\fB\-showcerts\fR option can be used to show all the certificates sent by the
server.
.PP
-The \fBs_client\fR utility is a test tool and is designed to continue the
+This command is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. Non-test
applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
@@ -838,26 +1001,36 @@ connections to come from some particular address and or port.
.SH "BUGS"
.IX Header "BUGS"
Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of \fBs_client\fR is rather hard to
-read and not a model of how things should be done.
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
A typical \s-1SSL\s0 client program would be much simpler.
.PP
The \fB\-prexit\fR option is a bit of a hack. We should really report
information whenever a session is renegotiated.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBSSL_CONF_cmd\fR\|(3), \fBsess_id\fR\|(1), \fBs_server\fR\|(1), \fBciphers\fR\|(1),
-\&\fBSSL_CTX_set_max_send_fragment\fR\|(3), \fBSSL_CTX_set_split_send_fragment\fR\|(3),
-\&\fBSSL_CTX_set_max_pipelines\fR\|(3)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-sess_id\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBSSL_CONF_cmd\fR\|(3),
+\&\fBSSL_CTX_set_max_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_split_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_max_pipelines\fR\|(3),
+\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
The \fB\-name\fR option was added in OpenSSL 1.1.1.
+.PP
+The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-s_server.1 b/secure/usr.bin/openssl/man/openssl-s_server.1
new file mode 100644
index 000000000000..dbf1872c85a4
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-s_server.1
@@ -0,0 +1,1040 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-S_SERVER 1ossl"
+.TH OPENSSL-S_SERVER 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-s_server \- SSL/TLS server program
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBs_server\fR
+[\fB\-help\fR]
+[\fB\-port\fR \fI+int\fR]
+[\fB\-accept\fR \fIval\fR]
+[\fB\-unix\fR \fIval\fR]
+[\fB\-4\fR]
+[\fB\-6\fR]
+[\fB\-unlink\fR]
+[\fB\-context\fR \fIval\fR]
+[\fB\-verify\fR \fIint\fR]
+[\fB\-Verify\fR \fIint\fR]
+[\fB\-cert\fR \fIinfile\fR]
+[\fB\-cert2\fR \fIinfile\fR]
+[\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
+[\fB\-cert_chain\fR \fIinfile\fR]
+[\fB\-build_chain\fR]
+[\fB\-serverinfo\fR \fIval\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-key2\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-pass\fR \fIval\fR]
+[\fB\-dcert\fR \fIinfile\fR]
+[\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
+[\fB\-dcert_chain\fR \fIinfile\fR]
+[\fB\-dkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-dpass\fR \fIval\fR]
+[\fB\-nbio_test\fR]
+[\fB\-crlf\fR]
+[\fB\-debug\fR]
+[\fB\-msg\fR]
+[\fB\-msgfile\fR \fIoutfile\fR]
+[\fB\-state\fR]
+[\fB\-nocert\fR]
+[\fB\-quiet\fR]
+[\fB\-no_resume_ephemeral\fR]
+[\fB\-www\fR]
+[\fB\-WWW\fR]
+[\fB\-http_server_binmode\fR]
+[\fB\-no_ca_names\fR]
+[\fB\-ignore_unexpected_eof\fR]
+[\fB\-servername\fR]
+[\fB\-servername_fatal\fR]
+[\fB\-tlsextdebug\fR]
+[\fB\-HTTP\fR]
+[\fB\-id_prefix\fR \fIval\fR]
+[\fB\-keymatexport\fR \fIval\fR]
+[\fB\-keymatexportlen\fR \fI+int\fR]
+[\fB\-CRL\fR \fIinfile\fR]
+[\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-crl_download\fR]
+[\fB\-chainCAfile\fR \fIinfile\fR]
+[\fB\-chainCApath\fR \fIdir\fR]
+[\fB\-chainCAstore\fR \fIuri\fR]
+[\fB\-verifyCAfile\fR \fIinfile\fR]
+[\fB\-verifyCApath\fR \fIdir\fR]
+[\fB\-verifyCAstore\fR \fIuri\fR]
+[\fB\-no_cache\fR]
+[\fB\-ext_cache\fR]
+[\fB\-verify_return_error\fR]
+[\fB\-verify_quiet\fR]
+[\fB\-ign_eof\fR]
+[\fB\-no_ign_eof\fR]
+[\fB\-no_etm\fR]
+[\fB\-status\fR]
+[\fB\-status_verbose\fR]
+[\fB\-status_timeout\fR \fIint\fR]
+[\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR]
+[\fB\-no_proxy\fR \fIaddresses\fR]
+[\fB\-status_url\fR \fIval\fR]
+[\fB\-status_file\fR \fIinfile\fR]
+[\fB\-ssl_config\fR \fIval\fR]
+[\fB\-trace\fR]
+[\fB\-security_debug\fR]
+[\fB\-security_debug_verbose\fR]
+[\fB\-brief\fR]
+[\fB\-rev\fR]
+[\fB\-async\fR]
+[\fB\-max_send_frag\fR \fI+int\fR]
+[\fB\-split_send_frag\fR \fI+int\fR]
+[\fB\-max_pipelines\fR \fI+int\fR]
+[\fB\-naccept\fR \fI+int\fR]
+[\fB\-read_buf\fR \fI+int\fR]
+[\fB\-bugs\fR]
+[\fB\-no_comp\fR]
+[\fB\-comp\fR]
+[\fB\-no_ticket\fR]
+[\fB\-serverpref\fR]
+[\fB\-legacy_renegotiation\fR]
+[\fB\-no_renegotiation\fR]
+[\fB\-no_resumption_on_reneg\fR]
+[\fB\-allow_no_dhe_kex\fR]
+[\fB\-prioritize_chacha\fR]
+[\fB\-strict\fR]
+[\fB\-sigalgs\fR \fIval\fR]
+[\fB\-client_sigalgs\fR \fIval\fR]
+[\fB\-groups\fR \fIval\fR]
+[\fB\-curves\fR \fIval\fR]
+[\fB\-named_curve\fR \fIval\fR]
+[\fB\-cipher\fR \fIval\fR]
+[\fB\-ciphersuites\fR \fIval\fR]
+[\fB\-dhparam\fR \fIinfile\fR]
+[\fB\-record_padding\fR \fIval\fR]
+[\fB\-debug_broken_protocol\fR]
+[\fB\-nbio\fR]
+[\fB\-psk_identity\fR \fIval\fR]
+[\fB\-psk_hint\fR \fIval\fR]
+[\fB\-psk\fR \fIval\fR]
+[\fB\-psk_session\fR \fIfile\fR]
+[\fB\-srpvfile\fR \fIinfile\fR]
+[\fB\-srpuserseed\fR \fIval\fR]
+[\fB\-timeout\fR]
+[\fB\-mtu\fR \fI+int\fR]
+[\fB\-listen\fR]
+[\fB\-sctp\fR]
+[\fB\-sctp_label_bug\fR]
+[\fB\-use_srtp\fR \fIval\fR]
+[\fB\-no_dhe\fR]
+[\fB\-nextprotoneg\fR \fIval\fR]
+[\fB\-alpn\fR \fIval\fR]
+[\fB\-sendfile\fR]
+[\fB\-keylogfile\fR \fIoutfile\fR]
+[\fB\-recv_max_early_data\fR \fIint\fR]
+[\fB\-max_early_data\fR \fIint\fR]
+[\fB\-early_data\fR]
+[\fB\-stateless\fR]
+[\fB\-anti_replay\fR]
+[\fB\-no_anti_replay\fR]
+[\fB\-num_tickets\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-no_ssl3\fR]
+[\fB\-no_tls1\fR]
+[\fB\-no_tls1_1\fR]
+[\fB\-no_tls1_2\fR]
+[\fB\-no_tls1_3\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-tls1_1\fR]
+[\fB\-tls1_2\fR]
+[\fB\-tls1_3\fR]
+[\fB\-dtls\fR]
+[\fB\-dtls1\fR]
+[\fB\-dtls1_2\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+[\fB\-bugs\fR]
+[\fB\-no_comp\fR]
+[\fB\-comp\fR]
+[\fB\-no_ticket\fR]
+[\fB\-serverpref\fR]
+[\fB\-client_renegotiation\fR]
+[\fB\-legacy_renegotiation\fR]
+[\fB\-no_renegotiation\fR]
+[\fB\-no_resumption_on_reneg\fR]
+[\fB\-legacy_server_connect\fR]
+[\fB\-no_legacy_server_connect\fR]
+[\fB\-no_etm\fR]
+[\fB\-allow_no_dhe_kex\fR]
+[\fB\-prioritize_chacha\fR]
+[\fB\-strict\fR]
+[\fB\-sigalgs\fR \fIalgs\fR]
+[\fB\-client_sigalgs\fR \fIalgs\fR]
+[\fB\-groups\fR \fIgroups\fR]
+[\fB\-curves\fR \fIcurves\fR]
+[\fB\-named_curve\fR \fIcurve\fR]
+[\fB\-cipher\fR \fIciphers\fR]
+[\fB\-ciphersuites\fR \fI1.3ciphers\fR]
+[\fB\-min_protocol\fR \fIminprot\fR]
+[\fB\-max_protocol\fR \fImaxprot\fR]
+[\fB\-record_padding\fR \fIpadding\fR]
+[\fB\-debug_broken_protocol\fR]
+[\fB\-no_middlebox\fR]
+[\fB\-xkey\fR \fIinfile\fR]
+[\fB\-xcert\fR \fIfile\fR]
+[\fB\-xchain\fR \fIfile\fR]
+[\fB\-xchain_build\fR \fIfile\fR]
+[\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
+[\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command implements a generic \s-1SSL/TLS\s0 server which
+listens for connections on a given port using \s-1SSL/TLS.\s0
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+In addition to the options below, this command also supports
+the common and server only options documented
+\&\*(L"Supported Command Line Commands\*(R" in \fBSSL_CONF_cmd\fR\|(3)
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-port\fR \fI+int\fR" 4
+.IX Item "-port +int"
+The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
+.IP "\fB\-accept\fR \fIval\fR" 4
+.IX Item "-accept val"
+The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is used.
+.IP "\fB\-unix\fR \fIval\fR" 4
+.IX Item "-unix val"
+Unix domain socket to accept on.
+.IP "\fB\-4\fR" 4
+.IX Item "-4"
+Use IPv4 only.
+.IP "\fB\-6\fR" 4
+.IX Item "-6"
+Use IPv6 only.
+.IP "\fB\-unlink\fR" 4
+.IX Item "-unlink"
+For \-unix, unlink any existing socket first.
+.IP "\fB\-context\fR \fIval\fR" 4
+.IX Item "-context val"
+Sets the \s-1SSL\s0 context id. It can be given any string value. If this option
+is not present a default value will be used.
+.IP "\fB\-verify\fR \fIint\fR, \fB\-Verify\fR \fIint\fR" 4
+.IX Item "-verify int, -Verify int"
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the \fB\-verify\fR option a certificate is requested but the
+client does not have to send one, with the \fB\-Verify\fR option the client
+must supply a certificate or an error occurs.
+.Sp
+If the cipher suite cannot request a client certificate (for example an
+anonymous cipher suite or \s-1PSK\s0) this option has no effect.
+.IP "\fB\-cert\fR \fIinfile\fR" 4
+.IX Item "-cert infile"
+The certificate to use, most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
+(\s-1DSA\s0) key. If not specified then the filename \fIserver.pem\fR will be used.
+.IP "\fB\-cert2\fR \fIinfile\fR" 4
+.IX Item "-cert2 infile"
+The certificate file to use for servername; default is \f(CW\*(C`server2.pem\*(C'\fR.
+.IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-certform DER|PEM|P12"
+The server certificate file format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-cert_chain\fR" 4
+.IX Item "-cert_chain"
+A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the \fB\-cert\fR option.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-build_chain\fR" 4
+.IX Item "-build_chain"
+Specify whether the application should build the server certificate chain to be
+provided to the client.
+.IP "\fB\-serverinfo\fR \fIval\fR" 4
+.IX Item "-serverinfo val"
+A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
+must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
+followed by \*(L"length\*(R" bytes of extension data). If the client sends
+an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+The private key to use. If not specified then the certificate file will
+be used.
+.IP "\fB\-key2\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key2 filename|uri"
+The private Key file to use for servername if not given via \fB\-cert2\fR.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-pass\fR \fIval\fR" 4
+.IX Item "-pass val"
+The private key and certificate file password source.
+For more information about the format of \fIval\fR,
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-dcert\fR \fIinfile\fR, \fB\-dkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-dcert infile, -dkey filename|uri"
+Specify an additional certificate and private key, these behave in the
+same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
+if they are not specified (no additional certificate and key is used). As
+noted above some cipher suites require a certificate containing a key of
+a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
+and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
+a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
+by using an appropriate certificate.
+.IP "\fB\-dcert_chain\fR" 4
+.IX Item "-dcert_chain"
+A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
+server certificate chain when a certificate specified via the \fB\-dcert\fR option
+is in use.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-dcertform DER|PEM|P12"
+The format of the additional certificate file; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-dkeyform DER|PEM|P12|ENGINE"
+The format of the additional private key; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-dpass\fR \fIval\fR" 4
+.IX Item "-dpass val"
+The passphrase for the additional private key and certificate.
+For more information about the format of \fIval\fR,
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-nbio_test\fR" 4
+.IX Item "-nbio_test"
+Tests non blocking I/O.
+.IP "\fB\-crlf\fR" 4
+.IX Item "-crlf"
+This option translated a line feed from the terminal into \s-1CR+LF.\s0
+.IP "\fB\-debug\fR" 4
+.IX Item "-debug"
+Print extensive debugging information including a hex dump of all traffic.
+.IP "\fB\-security_debug\fR" 4
+.IX Item "-security_debug"
+Print output from \s-1SSL/TLS\s0 security framework.
+.IP "\fB\-security_debug_verbose\fR" 4
+.IX Item "-security_debug_verbose"
+Print more output from \s-1SSL/TLS\s0 security framework
+.IP "\fB\-msg\fR" 4
+.IX Item "-msg"
+Show all protocol messages with hex dump.
+.IP "\fB\-msgfile\fR \fIoutfile\fR" 4
+.IX Item "-msgfile outfile"
+File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
+.IP "\fB\-state\fR" 4
+.IX Item "-state"
+Prints the \s-1SSL\s0 session states.
+.IP "\fB\-CRL\fR \fIinfile\fR" 4
+.IX Item "-CRL infile"
+The \s-1CRL\s0 file to use.
+.IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-CRLform DER|PEM"
+The \s-1CRL\s0 file format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-crl_download\fR" 4
+.IX Item "-crl_download"
+Download CRLs from distribution points given in \s-1CDP\s0 extensions of certificates
+.IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
+.IX Item "-verifyCAfile filename"
+A file in \s-1PEM\s0 format \s-1CA\s0 containing trusted certificates to use
+for verifying client certificates.
+.IP "\fB\-verifyCApath\fR \fIdir\fR" 4
+.IX Item "-verifyCApath dir"
+A directory containing trusted certificates to use
+for verifying client certificates.
+This directory must be in \*(L"hash format\*(R",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
+.IX Item "-verifyCAstore uri"
+The \s-1URI\s0 of a store containing trusted certificates to use
+for verifying client certificates.
+.IP "\fB\-chainCAfile\fR \fIfile\fR" 4
+.IX Item "-chainCAfile file"
+A file in \s-1PEM\s0 format containing trusted certificates to use
+when attempting to build the server certificate chain.
+.IP "\fB\-chainCApath\fR \fIdir\fR" 4
+.IX Item "-chainCApath dir"
+A directory containing trusted certificates to use
+for building the server certificate chain provided to the client.
+This directory must be in \*(L"hash format\*(R",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-chainCAstore\fR \fIuri\fR" 4
+.IX Item "-chainCAstore uri"
+The \s-1URI\s0 of a store containing trusted certificates to use
+for building the server certificate chain provided to the client.
+The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
+With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
+\&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
+single file.
+See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
+.IP "\fB\-nocert\fR" 4
+.IX Item "-nocert"
+If this option is set then no certificate is used. This restricts the
+cipher suites available to the anonymous ones (currently just anonymous
+\&\s-1DH\s0).
+.IP "\fB\-quiet\fR" 4
+.IX Item "-quiet"
+Inhibit printing of session and certificate information.
+.IP "\fB\-no_resume_ephemeral\fR" 4
+.IX Item "-no_resume_ephemeral"
+Disable caching and tickets if ephemeral (\s-1EC\s0)DH is used.
+.IP "\fB\-tlsextdebug\fR" 4
+.IX Item "-tlsextdebug"
+Print a hex dump of any \s-1TLS\s0 extensions received from the server.
+.IP "\fB\-www\fR" 4
+.IX Item "-www"
+Sends a status message back to the client when it connects. This includes
+information about the ciphers used and various session parameters.
+The output is in \s-1HTML\s0 format so this option can be used with a web browser.
+The special \s-1URL\s0 \f(CW\*(C`/renegcert\*(C'\fR turns on client cert validation, and \f(CW\*(C`/reneg\*(C'\fR
+tells the server to request renegotiation.
+The \fB\-early_data\fR option cannot be used with this option.
+.IP "\fB\-WWW\fR, \fB\-HTTP\fR" 4
+.IX Item "-WWW, -HTTP"
+Emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the \s-1URL\s0 \f(CW\*(C`https://myhost/page.html\*(C'\fR is
+requested the file \fI./page.html\fR will be sent.
+If the \fB\-HTTP\fR flag is used, the files are sent directly, and should contain
+any \s-1HTTP\s0 response headers (including status response line).
+If the \fB\-WWW\fR option is used,
+the response headers are generated by the server, and the file extension is
+examined to determine the \fBContent-Type\fR header.
+Extensions of \f(CW\*(C`html\*(C'\fR, \f(CW\*(C`htm\*(C'\fR, and \f(CW\*(C`php\*(C'\fR are \f(CW\*(C`text/html\*(C'\fR and all others are
+\&\f(CW\*(C`text/plain\*(C'\fR.
+In addition, the special \s-1URL\s0 \f(CW\*(C`/stats\*(C'\fR will return status
+information like the \fB\-www\fR option.
+Neither of these options can be used in conjunction with \fB\-early_data\fR.
+.IP "\fB\-http_server_binmode\fR" 4
+.IX Item "-http_server_binmode"
+When acting as web-server (using option \fB\-WWW\fR or \fB\-HTTP\fR) open files requested
+by the client in binary mode.
+.IP "\fB\-no_ca_names\fR" 4
+.IX Item "-no_ca_names"
+Disable \s-1TLS\s0 Extension \s-1CA\s0 Names. You may want to disable it for security reasons
+or for compatibility with some Windows \s-1TLS\s0 implementations crashing when this
+extension is larger than 1024 bytes.
+.IP "\fB\-ignore_unexpected_eof\fR" 4
+.IX Item "-ignore_unexpected_eof"
+Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
+shutdown. If the application tries to wait for the close_notify alert but the
+peer closes the connection without sending it, an error is generated. When this
+option is enabled the peer does not need to send the close_notify alert and a
+closed connection will be treated as if the close_notify alert was received.
+For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
+.IP "\fB\-servername\fR" 4
+.IX Item "-servername"
+Servername for HostName \s-1TLS\s0 extension.
+.IP "\fB\-servername_fatal\fR" 4
+.IX Item "-servername_fatal"
+On servername mismatch send fatal alert (default: warning alert).
+.IP "\fB\-id_prefix\fR \fIval\fR" 4
+.IX Item "-id_prefix val"
+Generate \s-1SSL/TLS\s0 session IDs prefixed by \fIval\fR. This is mostly useful
+for testing any \s-1SSL/TLS\s0 code (e.g. proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (e.g. with a certain prefix).
+.IP "\fB\-keymatexport\fR" 4
+.IX Item "-keymatexport"
+Export keying material using label.
+.IP "\fB\-keymatexportlen\fR" 4
+.IX Item "-keymatexportlen"
+Export the given number of bytes of keying material; default 20.
+.IP "\fB\-no_cache\fR" 4
+.IX Item "-no_cache"
+Disable session cache.
+.IP "\fB\-ext_cache\fR." 4
+.IX Item "-ext_cache."
+Disable internal cache, set up and use external cache.
+.IP "\fB\-verify_return_error\fR" 4
+.IX Item "-verify_return_error"
+Verification errors normally just print a message but allow the
+connection to continue, for debugging purposes.
+If this option is used, then verification errors close the connection.
+.IP "\fB\-verify_quiet\fR" 4
+.IX Item "-verify_quiet"
+No verify output except verify errors.
+.IP "\fB\-ign_eof\fR" 4
+.IX Item "-ign_eof"
+Ignore input \s-1EOF\s0 (default: when \fB\-quiet\fR).
+.IP "\fB\-no_ign_eof\fR" 4
+.IX Item "-no_ign_eof"
+Do not ignore input \s-1EOF.\s0
+.IP "\fB\-no_etm\fR" 4
+.IX Item "-no_etm"
+Disable Encrypt-then-MAC negotiation.
+.IP "\fB\-status\fR" 4
+.IX Item "-status"
+Enables certificate status request support (aka \s-1OCSP\s0 stapling).
+.IP "\fB\-status_verbose\fR" 4
+.IX Item "-status_verbose"
+Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
+a verbose printout of the \s-1OCSP\s0 response.
+.IP "\fB\-status_timeout\fR \fIint\fR" 4
+.IX Item "-status_timeout int"
+Sets the timeout for \s-1OCSP\s0 response to \fIint\fR seconds.
+.IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR" 4
+.IX Item "-proxy [http[s]://][userinfo@]host[:port][/path]"
+The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
+applies, see below.
+The proxy port defaults to 80 or 443 if the scheme is \f(CW\*(C`https\*(C'\fR; apart from that
+the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored,
+as well as any userinfo and path components.
+Defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR
+in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
+.IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
+.IX Item "-no_proxy addresses"
+List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
+not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
+Default is from the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR.
+.IP "\fB\-status_url\fR \fIval\fR" 4
+.IX Item "-status_url val"
+Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
+server certificate. Without this option an error is returned if the server
+certificate does not contain a responder address.
+The optional userinfo and fragment \s-1URL\s0 components are ignored.
+Any given query component is handled as part of the path component.
+.IP "\fB\-status_file\fR \fIinfile\fR" 4
+.IX Item "-status_file infile"
+Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the
+\&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format.
+.IP "\fB\-ssl_config\fR \fIval\fR" 4
+.IX Item "-ssl_config val"
+Configure \s-1SSL_CTX\s0 using the given configuration value.
+.IP "\fB\-trace\fR" 4
+.IX Item "-trace"
+Show verbose trace output of protocol messages.
+.IP "\fB\-brief\fR" 4
+.IX Item "-brief"
+Provide a brief summary of connection parameters instead of the normal verbose
+output.
+.IP "\fB\-rev\fR" 4
+.IX Item "-rev"
+Simple echo server that sends back received text reversed. Also sets \fB\-brief\fR.
+Cannot be used in conjunction with \fB\-early_data\fR.
+.IP "\fB\-async\fR" 4
+.IX Item "-async"
+Switch on asynchronous mode. Cryptographic operations will be performed
+asynchronously. This will only have an effect if an asynchronous capable engine
+is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
+(dasync) can be used (if available).
+.IP "\fB\-max_send_frag\fR \fI+int\fR" 4
+.IX Item "-max_send_frag +int"
+The maximum size of data fragment to send.
+See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
+.IP "\fB\-split_send_frag\fR \fI+int\fR" 4
+.IX Item "-split_send_frag +int"
+The size used to split data for encrypt pipelines. If more data is written in
+one go than this value then it will be split into multiple pipelines, up to the
+maximum number of pipelines defined by max_pipelines. This only has an effect if
+a suitable cipher suite has been negotiated, an engine that supports pipelining
+has been loaded, and max_pipelines is greater than 1. See
+\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
+.IP "\fB\-max_pipelines\fR \fI+int\fR" 4
+.IX Item "-max_pipelines +int"
+The maximum number of encrypt/decrypt pipelines to be used. This will only have
+an effect if an engine has been loaded that supports pipelining (e.g. the dasync
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
+See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
+.IP "\fB\-naccept\fR \fI+int\fR" 4
+.IX Item "-naccept +int"
+The server will exit after receiving the specified number of connections,
+default unlimited.
+.IP "\fB\-read_buf\fR \fI+int\fR" 4
+.IX Item "-read_buf +int"
+The default read buffer size to be used for connections. This will only have an
+effect if the buffer size is larger than the size that would otherwise be used
+and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
+further information).
+.IP "\fB\-bugs\fR" 4
+.IX Item "-bugs"
+There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
+option enables various workarounds.
+.IP "\fB\-no_comp\fR" 4
+.IX Item "-no_comp"
+Disable negotiation of \s-1TLS\s0 compression.
+\&\s-1TLS\s0 compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+.IP "\fB\-comp\fR" 4
+.IX Item "-comp"
+Enable negotiation of \s-1TLS\s0 compression.
+This option was introduced in OpenSSL 1.1.0.
+\&\s-1TLS\s0 compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+.IP "\fB\-no_ticket\fR" 4
+.IX Item "-no_ticket"
+Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
+is negotiated. See \fB\-num_tickets\fR.
+.IP "\fB\-num_tickets\fR" 4
+.IX Item "-num_tickets"
+Control the number of tickets that will be sent to the client after a full
+handshake in TLSv1.3. The default number of tickets is 2. This option does not
+affect the number of tickets sent after a resumption handshake.
+.IP "\fB\-serverpref\fR" 4
+.IX Item "-serverpref"
+Use the server's cipher preferences, rather than the client's preferences.
+.IP "\fB\-prioritize_chacha\fR" 4
+.IX Item "-prioritize_chacha"
+Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR.
+.IP "\fB\-no_resumption_on_reneg\fR" 4
+.IX Item "-no_resumption_on_reneg"
+Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option.
+.IP "\fB\-client_sigalgs\fR \fIval\fR" 4
+.IX Item "-client_sigalgs val"
+Signature algorithms to support for client certificate authentication
+(colon-separated list).
+.IP "\fB\-named_curve\fR \fIval\fR" 4
+.IX Item "-named_curve val"
+Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list.
+For a list of all possible curves, use:
+.Sp
+.Vb 1
+\& $ openssl ecparam \-list_curves
+.Ve
+.IP "\fB\-cipher\fR \fIval\fR" 4
+.IX Item "-cipher val"
+This allows the list of TLSv1.2 and below ciphersuites used by the server to be
+modified. This list is combined with any TLSv1.3 ciphersuites that have been
+configured. When the client sends a list of supported ciphers the first client
+cipher also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist is irrelevant. See
+\&\fBopenssl\-ciphers\fR\|(1) for more information.
+.IP "\fB\-ciphersuites\fR \fIval\fR" 4
+.IX Item "-ciphersuites val"
+This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
+This list is combined with any TLSv1.2 and below ciphersuites that have been
+configured. When the client sends a list of supported ciphers the first client
+cipher also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist is irrelevant. See
+\&\fBopenssl\-ciphers\fR\|(1) command for more information. The format for this list is
+a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
+.IP "\fB\-dhparam\fR \fIinfile\fR" 4
+.IX Item "-dhparam infile"
+The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
+using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
+load the parameters from the server certificate file.
+If this fails then a static set of parameters hard coded into this command
+will be used.
+.IP "\fB\-nbio\fR" 4
+.IX Item "-nbio"
+Turns on non blocking I/O.
+.IP "\fB\-timeout\fR" 4
+.IX Item "-timeout"
+Enable timeouts.
+.IP "\fB\-mtu\fR" 4
+.IX Item "-mtu"
+Set link-layer \s-1MTU.\s0
+.IP "\fB\-psk_identity\fR \fIval\fR" 4
+.IX Item "-psk_identity val"
+Expect the client to send \s-1PSK\s0 identity \fIval\fR when using a \s-1PSK\s0
+cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0
+identity is the string \*(L"Client_identity\*(R".
+.IP "\fB\-psk_hint\fR \fIval\fR" 4
+.IX Item "-psk_hint val"
+Use the \s-1PSK\s0 identity hint \fIval\fR when using a \s-1PSK\s0 cipher suite.
+.IP "\fB\-psk\fR \fIval\fR" 4
+.IX Item "-psk val"
+Use the \s-1PSK\s0 key \fIval\fR when using a \s-1PSK\s0 cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example \-psk
+1a2b3c4d.
+This option must be provided in order to use a \s-1PSK\s0 cipher.
+.IP "\fB\-psk_session\fR \fIfile\fR" 4
+.IX Item "-psk_session file"
+Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
+Note that this will only work if TLSv1.3 is negotiated.
+.IP "\fB\-srpvfile\fR" 4
+.IX Item "-srpvfile"
+The verifier file for \s-1SRP.\s0
+This option is deprecated.
+.IP "\fB\-srpuserseed\fR" 4
+.IX Item "-srpuserseed"
+A seed string for a default user salt.
+This option is deprecated.
+.IP "\fB\-listen\fR" 4
+.IX Item "-listen"
+This option can only be used in conjunction with one of the \s-1DTLS\s0 options above.
+With this option, this command will listen on a \s-1UDP\s0 port for incoming
+connections.
+Any ClientHellos that arrive will be checked to see if they have a cookie in
+them or not.
+Any without a cookie will be responded to with a HelloVerifyRequest.
+If a ClientHello with a cookie is received then this command will
+connect to that peer and complete the handshake.
+.IP "\fB\-sctp\fR" 4
+.IX Item "-sctp"
+Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
+conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
+available where OpenSSL has support for \s-1SCTP\s0 enabled.
+.IP "\fB\-sctp_label_bug\fR" 4
+.IX Item "-sctp_label_bug"
+Use the incorrect behaviour of older OpenSSL implementations when computing
+endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
+older broken implementations but breaks interoperability with correct
+implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
+available where OpenSSL has support for \s-1SCTP\s0 enabled.
+.IP "\fB\-use_srtp\fR" 4
+.IX Item "-use_srtp"
+Offer \s-1SRTP\s0 key management with a colon-separated profile list.
+.IP "\fB\-no_dhe\fR" 4
+.IX Item "-no_dhe"
+If this option is set then no \s-1DH\s0 parameters will be loaded effectively
+disabling the ephemeral \s-1DH\s0 cipher suites.
+.IP "\fB\-alpn\fR \fIval\fR, \fB\-nextprotoneg\fR \fIval\fR" 4
+.IX Item "-alpn val, -nextprotoneg val"
+These flags enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
+\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
+The \fIval\fR list is a comma-separated list of supported protocol
+names. The list should contain the most desirable protocols first.
+Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
+\&\*(L"spdy/3\*(R".
+The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
+.IP "\fB\-sendfile\fR" 4
+.IX Item "-sendfile"
+If this option is set and \s-1KTLS\s0 is enabled, \fBSSL_sendfile()\fR will be used
+instead of \fBBIO_write()\fR to send the \s-1HTTP\s0 response requested by a client.
+This option is only valid if \fB\-WWW\fR or \fB\-HTTP\fR is specified.
+.IP "\fB\-keylogfile\fR \fIoutfile\fR" 4
+.IX Item "-keylogfile outfile"
+Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
+(like Wireshark) can decrypt \s-1TLS\s0 connections.
+.IP "\fB\-max_early_data\fR \fIint\fR" 4
+.IX Item "-max_early_data int"
+Change the default maximum early data bytes that are specified for new sessions
+and any incoming early data (when used in conjunction with the \fB\-early_data\fR
+flag). The default value is approximately 16k. The argument must be an integer
+greater than or equal to 0.
+.IP "\fB\-recv_max_early_data\fR \fIint\fR" 4
+.IX Item "-recv_max_early_data int"
+Specify the hard limit on the maximum number of early data bytes that will
+be accepted.
+.IP "\fB\-early_data\fR" 4
+.IX Item "-early_data"
+Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR,
+\&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR.
+.IP "\fB\-stateless\fR" 4
+.IX Item "-stateless"
+Require TLSv1.3 cookies.
+.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
+.IX Item "-anti_replay, -no_anti_replay"
+Switches replay protection on or off, respectively. Replay protection is on by
+default unless overridden by a configuration file. When it is on, OpenSSL will
+automatically detect if a session ticket has been used more than once, TLSv1.3
+has been negotiated, and early data is enabled on the server. A full handshake
+is forced if a session ticket is used a second or subsequent time. Any early
+data that was sent will be rejected.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
+.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
+See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
+.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
+.IX Item "-dtls, -dtls1, -dtls1_2"
+These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
+See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
+.IP "\fB\-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renegotiation\fR, \fB\-legacy_renegotiation\fR, \fB\-no_renegotiation\fR, \fB\-no_resumption_on_reneg\fR, \fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR, \fB\-no_etm\fR \fB\-allow_no_dhe_kex\fR, \fB\-prioritize_chacha\fR, \fB\-strict\fR, \fB\-sigalgs\fR \fIalgs\fR, \fB\-client_sigalgs\fR \fIalgs\fR, \fB\-groups\fR \fIgroups\fR, \fB\-curves\fR \fIcurves\fR, \fB\-named_curve\fR \fIcurve\fR, \fB\-cipher\fR \fIciphers\fR, \fB\-ciphersuites\fR \fI1.3ciphers\fR, \fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR, \fB\-record_padding\fR \fIpadding\fR, \fB\-debug_broken_protocol\fR, \fB\-no_middlebox\fR" 4
+.IX Item "-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no_renegotiation, -no_resumption_on_reneg, -legacy_server_connect, -no_legacy_server_connect, -no_etm -allow_no_dhe_kex, -prioritize_chacha, -strict, -sigalgs algs, -client_sigalgs algs, -groups groups, -curves curves, -named_curve curve, -cipher ciphers, -ciphersuites 1.3ciphers, -min_protocol minprot, -max_protocol maxprot, -record_padding padding, -debug_broken_protocol, -no_middlebox"
+See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
+.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \fIfile\fR, \fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyform DER|PEM"
+Set extended certificate verification options.
+See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+If the server requests a client certificate, then
+verification errors are displayed, for debugging, but the command will
+proceed unless the \fB\-verify_return_error\fR option is used.
+.SH "CONNECTED COMMANDS"
+.IX Header "CONNECTED COMMANDS"
+If a connection request is established with an \s-1SSL\s0 client and neither the
+\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
+from the client is displayed and any key presses will be sent to the client.
+.PP
+Certain commands are also recognized which perform special operations. These
+commands are a letter which must appear at the start of a line. They are listed
+below.
+.IP "\fBq\fR" 4
+.IX Item "q"
+End the current \s-1SSL\s0 connection but still accept new connections.
+.IP "\fBQ\fR" 4
+.IX Item "Q"
+End the current \s-1SSL\s0 connection and exit.
+.IP "\fBr\fR" 4
+.IX Item "r"
+Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
+.IP "\fBR\fR" 4
+.IX Item "R"
+Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below
+only).
+.IP "\fBP\fR" 4
+.IX Item "P"
+Send some plain text down the underlying \s-1TCP\s0 connection: this should
+cause the client to disconnect due to a protocol violation.
+.IP "\fBS\fR" 4
+.IX Item "S"
+Print out some session cache status information.
+.IP "\fBk\fR" 4
+.IX Item "k"
+Send a key update message to the client (TLSv1.3 only)
+.IP "\fBK\fR" 4
+.IX Item "K"
+Send a key update message to the client and request one back (TLSv1.3 only)
+.IP "\fBc\fR" 4
+.IX Item "c"
+Send a certificate request to the client (TLSv1.3 only)
+.SH "NOTES"
+.IX Header "NOTES"
+This command can be used to debug \s-1SSL\s0 clients. To accept connections
+from a web browser the command:
+.PP
+.Vb 1
+\& openssl s_server \-accept 443 \-www
+.Ve
+.PP
+can be used for example.
+.PP
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
+mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
+.PP
+The session parameters can printed out using the \fBopenssl\-sess_id\fR\|(1) command.
+.SH "BUGS"
+.IX Header "BUGS"
+Because this program has a lot of options and also because some of the
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
+A typical \s-1SSL\s0 server program would be much simpler.
+.PP
+The output of common ciphers is wrong: it just gives the list of ciphers that
+OpenSSL recognizes and the client supports.
+.PP
+There should be a way for this command to print out details
+of any unknown cipher suites a client says it supports.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-sess_id\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBSSL_CONF_cmd\fR\|(3),
+\&\fBSSL_CTX_set_max_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_split_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_max_pipelines\fR\|(3),
+\&\fBossl_store\-file\fR\|(7)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \-no_alt_chains option was added in OpenSSL 1.1.0.
+.PP
+The
+\&\-allow\-no\-dhe\-kex and \-prioritize_chacha options were added in OpenSSL 1.1.1.
+.PP
+The \fB\-srpvfile\fR, \fB\-srpuserseed\fR, and \fB\-engine\fR
+option were deprecated in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/openssl-s_time.1
index 5a3eb288b892..83783ac9d30c 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/openssl-s_time.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,92 +130,82 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "S_TIME 1"
-.TH S_TIME 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-S_TIME 1ossl"
+.TH OPENSSL-S_TIME 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-s_time, s_time \- SSL/TLS performance timing program
+openssl\-s_time \- SSL/TLS performance timing program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_time\fR
[\fB\-help\fR]
-[\fB\-connect host:port\fR]
-[\fB\-www page\fR]
-[\fB\-cert filename\fR]
-[\fB\-key filename\fR]
-[\fB\-CApath directory\fR]
-[\fB\-CAfile filename\fR]
-[\fB\-no\-CAfile\fR]
-[\fB\-no\-CApath\fR]
+[\fB\-connect\fR \fIhost\fR:\fIport\fR]
+[\fB\-www\fR \fIpage\fR]
+[\fB\-cert\fR \fIfilename\fR]
+[\fB\-key\fR \fIfilename\fR]
[\fB\-reuse\fR]
[\fB\-new\fR]
-[\fB\-verify depth\fR]
-[\fB\-nameopt option\fR]
-[\fB\-time seconds\fR]
+[\fB\-verify\fR \fIdepth\fR]
+[\fB\-time\fR \fIseconds\fR]
[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-tls1_1\fR]
+[\fB\-tls1_2\fR]
+[\fB\-tls1_3\fR]
[\fB\-bugs\fR]
-[\fB\-cipher cipherlist\fR]
-[\fB\-ciphersuites val\fR]
+[\fB\-cipher\fR \fIcipherlist\fR]
+[\fB\-ciphersuites\fR \fIval\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-cafile\fR \fIfile\fR]
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBs_time\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
-remote host using \s-1SSL/TLS.\s0 It can request a page from the server and includes
-the time to transfer the payload data in its timing measurements. It measures
-the number of connections within a given timeframe, the amount of data
-transferred (if any), and calculates the average time spent for one connection.
+This command implements a generic \s-1SSL/TLS\s0 client which
+connects to a remote host using \s-1SSL/TLS.\s0 It can request a page from the server
+and includes the time to transfer the payload data in its timing measurements.
+It measures the number of connections within a given timeframe, the amount of
+data transferred (if any), and calculates the average time spent for one
+connection.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-connect host:port\fR" 4
+.IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to.
-.IP "\fB\-www page\fR" 4
+.IP "\fB\-www\fR \fIpage\fR" 4
.IX Item "-www page"
This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
-index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only
-perform the handshake to establish \s-1SSL\s0 connections but not transfer any
-payload data.
-.IP "\fB\-cert certname\fR" 4
+\&\fIindex.html\fR page. If this parameter is not specified, then this command
+will only perform the handshake to establish \s-1SSL\s0 connections but not transfer
+any payload data.
+.IP "\fB\-cert\fR \fIcertname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in \s-1PEM\s0 format.
-.IP "\fB\-key keyfile\fR" 4
+.IP "\fB\-key\fR \fIkeyfile\fR" 4
.IX Item "-key keyfile"
The private key to use. If not specified then the certificate file will
be used. The file is in \s-1PEM\s0 format.
-.IP "\fB\-verify depth\fR" 4
+.IP "\fB\-verify\fR \fIdepth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fBx509\fR\|(1) manual page for details.
-.IP "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-The directory to use for server certificate verification. This directory
-must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
-also used when building the client certificate chain.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted certificates to use during server authentication
-and to use when attempting to build the client certificate chain.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location
.IP "\fB\-new\fR" 4
.IX Item "-new"
Performs the timing test using a new session \s-1ID\s0 for each connection.
@@ -228,55 +216,64 @@ and executed in sequence.
Performs the timing test using the same session \s-1ID\s0; this can be used as a test
that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
specified, they are both on by default and executed in sequence.
-.IP "\fB\-ssl3\fR" 4
-.IX Item "-ssl3"
-This option disables the use of \s-1SSL\s0 version 3. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use \s-1SSL\s0 v3 or \s-1TLS\s0 as appropriate.
-.Sp
-The timing program is not as rich in options to turn protocols on and off as
-the \fBs_client\fR\|(1) program and may not connect to all servers.
-Unfortunately there are a lot of ancient and broken servers in use which
-cannot handle this technique and will fail to connect. Some servers only
-work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option.
-.Sp
-Note that this option may not be available, depending on how
-OpenSSL was built.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
-.IP "\fB\-cipher cipherlist\fR" 4
+.IP "\fB\-cipher\fR \fIcipherlist\fR" 4
.IX Item "-cipher cipherlist"
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-\&\fBciphers\fR\|(1) for more information.
-.IP "\fB\-ciphersuites val\fR" 4
+\&\fBopenssl\-ciphers\fR\|(1) for more information.
+.IP "\fB\-ciphersuites\fR \fIval\fR" 4
.IX Item "-ciphersuites val"
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-\&\fBciphers\fR\|(1) for more information. The format for this list is a simple
-colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
-.IP "\fB\-time length\fR" 4
+\&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a
+simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
+.IP "\fB\-time\fR \fIlength\fR" 4
.IX Item "-time length"
-Specifies how long (in seconds) \fBs_time\fR should establish connections and
-optionally transfer payload data from a server. Server and client performance
-and the link speed determine how many connections \fBs_time\fR can establish.
+Specifies how long (in seconds) this command should establish connections
+and optionally transfer payload data from a server. Server and client
+performance and the link speed determine how many connections it
+can establish.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-cafile\fR \fIfile\fR" 4
+.IX Item "-cafile file"
+This is an obsolete synonym for \fB\-CAfile\fR.
+.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
+.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
+See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
.SH "NOTES"
.IX Header "NOTES"
-\&\fBs_time\fR can be used to measure the performance of an \s-1SSL\s0 connection.
+This command can be used to measure the performance of an \s-1SSL\s0 connection.
To connect to an \s-1SSL HTTP\s0 server and get the default page the command
.PP
.Vb 1
\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
.Ve
.PP
-would typically be used (https uses port 443). 'commoncipher' is a cipher to
-which both client and server can agree, see the \fBciphers\fR\|(1) command
+would typically be used (https uses port 443). \fIcommoncipher\fR is a cipher to
+which both client and server can agree, see the \fBopenssl\-ciphers\fR\|(1) command
for details.
.PP
If the handshake fails then there are several possible causes, if it is
@@ -289,10 +286,10 @@ A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
-requests a certificate. By using \fBs_client\fR\|(1) the \s-1CA\s0 list can be
+requests a certificate. By using \fBopenssl\-s_client\fR\|(1) the \s-1CA\s0 list can be
viewed and checked. However, some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
-is necessary to use the \fB\-prexit\fR option of \fBs_client\fR\|(1) and
+is necessary to use the \fB\-prexit\fR option of \fBopenssl\-s_client\fR\|(1) and
send an \s-1HTTP\s0 request for an appropriate page.
.PP
If a certificate is specified on the command line using the \fB\-cert\fR
@@ -302,19 +299,26 @@ on the command line is no guarantee that the certificate works.
.SH "BUGS"
.IX Header "BUGS"
Because this program does not have all the options of the
-\&\fBs_client\fR\|(1) program to turn protocols on and off, you may not be
-able to measure the performance of all protocols with all servers.
+\&\fBopenssl\-s_client\fR\|(1) program to turn protocols on and off, you may not
+be able to measure the performance of all protocols with all servers.
.PP
The \fB\-verify\fR option should really exit if the server verification
fails.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-cafile\fR option was deprecated in OpenSSL 3.0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBs_client\fR\|(1), \fBs_server\fR\|(1), \fBciphers\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBossl_store\-file\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/openssl-sess_id.1
index 48ed5491ff7b..56d1d21c1055 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/openssl-sess_id.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,53 +130,53 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-SESS_ID 1ossl"
+.TH OPENSSL-SESS_ID 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-sess_id, sess_id \- SSL/TLS session handling utility
+openssl\-sess_id \- SSL/TLS session handling command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsess_id\fR
[\fB\-help\fR]
-[\fB\-inform PEM|DER\fR]
-[\fB\-outform PEM|DER|NSS\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1NSS\s0\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
[\fB\-text\fR]
+[\fB\-cert\fR]
[\fB\-noout\fR]
-[\fB\-context \s-1ID\s0\fR]
+[\fB\-context\fR \fI\s-1ID\s0\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure
-and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session
-master key) in human readable format. Since this is a diagnostic tool that
-needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
-not need to use it.
+This command processes the encoded version of the \s-1SSL\s0 session
+structure and optionally prints out \s-1SSL\s0 session details (for example
+the \s-1SSL\s0 session master key) in human readable format. Since this is a
+diagnostic tool that needs some knowledge of the \s-1SSL\s0 protocol to use
+properly, most users will not need to use it.
+.PP
+The precise format of the data can vary across OpenSSL versions and
+is not documented.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-format containing session details. The precise format can vary from one version
-to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
-format base64 encoded with additional header and footer lines.
-.IP "\fB\-outform DER|PEM|NSS\fR" 4
-.IX Item "-outform DER|PEM|NSS"
-This specifies the output format. The \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR options have the same meaning
-and default as the \fB\-inform\fR option. The \fB\s-1NSS\s0\fR option outputs the session id and
-the master key in \s-1NSS\s0 keylog format.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1NSS\s0\fR" 4
+.IX Item "-inform DER|PEM, -outform DER|PEM|NSS"
+The input and output formats; the default is \s-1PEM.\s0
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.Sp
+For \fB\s-1NSS\s0\fR output, the session \s-1ID\s0 and master key are reported in \s-1NSS\s0 \*(L"keylog\*(R"
+format.
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read session information from or standard
input by default.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write session information to or standard
output if this option is not specified.
@@ -193,7 +191,7 @@ if the \fB\-text\fR option is also present then it will be printed out in text f
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the session.
-.IP "\fB\-context \s-1ID\s0\fR" 4
+.IP "\fB\-context\fR \fI\s-1ID\s0\fR" 4
.IX Item "-context ID"
This option can set the session id so the output session information uses the
supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option won't normally
@@ -244,13 +242,6 @@ The timeout in seconds.
This is the return code when an \s-1SSL\s0 client certificate is verified.
.SH "NOTES"
.IX Header "NOTES"
-The \s-1PEM\s0 encoded session format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN SSL SESSION PARAMETERS\-\-\-\-\-
-\& \-\-\-\-\-END SSL SESSION PARAMETERS\-\-\-\-\-
-.Ve
-.PP
Since the \s-1SSL\s0 session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore, appropriate security precautions should be taken if
@@ -261,12 +252,14 @@ strongly discouraged and should only be used for debugging purposes.
The cipher and start time should be printed out in human readable form.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBciphers\fR\|(1), \fBs_server\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/openssl-smime.1
index 3baf443865c9..6c7879b38644 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/openssl-smime.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,14 +130,14 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "SMIME 1"
-.TH SMIME 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-SMIME 1ossl"
+.TH OPENSSL-SMIME 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-smime, smime \- S/MIME utility
+openssl\-smime \- S/MIME command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsmime\fR
@@ -153,12 +151,45 @@ openssl\-smime, smime \- S/MIME utility
[\fB\-binary\fR]
[\fB\-crlfeol\fR]
[\fB\-\f(BIcipher\fB\fR]
-[\fB\-in file\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath dir\fR]
+[\fB\-in\fR \fIfile\fR]
+[\fB\-certfile\fR \fIfile\fR]
+[\fB\-signer\fR \fIfile\fR]
+[\fB\-nointern\fR]
+[\fB\-noverify\fR]
+[\fB\-nochain\fR]
+[\fB\-nosigs\fR]
+[\fB\-nocerts\fR]
+[\fB\-noattr\fR]
+[\fB\-nodetach\fR]
+[\fB\-nosmimecap\fR]
+[\fB\-recip\fR \fI file\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-out\fR \fIfile\fR]
+[\fB\-content\fR \fIfile\fR]
+[\fB\-to\fR \fIaddr\fR]
+[\fB\-from\fR \fIad\fR]
+[\fB\-subject\fR \fIs\fR]
+[\fB\-text\fR]
+[\fB\-indef\fR]
+[\fB\-noindef\fR]
+[\fB\-stream\fR]
+[\fB\-md\fR \fIdigest\fR]
+[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
-[\fB\-attime timestamp\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
@@ -168,47 +199,33 @@ openssl\-smime, smime \- S/MIME utility
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
-[\fB\-policy arg\fR]
+[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
-[\fB\-purpose purpose\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
-[\fB\-auth_level num\fR]
-[\fB\-verify_depth num\fR]
-[\fB\-verify_email email\fR]
-[\fB\-verify_hostname hostname\fR]
-[\fB\-verify_ip ip\fR]
-[\fB\-verify_name name\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
-[\fB\-certfile file\fR]
-[\fB\-signer file\fR]
-[\fB\-recip file\fR]
-[\fB\-inform SMIME|PEM|DER\fR]
-[\fB\-passin arg\fR]
-[\fB\-inkey file_or_id\fR]
-[\fB\-out file\fR]
-[\fB\-outform SMIME|PEM|DER\fR]
-[\fB\-content file\fR]
-[\fB\-to addr\fR]
-[\fB\-from ad\fR]
-[\fB\-subject s\fR]
-[\fB\-text\fR]
-[\fB\-indef\fR]
-[\fB\-noindef\fR]
-[\fB\-stream\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-md digest\fR]
-[cert.pem]...
+[\fB\-issuer_checks\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-config\fR \fIconfigfile\fR]
+\&\fIrecipcert\fR ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
-verify S/MIME messages.
+This command handles S/MIME mail. It can encrypt, decrypt, sign
+and verify S/MIME messages.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are six operation options that set the type of operation to be performed.
@@ -243,32 +260,30 @@ Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
.IP "\fB\-resign\fR" 4
.IX Item "-resign"
Resign a message: take an existing message and one or more new signers.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input message to be encrypted or signed or the \s-1MIME\s0 message to
be decrypted or verified.
-.IP "\fB\-inform SMIME|PEM|DER\fR" 4
-.IX Item "-inform SMIME|PEM|DER"
-This specifies the input format for the PKCS#7 structure. The default
-is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
-instead. This currently only affects the input format of the PKCS#7
-structure, if no PKCS#7 structure is being input (for example with
-\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The message text that has been decrypted or verified or the output \s-1MIME\s0
format message that has been signed or verified.
-.IP "\fB\-outform SMIME|PEM|DER\fR" 4
-.IX Item "-outform SMIME|PEM|DER"
-This specifies the output format for the PKCS#7 structure. The default
-is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
-format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
-instead. This currently only affects the output format of the PKCS#7
-structure, if no PKCS#7 structure is being output (for example with
-\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
-.IP "\fB\-stream \-indef \-noindef\fR" 4
-.IX Item "-stream -indef -noindef"
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
+.IX Item "-inform DER|PEM|SMIME"
+The input format of the PKCS#7 (S/MIME) structure (if one is being read);
+the default is \fB\s-1SMIME\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
+.IX Item "-outform DER|PEM|SMIME"
+The output format of the PKCS#7 (S/MIME) structure (if one is being written);
+the default is \fB\s-1SMIME\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-stream\fR, \fB\-indef\fR, \fB\-noindef\fR" 4
+.IX Item "-stream, -indef, -noindef"
The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
@@ -280,7 +295,7 @@ other operations.
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-.IP "\fB\-content filename\fR" 4
+.IP "\fB\-content\fR \fIfilename\fR" 4
.IX Item "-content filename"
This specifies a file containing the detached content, this is only
useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
@@ -293,22 +308,7 @@ This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-A directory containing trusted \s-1CA\s0 certificates, only used with
-\&\fB\-verify\fR. This directory must be a standard certificate directory: that
-is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
-to each certificate.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location.
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location.
-.IP "\fB\-md digest\fR" 4
+.IP "\fB\-md\fR \fIdigest\fR" 4
.IX Item "-md digest"
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
@@ -317,7 +317,7 @@ default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR,
triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
-example \fB\-aes\-128\-cbc\fR. See \fBenc\fR for list of ciphers
+example \fB\-aes\-128\-cbc\fR. See \fBopenssl\-enc\fR\|(1) for list of ciphers
supported by your version of OpenSSL.
.Sp
If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR.
@@ -332,7 +332,7 @@ The supplied certificates can still be used as untrusted CAs however.
Do not verify the signers certificate of a signed message.
.IP "\fB\-nochain\fR" 4
.IX Item "-nochain"
-Do not do chain verification of signers certificates: that is don't
+Do not do chain verification of signers certificates; that is, do not
use the certificates in the signed message as untrusted CAs.
.IP "\fB\-nosigs\fR" 4
.IX Item "-nosigs"
@@ -348,6 +348,15 @@ available locally (passed using the \fB\-certfile\fR option for example).
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
+.IP "\fB\-nodetach\fR" 4
+.IX Item "-nodetach"
+When signing a message use opaque signing. This form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME. Without this option cleartext signing with
+the \s-1MIME\s0 type multipart/signed is used.
+.IP "\fB\-nosmimecap\fR" 4
+.IX Item "-nosmimecap"
+When signing a message, do not include the \fBSMIMECapabilities\fR attribute.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Normally the input message is converted to \*(L"canonical\*(R" format which is
@@ -358,65 +367,77 @@ is useful when handling binary data which may not be in \s-1MIME\s0 format.
.IX Item "-crlfeol"
Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this
option is present \fB\s-1CRLF\s0\fR is used instead.
-.IP "\fB\-nodetach\fR" 4
-.IX Item "-nodetach"
-When signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME. Without this option cleartext signing with
-the \s-1MIME\s0 type multipart/signed is used.
-.IP "\fB\-certfile file\fR" 4
+.IP "\fB\-certfile\fR \fIfile\fR" 4
.IX Item "-certfile file"
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
-the signers certificates. The certificates should be in \s-1PEM\s0 format.
-.IP "\fB\-signer file\fR" 4
+the signers certificates.
+The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
+.IP "\fB\-signer\fR \fIfile\fR" 4
.IX Item "-signer file"
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
-.IP "\fB\-recip file\fR" 4
+.IP "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+Don't include signers certificate when signing.
+.IP "\fB\-noattr\fR" 4
+.IX Item "-noattr"
+Don't include any signed attributes when signing.
+.IP "\fB\-recip\fR \fIfile\fR" 4
.IX Item "-recip file"
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
-.IP "\fB\-inkey file_or_id\fR" 4
-.IX Item "-inkey file_or_id"
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
-If no engine is used, the argument is taken as a file; if an engine is
-specified, the argument is given to the engine as a key identifier.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-The private key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fBcert.pem...\fR" 4
-.IX Item "cert.pem..."
-One or more certificates of message recipients: used when encrypting
-a message.
-.IP "\fB\-to, \-from, \-subject\fR" 4
+The private key password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-to\fR, \fB\-from\fR, \fB\-subject\fR" 4
.IX Item "-to, -from, -subject"
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
-.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
-Set various options of certificate chain verification. See
-\&\fBverify\fR\|(1) manual page for details.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+Any verification errors cause the command to exit.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
+.IX Item "-config configfile"
+See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
+.IP "\fIrecipcert\fR ..." 4
+.IX Item "recipcert ..."
+One or more certificates of message recipients, used when encrypting
+a message.
.SH "NOTES"
.IX Header "NOTES"
The \s-1MIME\s0 message must be sent without any blank lines between the
@@ -601,17 +622,22 @@ No revocation checking is done on the signer's certificate.
.PP
The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
structures may cause parsing errors.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
The \-no_alt_chains option was added in OpenSSL 1.1.0.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/openssl-speed.1
index 48405de92171..c6b04dd01ccd 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/openssl-speed.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,89 +130,138 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "SPEED 1"
-.TH SPEED 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-SPEED 1ossl"
+.TH OPENSSL-SPEED 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-speed, speed \- test library performance
+openssl\-speed \- test library performance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl speed\fR
[\fB\-help\fR]
-[\fB\-engine id\fR]
[\fB\-elapsed\fR]
-[\fB\-evp algo\fR]
+[\fB\-evp\fR \fIalgo\fR]
+[\fB\-hmac\fR \fIalgo\fR]
+[\fB\-cmac\fR \fIalgo\fR]
+[\fB\-mb\fR]
+[\fB\-aead\fR]
+[\fB\-multi\fR \fInum\fR]
+[\fB\-async_jobs\fR \fInum\fR]
+[\fB\-misalign\fR \fInum\fR]
[\fB\-decrypt\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-primes num\fR]
-[\fB\-seconds num\fR]
-[\fB\-bytes num\fR]
-[\fBalgorithm...\fR]
+[\fB\-primes\fR \fInum\fR]
+[\fB\-seconds\fR \fInum\fR]
+[\fB\-bytes\fR \fInum\fR]
+[\fB\-mr\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fIalgorithm\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to test the performance of cryptographic algorithms.
-To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR
-or \fIlist \-\-cipher\-commands\fR command. The global \s-1CSPRNG\s0 is denoted by
-the \fIrand\fR algorithm name.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
.IP "\fB\-elapsed\fR" 4
.IX Item "-elapsed"
When calculating operations\- or bytes-per-second, use wall-clock time
instead of \s-1CPU\s0 user time as divisor. It can be useful when testing speed
of hardware engines.
-.IP "\fB\-evp algo\fR" 4
+.IP "\fB\-evp\fR \fIalgo\fR" 4
.IX Item "-evp algo"
Use the specified cipher or message digest algorithm via the \s-1EVP\s0 interface.
-If \fBalgo\fR is an \s-1AEAD\s0 cipher, then you can pass <\-aead> to benchmark a
-TLS-like sequence. And if \fBalgo\fR is a multi-buffer capable cipher, e.g.
+If \fIalgo\fR is an \s-1AEAD\s0 cipher, then you can pass \fB\-aead\fR to benchmark a
+TLS-like sequence. And if \fIalgo\fR is a multi-buffer capable cipher, e.g.
aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation.
+.Sp
+To see the algorithms supported with this option, use
+\&\f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR or \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR
+command.
+.IP "\fB\-multi\fR \fInum\fR" 4
+.IX Item "-multi num"
+Run multiple operations in parallel.
+.IP "\fB\-async_jobs\fR \fInum\fR" 4
+.IX Item "-async_jobs num"
+Enable async mode and start specified number of jobs.
+.IP "\fB\-misalign\fR \fInum\fR" 4
+.IX Item "-misalign num"
+Misalign the buffers by the specified number of bytes.
+.IP "\fB\-hmac\fR \fIdigest\fR" 4
+.IX Item "-hmac digest"
+Time the \s-1HMAC\s0 algorithm using the specified message digest.
+.IP "\fB\-cmac\fR \fIcipher\fR" 4
+.IX Item "-cmac cipher"
+Time the \s-1CMAC\s0 algorithm using the specified cipher e.g.
+\&\f(CW\*(C`openssl speed \-cmac aes128\*(C'\fR.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Time the decryption instead of encryption. Affects only the \s-1EVP\s0 testing.
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-primes num\fR" 4
+.IP "\fB\-mb\fR" 4
+.IX Item "-mb"
+Enable multi-block mode on EVP-named cipher.
+.IP "\fB\-aead\fR" 4
+.IX Item "-aead"
+Benchmark EVP-named \s-1AEAD\s0 cipher in TLS-like sequence.
+.IP "\fB\-primes\fR \fInum\fR" 4
.IX Item "-primes num"
-Generate a \fBnum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option
+Generate a \fInum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option
is only effective if \s-1RSA\s0 algorithm is specified to test.
-.IP "\fB\-seconds num\fR" 4
+.IP "\fB\-seconds\fR \fInum\fR" 4
.IX Item "-seconds num"
-Run benchmarks for \fBnum\fR seconds.
-.IP "\fB\-bytes num\fR" 4
+Run benchmarks for \fInum\fR seconds.
+.IP "\fB\-bytes\fR \fInum\fR" 4
.IX Item "-bytes num"
-Run benchmarks on \fBnum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0
-.IP "\fB[zero or more test algorithms]\fR" 4
-.IX Item "[zero or more test algorithms]"
-If any options are given, \fBspeed\fR tests those algorithms, otherwise a
+Run benchmarks on \fInum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0
+The limit on the size of the buffer is \s-1INT_MAX\s0 \- 64 bytes, which for a 32\-bit
+int would be 2147483583 bytes.
+.IP "\fB\-mr\fR" 4
+.IX Item "-mr"
+Produce the summary in a mechanical, machine-readable, format.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fIalgorithm\fR ..." 4
+.IX Item "algorithm ..."
+If any \fIalgorithm\fR is given, then those algorithms are tested, otherwise a
pre-compiled grand selection is tested.
+.SH "BUGS"
+.IX Header "BUGS"
+The \fIalgorithm\fR can be selected only from a pre-compiled subset of things
+that the \f(CW\*(C`openssl speed\*(C'\fR command knows about. To test any additional digest
+or cipher algorithm supported by OpenSSL use the \f(CW\*(C`\-evp\*(C'\fR option.
+.PP
+There is no way to test the speed of any additional public key algorithms
+supported by third party providers with the \f(CW\*(C`openssl speed\*(C'\fR command.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/openssl-spkac.1
index 5d1f030fd6c8..ac5385688804 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/openssl-spkac.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,33 +130,37 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "SPKAC 1"
-.TH SPKAC 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-SPKAC 1ossl"
+.TH OPENSSL-SPKAC 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-spkac, spkac \- SPKAC printing and generating utility
+openssl\-spkac \- SPKAC printing and generating command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBspkac\fR
[\fB\-help\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-key keyfile\fR]
-[\fB\-keyform PEM|DER|ENGINE\fR]
-[\fB\-passin arg\fR]
-[\fB\-challenge string\fR]
+[\fB\-in\fR \fIfilename\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-digest\fR \fIdigest\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-challenge\fR \fIstring\fR]
[\fB\-pubkey\fR]
-[\fB\-spkac spkacname\fR]
-[\fB\-spksect section\fR]
+[\fB\-spkac\fR \fIspkacname\fR]
+[\fB\-spksect\fR \fIsection\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
-[\fB\-engine id\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBspkac\fR command processes Netscape signed public key and challenge
+This command processes Netscape signed public key and challenge
(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.
.SH "OPTIONS"
@@ -166,36 +168,40 @@ produce its own SPKACs from a supplied private key.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-in filename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the \fB\-key\fR option is used.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
-.IP "\fB\-key keyfile\fR" 4
-.IX Item "-key keyfile"
-Create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
-\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
+.IP "\fB\-digest\fR \fIdigest\fR" 4
+.IX Item "-digest digest"
+Use the specified \fIdigest\fR to sign a created \s-1SPKAC\s0 file.
+The default digest algorithm is \s-1MD5.\s0
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+Create an \s-1SPKAC\s0 file using the private key specified by \fIfilename\fR or \fIuri\fR.
+The \fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
present.
-.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
-.IX Item "-keyform PEM|DER|ENGINE"
-Whether the key format is \s-1PEM, DER,\s0 or an engine-backed key.
-The default is \s-1PEM.\s0
-.IP "\fB\-passin password\fR" 4
-.IX Item "-passin password"
-The input file password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-challenge string\fR" 4
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The input file password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-challenge\fR \fIstring\fR" 4
.IX Item "-challenge string"
Specifies the challenge string if an \s-1SPKAC\s0 is being created.
-.IP "\fB\-spkac spkacname\fR" 4
+.IP "\fB\-spkac\fR \fIspkacname\fR" 4
.IX Item "-spkac spkacname"
Allows an alternative name form the variable containing the
\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
generated and input \s-1SPKAC\s0 files.
-.IP "\fB\-spksect section\fR" 4
+.IP "\fB\-spksect\fR \fIsection\fR" 4
.IX Item "-spksect section"
Allows an alternative name form the section containing the
\&\s-1SPKAC.\s0 The default is the default section.
@@ -210,12 +216,19 @@ being created).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies the digital signature on the supplied \s-1SPKAC.\s0
-.IP "\fB\-engine id\fR" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out the contents of an \s-1SPKAC:\s0
@@ -248,8 +261,8 @@ Example of an \s-1SPKAC,\s0 (long lines split up for clarity):
.Ve
.SH "NOTES"
.IX Header "NOTES"
-A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
-the \fBca\fR utility.
+A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed to
+\&\fBopenssl\-ca\fR\|(1).
.PP
SPKACs are typically generated by Netscape when a form is submitted
containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
@@ -263,12 +276,18 @@ some applications. Without this it is possible for a previous \s-1SPKAC\s0
to be used in a \*(L"replay attack\*(R".
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBca\fR\|(1)
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-digest\fR option was added in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-srp.1 b/secure/usr.bin/openssl/man/openssl-srp.1
new file mode 100644
index 000000000000..177395b729db
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-srp.1
@@ -0,0 +1,247 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-SRP 1ossl"
+.TH OPENSSL-SRP 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-srp \- maintain SRP password file
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl srp\fR
+[\fB\-help\fR]
+[\fB\-verbose\fR]
+[\fB\-add\fR]
+[\fB\-modify\fR]
+[\fB\-delete\fR]
+[\fB\-list\fR]
+[\fB\-name\fR \fIsection\fR]
+[\fB\-srpvfile\fR \fIfile\fR]
+[\fB\-gn\fR \fIidentifier\fR]
+[\fB\-userinfo\fR \fItext\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-passout\fR \fIarg\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-config\fR \fIconfigfile\fR]
+[\fIuser\fR ...]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is deprecated. It is used to maintain an \s-1SRP\s0 (secure remote
+password) file. At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR
+options can be specified.
+These options take zero or more usernames as parameters and perform the
+appropriate operation on the \s-1SRP\s0 file.
+For \fB\-list\fR, if no \fIuser\fR is given then all users are displayed.
+.PP
+The configuration file to use, and the section within the file, can be
+specified with the \fB\-config\fR and \fB\-name\fR flags, respectively.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Display an option summary.
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Generate verbose output while processing.
+.IP "\fB\-add\fR" 4
+.IX Item "-add"
+Add a user and \s-1SRP\s0 verifier.
+.IP "\fB\-modify\fR" 4
+.IX Item "-modify"
+Modify the \s-1SRP\s0 verifier of an existing user.
+.IP "\fB\-delete\fR" 4
+.IX Item "-delete"
+Delete user from verifier file.
+.IP "\fB\-list\fR" 4
+.IX Item "-list"
+List users.
+.IP "\fB\-name\fR" 4
+.IX Item "-name"
+The particular \s-1SRP\s0 definition to use.
+.IP "\fB\-srpvfile\fR \fIfile\fR" 4
+.IX Item "-srpvfile file"
+If the config file is not specified,
+\&\fB\-srpvfile\fR can be used to specify the file to operate on.
+.IP "\fB\-gn\fR" 4
+.IX Item "-gn"
+Specifies the \fBg\fR and \fBN\fR values, using one of
+the strengths defined in \s-1IETF RFC 5054.\s0
+.IP "\fB\-userinfo\fR" 4
+.IX Item "-userinfo"
+specifies additional information to add when
+adding or modifying a user.
+.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
+.IX Item "-passin arg, -passout arg"
+The password source for the input and output file.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
+.IX Item "-config configfile"
+See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
+.Sp
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/storeutl.1 b/secure/usr.bin/openssl/man/openssl-storeutl.1
index 78cb77b2d5c9..6c55dd9bf5f5 100644
--- a/secure/usr.bin/openssl/man/storeutl.1
+++ b/secure/usr.bin/openssl/man/openssl-storeutl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,64 +130,61 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "STOREUTL 1"
-.TH STOREUTL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-STOREUTL 1ossl"
+.TH OPENSSL-STOREUTL 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-storeutl, storeutl \- STORE utility
+openssl\-storeutl \- STORE command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBstoreutl\fR
[\fB\-help\fR]
-[\fB\-out file\fR]
+[\fB\-out\fR \fIfile\fR]
[\fB\-noout\fR]
-[\fB\-passin arg\fR]
-[\fB\-text arg\fR]
-[\fB\-engine id\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-text\fR \fIarg\fR]
[\fB\-r\fR]
[\fB\-certs\fR]
[\fB\-keys\fR]
[\fB\-crls\fR]
-[\fB\-subject arg\fR]
-[\fB\-issuer arg\fR]
-[\fB\-serial arg\fR]
-[\fB\-alias arg\fR]
-[\fB\-fingerprint arg\fR]
+[\fB\-subject\fR \fIarg\fR]
+[\fB\-issuer\fR \fIarg\fR]
+[\fB\-serial\fR \fIarg\fR]
+[\fB\-alias\fR \fIarg\fR]
+[\fB\-fingerprint\fR \fIarg\fR]
[\fB\-\f(BIdigest\fB\fR]
-\&\fBuri\fR ...
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+\&\fIuri\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBstoreutl\fR command can be used to display the contents (after decryption
-as the case may be) fetched from the given URIs.
+This command can be used to display the contents (after
+decryption as the case may be) fetched from the given \s-1URI.\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
-.IP "\fB\-out filename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
specifies the output filename to write to or standard output by
default.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
this option prevents output of the \s-1PEM\s0 data.
-.IP "\fB\-passin arg\fR" 4
+.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
-the key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
+the key password source. For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the objects in text form, similarly to the \fB\-text\fR output from
-\&\fBopenssl x509\fR, \fBopenssl pkey\fR, etc.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-specifying an engine (by its unique \fBid\fR string) will cause \fBstoreutl\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
+\&\fBopenssl\-x509\fR\|(1), \fBopenssl\-pkey\fR\|(1), etc.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Fetch objects recursively when possible.
@@ -204,46 +199,72 @@ Fetch objects recursively when possible.
Only select the certificates, keys or CRLs from the given \s-1URI.\s0
However, if this \s-1URI\s0 would return a set of names (URIs), those are always
returned.
-.IP "\fB\-subject arg\fR" 4
+.Sp
+Note that all options must be given before the \fIuri\fR argument.
+Otherwise they are ignored.
+.IP "\fB\-subject\fR \fIarg\fR" 4
.IX Item "-subject arg"
-Search for an object having the subject name \fBarg\fR.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
-Keyword characters may be escaped by \e (backslash), and whitespace is retained.
+Search for an object having the subject name \fIarg\fR.
+.Sp
+The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
+Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
-.IP "\fB\-issuer arg\fR" 4
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+.Sp
+Example:
+.Sp
+\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
+.IP "\fB\-issuer\fR \fIarg\fR" 4
.IX Item "-issuer arg"
.PD 0
-.IP "\fB\-serial arg\fR" 4
+.IP "\fB\-serial\fR \fIarg\fR" 4
.IX Item "-serial arg"
.PD
Search for an object having the given issuer name and serial number.
These two options \fImust\fR be used together.
-The issuer arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
+The issuer arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR,
characters may be escaped by \e (backslash), no spaces are skipped.
The serial arg may be specified as a decimal value or a hex value if preceded
-by \fB0x\fR.
-.IP "\fB\-alias arg\fR" 4
+by \f(CW\*(C`0x\*(C'\fR.
+.IP "\fB\-alias\fR \fIarg\fR" 4
.IX Item "-alias arg"
Search for an object having the given alias.
-.IP "\fB\-fingerprint arg\fR" 4
+.IP "\fB\-fingerprint\fR \fIarg\fR" 4
.IX Item "-fingerprint arg"
Search for an object having the given fingerprint.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The digest that was used to compute the fingerprint given with \fB\-fingerprint\fR.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \fBopenssl\fR \fBstoreutl\fR app was added in OpenSSL 1.1.1.
+This command was added in OpenSSL 1.1.1.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/openssl-ts.1
index 4fa81c23ed90..861f84c293ab 100644
--- a/secure/usr.bin/openssl/man/ts.1
+++ b/secure/usr.bin/openssl/man/openssl-ts.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,95 +130,106 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "TS 1"
-.TH TS 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-TS 1ossl"
+.TH OPENSSL-TS 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-ts, ts \- Time Stamping Authority tool (client/server)
+openssl\-ts \- Time Stamping Authority command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBts\fR
+\&\fB\-help\fR
+.PP
+\&\fBopenssl\fR \fBts\fR
\&\fB\-query\fR
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-config\fR configfile]
-[\fB\-data\fR file_to_hash]
-[\fB\-digest\fR digest_bytes]
+[\fB\-config\fR \fIconfigfile\fR]
+[\fB\-data\fR \fIfile_to_hash\fR]
+[\fB\-digest\fR \fIdigest_bytes\fR]
[\fB\-\f(BIdigest\fB\fR]
-[\fB\-tspolicy\fR object_id]
+[\fB\-tspolicy\fR \fIobject_id\fR]
[\fB\-no_nonce\fR]
[\fB\-cert\fR]
-[\fB\-in\fR request.tsq]
-[\fB\-out\fR request.tsq]
+[\fB\-in\fR \fIrequest.tsq\fR]
+[\fB\-out\fR \fIrequest.tsq\fR]
[\fB\-text\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-reply\fR
-[\fB\-config\fR configfile]
-[\fB\-section\fR tsa_section]
-[\fB\-queryfile\fR request.tsq]
-[\fB\-passin\fR password_src]
-[\fB\-signer\fR tsa_cert.pem]
-[\fB\-inkey\fR file_or_id]
+[\fB\-config\fR \fIconfigfile\fR]
+[\fB\-section\fR \fItsa_section\fR]
+[\fB\-queryfile\fR \fIrequest.tsq\fR]
+[\fB\-passin\fR \fIpassword_src\fR]
+[\fB\-signer\fR \fItsa_cert.pem\fR]
+[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-\f(BIdigest\fB\fR]
-[\fB\-chain\fR certs_file.pem]
-[\fB\-tspolicy\fR object_id]
-[\fB\-in\fR response.tsr]
+[\fB\-chain\fR \fIcerts_file.pem\fR]
+[\fB\-tspolicy\fR \fIobject_id\fR]
+[\fB\-in\fR \fIresponse.tsr\fR]
[\fB\-token_in\fR]
-[\fB\-out\fR response.tsr]
+[\fB\-out\fR \fIresponse.tsr\fR]
[\fB\-token_out\fR]
[\fB\-text\fR]
-[\fB\-engine\fR id]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-verify\fR
-[\fB\-data\fR file_to_hash]
-[\fB\-digest\fR digest_bytes]
-[\fB\-queryfile\fR request.tsq]
-[\fB\-in\fR response.tsr]
+[\fB\-data\fR \fIfile_to_hash\fR]
+[\fB\-digest\fR \fIdigest_bytes\fR]
+[\fB\-queryfile\fR \fIrequest.tsq\fR]
+[\fB\-in\fR \fIresponse.tsr\fR]
[\fB\-token_in\fR]
-[\fB\-CApath\fR trusted_cert_path]
-[\fB\-CAfile\fR trusted_certs.pem]
-[\fB\-untrusted\fR cert_file.pem]
-[\fIverify options\fR]
-.PP
-\&\fIverify options:\fR
-[\-attime timestamp]
-[\-check_ss_sig]
-[\-crl_check]
-[\-crl_check_all]
-[\-explicit_policy]
-[\-extended_crl]
-[\-ignore_critical]
-[\-inhibit_any]
-[\-inhibit_map]
-[\-issuer_checks]
-[\-no_alt_chains]
-[\-no_check_time]
-[\-partial_chain]
-[\-policy arg]
-[\-policy_check]
-[\-policy_print]
-[\-purpose purpose]
-[\-suiteB_128]
-[\-suiteB_128_only]
-[\-suiteB_192]
-[\-trusted_first]
-[\-use_deltas]
-[\-auth_level num]
-[\-verify_depth num]
-[\-verify_email email]
-[\-verify_hostname hostname]
-[\-verify_ip ip]
-[\-verify_name name]
-[\-x509_strict]
+[\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR]
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server
-application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
+This command is a basic Time Stamping Authority (\s-1TSA\s0) client and
+server application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
@@ -237,9 +246,9 @@ The \s-1TSA\s0 client receives the timestamp token and verifies the
signature on it. It also checks if the token contains the same hash
value that it had sent to the \s-1TSA.\s0
.PP
-There is one \s-1DER\s0 encoded protocol data unit defined for transporting
-a timestamp request to the \s-1TSA\s0 and one for sending the timestamp response
-back to the client. The \fBts\fR command has three main functions:
+There is one \s-1DER\s0 encoded protocol data unit defined for transporting a
+timestamp request to the \s-1TSA\s0 and one for sending the timestamp response
+back to the client. This command has three main functions:
creating a timestamp request based on a data file,
creating a timestamp response based on a request, verifying if a
response corresponds to a particular request or a data file.
@@ -249,32 +258,33 @@ over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users mu
requests either by ftp or e\-mail.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.SS "Time Stamp Request generation"
-.IX Subsection "Time Stamp Request generation"
-The \fB\-query\fR switch can be used for creating and printing a timestamp
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-query\fR" 4
+.IX Item "-query"
+Generate a \s-1TS\s0 query. For details see \*(L"Timestamp Request generation\*(R".
+.IP "\fB\-reply\fR" 4
+.IX Item "-reply"
+Generate a \s-1TS\s0 reply. For details see \*(L"Timestamp Response generation\*(R".
+.IP "\fB\-verify\fR" 4
+.IX Item "-verify"
+Verify a \s-1TS\s0 response. For details see \*(L"Timestamp Response verification\*(R".
+.SS "Timestamp Request generation"
+.IX Subsection "Timestamp Request generation"
+The \fB\-query\fR command can be used for creating and printing a timestamp
request with the following options:
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-config\fR configfile" 4
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
-.IP "\fB\-data\fR file_to_hash" 4
+.IP "\fB\-data\fR \fIfile_to_hash\fR" 4
.IX Item "-data file_to_hash"
The data file for which the timestamp request needs to be
created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
parameter is specified. (Optional)
-.IP "\fB\-digest\fR digest_bytes" 4
+.IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
.IX Item "-digest digest_bytes"
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
@@ -284,9 +294,9 @@ in use. (Optional)
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The message digest to apply to the data file.
-Any digest supported by the OpenSSL \fBdgst\fR command can be used.
-The default is \s-1SHA\-1.\s0 (Optional)
-.IP "\fB\-tspolicy\fR object_id" 4
+Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
+The default is \s-1SHA\-256.\s0 (Optional)
+.IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
.IX Item "-tspolicy object_id"
The policy that the client expects the \s-1TSA\s0 to use for creating the
timestamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined
@@ -302,13 +312,13 @@ protect against replay-attacks. (Optional)
.IX Item "-cert"
The \s-1TSA\s0 is expected to include its signing certificate in the
response. (Optional)
-.IP "\fB\-in\fR request.tsq" 4
+.IP "\fB\-in\fR \fIrequest.tsq\fR" 4
.IX Item "-in request.tsq"
This option specifies a previously created timestamp request in \s-1DER\s0
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
-.IP "\fB\-out\fR request.tsq" 4
+.IP "\fB\-out\fR \fIrequest.tsq\fR" 4
.IX Item "-out request.tsq"
Name of the output file to which the request will be written. Default
is stdout. (Optional)
@@ -316,8 +326,11 @@ is stdout. (Optional)
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
-.SS "Time Stamp Response generation"
-.IX Subsection "Time Stamp Response generation"
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.SS "Timestamp Response generation"
+.IX Subsection "Timestamp Response generation"
A timestamp response (TimeStampResp) consists of a response status
and the timestamp token itself (ContentInfo), if the token generation was
successful. The \fB\-reply\fR command is for creating a timestamp
@@ -325,42 +338,40 @@ response or timestamp token based on a request and printing the
response/token in human-readable format. If \fB\-token_out\fR is not
specified the output is always a timestamp response (TimeStampResp),
otherwise it is a timestamp token (ContentInfo).
-.IP "\fB\-config\fR configfile" 4
+.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
-See \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for configurable variables.
-.IP "\fB\-section\fR tsa_section" 4
+See \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for configurable variables.
+.IP "\fB\-section\fR \fItsa_section\fR" 4
.IX Item "-section tsa_section"
The name of the config file section containing the settings for the
response generation. If not specified the default \s-1TSA\s0 section is
-used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional)
-.IP "\fB\-queryfile\fR request.tsq" 4
+used, see \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for details. (Optional)
+.IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
.IX Item "-queryfile request.tsq"
The name of the file containing a \s-1DER\s0 encoded timestamp request. (Optional)
-.IP "\fB\-passin\fR password_src" 4
+.IP "\fB\-passin\fR \fIpassword_src\fR" 4
.IX Item "-passin password_src"
Specifies the password source for the private key of the \s-1TSA.\s0 See
-\&\*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1). (Optional)
-.IP "\fB\-signer\fR tsa_cert.pem" 4
+description in \fBopenssl\fR\|(1). (Optional)
+.IP "\fB\-signer\fR \fItsa_cert.pem\fR" 4
.IX Item "-signer tsa_cert.pem"
The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
certificate must have exactly one extended key usage assigned to it:
timeStamping. The extended key usage must also be critical, otherwise
the certificate is going to be refused. Overrides the \fBsigner_cert\fR
variable of the config file. (Optional)
-.IP "\fB\-inkey\fR file_or_id" 4
-.IX Item "-inkey file_or_id"
+.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-inkey filename|uri"
The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the
\&\fBsigner_key\fR config file option. (Optional)
-If no engine is used, the argument is taken as a file; if an engine is
-specified, the argument is given to the engine as a key identifier.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
Signing digest to use. Overrides the \fBsigner_digest\fR config file
option. (Mandatory unless specified in the config file)
-.IP "\fB\-chain\fR certs_file.pem" 4
+.IP "\fB\-chain\fR \fIcerts_file.pem\fR" 4
.IX Item "-chain certs_file.pem"
The collection of certificates in \s-1PEM\s0 format that will all
be included in the response in addition to the signer certificate if
@@ -368,13 +379,13 @@ the \fB\-cert\fR option was used for the request. This file is supposed to
contain the certificate chain for the signer certificate from its
issuer upwards. The \fB\-reply\fR command does not build a certificate
chain automatically. (Optional)
-.IP "\fB\-tspolicy\fR object_id" 4
+.IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
.IX Item "-tspolicy object_id"
The default policy to use for the response unless the client
explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified
either in dotted notation or with its name. Overrides the
\&\fBdefault_policy\fR config file option. (Optional)
-.IP "\fB\-in\fR response.tsr" 4
+.IP "\fB\-in\fR \fIresponse.tsr\fR" 4
.IX Item "-in response.tsr"
Specifies a previously created timestamp response or timestamp token
(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written
@@ -388,7 +399,7 @@ the input is a token and the output is a timestamp response a default
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
-.IP "\fB\-out\fR response.tsr" 4
+.IP "\fB\-out\fR \fIresponse.tsr\fR" 4
.IX Item "-out response.tsr"
The response is written to this file. The format and content of the
file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
@@ -401,34 +412,41 @@ response (TimeStampResp). (Optional)
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
-.IP "\fB\-engine\fR id" 4
+.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms. Default is builtin. (Optional)
-.SS "Time Stamp Response verification"
-.IX Subsection "Time Stamp Response verification"
-The \fB\-verify\fR command is for verifying if a timestamp response or
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.SS "Timestamp Response verification"
+.IX Subsection "Timestamp Response verification"
+The \fB\-verify\fR command is for verifying if a timestamp response or
timestamp token is valid and matches a particular timestamp request or
data file. The \fB\-verify\fR command does not use the configuration file.
-.IP "\fB\-data\fR file_to_hash" 4
+.IP "\fB\-data\fR \fIfile_to_hash\fR" 4
.IX Item "-data file_to_hash"
The response or token must be verified against file_to_hash. The file
is hashed with the message digest algorithm specified in the token.
The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
(Optional)
-.IP "\fB\-digest\fR digest_bytes" 4
+.IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
.IX Item "-digest digest_bytes"
The response or token must be verified against the message digest specified
with this option. The number of bytes must match the message digest algorithm
specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
specified with this one. (Optional)
-.IP "\fB\-queryfile\fR request.tsq" 4
+.IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
.IX Item "-queryfile request.tsq"
The original timestamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR
options must not be specified with this one. (Optional)
-.IP "\fB\-in\fR response.tsr" 4
+.IP "\fB\-in\fR \fIresponse.tsr\fR" 4
.IX Item "-in response.tsr"
The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandatory)
.IP "\fB\-token_in\fR" 4
@@ -436,36 +454,26 @@ The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandator
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
-.IP "\fB\-CApath\fR trusted_cert_path" 4
-.IX Item "-CApath trusted_cert_path"
-The name of the directory containing the trusted \s-1CA\s0 certificates of the
-client. See the similar option of \fBverify\fR\|(1) for additional
-details. Either this option or \fB\-CAfile\fR must be specified. (Optional)
-.IP "\fB\-CAfile\fR trusted_certs.pem" 4
-.IX Item "-CAfile trusted_certs.pem"
-The name of the file containing a set of trusted self-signed \s-1CA\s0
-certificates in \s-1PEM\s0 format. See the similar option of
-\&\fBverify\fR\|(1) for additional details. Either this option
-or \fB\-CApath\fR must be specified.
-(Optional)
-.IP "\fB\-untrusted\fR cert_file.pem" 4
-.IX Item "-untrusted cert_file.pem"
-Set of additional untrusted certificates in \s-1PEM\s0 format which may be
-needed when building the certificate chain for the \s-1TSA\s0's signing
-certificate. This file must contain the \s-1TSA\s0 signing certificate and
-all intermediate \s-1CA\s0 certificates unless the response includes them.
+.IP "\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR" 4
+.IX Item "-untrusted files|uris"
+A set of additional untrusted certificates which may be
+needed when building the certificate chain for the \s-1TSA\s0's signing certificate.
+These do not need to contain the \s-1TSA\s0 signing certificate and intermediate \s-1CA\s0
+certificates as far as the response already includes them.
(Optional)
-.IP "\fIverify options\fR" 4
-.IX Item "verify options"
-The options \fB\-attime timestamp\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR,
-\&\fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR,
-\&\fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-issuer_checks\fR, \fB\-no_alt_chains\fR,
-\&\fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR,
-\&\fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR,
-\&\fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR,
-\&\fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR,
-\&\fB\-verify_name\fR, and \fB\-x509_strict\fR can be used to control timestamp
-verification. See \fBverify\fR\|(1).
+.Sp
+Multiple sources may be given, separated by commas and/or whitespace.
+Each file may contain multiple certificates.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-CAstore\fR \fIuri\fR" 4
+.IX Item "-CAfile file, -CApath dir, -CAstore uri"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+At least one of \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR must be specified.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+Any verification errors cause the command to exit.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file.
@@ -484,13 +492,21 @@ that contains all the options for the \fB\-reply\fR command. This default
section can be overridden with the \fB\-section\fR command line switch. (Optional)
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
-See \fBca\fR\|(1) for description. (Optional)
+This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
+Each line of the file should consist of the numerical form of the
+object identifier followed by whitespace then the short name followed
+by whitespace and finally the long name. (Optional)
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
-See \fBca\fR\|(1) for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by \fB=\fR and the numerical form. The short
+and long names are the same when this option is used. (Optional)
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
-See \fBca\fR\|(1) for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
+not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.
.IP "\fBserial\fR" 4
.IX Item "serial"
The name of the file containing the hexadecimal serial number of the
@@ -500,7 +516,7 @@ generation a new file is created with serial number 1. (Mandatory)
.IP "\fBcrypto_device\fR" 4
.IX Item "crypto_device"
Specifies the OpenSSL engine that will be set as the default for
-all available algorithms. The default value is builtin, you can specify
+all available algorithms. The default value is built-in, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0).
(Optional)
.IP "\fBsigner_cert\fR" 4
@@ -559,12 +575,13 @@ the \s-1TSA\s0 name field of the response. Default is no. (Optional)
.IX Item "ess_cert_id_chain"
The SignedData objects created by the \s-1TSA\s0 always contain the
certificate identifier of the signing certificate in a signed
-attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). If this option
-is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option
+attribute (see \s-1RFC 2634,\s0 Enhanced Security Services).
+If this variable is set to no, only this signing certificate identifier
+is included in the SigningCertificate signed attribute.
+If this variable is set to yes and the \fBcerts\fR variable or the \fB\-chain\fR option
is specified then the certificate identifiers of the chain will also
-be included in the SigningCertificate signed attribute. If this
-variable is set to no, only the signing certificate identifier is
-included. Default is no. (Optional)
+be included, where the \fB\-chain\fR option overrides the \fBcerts\fR variable.
+Default is no. (Optional)
.IP "\fBess_cert_id_alg\fR" 4
.IX Item "ess_cert_id_alg"
This option specifies the hash function to be used to calculate the \s-1TSA\s0's
@@ -573,11 +590,12 @@ public key certificate identifier. Default is sha1. (Optional)
.IX Header "EXAMPLES"
All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
configuration file, e.g. the example configuration file
-openssl/apps/openssl.cnf will do.
-.SS "Time Stamp Request"
-.IX Subsection "Time Stamp Request"
-To create a timestamp request for design1.txt with \s-1SHA\-1\s0
-without nonce and policy and no certificate is required in the response:
+\&\fIopenssl/apps/openssl.cnf\fR will do.
+.SS "Timestamp Request"
+.IX Subsection "Timestamp Request"
+To create a timestamp request for \fIdesign1.txt\fR with \s-1SHA\-256\s0 digest,
+without nonce and policy, and without requirement for a certificate
+in the response:
.PP
.Vb 2
\& openssl ts \-query \-data design1.txt \-no_nonce \e
@@ -598,17 +616,17 @@ To print the content of the previous request in human readable format:
\& openssl ts \-query \-in design1.tsq \-text
.Ve
.PP
-To create a timestamp request which includes the \s-1MD\-5\s0 digest
-of design2.txt, requests the signer certificate and nonce,
+To create a timestamp request which includes the \s-1SHA\-512\s0 digest
+of \fIdesign2.txt\fR, requests the signer certificate and nonce, and
specifies a policy id (assuming the tsa_policy1 name is defined in the
\&\s-1OID\s0 section of the config file):
.PP
.Vb 2
-\& openssl ts \-query \-data design2.txt \-md5 \e
+\& openssl ts \-query \-data design2.txt \-sha512 \e
\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq
.Ve
-.SS "Time Stamp Response"
-.IX Subsection "Time Stamp Response"
+.SS "Timestamp Response"
+.IX Subsection "Timestamp Response"
Before generating a response a signing certificate must be created for
the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension
without any other key usage extensions. You can add this line to the
@@ -618,10 +636,10 @@ user certificate section of the config file to generate a proper certificate;
\& extendedKeyUsage = critical,timeStamping
.Ve
.PP
-See \fBreq\fR\|(1), \fBca\fR\|(1), and \fBx509\fR\|(1) for instructions. The examples
-below assume that cacert.pem contains the certificate of the \s-1CA,\s0
-tsacert.pem is the signing certificate issued by cacert.pem and
-tsakey.pem is the private key of the \s-1TSA.\s0
+See \fBopenssl\-req\fR\|(1), \fBopenssl\-ca\fR\|(1), and \fBopenssl\-x509\fR\|(1) for
+instructions. The examples below assume that \fIcacert.pem\fR contains the
+certificate of the \s-1CA,\s0 \fItsacert.pem\fR is the signing certificate issued
+by \fIcacert.pem\fR and \fItsakey.pem\fR is the private key of the \s-1TSA.\s0
.PP
To create a timestamp response for a request:
.PP
@@ -666,8 +684,8 @@ valid response:
.Vb 1
\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
.Ve
-.SS "Time Stamp Verification"
-.IX Subsection "Time Stamp Verification"
+.SS "Timestamp Verification"
+.IX Subsection "Timestamp Verification"
To verify a timestamp reply against a request:
.PP
.Vb 2
@@ -712,16 +730,29 @@ The source code should really be reviewed by somebody else, too.
.IP "\(bu" 2
More testing is needed, I have done only some basic tests (see
test/testtsa).
+.SH "HISTORY"
+.IX Header "HISTORY"
+OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBtsget\fR\|(1), \fBopenssl\fR\|(1), \fBreq\fR\|(1),
-\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBconfig\fR\|(5)
+\&\fBopenssl\fR\|(1),
+\&\fBtsget\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBconfig\fR\|(5),
+\&\fBossl_store\-file\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-verification-options.1 b/secure/usr.bin/openssl/man/openssl-verification-options.1
new file mode 100644
index 000000000000..a3a517c50f6f
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-verification-options.1
@@ -0,0 +1,708 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-VERIFICATION-OPTIONS 1ossl"
+.TH OPENSSL-VERIFICATION-OPTIONS 1ossl "2023-09-19" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-verification\-options \- generic X.509 certificate verification options
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR
+\&\fIcommand\fR
+[ \fIoptions\fR ... ]
+[ \fIparameters\fR ... ]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+There are many situations where X.509 certificates are verified
+within the OpenSSL libraries and in various OpenSSL commands.
+.PP
+Certificate verification is implemented by \fBX509_verify_cert\fR\|(3).
+It is a complicated process consisting of a number of steps
+and depending on numerous options.
+The most important of them are detailed in the following sections.
+.PP
+In a nutshell, a valid chain of certificates needs to be built up and verified
+starting from the \fItarget certificate\fR that is to be verified
+and ending in a certificate that due to some policy is trusted.
+Verification is done relative to the given \fIpurpose\fR, which is the intended use
+of the target certificate, such as \s-1SSL\s0 server, or by default for any purpose.
+.PP
+The details of how each OpenSSL command handles errors
+are documented on the specific command page.
+.PP
+\&\s-1DANE\s0 support is documented in \fBopenssl\-s_client\fR\|(1),
+\&\fBSSL_CTX_dane_enable\fR\|(3), \fBSSL_set1_host\fR\|(3),
+\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3), and \fBX509_check_host\fR\|(3).
+.SS "Trust Anchors"
+.IX Subsection "Trust Anchors"
+In general, according to \s-1RFC 4158\s0 and \s-1RFC 5280,\s0 a \fItrust anchor\fR is
+any public key and related subject distinguished name (\s-1DN\s0) that
+for some reason is considered trusted
+and thus is acceptable as the root of a chain of certificates.
+.PP
+In practice, trust anchors are given in the form of certificates,
+where their essential fields are the public key and the subject \s-1DN.\s0
+In addition to the requirements in \s-1RFC 5280,\s0
+OpenSSL checks the validity period of such certificates
+and makes use of some further fields.
+In particular, the subject key identifier extension, if present,
+is used for matching trust anchors during chain building.
+.PP
+In the most simple and common case, trust anchors are by default
+all self-signed \*(L"root\*(R" \s-1CA\s0 certificates that are placed in the \fItrust store\fR,
+which is a collection of certificates that are trusted for certain uses.
+This is akin to what is used in the trust stores of Mozilla Firefox,
+or Apple's and Microsoft's certificate stores, ...
+.PP
+From the OpenSSL perspective, a trust anchor is a certificate
+that should be augmented with an explicit designation for which
+uses of a target certificate the certificate may serve as a trust anchor.
+In \s-1PEM\s0 encoding, this is indicated by the \f(CW\*(C`TRUSTED CERTIFICATE\*(C'\fR string.
+Such a designation provides a set of positive trust attributes
+explicitly stating trust for the listed purposes
+and/or a set of negative trust attributes
+explicitly rejecting the use for the listed purposes.
+The purposes are encoded using the values defined for the extended key usages
+(EKUs) that may be given in X.509 extensions of end-entity certificates.
+See also the \*(L"Extended Key Usage\*(R" section below.
+.PP
+The currently recognized uses are
+\&\fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR (\s-1SSL\s0 server use),
+\&\fBemailProtection\fR (S/MIME email use), \fBcodeSigning\fR (object signer use),
+\&\fBOCSPSigning\fR (\s-1OCSP\s0 responder use), \fB\s-1OCSP\s0\fR (\s-1OCSP\s0 request use),
+\&\fBtimeStamping\fR (\s-1TSA\s0 server use), and \fBanyExtendedKeyUsage\fR.
+As of OpenSSL 1.1.0, the last of these blocks all uses when rejected or
+enables all uses when trusted.
+.PP
+A certificate, which may be \s-1CA\s0 certificate or an end-entity certificate,
+is considered a trust anchor for the given use
+if and only if all the following conditions hold:
+.IP "\(bu" 4
+It is an an element of the trust store.
+.IP "\(bu" 4
+It does not have a negative trust attribute rejecting the given use.
+.IP "\(bu" 4
+It has a positive trust attribute accepting the given use
+or (by default) one of the following compatibility conditions apply:
+It is self-signed or the \fB\-partial_chain\fR option is given
+(which corresponds to the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag being set).
+.SS "Certification Path Building"
+.IX Subsection "Certification Path Building"
+First, a certificate chain is built up starting from the target certificate
+and ending in a trust anchor.
+.PP
+The chain is built up iteratively, looking up in turn
+a certificate with suitable key usage that
+matches as an issuer of the current \*(L"subject\*(R" certificate as described below.
+If there is such a certificate, the first one found that is currently valid
+is taken, otherwise the one that expired most recently of all such certificates.
+For efficiency, no backtracking is performed, thus
+any further candidate issuer certificates that would match equally are ignored.
+.PP
+When a self-signed certificate has been added, chain construction stops.
+In this case it must fully match a trust anchor, otherwise chain building fails.
+.PP
+A candidate issuer certificate matches a subject certificate
+if all of the following conditions hold:
+.IP "\(bu" 4
+Its subject name matches the issuer name of the subject certificate.
+.IP "\(bu" 4
+If the subject certificate has an authority key identifier extension,
+each of its sub-fields equals the corresponding subject key identifier, serial
+number, and issuer field of the candidate issuer certificate,
+as far as the respective fields are present in both certificates.
+.IP "\(bu" 4
+The certificate signature algorithm used to sign the subject certificate
+is supported and
+equals the public key algorithm of the candidate issuer certificate.
+.PP
+The lookup first searches for issuer certificates in the trust store.
+If it does not find a match there it consults
+the list of untrusted (\*(L"intermediate\*(R" \s-1CA\s0) certificates, if provided.
+.SS "Certification Path Validation"
+.IX Subsection "Certification Path Validation"
+When the certificate chain building process was successful
+the chain components and their links are checked thoroughly.
+.PP
+The first step is to check that each certificate is well-formed.
+Part of these checks are enabled only if the \fB\-x509_strict\fR option is given.
+.PP
+The second step is to check the extensions of every untrusted certificate
+for consistency with the supplied purpose.
+If the \fB\-purpose\fR option is not given then no such checks are done
+except for \s-1SSL/TLS\s0 connection setup,
+where by default \f(CW\*(C`sslserver\*(C'\fR or \f(CW\*(C`sslclient\*(C'\fR, are checked.
+The target or \*(L"leaf\*(R" certificate, as well as any other untrusted certificates,
+must have extensions compatible with the specified purpose.
+All certificates except the target or \*(L"leaf\*(R" must also be valid \s-1CA\s0 certificates.
+The precise extensions required are described in more detail in
+\&\*(L"\s-1CERTIFICATE EXTENSIONS\*(R"\s0 in \fBopenssl\-x509\fR\|(1).
+.PP
+The third step is to check the trust settings on the last certificate
+(which typically is a self-signed root \s-1CA\s0 certificate).
+It must be trusted for the given use.
+For compatibility with previous versions of OpenSSL, a self-signed certificate
+with no trust attributes is considered to be valid for all uses.
+.PP
+The fourth, and final, step is to check the validity of the certificate chain.
+For each element in the chain, including the root \s-1CA\s0 certificate,
+the validity period as specified by the \f(CW\*(C`notBefore\*(C'\fR and \f(CW\*(C`notAfter\*(C'\fR fields
+is checked against the current system time.
+The \fB\-attime\fR flag may be used to use a reference time other than \*(L"now.\*(R"
+The certificate signature is checked as well
+(except for the signature of the typically self-signed root \s-1CA\s0 certificate,
+which is verified only if the \fB\-check_ss_sig\fR option is given).
+When verifying a certificate signature
+the keyUsage extension (if present) of the candidate issuer certificate
+is checked to permit digitalSignature for signing proxy certificates
+or to permit keyCertSign for signing other certificates, respectively.
+If all operations complete successfully then certificate is considered
+valid. If any operation fails then the certificate is not valid.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Trusted Certificate Options"
+.IX Subsection "Trusted Certificate Options"
+The following options specify how to supply the certificates
+that can be used as trust anchors for certain uses.
+As mentioned, a collection of such certificates is called a \fItrust store\fR.
+.PP
+Note that OpenSSL does not provide a default set of trust anchors. Many
+Linux distributions include a system default and configure OpenSSL to point
+to that. Mozilla maintains an influential trust store that can be found at
+<https://www.mozilla.org/en\-US/about/governance/policies/security\-group/certs/>.
+.PP
+The certificates to add to the trust store
+can be specified using following options.
+.IP "\fB\-CAfile\fR \fIfile\fR" 4
+.IX Item "-CAfile file"
+Load the specified file which contains a certificate
+or several of them in case the input is in \s-1PEM\s0 or PKCS#12 format.
+PEM-encoded certificates may also have trust attributes set.
+.IP "\fB\-no\-CAfile\fR" 4
+.IX Item "-no-CAfile"
+Do not load the default file of trusted certificates.
+.IP "\fB\-CApath\fR \fIdir\fR" 4
+.IX Item "-CApath dir"
+Use the specified directory as a collection of trusted certificates,
+i.e., a trust store.
+Files should be named with the hash value of the X.509 SubjectName of each
+certificate. This is so that the library can extract the IssuerName,
+hash it, and directly lookup the file to get the issuer certificate.
+See \fBopenssl\-rehash\fR\|(1) for information on creating this type of directory.
+.IP "\fB\-no\-CApath\fR" 4
+.IX Item "-no-CApath"
+Do not use the default directory of trusted certificates.
+.IP "\fB\-CAstore\fR \fIuri\fR" 4
+.IX Item "-CAstore uri"
+Use \fIuri\fR as a store of \s-1CA\s0 certificates.
+The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
+With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-CAfile\fR or
+\&\fB\-CApath\fR, depending on if the \s-1URI\s0 indicates a single file or
+directory.
+See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
+.Sp
+These certificates are also used when building the server certificate
+chain (for example with \fBopenssl\-s_server\fR\|(1)) or client certificate
+chain (for example with \fBopenssl\-s_time\fR\|(1)).
+.IP "\fB\-no\-CAstore\fR" 4
+.IX Item "-no-CAstore"
+Do not use the default store of trusted \s-1CA\s0 certificates.
+.SS "Verification Options"
+.IX Subsection "Verification Options"
+The certificate verification can be fine-tuned with the following flags.
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Print extra information about the operations being performed.
+.IP "\fB\-attime\fR \fItimestamp\fR" 4
+.IX Item "-attime timestamp"
+Perform validation checks using time specified by \fItimestamp\fR and not
+current system time. \fItimestamp\fR is the number of seconds since
+January 1, 1970 (i.e., the Unix Epoch).
+.IP "\fB\-no_check_time\fR" 4
+.IX Item "-no_check_time"
+This option suppresses checking the validity period of certificates and CRLs
+against the current time. If option \fB\-attime\fR is used to specify
+a verification time, the check is not suppressed.
+.IP "\fB\-x509_strict\fR" 4
+.IX Item "-x509_strict"
+This disables non-compliant workarounds for broken certificates.
+Thus errors are thrown on certificates not compliant with \s-1RFC 5280.\s0
+.Sp
+When this option is set,
+among others, the following certificate well-formedness conditions are checked:
+.RS 4
+.IP "\(bu" 4
+The basicConstraints of \s-1CA\s0 certificates must be marked critical.
+.IP "\(bu" 4
+\&\s-1CA\s0 certificates must explicitly include the keyUsage extension.
+.IP "\(bu" 4
+If a pathlenConstraint is given the key usage keyCertSign must be allowed.
+.IP "\(bu" 4
+The pathlenConstraint must not be given for non-CA certificates.
+.IP "\(bu" 4
+The issuer name of any certificate must not be empty.
+.IP "\(bu" 4
+The subject name of \s-1CA\s0 certs, certs with keyUsage crlSign, and certs
+without subjectAlternativeName must not be empty.
+.IP "\(bu" 4
+If a subjectAlternativeName extension is given it must not be empty.
+.IP "\(bu" 4
+The signatureAlgorithm field and the cert signature must be consistent.
+.IP "\(bu" 4
+Any given authorityKeyIdentifier and any given subjectKeyIdentifier
+must not be marked critical.
+.IP "\(bu" 4
+The authorityKeyIdentifier must be given for X.509v3 certs unless they
+are self-signed.
+.IP "\(bu" 4
+The subjectKeyIdentifier must be given for all X.509v3 \s-1CA\s0 certs.
+.RE
+.RS 4
+.RE
+.IP "\fB\-ignore_critical\fR" 4
+.IX Item "-ignore_critical"
+Normally if an unhandled critical extension is present that is not
+supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0).
+If this option is set critical extensions are ignored.
+.IP "\fB\-issuer_checks\fR" 4
+.IX Item "-issuer_checks"
+Ignored.
+.IP "\fB\-crl_check\fR" 4
+.IX Item "-crl_check"
+Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
+If a valid \s-1CRL\s0 cannot be found an error occurs.
+.IP "\fB\-crl_check_all\fR" 4
+.IX Item "-crl_check_all"
+Checks the validity of \fBall\fR certificates in the chain by attempting
+to look up valid CRLs.
+.IP "\fB\-use_deltas\fR" 4
+.IX Item "-use_deltas"
+Enable support for delta CRLs.
+.IP "\fB\-extended_crl\fR" 4
+.IX Item "-extended_crl"
+Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
+signing keys.
+.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4
+.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192"
+Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
+192 bit, or only 192 bit Level of Security respectively.
+See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are
+reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves
+P\-256 and P\-384.
+.IP "\fB\-auth_level\fR \fIlevel\fR" 4
+.IX Item "-auth_level level"
+Set the certificate chain authentication security level to \fIlevel\fR.
+The authentication security level determines the acceptable signature and
+public key strength when verifying certificate chains. For a certificate
+chain to validate, the public keys of all the certificates must meet the
+specified security \fIlevel\fR. The signature algorithm security level is
+enforced for all the certificates in the chain except for the chain's
+\&\fItrust anchor\fR, which is either directly trusted or validated by means
+other than its signature. See \fBSSL_CTX_set_security_level\fR\|(3) for the
+definitions of the available levels. The default security level is \-1,
+or \*(L"not set\*(R". At security level 0 or lower all algorithms are acceptable.
+Security level 1 requires at least 80\-bit\-equivalent security and is broadly
+interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0
+keys shorter than 1024 bits.
+.IP "\fB\-partial_chain\fR" 4
+.IX Item "-partial_chain"
+Allow verification to succeed if an incomplete chain can be built.
+That is, a chain ending in a certificate that normally would not be trusted
+(because it has no matching positive trust attributes and is not self-signed)
+but is an element of the trust store.
+This certificate may be self-issued or belong to an intermediate \s-1CA.\s0
+.IP "\fB\-check_ss_sig\fR" 4
+.IX Item "-check_ss_sig"
+Verify the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
+certificate with key usage restrictions not including the keyCertSign bit.
+This verification is disabled by default because it doesn't add any security.
+.IP "\fB\-allow_proxy_certs\fR" 4
+.IX Item "-allow_proxy_certs"
+Allow the verification of proxy certificates.
+.IP "\fB\-trusted_first\fR" 4
+.IX Item "-trusted_first"
+As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
+.Sp
+When constructing the certificate chain, the trusted certificates specified
+via \fB\-CAfile\fR, \fB\-CApath\fR, \fB\-CAstore\fR or \fB\-trusted\fR are always used
+before any certificates specified via \fB\-untrusted\fR.
+.IP "\fB\-no_alt_chains\fR" 4
+.IX Item "-no_alt_chains"
+As of OpenSSL 1.1.0, since \fB\-trusted_first\fR always on, this option has no
+effect.
+.IP "\fB\-trusted\fR \fIfile\fR" 4
+.IX Item "-trusted file"
+Parse \fIfile\fR as a set of one or more certificates.
+Each of them qualifies as trusted if has a suitable positive trust attribute
+or it is self-signed or the \fB\-partial_chain\fR option is specified.
+This option implies the \fB\-no\-CAfile\fR, \fB\-no\-CApath\fR, and \fB\-no\-CAstore\fR options
+and it cannot be used with the \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR options, so
+only certificates specified using the \fB\-trusted\fR option are trust anchors.
+This option may be used multiple times.
+.IP "\fB\-untrusted\fR \fIfile\fR" 4
+.IX Item "-untrusted file"
+Parse \fIfile\fR as a set of one or more certificates.
+All certificates (typically of intermediate CAs) are considered untrusted
+and may be used to
+construct a certificate chain from the target certificate to a trust anchor.
+This option may be used multiple times.
+.IP "\fB\-policy\fR \fIarg\fR" 4
+.IX Item "-policy arg"
+Enable policy processing and add \fIarg\fR to the user-initial-policy-set (see
+\&\s-1RFC5280\s0). The policy \fIarg\fR can be an object name an \s-1OID\s0 in numeric form.
+This argument can appear more than once.
+.IP "\fB\-explicit_policy\fR" 4
+.IX Item "-explicit_policy"
+Set policy variable require-explicit-policy (see \s-1RFC5280\s0).
+.IP "\fB\-policy_check\fR" 4
+.IX Item "-policy_check"
+Enables certificate policy processing.
+.IP "\fB\-policy_print\fR" 4
+.IX Item "-policy_print"
+Print out diagnostics related to policy processing.
+.IP "\fB\-inhibit_any\fR" 4
+.IX Item "-inhibit_any"
+Set policy variable inhibit-any-policy (see \s-1RFC5280\s0).
+.IP "\fB\-inhibit_map\fR" 4
+.IX Item "-inhibit_map"
+Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
+.IP "\fB\-purpose\fR \fIpurpose\fR" 4
+.IX Item "-purpose purpose"
+The intended use for the certificate.
+Currently defined purposes are \f(CW\*(C`sslclient\*(C'\fR, \f(CW\*(C`sslserver\*(C'\fR, \f(CW\*(C`nssslserver\*(C'\fR,
+\&\f(CW\*(C`smimesign\*(C'\fR, \f(CW\*(C`smimeencrypt\*(C'\fR, \f(CW\*(C`crlsign\*(C'\fR, \f(CW\*(C`ocsphelper\*(C'\fR, \f(CW\*(C`timestampsign\*(C'\fR,
+and \f(CW\*(C`any\*(C'\fR.
+If peer certificate verification is enabled, by default the \s-1TLS\s0 implementation
+as well as the commands \fBs_client\fR and \fBs_server\fR check for consistency
+with \s-1TLS\s0 server or \s-1TLS\s0 client use, respectively.
+.Sp
+While \s-1IETF RFC 5280\s0 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR
+are only for \s-1WWW\s0 use, in practice they are used for all kinds of \s-1TLS\s0 clients
+and servers, and this is what OpenSSL assumes as well.
+.IP "\fB\-verify_depth\fR \fInum\fR" 4
+.IX Item "-verify_depth num"
+Limit the certificate chain to \fInum\fR intermediate \s-1CA\s0 certificates.
+A maximal depth chain can have up to \fInum\fR+2 certificates, since neither the
+end-entity certificate nor the trust-anchor certificate count against the
+\&\fB\-verify_depth\fR limit.
+.IP "\fB\-verify_email\fR \fIemail\fR" 4
+.IX Item "-verify_email email"
+Verify if \fIemail\fR matches the email address in Subject Alternative Name or
+the email in the subject Distinguished Name.
+.IP "\fB\-verify_hostname\fR \fIhostname\fR" 4
+.IX Item "-verify_hostname hostname"
+Verify if \fIhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or
+Common Name in the subject certificate.
+.IP "\fB\-verify_ip\fR \fIip\fR" 4
+.IX Item "-verify_ip ip"
+Verify if \fIip\fR matches the \s-1IP\s0 address in Subject Alternative Name of
+the subject certificate.
+.IP "\fB\-verify_name\fR \fIname\fR" 4
+.IX Item "-verify_name name"
+Use default verification policies like trust model and required certificate
+policies identified by \fIname\fR.
+The trust model determines which auxiliary trust or reject OIDs are applicable
+to verifying the given certificate chain.
+They can be given using the \fB\-addtrust\fR and \fB\-addreject\fR options
+for \fBopenssl\-x509\fR\|(1).
+Supported policy names include: \fBdefault\fR, \fBpkcs7\fR, \fBsmime_sign\fR,
+\&\fBssl_client\fR, \fBssl_server\fR.
+These mimics the combinations of purpose and trust settings used in \s-1SSL, CMS\s0
+and S/MIME.
+As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
+specified, so the \fB\-verify_name\fR options are functionally equivalent to the
+corresponding \fB\-purpose\fR settings.
+.SS "Extended Verification Options"
+.IX Subsection "Extended Verification Options"
+Sometimes there may be more than one certificate chain leading to an
+end-entity certificate.
+This usually happens when a root or intermediate \s-1CA\s0 signs a certificate
+for another a \s-1CA\s0 in other organization.
+Another reason is when a \s-1CA\s0 might have intermediates that use two different
+signature formats, such as a \s-1SHA\-1\s0 and a \s-1SHA\-256\s0 digest.
+.PP
+The following options can be used to provide data that will allow the
+OpenSSL command to generate an alternative chain.
+.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIinfile\fR, \fB\-xchain\fR" 4
+.IX Item "-xkey infile, -xcert infile, -xchain"
+Specify an extra certificate, private key and certificate chain. These behave
+in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
+specified, the callback returning the first valid chain will be in use by the
+client.
+.IP "\fB\-xchain_build\fR" 4
+.IX Item "-xchain_build"
+Specify whether the application should build the certificate chain to be
+provided to the server for the extra certificates via the \fB\-xkey\fR,
+\&\fB\-xcert\fR, and \fB\-xchain\fR options.
+.IP "\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-xcertform DER|PEM|P12"
+The input format for the extra certificate.
+This option has no effect and is retained for backward compatibility only.
+.IP "\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
+.IX Item "-xkeyform DER|PEM|P12"
+The input format for the extra key.
+This option has no effect and is retained for backward compatibility only.
+.SS "Certificate Extensions"
+.IX Subsection "Certificate Extensions"
+Options like \fB\-purpose\fR lead to checking the certificate extensions,
+which determine what the target certificate and intermediate \s-1CA\s0 certificates
+can be used for.
+.PP
+\fIBasic Constraints\fR
+.IX Subsection "Basic Constraints"
+.PP
+The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
+certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
+if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the
+\&\s-1CA\s0 flag set to true.
+.PP
+If the basicConstraints extension is absent,
+which includes the case that it is an X.509v1 certificate,
+then the certificate is considered to be a \*(L"possible \s-1CA\*(R"\s0 and
+other extensions are checked according to the intended use of the certificate.
+The treatment of certificates without basicConstraints as a \s-1CA\s0
+is presently supported, but this could change in the future.
+.PP
+\fIKey Usage\fR
+.IX Subsection "Key Usage"
+.PP
+If the keyUsage extension is present then additional restraints are
+made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
+keyCertSign bit set if the keyUsage extension is present.
+.PP
+\fIExtended Key Usage\fR
+.IX Subsection "Extended Key Usage"
+.PP
+The extKeyUsage (\s-1EKU\s0) extension places additional restrictions on the
+certificate uses. If this extension is present (whether critical or not)
+the key can only be used for the purposes specified.
+.PP
+A complete description of each check is given below. The comments about
+basicConstraints and keyUsage and X.509v1 certificates above apply to \fBall\fR
+\&\s-1CA\s0 certificates.
+.IP "\fB\s-1SSL\s0 Client\fR" 4
+.IX Item "SSL Client"
+The extended key usage extension must be absent or include the \*(L"web client
+authentication\*(R" \s-1OID.\s0 The keyUsage extension must be absent or it must have the
+digitalSignature bit set. The Netscape certificate type must be absent
+or it must have the \s-1SSL\s0 client bit set.
+.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
+.IX Item "SSL Client CA"
+The extended key usage extension must be absent or include the \*(L"web client
+authentication\*(R" \s-1OID.\s0
+The Netscape certificate type must be absent or it must have the \s-1SSL CA\s0 bit set.
+This is used as a work around if the basicConstraints extension is absent.
+.IP "\fB\s-1SSL\s0 Server\fR" 4
+.IX Item "SSL Server"
+The extended key usage extension must be absent or include the \*(L"web server
+authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. The keyUsage extension must be
+absent or it
+must have the digitalSignature, the keyEncipherment set or both bits set.
+The Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
+.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
+.IX Item "SSL Server CA"
+The extended key usage extension must be absent or include the \*(L"web server
+authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. The Netscape certificate type must
+be absent or the \s-1SSL CA\s0 bit must be set.
+This is used as a work around if the basicConstraints extension is absent.
+.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
+.IX Item "Netscape SSL Server"
+For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
+keyEncipherment bit set if the keyUsage extension is present. This isn't
+always valid because some cipher suites use the key for digital signing.
+Otherwise it is the same as a normal \s-1SSL\s0 server.
+.IP "\fBCommon S/MIME Client Tests\fR" 4
+.IX Item "Common S/MIME Client Tests"
+The extended key usage extension must be absent or include the \*(L"email
+protection\*(R" \s-1OID.\s0 The Netscape certificate type must be absent or should have the
+S/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type
+then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown.
+This is because some Verisign certificates don't set the S/MIME bit.
+.IP "\fBS/MIME Signing\fR" 4
+.IX Item "S/MIME Signing"
+In addition to the common S/MIME client tests the digitalSignature bit or
+the nonRepudiation bit must be set if the keyUsage extension is present.
+.IP "\fBS/MIME Encryption\fR" 4
+.IX Item "S/MIME Encryption"
+In addition to the common S/MIME tests the keyEncipherment bit must be set
+if the keyUsage extension is present.
+.IP "\fBS/MIME \s-1CA\s0\fR" 4
+.IX Item "S/MIME CA"
+The extended key usage extension must be absent or include the \*(L"email
+protection\*(R" \s-1OID.\s0 The Netscape certificate type must be absent or must have the
+S/MIME \s-1CA\s0 bit set.
+This is used as a work around if the basicConstraints extension is absent.
+.IP "\fB\s-1CRL\s0 Signing\fR" 4
+.IX Item "CRL Signing"
+The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
+set.
+.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
+.IX Item "CRL Signing CA"
+The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
+must be present.
+.SH "BUGS"
+.IX Header "BUGS"
+The issuer checks still suffer from limitations in the underlying X509_LOOKUP
+\&\s-1API.\s0 One consequence of this is that trusted certificates with matching
+subject name must appear in a file (as specified by the \fB\-CAfile\fR option),
+a directory (as specified by \fB\-CApath\fR),
+or a store (as specified by \fB\-CAstore\fR).
+If there are multiple such matches, possibly in multiple locations,
+only the first one (in the mentioned order of locations) is recognised.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_verify_cert\fR\|(3),
+\&\fBopenssl\-verify\fR\|(1),
+\&\fBopenssl\-ocsp\fR\|(1),
+\&\fBopenssl\-ts\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-smime\fR\|(1),
+\&\fBopenssl\-cmp\fR\|(1),
+\&\fBopenssl\-cms\fR\|(1)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The checks enabled by \fB\-x509_strict\fR have been extended in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-verify.1 b/secure/usr.bin/openssl/man/openssl-verify.1
new file mode 100644
index 000000000000..01c43f95f7c9
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-verify.1
@@ -0,0 +1,314 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-VERIFY 1ossl"
+.TH OPENSSL-VERIFY 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-verify \- certificate verification command
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBverify\fR
+[\fB\-help\fR]
+[\fB\-CRLfile\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-crl_download\fR]
+[\fB\-show_chain\fR]
+[\fB\-verbose\fR]
+[\fB\-trusted\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-untrusted\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-\-\fR]
+[\fIcertificate\fR ...]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command verifies certificate chains. If a certificate chain has multiple
+problems, this program attempts to display all of them.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-CRLfile\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-CRLfile filename|uri"
+The file or \s-1URI\s0 should contain one or more CRLs in \s-1PEM\s0 or \s-1DER\s0 format.
+This option can be specified more than once to include CRLs from multiple
+sources.
+.IP "\fB\-crl_download\fR" 4
+.IX Item "-crl_download"
+Attempt to download \s-1CRL\s0 information for certificates via their \s-1CDP\s0 entries.
+.IP "\fB\-show_chain\fR" 4
+.IX Item "-show_chain"
+Display information about the certificate chain that has been built (if
+successful). Certificates in the chain that came from the untrusted list will be
+flagged as \*(L"untrusted\*(R".
+.IP "\fB\-verbose\fR" 4
+.IX Item "-verbose"
+Print extra information about the operations being performed.
+.IP "\fB\-trusted\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-trusted filename|uri"
+A file or \s-1URI\s0 of (more or less) trusted certificates.
+See \fBopenssl\-verification\-options\fR\|(1) for more information on trust settings.
+.Sp
+This option can be specified more than once to load certificates from multiple
+sources.
+.IP "\fB\-untrusted\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-untrusted filename|uri"
+A file or \s-1URI\s0 of untrusted certificates to use for chain building.
+This option can be specified more than once to load certificates from multiple
+sources.
+.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-vfyopt nm:v"
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.Sp
+To load certificates or CRLs that require engine support, specify the
+\&\fB\-engine\fR option before any of the
+\&\fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-\-\fR" 4
+.IX Item "--"
+Indicates the last option. All arguments following this are assumed to be
+certificate files. This is useful if the first certificate filename begins
+with a \fB\-\fR.
+.IP "\fIcertificate\fR ..." 4
+.IX Item "certificate ..."
+One or more target certificates to verify, one per file. If no certificates are
+given, this command will attempt to read a single certificate from standard
+input.
+.SH "DIAGNOSTICS"
+.IX Header "DIAGNOSTICS"
+When a verify operation fails the output messages can be somewhat cryptic. The
+general form of the error message is:
+.PP
+.Vb 2
+\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+\& error 24 at 1 depth lookup:invalid CA certificate
+.Ve
+.PP
+The first line contains the name of the certificate being verified followed by
+the subject name of the certificate. The second line contains the error number
+and the depth. The depth is number of the certificate being verified when a
+problem was detected starting with zero for the target (\*(L"leaf\*(R") certificate
+itself then 1 for the \s-1CA\s0 that signed the target certificate and so on.
+Finally a textual version of the error number is presented.
+.PP
+A list of the error codes and messages can be found in
+\&\fBX509_STORE_CTX_get_error\fR\|(3); the full list is defined in the header file
+\&\fI<openssl/x509_vfy.h>\fR.
+.PP
+This command ignores many errors, in order to allow all the problems with a
+certificate chain to be determined.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-verification\-options\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBossl_store\-file\fR\|(7)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The \fB\-show_chain\fR option was added in OpenSSL 1.1.0.
+.PP
+The \fB\-engine option\fR was deprecated in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/openssl-version.1
index 7b78d7dbf772..8ff6e8a7878a 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/openssl-version.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,14 +130,14 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "VERSION 1"
-.TH VERSION 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL-VERSION 1ossl"
+.TH OPENSSL-VERSION 1ossl "2023-09-22" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-version, version \- print OpenSSL version information
+openssl\-version \- print OpenSSL version information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl version\fR
@@ -152,6 +150,9 @@ openssl\-version, version \- print OpenSSL version information
[\fB\-p\fR]
[\fB\-d\fR]
[\fB\-e\fR]
+[\fB\-m\fR]
+[\fB\-r\fR]
+[\fB\-c\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to print out version information about OpenSSL.
@@ -183,16 +184,25 @@ Platform setting.
\&\s-1OPENSSLDIR\s0 setting.
.IP "\fB\-e\fR" 4
.IX Item "-e"
-\&\s-1ENGINESDIR\s0 setting.
+\&\s-1ENGINESDIR\s0 settings.
+.IP "\fB\-m\fR" 4
+.IX Item "-m"
+\&\s-1MODULESDIR\s0 settings.
+.IP "\fB\-r\fR" 4
+.IX Item "-r"
+The random number generator source settings.
+.IP "\fB\-c\fR" 4
+.IX Item "-c"
+The OpenSSL \s-1CPU\s0 settings info.
.SH "NOTES"
.IX Header "NOTES"
-The output of \fBopenssl version \-a\fR would typically be used when sending
+The output of \f(CW\*(C`openssl version \-a\*(C'\fR would typically be used when sending
in a bug report.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl-x509.1 b/secure/usr.bin/openssl/man/openssl-x509.1
new file mode 100644
index 000000000000..d27f9ed83ec9
--- /dev/null
+++ b/secure/usr.bin/openssl/man/openssl-x509.1
@@ -0,0 +1,841 @@
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-X509 1ossl"
+.TH OPENSSL-X509 1ossl "2023-09-22" "3.0.11" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+openssl\-x509 \- Certificate display and signing command
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBx509\fR
+[\fB\-help\fR]
+[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-passin\fR \fIarg\fR]
+[\fB\-new\fR]
+[\fB\-x509toreq\fR]
+[\fB\-req\fR]
+[\fB\-copy_extensions\fR \fIarg\fR]
+[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-out\fR \fIfilename\fR]
+[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
+[\fB\-nocert\fR]
+[\fB\-noout\fR]
+[\fB\-dateopt\fR]
+[\fB\-text\fR]
+[\fB\-certopt\fR \fIoption\fR]
+[\fB\-fingerprint\fR]
+[\fB\-alias\fR]
+[\fB\-serial\fR]
+[\fB\-startdate\fR]
+[\fB\-enddate\fR]
+[\fB\-dates\fR]
+[\fB\-subject\fR]
+[\fB\-issuer\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-email\fR]
+[\fB\-hash\fR]
+[\fB\-subject_hash\fR]
+[\fB\-subject_hash_old\fR]
+[\fB\-issuer_hash\fR]
+[\fB\-issuer_hash_old\fR]
+[\fB\-ext\fR \fIextensions\fR]
+[\fB\-ocspid\fR]
+[\fB\-ocsp_uri\fR]
+[\fB\-purpose\fR]
+[\fB\-pubkey\fR]
+[\fB\-modulus\fR]
+[\fB\-checkend\fR \fInum\fR]
+[\fB\-checkhost\fR \fIhost\fR]
+[\fB\-checkemail\fR \fIhost\fR]
+[\fB\-checkip\fR \fIipaddr\fR]
+[\fB\-set_serial\fR \fIn\fR]
+[\fB\-next_serial\fR]
+[\fB\-days\fR \fIarg\fR]
+[\fB\-preserve_dates\fR]
+[\fB\-subj\fR \fIarg\fR]
+[\fB\-force_pubkey\fR \fIfilename\fR]
+[\fB\-clrext\fR]
+[\fB\-extfile\fR \fIfilename\fR]
+[\fB\-extensions\fR \fIsection\fR]
+[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
+[\fB\-badsig\fR]
+[\fB\-\f(BIdigest\fB\fR]
+[\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
+[\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
+[\fB\-CAserial\fR \fIfilename\fR]
+[\fB\-CAcreateserial\fR]
+[\fB\-trustout\fR]
+[\fB\-setalias\fR \fIarg\fR]
+[\fB\-clrtrust\fR]
+[\fB\-addtrust\fR \fIarg\fR]
+[\fB\-clrreject\fR]
+[\fB\-addreject\fR \fIarg\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+This command is a multi-purposes certificate handling command.
+It can be used to print certificate information,
+convert certificates to various forms, edit certificate trust settings,
+generate certificates from scratch or from certificating requests
+and then self-signing them or signing them like a \*(L"micro \s-1CA\*(R".\s0
+.PP
+Since there are a large number of options they will split up into
+various sections.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Input, Output, and General Purpose Options"
+.IX Subsection "Input, Output, and General Purpose Options"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-in filename|uri"
+This specifies the input to read a certificate from
+or the input file for reading a certificate request if the \fB\-req\fR flag is used.
+In both cases this defaults to standard input.
+.Sp
+This option cannot be combined with the \fB\-new\fR flag.
+.IP "\fB\-passin\fR \fIarg\fR" 4
+.IX Item "-passin arg"
+The key and certificate file password source.
+For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-new\fR" 4
+.IX Item "-new"
+Generate a certificate from scratch, not using an input certificate
+or certificate request. So the \fB\-in\fR option must not be used in this case.
+Instead, the \fB\-subj\fR option needs to be given.
+The public key to include can be given with the \fB\-force_pubkey\fR option
+and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
+which implies self-signature.
+.IP "\fB\-x509toreq\fR" 4
+.IX Item "-x509toreq"
+Output a PKCS#10 certificate request (rather than a certificate).
+The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
+self-signing; the corresponding public key is placed in the subjectPKInfo field.
+.Sp
+X.509 extensions included in a certificate input are not copied by default.
+X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
+.IP "\fB\-req\fR" 4
+.IX Item "-req"
+By default a certificate is expected on input.
+With this option a PKCS#10 certificate request is expected instead,
+which must be correctly self-signed.
+.Sp
+X.509 extensions included in the request are not copied by default.
+X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
+.IP "\fB\-copy_extensions\fR \fIarg\fR" 4
+.IX Item "-copy_extensions arg"
+Determines how to handle X.509 extensions
+when converting from a certificate to a request using the \fB\-x509toreq\fR option
+or converting from a request to a certificate using the \fB\-req\fR option.
+If \fIarg\fR is \fBnone\fR or this option is not present then extensions are ignored.
+If \fIarg\fR is \fBcopy\fR or \fBcopyall\fR then all extensions are copied,
+except that subject identifier and authority key identifier extensions
+are not taken over when producing a certificate request.
+.Sp
+The \fB\-ext\fR option can be used to further restrict which extensions to copy.
+.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-inform DER|PEM"
+The input file format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-vfyopt nm:v"
+Pass options to the signature algorithm during verify operations.
+Names and values of these options are algorithm-specific.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+.Sp
+This option cannot be used in conjunction with the \fB\-CA\fR option.
+.Sp
+It sets the issuer name to the subject name (i.e., makes it self-issued)
+and changes the public key to the supplied value (unless overridden
+by \fB\-force_pubkey\fR).
+Unless the \fB\-preserve_dates\fR option is supplied,
+it sets the validity start date to the current time
+and the end date to a value determined by the \fB\-days\fR option.
+.IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-signkey filename|uri"
+This option is an alias of \fB\-key\fR.
+.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key input format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-out\fR \fIfilename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write to or standard output by default.
+.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
+.IX Item "-outform DER|PEM"
+The output format; the default is \fB\s-1PEM\s0\fR.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-nocert\fR" 4
+.IX Item "-nocert"
+Do not output a certificate (except for printing as requested by below options).
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+This option prevents output except for printing as requested by below options.
+.SS "Certificate Printing Options"
+.IX Subsection "Certificate Printing Options"
+Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
+but are described in the \*(L"Trust Settings\*(R" section.
+.IP "\fB\-dateopt\fR" 4
+.IX Item "-dateopt"
+Specify the date output format. Values are: rfc_822 and iso_8601.
+Defaults to rfc_822.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+Prints out the certificate in text form. Full details are printed including the
+public key, signature algorithms, issuer and subject names, serial number
+any extensions present and any trust settings.
+.IP "\fB\-certopt\fR \fIoption\fR" 4
+.IX Item "-certopt option"
+Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
+can be a single option or multiple options separated by commas.
+The \fB\-certopt\fR switch may be also be used more than once to set multiple
+options. See the \*(L"Text Printing Flags\*(R" section for more information.
+.IP "\fB\-fingerprint\fR" 4
+.IX Item "-fingerprint"
+Calculates and prints the digest of the \s-1DER\s0 encoded version of the entire
+certificate (see digest options).
+This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
+.IP "\fB\-alias\fR" 4
+.IX Item "-alias"
+Prints the certificate \*(L"alias\*(R" (nickname), if any.
+.IP "\fB\-serial\fR" 4
+.IX Item "-serial"
+Prints the certificate serial number.
+.IP "\fB\-startdate\fR" 4
+.IX Item "-startdate"
+Prints out the start date of the certificate, that is the notBefore date.
+.IP "\fB\-enddate\fR" 4
+.IX Item "-enddate"
+Prints out the expiry date of the certificate, that is the notAfter date.
+.IP "\fB\-dates\fR" 4
+.IX Item "-dates"
+Prints out the start and expiry dates of a certificate.
+.IP "\fB\-subject\fR" 4
+.IX Item "-subject"
+Prints the subject name.
+.IP "\fB\-issuer\fR" 4
+.IX Item "-issuer"
+Prints the issuer name.
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-email\fR" 4
+.IX Item "-email"
+Prints the email address(es) if any.
+.IP "\fB\-hash\fR" 4
+.IX Item "-hash"
+Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
+.IP "\fB\-subject_hash\fR" 4
+.IX Item "-subject_hash"
+Prints the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
+form an index to allow certificates in a directory to be looked up by subject
+name.
+.IP "\fB\-subject_hash_old\fR" 4
+.IX Item "-subject_hash_old"
+Prints the \*(L"hash\*(R" of the certificate subject name using the older algorithm
+as used by OpenSSL before version 1.0.0.
+.IP "\fB\-issuer_hash\fR" 4
+.IX Item "-issuer_hash"
+Prints the \*(L"hash\*(R" of the certificate issuer name.
+.IP "\fB\-issuer_hash_old\fR" 4
+.IX Item "-issuer_hash_old"
+Prints the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
+as used by OpenSSL before version 1.0.0.
+.IP "\fB\-ext\fR \fIextensions\fR" 4
+.IX Item "-ext extensions"
+Prints out the certificate extensions in text form.
+Can also be used to restrict which extensions to copy.
+Extensions are specified
+with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R".
+See the \fBx509v3_config\fR\|(5) manual page for the extension names.
+.IP "\fB\-ocspid\fR" 4
+.IX Item "-ocspid"
+Prints the \s-1OCSP\s0 hash values for the subject name and public key.
+.IP "\fB\-ocsp_uri\fR" 4
+.IX Item "-ocsp_uri"
+Prints the \s-1OCSP\s0 responder address(es) if any.
+.IP "\fB\-purpose\fR" 4
+.IX Item "-purpose"
+This option performs tests on the certificate extensions and outputs
+the results. For a more complete description see
+\&\*(L"Certificate Extensions\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+.IP "\fB\-pubkey\fR" 4
+.IX Item "-pubkey"
+Prints the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
+.IP "\fB\-modulus\fR" 4
+.IX Item "-modulus"
+This option prints out the value of the modulus of the public key
+contained in the certificate.
+.SS "Certificate Checking Options"
+.IX Subsection "Certificate Checking Options"
+.IP "\fB\-checkend\fR \fIarg\fR" 4
+.IX Item "-checkend arg"
+Checks if the certificate expires within the next \fIarg\fR seconds and exits
+nonzero if yes it will expire or zero if not.
+.IP "\fB\-checkhost\fR \fIhost\fR" 4
+.IX Item "-checkhost host"
+Check that the certificate matches the specified host.
+.IP "\fB\-checkemail\fR \fIemail\fR" 4
+.IX Item "-checkemail email"
+Check that the certificate matches the specified email address.
+.IP "\fB\-checkip\fR \fIipaddr\fR" 4
+.IX Item "-checkip ipaddr"
+Check that the certificate matches the specified \s-1IP\s0 address.
+.SS "Certificate Output Options"
+.IX Subsection "Certificate Output Options"
+.IP "\fB\-set_serial\fR \fIn\fR" 4
+.IX Item "-set_serial n"
+Specifies the serial number to use.
+This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
+If used in conjunction with the \fB\-CA\fR option
+the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
+.Sp
+The serial number can be decimal or hex (if preceded by \f(CW\*(C`0x\*(C'\fR).
+.IP "\fB\-next_serial\fR" 4
+.IX Item "-next_serial"
+Set the serial to be one more than the number in the certificate.
+.IP "\fB\-days\fR \fIarg\fR" 4
+.IX Item "-days arg"
+Specifies the number of days until a newly generated certificate expires.
+The default is 30.
+Cannot be used together with the \fB\-preserve_dates\fR option.
+.IP "\fB\-preserve_dates\fR" 4
+.IX Item "-preserve_dates"
+When signing a certificate, preserve \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates of any
+input certificate instead of adjusting them to current time and duration.
+Cannot be used together with the \fB\-days\fR option.
+.IP "\fB\-subj\fR \fIarg\fR" 4
+.IX Item "-subj arg"
+When a certificate is created set its subject name to the given value.
+When the certificate is self-signed the issuer name is set to the same value.
+.Sp
+The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
+Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included
+in the certificate.
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
+Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+between the AttributeValueAssertions (AVAs) that specify the members of the set.
+Example:
+.Sp
+\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
+.Sp
+This option can be used in conjunction with the \fB\-force_pubkey\fR option
+to create a certificate even without providing an input certificate
+or certificate request.
+.IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
+.IX Item "-force_pubkey filename"
+When a certificate is created set its public key to the key in \fIfilename\fR
+instead of the key contained in the input
+or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
+.Sp
+This option is useful for creating self-issued certificates that are not
+self-signed, for instance when the key cannot be used for signing, such as \s-1DH.\s0
+It can also be used in conjunction with \fB\-new\fR and \fB\-subj\fR to directly
+generate a certificate containing any desired public key.
+.IP "\fB\-clrext\fR" 4
+.IX Item "-clrext"
+When transforming a certificate to a new certificate
+by default all certificate extensions are retained.
+.Sp
+When transforming a certificate or certificate request,
+the \fB\-clrext\fR option prevents taking over any extensions from the source.
+In any case, when producing a certificate request,
+neither subject identifier nor authority key identifier extensions are included.
+.IP "\fB\-extfile\fR \fIfilename\fR" 4
+.IX Item "-extfile filename"
+Configuration file containing certificate and request X.509 extensions to add.
+.IP "\fB\-extensions\fR \fIsection\fR" 4
+.IX Item "-extensions section"
+The section in the extfile to add X.509 extensions from.
+If this option is not
+specified then the extensions should either be contained in the unnamed
+(default) section or the default section should contain a variable called
+\&\*(L"extensions\*(R" which contains the section to use.
+See the \fBx509v3_config\fR\|(5) manual page for details of the
+extension section format.
+.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
+.IX Item "-sigopt nm:v"
+Pass options to the signature algorithm during sign operations.
+This option may be given multiple times.
+Names and values provided using this option are algorithm-specific.
+.IP "\fB\-badsig\fR" 4
+.IX Item "-badsig"
+Corrupt the signature before writing it; this can be useful
+for testing.
+.IP "\fB\-\f(BIdigest\fB\fR" 4
+.IX Item "-digest"
+The digest to use.
+This affects any signing or printing option that uses a message
+digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
+Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
+If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
+the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
+.SS "Micro-CA Options"
+.IX Subsection "Micro-CA Options"
+.IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-CA filename|uri"
+Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing.
+When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
+The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
+certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as detailed below.
+.Sp
+This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
+This option is normally combined with the \fB\-req\fR option referencing a \s-1CSR.\s0
+Without the \fB\-req\fR option the input must be an existing certificate
+unless the \fB\-new\fR option is given, which generates a certificate from scratch.
+.IP "\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR," 4
+.IX Item "-CAform DER|PEM|P12,"
+The format for the \s-1CA\s0 certificate; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-CAkey filename|uri"
+Sets the \s-1CA\s0 private key to sign a certificate with.
+The private key must match the public key of the certificate given with \fB\-CA\fR.
+If this option is not provided then the key must be present in the \fB\-CA\fR input.
+.IP "\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
+.IX Item "-CAkeyform DER|PEM|P12|ENGINE"
+The format for the \s-1CA\s0 key; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-CAserial\fR \fIfilename\fR" 4
+.IX Item "-CAserial filename"
+Sets the \s-1CA\s0 serial number file to use.
+.Sp
+When creating a certificate with this option and with the \fB\-CA\fR option,
+the certificate serial number is stored in the given file.
+This file consists of one line containing
+an even number of hex digits with the serial number used last time.
+After reading this number, it is incremented and used, and the file is updated.
+.Sp
+The default filename consists of the \s-1CA\s0 certificate file base name with
+\&\fI.srl\fR appended. For example if the \s-1CA\s0 certificate file is called
+\&\fImycacert.pem\fR it expects to find a serial number file called
+\&\fImycacert.srl\fR.
+.Sp
+If the \fB\-CA\fR option is specified and neither <\-CAserial> or <\-CAcreateserial>
+is given and the default serial number file does not exist,
+a random number is generated; this is the recommended practice.
+.IP "\fB\-CAcreateserial\fR" 4
+.IX Item "-CAcreateserial"
+With this option and the \fB\-CA\fR option
+the \s-1CA\s0 serial number file is created if it does not exist.
+A random number is generated, used for the certificate,
+and saved into the serial number file determined as described above.
+.SS "Trust Settings"
+.IX Subsection "Trust Settings"
+A \fBtrusted certificate\fR is an ordinary certificate which has several
+additional pieces of information attached to it such as the permitted
+and prohibited uses of the certificate and possibly an \*(L"alias\*(R" (nickname).
+.PP
+Normally when a certificate is being verified at least one certificate
+must be \*(L"trusted\*(R". By default a trusted certificate must be stored
+locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
+is then usable for any purpose.
+.PP
+Trust settings currently are only used with a root \s-1CA.\s0
+They allow a finer control over the purposes the root \s-1CA\s0 can be used for.
+For example, a \s-1CA\s0 may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
+.PP
+See \fBopenssl\-verification\-options\fR\|(1) for more information
+on the meaning of trust settings.
+.PP
+Future versions of OpenSSL will recognize trust settings on any
+certificate: not just root CAs.
+.IP "\fB\-trustout\fR" 4
+.IX Item "-trustout"
+Mark any certificate \s-1PEM\s0 output as <trusted> certificate rather than ordinary.
+An ordinary or trusted certificate can be input but by default an ordinary
+certificate is output and any trust settings are discarded.
+With the \fB\-trustout\fR option a trusted certificate is output. A trusted
+certificate is automatically output if any trust settings are modified.
+.IP "\fB\-setalias\fR \fIarg\fR" 4
+.IX Item "-setalias arg"
+Sets the \*(L"alias\*(R" of the certificate. This will allow the certificate
+to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
+.IP "\fB\-clrtrust\fR" 4
+.IX Item "-clrtrust"
+Clears all the permitted or trusted uses of the certificate.
+.IP "\fB\-addtrust\fR \fIarg\fR" 4
+.IX Item "-addtrust arg"
+Adds a trusted certificate use.
+Any object name can be used here but currently only \fBclientAuth\fR,
+\&\fBserverAuth\fR, \fBemailProtection\fR, and \fBanyExtendedKeyUsage\fR are defined.
+As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
+enables all purposes when trusted.
+Other OpenSSL applications may define additional uses.
+.IP "\fB\-clrreject\fR" 4
+.IX Item "-clrreject"
+Clears all the prohibited or rejected uses of the certificate.
+.IP "\fB\-addreject\fR \fIarg\fR" 4
+.IX Item "-addreject arg"
+Adds a prohibited trust anchor purpose.
+It accepts the same values as the \fB\-addtrust\fR option.
+.SS "Generic options"
+.IX Subsection "Generic options"
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.SS "Text Printing Flags"
+.IX Subsection "Text Printing Flags"
+As well as customising the name printing format, it is also possible to
+customise the actual fields printed using the \fBcertopt\fR option when
+the \fBtext\fR option is present. The default behaviour is to print all fields.
+.IP "\fBcompatible\fR" 4
+.IX Item "compatible"
+Use the old format. This is equivalent to specifying no printing options at all.
+.IP "\fBno_header\fR" 4
+.IX Item "no_header"
+Don't print header information: that is the lines saying \*(L"Certificate\*(R"
+and \*(L"Data\*(R".
+.IP "\fBno_version\fR" 4
+.IX Item "no_version"
+Don't print out the version number.
+.IP "\fBno_serial\fR" 4
+.IX Item "no_serial"
+Don't print out the serial number.
+.IP "\fBno_signame\fR" 4
+.IX Item "no_signame"
+Don't print out the signature algorithm used.
+.IP "\fBno_validity\fR" 4
+.IX Item "no_validity"
+Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
+.IP "\fBno_subject\fR" 4
+.IX Item "no_subject"
+Don't print out the subject name.
+.IP "\fBno_issuer\fR" 4
+.IX Item "no_issuer"
+Don't print out the issuer name.
+.IP "\fBno_pubkey\fR" 4
+.IX Item "no_pubkey"
+Don't print out the public key.
+.IP "\fBno_sigdump\fR" 4
+.IX Item "no_sigdump"
+Don't give a hexadecimal dump of the certificate signature.
+.IP "\fBno_aux\fR" 4
+.IX Item "no_aux"
+Don't print out certificate trust information.
+.IP "\fBno_extensions\fR" 4
+.IX Item "no_extensions"
+Don't print out any X509V3 extensions.
+.IP "\fBext_default\fR" 4
+.IX Item "ext_default"
+Retain default extension behaviour: attempt to print out unsupported
+certificate extensions.
+.IP "\fBext_error\fR" 4
+.IX Item "ext_error"
+Print an error message for unsupported certificate extensions.
+.IP "\fBext_parse\fR" 4
+.IX Item "ext_parse"
+\&\s-1ASN1\s0 parse unsupported extensions.
+.IP "\fBext_dump\fR" 4
+.IX Item "ext_dump"
+Hex dump unsupported extensions.
+.IP "\fBca_default\fR" 4
+.IX Item "ca_default"
+The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
+\&\fBno_header\fR, and \fBno_version\fR.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Note: in these examples the '\e' means the example should be all on one
+line.
+.PP
+Print the contents of a certificate:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-text
+.Ve
+.PP
+Print the \*(L"Subject Alternative Name\*(R" extension of a certificate:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
+.Ve
+.PP
+Print more extensions of a certificate:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
+.Ve
+.PP
+Print the certificate serial number:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-serial
+.Ve
+.PP
+Print the certificate subject name:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-subject
+.Ve
+.PP
+Print the certificate subject name in \s-1RFC2253\s0 form:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
+.Ve
+.PP
+Print the certificate subject name in oneline form on a terminal
+supporting \s-1UTF8:\s0
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
+.Ve
+.PP
+Print the certificate \s-1SHA1\s0 fingerprint:
+.PP
+.Vb 1
+\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
+.Ve
+.PP
+Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
+.Ve
+.PP
+Convert a certificate to a certificate request:
+.PP
+.Vb 1
+\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
+.Ve
+.PP
+Convert a certificate request into a self-signed certificate using
+extensions for a \s-1CA:\s0
+.PP
+.Vb 2
+\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
+\& \-key key.pem \-out cacert.pem
+.Ve
+.PP
+Sign a certificate request using the \s-1CA\s0 certificate above and add user
+certificate extensions:
+.PP
+.Vb 2
+\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
+\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
+.Ve
+.PP
+Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
+\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
+.PP
+.Vb 2
+\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
+\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The conversion to \s-1UTF8\s0 format used with the name options assumes that
+T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
+and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
+it is more likely to print the majority of certificates correctly.
+.PP
+The \fB\-email\fR option searches the subject name and the subject alternative
+name extension. Only unique email addresses will be printed out: it will
+not print the same address more than once.
+.SH "BUGS"
+.IX Header "BUGS"
+It is possible to produce invalid certificates or requests by specifying the
+wrong private key, using unsuitable X.509 extensions,
+or using inconsistent options in some cases: these should be checked.
+.PP
+There should be options to explicitly set such things as start and end
+dates rather than an offset from the current time.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBopenssl\-verify\fR\|(1),
+\&\fBx509v3_config\fR\|(5)
+.SH "HISTORY"
+.IX Header "HISTORY"
+The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
+before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
+version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using the old
+form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
+.PP
+The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
+keeping the old name as an alias.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The \fB\-C\fR option was removed in OpenSSL 3.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 3fa00932b6fe..b9c625a7d487 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,31 +130,29 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "OPENSSL 1ossl"
+.TH OPENSSL 1ossl "2023-09-19" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl \- OpenSSL command line tool
+openssl \- OpenSSL command line program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
-[ \fIcommand_opts\fR ]
-[ \fIcommand_args\fR ]
-.PP
-\&\fBopenssl\fR \fBlist\fR [ \fBstandard-commands\fR | \fBdigest-commands\fR | \fBcipher-commands\fR | \fBcipher-algorithms\fR | \fBdigest-algorithms\fR | \fBpublic-key-algorithms\fR]
+[ \fIoptions\fR ... ]
+[ \fIparameters\fR ... ]
.PP
-\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
+\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIoptions\fR ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
cryptography standards required by them.
.PP
-The \fBopenssl\fR program is a command line tool for using the various
+The \fBopenssl\fR program is a command line program for using the various
cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
It can be used for
.PP
@@ -164,44 +160,22 @@ It can be used for
\& o Creation and management of private keys, public keys and parameters
\& o Public key cryptographic operations
\& o Creation of X.509 certificates, CSRs and CRLs
-\& o Calculation of Message Digests
+\& o Calculation of Message Digests and Message Authentication Codes
\& o Encryption and Decryption with Ciphers
\& o SSL/TLS Client and Server Tests
\& o Handling of S/MIME signed or encrypted mail
-\& o Time Stamp requests, generation and verification
+\& o Timestamp requests, generation and verification
.Ve
.SH "COMMAND SUMMARY"
.IX Header "COMMAND SUMMARY"
-The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
-\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
-(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
+The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in
+the \*(L"\s-1SYNOPSIS\*(R"\s0 above).
+Each command can have many options and argument parameters, shown above as
+\&\fIoptions\fR and \fIparameters\fR.
.PP
Detailed documentation and use cases for most standard subcommands are available
-(e.g., \fBx509\fR\|(1) or \fBopenssl\-x509\fR\|(1)).
-.PP
-Many commands use an external configuration file for some or all of their
-arguments and have a \fB\-config\fR option to specify that file.
-The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify
-the location of the file.
-If the environment variable is not specified, then the file is named
-\&\fBopenssl.cnf\fR in the default certificate storage area, whose value
-depends on the configuration flags specified when the OpenSSL
-was built.
-.PP
-The list parameters \fBstandard-commands\fR, \fBdigest-commands\fR,
-and \fBcipher-commands\fR output a list (one entry per line) of the names
-of all standard commands, message digest commands, or cipher commands,
-respectively, that are available in the present \fBopenssl\fR utility.
-.PP
-The list parameters \fBcipher-algorithms\fR and
-\&\fBdigest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as:
-.PP
-.Vb 1
-\& from => to
-.Ve
-.PP
-The list parameter \fBpublic-key-algorithms\fR lists all supported public
-key algorithms.
+(e.g., \fBopenssl\-x509\fR\|(1)). The subcommand \fBopenssl\-list\fR\|(1) may be used to list
+subcommands.
.PP
The command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
@@ -213,6 +187,19 @@ same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is
not able to detect pseudo-commands such as \fBquit\fR,
\&\fBlist\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
+.SS "Configuration Option"
+.IX Subsection "Configuration Option"
+Many commands use an external configuration file for some or all of their
+arguments and have a \fB\-config\fR option to specify that file.
+The default name of the file is \fIopenssl.cnf\fR in the default certificate
+storage area, which can be determined from the \fBopenssl\-version\fR\|(1)
+command using the \fB\-d\fR or \fB\-a\fR option.
+The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify a different
+file location or to disable loading a configuration (using the empty string).
+.PP
+Among others, the configuration file can be used to load modules
+and to specify parameters for generating certificates and random numbers.
+See \fBconfig\fR\|(5) for details.
.SS "Standard Commands"
.IX Subsection "Standard Commands"
.IP "\fBasn1parse\fR" 4
@@ -226,7 +213,7 @@ Certificate Authority (\s-1CA\s0) Management.
Cipher Suite Description Determination.
.IP "\fBcms\fR" 4
.IX Item "cms"
-\&\s-1CMS\s0 (Cryptographic Message Syntax) utility.
+\&\s-1CMS\s0 (Cryptographic Message Syntax) command.
.IP "\fBcrl\fR" 4
.IX Item "crl"
Certificate Revocation List (\s-1CRL\s0) Management.
@@ -235,22 +222,19 @@ Certificate Revocation List (\s-1CRL\s0) Management.
\&\s-1CRL\s0 to PKCS#7 Conversion.
.IP "\fBdgst\fR" 4
.IX Item "dgst"
-Message Digest Calculation.
-.IP "\fBdh\fR" 4
-.IX Item "dh"
-Diffie-Hellman Parameter Management.
-Obsoleted by \fBdhparam\fR\|(1).
+Message Digest calculation. \s-1MAC\s0 calculations are superseded by
+\&\fBopenssl\-mac\fR\|(1).
.IP "\fBdhparam\fR" 4
.IX Item "dhparam"
Generation and Management of Diffie-Hellman Parameters. Superseded by
-\&\fBgenpkey\fR\|(1) and \fBpkeyparam\fR\|(1).
+\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1).
.IP "\fBdsa\fR" 4
.IX Item "dsa"
\&\s-1DSA\s0 Data Management.
.IP "\fBdsaparam\fR" 4
.IX Item "dsaparam"
\&\s-1DSA\s0 Parameter Generation and Management. Superseded by
-\&\fBgenpkey\fR\|(1) and \fBpkeyparam\fR\|(1).
+\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1).
.IP "\fBec\fR" 4
.IX Item "ec"
\&\s-1EC\s0 (Elliptic curve) key processing.
@@ -259,33 +243,47 @@ Generation and Management of Diffie-Hellman Parameters. Superseded by
\&\s-1EC\s0 parameter manipulation and generation.
.IP "\fBenc\fR" 4
.IX Item "enc"
-Encoding with Ciphers.
+Encryption, decryption, and encoding.
.IP "\fBengine\fR" 4
.IX Item "engine"
Engine (loadable module) information and manipulation.
.IP "\fBerrstr\fR" 4
.IX Item "errstr"
Error Number to Error String Conversion.
-.IP "\fBgendh\fR" 4
-.IX Item "gendh"
-Generation of Diffie-Hellman Parameters.
-Obsoleted by \fBdhparam\fR\|(1).
+.IP "\fBfipsinstall\fR" 4
+.IX Item "fipsinstall"
+\&\s-1FIPS\s0 configuration installation.
.IP "\fBgendsa\fR" 4
.IX Item "gendsa"
Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by
-\&\fBgenpkey\fR\|(1) and \fBpkey\fR\|(1).
+\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkey\fR\|(1).
.IP "\fBgenpkey\fR" 4
.IX Item "genpkey"
Generation of Private Key or Parameters.
.IP "\fBgenrsa\fR" 4
.IX Item "genrsa"
-Generation of \s-1RSA\s0 Private Key. Superseded by \fBgenpkey\fR\|(1).
+Generation of \s-1RSA\s0 Private Key. Superseded by \fBopenssl\-genpkey\fR\|(1).
+.IP "\fBhelp\fR" 4
+.IX Item "help"
+Display information about a command's options.
+.IP "\fBinfo\fR" 4
+.IX Item "info"
+Display diverse information built into the OpenSSL libraries.
+.IP "\fBkdf\fR" 4
+.IX Item "kdf"
+Key Derivation Functions.
+.IP "\fBlist\fR" 4
+.IX Item "list"
+List algorithms and features.
+.IP "\fBmac\fR" 4
+.IX Item "mac"
+Message Authentication Code Calculation.
.IP "\fBnseq\fR" 4
.IX Item "nseq"
Create or examine a Netscape certificate sequence.
.IP "\fBocsp\fR" 4
.IX Item "ocsp"
-Online Certificate Status Protocol utility.
+Online Certificate Status Protocol command.
.IP "\fBpasswd\fR" 4
.IX Item "passwd"
Generation of hashed passwords.
@@ -297,7 +295,7 @@ PKCS#12 Data Management.
PKCS#7 Data Management.
.IP "\fBpkcs8\fR" 4
.IX Item "pkcs8"
-PKCS#8 format private key conversion tool.
+PKCS#8 format private key conversion command.
.IP "\fBpkey\fR" 4
.IX Item "pkey"
Public and private key management.
@@ -306,7 +304,7 @@ Public and private key management.
Public key algorithm parameter management.
.IP "\fBpkeyutl\fR" 4
.IX Item "pkeyutl"
-Public key algorithm cryptographic operation utility.
+Public key algorithm cryptographic operation command.
.IP "\fBprime\fR" 4
.IX Item "prime"
Compute prime numbers.
@@ -324,8 +322,8 @@ PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
\&\s-1RSA\s0 key management.
.IP "\fBrsautl\fR" 4
.IX Item "rsautl"
-\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded
-by \fBpkeyutl\fR\|(1).
+\&\s-1RSA\s0 command for signing, verification, encryption, and decryption. Superseded
+by \fBopenssl\-pkeyutl\fR\|(1).
.IP "\fBs_client\fR" 4
.IX Item "s_client"
This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
@@ -354,19 +352,20 @@ S/MIME mail processing.
Algorithm Speed Measurement.
.IP "\fBspkac\fR" 4
.IX Item "spkac"
-\&\s-1SPKAC\s0 printing and generating utility.
+\&\s-1SPKAC\s0 printing and generating command.
.IP "\fBsrp\fR" 4
.IX Item "srp"
-Maintain \s-1SRP\s0 password file.
+Maintain \s-1SRP\s0 password file. This command is deprecated.
.IP "\fBstoreutl\fR" 4
.IX Item "storeutl"
-Utility to list and display certificates, keys, CRLs, etc.
+Command to list and display certificates, keys, CRLs, etc.
.IP "\fBts\fR" 4
.IX Item "ts"
-Time Stamping Authority tool (client/server).
+Time Stamping Authority command.
.IP "\fBverify\fR" 4
.IX Item "verify"
X.509 Certificate Verification.
+See also the \fBopenssl\-verification\-options\fR\|(1) manual page.
.IP "\fBversion\fR" 4
.IX Item "version"
OpenSSL Version Information.
@@ -432,13 +431,13 @@ BLAKE2s\-256 Digest
.IP "\fBsm3\fR" 4
.IX Item "sm3"
\&\s-1SM3\s0 Digest
-.SS "Encoding and Cipher Commands"
-.IX Subsection "Encoding and Cipher Commands"
+.SS "Encryption, Decryption, and Encoding Commands"
+.IX Subsection "Encryption, Decryption, and Encoding Commands"
The following aliases provide convenient access to the most used encodings
and ciphers.
.PP
Depending on how OpenSSL was configured and built, not all ciphers listed
-here may be present. See \fBenc\fR\|(1) for more information and command usage.
+here may be present. See \fBopenssl\-enc\fR\|(1) for more information.
.IP "\fBaes128\fR, \fBaes\-128\-cbc\fR, \fBaes\-128\-cfb\fR, \fBaes\-128\-ctr\fR, \fBaes\-128\-ecb\fR, \fBaes\-128\-ofb\fR" 4
.IX Item "aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb"
\&\s-1AES\-128\s0 Cipher
@@ -514,70 +513,300 @@ This section describes some common options with common behavior.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Provides a terse summary of all options.
+If an option takes an argument, the \*(L"type\*(R" of argument is also given.
+.IP "\fB\-\-\fR" 4
+.IX Item "--"
+This terminates the list of options. It is mostly useful if any filename
+parameters start with a minus sign:
+.Sp
+.Vb 1
+\& openssl verify [flags...] \-\- \-cert1.pem...
+.Ve
+.SS "Format Options"
+.IX Subsection "Format Options"
+See \fBopenssl\-format\-options\fR\|(1) for manual page.
.SS "Pass Phrase Options"
.IX Subsection "Pass Phrase Options"
-Several commands accept password arguments, typically using \fB\-passin\fR
-and \fB\-passout\fR for input and output passwords respectively. These allow
-the password to be obtained from a variety of sources. Both of these
-options take a single argument whose format is described below. If no
-password argument is given and a password is required then the user is
-prompted to enter one: this will typically be read from the current
-terminal with echoing turned off.
+See the \fBopenssl\-passphrase\-options\fR\|(1) manual page.
+.SS "Random State Options"
+.IX Subsection "Random State Options"
+Prior to OpenSSL 1.1.1, it was common for applications to store information
+about the state of the random-number generator in a file that was loaded
+at startup and rewritten upon exit. On modern operating systems, this is
+generally no longer necessary as OpenSSL will seed itself from a trusted
+entropy source provided by the operating system. These flags are still
+supported for special platforms or circumstances that might require them.
+.PP
+It is generally an error to use the same seed file more than once and
+every use of \fB\-rand\fR should be paired with \fB\-writerand\fR.
+.IP "\fB\-rand\fR \fIfiles\fR" 4
+.IX Item "-rand files"
+A file or files containing random data used to seed the random number
+generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is \f(CW\*(C`;\*(C'\fR for MS-Windows, \f(CW\*(C`,\*(C'\fR for OpenVMS, and \f(CW\*(C`:\*(C'\fR for
+all others. Another way to specify multiple files is to repeat this flag
+with different filenames.
+.IP "\fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-writerand file"
+Writes the seed data to the specified \fIfile\fR upon exit.
+This file can be used in a subsequent command invocation.
+.SS "Certificate Verification Options"
+.IX Subsection "Certificate Verification Options"
+See the \fBopenssl\-verification\-options\fR\|(1) manual page.
+.SS "Name Format Options"
+.IX Subsection "Name Format Options"
+See the \fBopenssl\-namedisplay\-options\fR\|(1) manual page.
+.SS "\s-1TLS\s0 Version Options"
+.IX Subsection "TLS Version Options"
+Several commands use \s-1SSL, TLS,\s0 or \s-1DTLS.\s0 By default, the commands use \s-1TLS\s0 and
+clients will offer the lowest and highest protocol version they support,
+and servers will pick the highest version that the client offers that is also
+supported by the server.
+.PP
+The options below can be used to limit which protocol versions are used,
+and whether \s-1TCP\s0 (\s-1SSL\s0 and \s-1TLS\s0) or \s-1UDP\s0 (\s-1DTLS\s0) is used.
+Note that not all protocols and flags may be available, depending on how
+OpenSSL was built.
+.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
+.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
+These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
+When a specific \s-1TLS\s0 version is required, only that version will be offered or
+accepted.
+Only one specific protocol can be given and it cannot be combined with any of
+the \fBno_\fR options.
+The \fBno_*\fR options do not work with \fBs_time\fR and \fBciphers\fR commands but work with
+\&\fBs_client\fR and \fBs_server\fR commands.
+.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
+.IX Item "-dtls, -dtls1, -dtls1_2"
+These options specify to use \s-1DTLS\s0 instead of \s-1TLS.\s0
+With \fB\-dtls\fR, clients will negotiate any supported \s-1DTLS\s0 protocol version.
+Use the \fB\-dtls1\fR or \fB\-dtls1_2\fR options to support only \s-1DTLS1.0\s0 or \s-1DTLS1.2,\s0
+respectively.
+.SS "Engine Options"
+.IX Subsection "Engine Options"
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+Load the engine identified by \fIid\fR and use all the methods it implements
+(algorithms, key storage, etc.), unless specified otherwise in the
+command-specific documentation or it is configured to do so, as described in
+\&\*(L"Engine Configuration\*(R" in \fBconfig\fR\|(5).
+.Sp
+The engine will be used for key ids specified with \fB\-key\fR and similar
+options when an option like \fB\-keyform engine\fR is given.
+.Sp
+A special case is the \f(CW\*(C`loader_attic\*(C'\fR engine, which
+is meant just for internal OpenSSL testing purposes and
+supports loading keys, parameters, certificates, and CRLs from files.
+When this engine is used, files with such credentials are read via this engine.
+Using the \f(CW\*(C`file:\*(C'\fR schema is optional; a plain file (path) name will do.
.PP
-Note that character encoding may be relevant, please see
-\&\fBpassphrase\-encoding\fR\|(7).
-.IP "\fBpass:password\fR" 4
-.IX Item "pass:password"
-The actual password is \fBpassword\fR. Since the password is visible
-to utilities (like 'ps' under Unix) this form should only be used
-where security is not important.
-.IP "\fBenv:var\fR" 4
-.IX Item "env:var"
-Obtain the password from the environment variable \fBvar\fR. Since
-the environment of other processes is visible on certain platforms
-(e.g. ps under certain Unix OSes) this option should be used with caution.
-.IP "\fBfile:pathname\fR" 4
-.IX Item "file:pathname"
-The first line of \fBpathname\fR is the password. If the same \fBpathname\fR
-argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
-line will be used for the input password and the next line for the output
-password. \fBpathname\fR need not refer to a regular file: it could for example
-refer to a device or named pipe.
-.IP "\fBfd:number\fR" 4
-.IX Item "fd:number"
-Read the password from the file descriptor \fBnumber\fR. This can be used to
-send the data via a pipe for example.
-.IP "\fBstdin\fR" 4
-.IX Item "stdin"
-Read the password from standard input.
+Options specifying keys, like \fB\-key\fR and similar, can use the generic
+OpenSSL engine key loading \s-1URI\s0 scheme \f(CW\*(C`org.openssl.engine:\*(C'\fR to retrieve
+private keys and public keys. The \s-1URI\s0 syntax is as follows, in simplified
+form:
+.PP
+.Vb 1
+\& org.openssl.engine:{engineid}:{keyid}
+.Ve
+.PP
+Where \f(CW\*(C`{engineid}\*(C'\fR is the identity/name of the engine, and \f(CW\*(C`{keyid}\*(C'\fR is a
+key identifier that's acceptable by that engine. For example, when using an
+engine that interfaces against a PKCS#11 implementation, the generic key \s-1URI\s0
+would be something like this (this happens to be an example for the PKCS#11
+engine that's part of OpenSC):
+.PP
+.Vb 1
+\& \-key org.openssl.engine:pkcs11:label_some\-private\-key
+.Ve
+.PP
+As a third possibility, for engines and providers that have implemented
+their own \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3), \f(CW\*(C`org.openssl.engine:\*(C'\fR should not be
+necessary. For a PKCS#11 implementation that has implemented such a loader,
+the PKCS#11 \s-1URI\s0 as defined in \s-1RFC 7512\s0 should be possible to use directly:
+.PP
+.Vb 1
+\& \-key pkcs11:object=some\-private\-key;pin\-value=1234
+.Ve
+.SS "Provider Options"
+.IX Subsection "Provider Options"
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+Load and initialize the provider identified by \fIname\fR. The \fIname\fR
+can be also a path to the provider module. In that case the provider name
+will be the specified path and not just the provider module name.
+Interpretation of relative paths is platform specific. The configured
+\&\*(L"\s-1MODULESDIR\*(R"\s0 path, \fB\s-1OPENSSL_MODULES\s0\fR environment variable, or the path
+specified by \fB\-provider\-path\fR is prepended to relative paths.
+See \fBprovider\fR\|(7) for a more detailed description.
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+Specifies the search path that is to be used for looking for providers.
+Equivalently, the \fB\s-1OPENSSL_MODULES\s0\fR environment variable may be set.
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+Specifies the \fIproperty query clause\fR to be used when fetching algorithms
+from the loaded providers.
+See \fBproperty\fR\|(7) for a more detailed description.
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+The OpenSSL library can be take some configuration parameters from the
+environment. Some of these variables are listed below. For information
+about specific commands, see \fBopenssl\-engine\fR\|(1),
+\&\fBopenssl\-rehash\fR\|(1), and \fBtsget\fR\|(1).
+.PP
+For information about the use of environment variables in configuration,
+see \*(L"\s-1ENVIRONMENT\*(R"\s0 in \fBconfig\fR\|(5).
+.PP
+For information about querying or specifying \s-1CPU\s0 architecture flags, see
+\&\fBOPENSSL_ia32cap\fR\|(3), and \fBOPENSSL_s390xcap\fR\|(3).
+.PP
+For information about all environment variables used by the OpenSSL libraries,
+see \fBopenssl\-env\fR\|(7).
+.IP "\fBOPENSSL_TRACE=\fR\fIname\fR[,...]" 4
+.IX Item "OPENSSL_TRACE=name[,...]"
+Enable tracing output of OpenSSL library, by name.
+This output will only make sense if you know OpenSSL internals well.
+Also, it might not give you any output at all, depending on how
+OpenSSL was built.
+.Sp
+The value is a comma separated list of names, with the following
+available:
+.RS 4
+.IP "\fB\s-1TRACE\s0\fR" 4
+.IX Item "TRACE"
+Traces the OpenSSL trace \s-1API\s0 itself.
+.IP "\fB\s-1INIT\s0\fR" 4
+.IX Item "INIT"
+Traces OpenSSL library initialization and cleanup.
+.IP "\fB\s-1TLS\s0\fR" 4
+.IX Item "TLS"
+Traces the \s-1TLS/SSL\s0 protocol.
+.IP "\fB\s-1TLS_CIPHER\s0\fR" 4
+.IX Item "TLS_CIPHER"
+Traces the ciphers used by the \s-1TLS/SSL\s0 protocol.
+.IP "\fB\s-1CONF\s0\fR" 4
+.IX Item "CONF"
+Show details about provider and engine configuration.
+.IP "\fB\s-1ENGINE_TABLE\s0\fR" 4
+.IX Item "ENGINE_TABLE"
+The function that is used by \s-1RSA, DSA\s0 (etc) code to select registered
+ENGINEs, cache defaults and functional references (etc), will generate
+debugging summaries.
+.IP "\fB\s-1ENGINE_REF_COUNT\s0\fR" 4
+.IX Item "ENGINE_REF_COUNT"
+Reference counts in the \s-1ENGINE\s0 structure will be monitored with a line
+of generated for each change.
+.IP "\fB\s-1PKCS5V2\s0\fR" 4
+.IX Item "PKCS5V2"
+Traces PKCS#5 v2 key generation.
+.IP "\fB\s-1PKCS12_KEYGEN\s0\fR" 4
+.IX Item "PKCS12_KEYGEN"
+Traces PKCS#12 key generation.
+.IP "\fB\s-1PKCS12_DECRYPT\s0\fR" 4
+.IX Item "PKCS12_DECRYPT"
+Traces PKCS#12 decryption.
+.IP "\fBX509V3_POLICY\fR" 4
+.IX Item "X509V3_POLICY"
+Generates the complete policy tree at various points during X.509 v3
+policy evaluation.
+.IP "\fB\s-1BN_CTX\s0\fR" 4
+.IX Item "BN_CTX"
+Traces \s-1BIGNUM\s0 context operations.
+.IP "\fB\s-1CMP\s0\fR" 4
+.IX Item "CMP"
+Traces \s-1CMP\s0 client and server activity.
+.IP "\fB\s-1STORE\s0\fR" 4
+.IX Item "STORE"
+Traces \s-1STORE\s0 operations.
+.IP "\fB\s-1DECODER\s0\fR" 4
+.IX Item "DECODER"
+Traces decoder operations.
+.IP "\fB\s-1ENCODER\s0\fR" 4
+.IX Item "ENCODER"
+Traces encoder operations.
+.IP "\fB\s-1REF_COUNT\s0\fR" 4
+.IX Item "REF_COUNT"
+Traces decrementing certain \s-1ASN.1\s0 structure references.
+.RE
+.RS 4
+.RE
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBasn1parse\fR\|(1), \fBca\fR\|(1), \fBciphers\fR\|(1), \fBcms\fR\|(1), \fBconfig\fR\|(5),
-\&\fBcrl\fR\|(1), \fBcrl2pkcs7\fR\|(1), \fBdgst\fR\|(1),
-\&\fBdhparam\fR\|(1), \fBdsa\fR\|(1), \fBdsaparam\fR\|(1),
-\&\fBec\fR\|(1), \fBecparam\fR\|(1),
-\&\fBenc\fR\|(1), \fBengine\fR\|(1), \fBerrstr\fR\|(1), \fBgendsa\fR\|(1), \fBgenpkey\fR\|(1),
-\&\fBgenrsa\fR\|(1), \fBnseq\fR\|(1), \fBocsp\fR\|(1),
-\&\fBpasswd\fR\|(1),
-\&\fBpkcs12\fR\|(1), \fBpkcs7\fR\|(1), \fBpkcs8\fR\|(1),
-\&\fBpkey\fR\|(1), \fBpkeyparam\fR\|(1), \fBpkeyutl\fR\|(1), \fBprime\fR\|(1),
-\&\fBrand\fR\|(1), \fBrehash\fR\|(1), \fBreq\fR\|(1), \fBrsa\fR\|(1),
-\&\fBrsautl\fR\|(1), \fBs_client\fR\|(1),
-\&\fBs_server\fR\|(1), \fBs_time\fR\|(1), \fBsess_id\fR\|(1),
-\&\fBsmime\fR\|(1), \fBspeed\fR\|(1), \fBspkac\fR\|(1), \fBsrp\fR\|(1), \fBstoreutl\fR\|(1),
-\&\fBts\fR\|(1),
-\&\fBverify\fR\|(1), \fBversion\fR\|(1), \fBx509\fR\|(1),
-\&\fBcrypto\fR\|(7), \fBssl\fR\|(7), \fBx509v3_config\fR\|(5)
+\&\fBopenssl\-asn1parse\fR\|(1),
+\&\fBopenssl\-ca\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBopenssl\-cms\fR\|(1),
+\&\fBopenssl\-crl\fR\|(1),
+\&\fBopenssl\-crl2pkcs7\fR\|(1),
+\&\fBopenssl\-dgst\fR\|(1),
+\&\fBopenssl\-dhparam\fR\|(1),
+\&\fBopenssl\-dsa\fR\|(1),
+\&\fBopenssl\-dsaparam\fR\|(1),
+\&\fBopenssl\-ec\fR\|(1),
+\&\fBopenssl\-ecparam\fR\|(1),
+\&\fBopenssl\-enc\fR\|(1),
+\&\fBopenssl\-engine\fR\|(1),
+\&\fBopenssl\-errstr\fR\|(1),
+\&\fBopenssl\-gendsa\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBopenssl\-genrsa\fR\|(1),
+\&\fBopenssl\-kdf\fR\|(1),
+\&\fBopenssl\-list\fR\|(1),
+\&\fBopenssl\-mac\fR\|(1),
+\&\fBopenssl\-nseq\fR\|(1),
+\&\fBopenssl\-ocsp\fR\|(1),
+\&\fBopenssl\-passwd\fR\|(1),
+\&\fBopenssl\-pkcs12\fR\|(1),
+\&\fBopenssl\-pkcs7\fR\|(1),
+\&\fBopenssl\-pkcs8\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-pkeyparam\fR\|(1),
+\&\fBopenssl\-pkeyutl\fR\|(1),
+\&\fBopenssl\-prime\fR\|(1),
+\&\fBopenssl\-rand\fR\|(1),
+\&\fBopenssl\-rehash\fR\|(1),
+\&\fBopenssl\-req\fR\|(1),
+\&\fBopenssl\-rsa\fR\|(1),
+\&\fBopenssl\-rsautl\fR\|(1),
+\&\fBopenssl\-s_client\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-s_time\fR\|(1),
+\&\fBopenssl\-sess_id\fR\|(1),
+\&\fBopenssl\-smime\fR\|(1),
+\&\fBopenssl\-speed\fR\|(1),
+\&\fBopenssl\-spkac\fR\|(1),
+\&\fBopenssl\-srp\fR\|(1),
+\&\fBopenssl\-storeutl\fR\|(1),
+\&\fBopenssl\-ts\fR\|(1),
+\&\fBopenssl\-verify\fR\|(1),
+\&\fBopenssl\-version\fR\|(1),
+\&\fBopenssl\-x509\fR\|(1),
+\&\fBconfig\fR\|(5),
+\&\fBcrypto\fR\|(7),
+\&\fBopenssl\-env\fR\|(7).
+\&\fBssl\fR\|(7),
+\&\fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
-The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0;
+The \fBlist\fR \-\fI\s-1XXX\s0\fR\fB\-algorithms\fR options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
+.PP
+The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and
+is silently ignored.
+.PP
+The \fB\-xcertform\fR and \fB\-xkeyform\fR options
+are obsolete since OpenSSL 3.0 and have no effect.
+.PP
+The interactive mode, which could be invoked by running \f(CW\*(C`openssl\*(C'\fR
+with no further arguments, was removed in OpenSSL 3.0, and running
+that program with no arguments is now equivalent to \f(CW\*(C`openssl help\*(C'\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
deleted file mode 100644
index d6cab4c0c0c2..000000000000
--- a/secure/usr.bin/openssl/man/s_server.1
+++ /dev/null
@@ -1,868 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2022-06-21" "1.1.1p" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-openssl\-s_server, s_server \- SSL/TLS server program
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBs_server\fR
-[\fB\-help\fR]
-[\fB\-port +int\fR]
-[\fB\-accept val\fR]
-[\fB\-unix val\fR]
-[\fB\-4\fR]
-[\fB\-6\fR]
-[\fB\-unlink\fR]
-[\fB\-context val\fR]
-[\fB\-verify int\fR]
-[\fB\-Verify int\fR]
-[\fB\-cert infile\fR]
-[\fB\-nameopt val\fR]
-[\fB\-naccept +int\fR]
-[\fB\-serverinfo val\fR]
-[\fB\-certform PEM|DER\fR]
-[\fB\-key infile\fR]
-[\fB\-keyform format\fR]
-[\fB\-pass val\fR]
-[\fB\-dcert infile\fR]
-[\fB\-dcertform PEM|DER\fR]
-[\fB\-dkey infile\fR]
-[\fB\-dkeyform PEM|DER\fR]
-[\fB\-dpass val\fR]
-[\fB\-nbio_test\fR]
-[\fB\-crlf\fR]
-[\fB\-debug\fR]
-[\fB\-msg\fR]
-[\fB\-msgfile outfile\fR]
-[\fB\-state\fR]
-[\fB\-CAfile infile\fR]
-[\fB\-CApath dir\fR]
-[\fB\-no\-CAfile\fR]
-[\fB\-no\-CApath\fR]
-[\fB\-nocert\fR]
-[\fB\-quiet\fR]
-[\fB\-no_resume_ephemeral\fR]
-[\fB\-www\fR]
-[\fB\-WWW\fR]
-[\fB\-servername\fR]
-[\fB\-servername_fatal\fR]
-[\fB\-cert2 infile\fR]
-[\fB\-key2 infile\fR]
-[\fB\-tlsextdebug\fR]
-[\fB\-HTTP\fR]
-[\fB\-id_prefix val\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-keymatexport val\fR]
-[\fB\-keymatexportlen +int\fR]
-[\fB\-CRL infile\fR]
-[\fB\-crl_download\fR]
-[\fB\-cert_chain infile\fR]
-[\fB\-dcert_chain infile\fR]
-[\fB\-chainCApath dir\fR]
-[\fB\-verifyCApath dir\fR]
-[\fB\-no_cache\fR]
-[\fB\-ext_cache\fR]
-[\fB\-CRLform PEM|DER\fR]
-[\fB\-verify_return_error\fR]
-[\fB\-verify_quiet\fR]
-[\fB\-build_chain\fR]
-[\fB\-chainCAfile infile\fR]
-[\fB\-verifyCAfile infile\fR]
-[\fB\-ign_eof\fR]
-[\fB\-no_ign_eof\fR]
-[\fB\-status\fR]
-[\fB\-status_verbose\fR]
-[\fB\-status_timeout int\fR]
-[\fB\-status_url val\fR]
-[\fB\-status_file infile\fR]
-[\fB\-trace\fR]
-[\fB\-security_debug\fR]
-[\fB\-security_debug_verbose\fR]
-[\fB\-brief\fR]
-[\fB\-rev\fR]
-[\fB\-async\fR]
-[\fB\-ssl_config val\fR]
-[\fB\-max_send_frag +int\fR]
-[\fB\-split_send_frag +int\fR]
-[\fB\-max_pipelines +int\fR]
-[\fB\-read_buf +int\fR]
-[\fB\-no_ssl3\fR]
-[\fB\-no_tls1\fR]
-[\fB\-no_tls1_1\fR]
-[\fB\-no_tls1_2\fR]
-[\fB\-no_tls1_3\fR]
-[\fB\-bugs\fR]
-[\fB\-no_comp\fR]
-[\fB\-comp\fR]
-[\fB\-no_ticket\fR]
-[\fB\-num_tickets\fR]
-[\fB\-serverpref\fR]
-[\fB\-legacy_renegotiation\fR]
-[\fB\-no_renegotiation\fR]
-[\fB\-legacy_server_connect\fR]
-[\fB\-no_resumption_on_reneg\fR]
-[\fB\-no_legacy_server_connect\fR]
-[\fB\-allow_no_dhe_kex\fR]
-[\fB\-prioritize_chacha\fR]
-[\fB\-strict\fR]
-[\fB\-sigalgs val\fR]
-[\fB\-client_sigalgs val\fR]
-[\fB\-groups val\fR]
-[\fB\-curves val\fR]
-[\fB\-named_curve val\fR]
-[\fB\-cipher val\fR]
-[\fB\-ciphersuites val\fR]
-[\fB\-dhparam infile\fR]
-[\fB\-record_padding val\fR]
-[\fB\-debug_broken_protocol\fR]
-[\fB\-policy val\fR]
-[\fB\-purpose val\fR]
-[\fB\-verify_name val\fR]
-[\fB\-verify_depth int\fR]
-[\fB\-auth_level int\fR]
-[\fB\-attime intmax\fR]
-[\fB\-verify_hostname val\fR]
-[\fB\-verify_email val\fR]
-[\fB\-verify_ip\fR]
-[\fB\-ignore_critical\fR]
-[\fB\-issuer_checks\fR]
-[\fB\-crl_check\fR]
-[\fB\-crl_check_all\fR]
-[\fB\-policy_check\fR]
-[\fB\-explicit_policy\fR]
-[\fB\-inhibit_any\fR]
-[\fB\-inhibit_map\fR]
-[\fB\-x509_strict\fR]
-[\fB\-extended_crl\fR]
-[\fB\-use_deltas\fR]
-[\fB\-policy_print\fR]
-[\fB\-check_ss_sig\fR]
-[\fB\-trusted_first\fR]
-[\fB\-suiteB_128_only\fR]
-[\fB\-suiteB_128\fR]
-[\fB\-suiteB_192\fR]
-[\fB\-partial_chain\fR]
-[\fB\-no_alt_chains\fR]
-[\fB\-no_check_time\fR]
-[\fB\-allow_proxy_certs\fR]
-[\fB\-xkey\fR]
-[\fB\-xcert\fR]
-[\fB\-xchain\fR]
-[\fB\-xchain_build\fR]
-[\fB\-xcertform PEM|DER\fR]
-[\fB\-xkeyform PEM|DER\fR]
-[\fB\-nbio\fR]
-[\fB\-psk_identity val\fR]
-[\fB\-psk_hint val\fR]
-[\fB\-psk val\fR]
-[\fB\-psk_session file\fR]
-[\fB\-srpvfile infile\fR]
-[\fB\-srpuserseed val\fR]
-[\fB\-ssl3\fR]
-[\fB\-tls1\fR]
-[\fB\-tls1_1\fR]
-[\fB\-tls1_2\fR]
-[\fB\-tls1_3\fR]
-[\fB\-dtls\fR]
-[\fB\-timeout\fR]
-[\fB\-mtu +int\fR]
-[\fB\-listen\fR]
-[\fB\-dtls1\fR]
-[\fB\-dtls1_2\fR]
-[\fB\-sctp\fR]
-[\fB\-sctp_label_bug\fR]
-[\fB\-no_dhe\fR]
-[\fB\-nextprotoneg val\fR]
-[\fB\-use_srtp val\fR]
-[\fB\-alpn val\fR]
-[\fB\-engine val\fR]
-[\fB\-keylogfile outfile\fR]
-[\fB\-max_early_data int\fR]
-[\fB\-early_data\fR]
-[\fB\-anti_replay\fR]
-[\fB\-no_anti_replay\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
-for connections on a given port using \s-1SSL/TLS.\s0
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-In addition to the options below the \fBs_server\fR utility also supports the
-common and server only options documented
-in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3)
-manual page.
-.IP "\fB\-help\fR" 4
-.IX Item "-help"
-Print out a usage message.
-.IP "\fB\-port +int\fR" 4
-.IX Item "-port +int"
-The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
-.IP "\fB\-accept val\fR" 4
-.IX Item "-accept val"
-The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is used.
-.IP "\fB\-unix val\fR" 4
-.IX Item "-unix val"
-Unix domain socket to accept on.
-.IP "\fB\-4\fR" 4
-.IX Item "-4"
-Use IPv4 only.
-.IP "\fB\-6\fR" 4
-.IX Item "-6"
-Use IPv6 only.
-.IP "\fB\-unlink\fR" 4
-.IX Item "-unlink"
-For \-unix, unlink any existing socket first.
-.IP "\fB\-context val\fR" 4
-.IX Item "-context val"
-Sets the \s-1SSL\s0 context id. It can be given any string value. If this option
-is not present a default value will be used.
-.IP "\fB\-verify int\fR, \fB\-Verify int\fR" 4
-.IX Item "-verify int, -Verify int"
-The verify depth to use. This specifies the maximum length of the
-client certificate chain and makes the server request a certificate from
-the client. With the \fB\-verify\fR option a certificate is requested but the
-client does not have to send one, with the \fB\-Verify\fR option the client
-must supply a certificate or an error occurs.
-.Sp
-If the cipher suite cannot request a client certificate (for example an
-anonymous cipher suite or \s-1PSK\s0) this option has no effect.
-.IP "\fB\-cert infile\fR" 4
-.IX Item "-cert infile"
-The certificate to use, most servers cipher suites require the use of a
-certificate and some require a certificate with a certain public key type:
-for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
-(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
-.IP "\fB\-cert_chain\fR" 4
-.IX Item "-cert_chain"
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-\&\fB\-cert\fR option.
-.IP "\fB\-build_chain\fR" 4
-.IX Item "-build_chain"
-Specify whether the application should build the certificate chain to be
-provided to the client.
-.IP "\fB\-nameopt val\fR" 4
-.IX Item "-nameopt val"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBval\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fBx509\fR\|(1) manual page for details.
-.IP "\fB\-naccept +int\fR" 4
-.IX Item "-naccept +int"
-The server will exit after receiving the specified number of connections,
-default unlimited.
-.IP "\fB\-serverinfo val\fR" 4
-.IX Item "-serverinfo val"
-A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
-must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
-followed by \*(L"length\*(R" bytes of extension data). If the client sends
-an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
-ServerHello extension will be returned.
-.IP "\fB\-certform PEM|DER\fR" 4
-.IX Item "-certform PEM|DER"
-The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
-.IP "\fB\-key infile\fR" 4
-.IX Item "-key infile"
-The private key to use. If not specified then the certificate file will
-be used.
-.IP "\fB\-keyform format\fR" 4
-.IX Item "-keyform format"
-The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
-.IP "\fB\-pass val\fR" 4
-.IX Item "-pass val"
-The private key password source. For more information about the format of \fBval\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-dcert infile\fR, \fB\-dkey infile\fR" 4
-.IX Item "-dcert infile, -dkey infile"
-Specify an additional certificate and private key, these behave in the
-same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
-if they are not specified (no additional certificate and key is used). As
-noted above some cipher suites require a certificate containing a key of
-a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
-and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
-a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
-by using an appropriate certificate.
-.IP "\fB\-dcert_chain\fR" 4
-.IX Item "-dcert_chain"
-A file containing trusted certificates to use when attempting to build the
-server certificate chain when a certificate specified via the \fB\-dcert\fR option
-is in use.
-.IP "\fB\-dcertform PEM|DER\fR, \fB\-dkeyform PEM|DER\fR, \fB\-dpass val\fR" 4
-.IX Item "-dcertform PEM|DER, -dkeyform PEM|DER, -dpass val"
-Additional certificate and private key format and passphrase respectively.
-.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4
-.IX Item "-xkey infile, -xcert infile, -xchain"
-Specify an extra certificate, private key and certificate chain. These behave
-in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
-specified, the callback returning the first valid chain will be in use by
-the server.
-.IP "\fB\-xchain_build\fR" 4
-.IX Item "-xchain_build"
-Specify whether the application should build the certificate chain to be
-provided to the client for the extra certificates provided via \fB\-xkey infile\fR,
-\&\fB\-xcert infile\fR, \fB\-xchain\fR options.
-.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4
-.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER"
-Extra certificate and private key format respectively.
-.IP "\fB\-nbio_test\fR" 4
-.IX Item "-nbio_test"
-Tests non blocking I/O.
-.IP "\fB\-crlf\fR" 4
-.IX Item "-crlf"
-This option translated a line feed from the terminal into \s-1CR+LF.\s0
-.IP "\fB\-debug\fR" 4
-.IX Item "-debug"
-Print extensive debugging information including a hex dump of all traffic.
-.IP "\fB\-msg\fR" 4
-.IX Item "-msg"
-Show all protocol messages with hex dump.
-.IP "\fB\-msgfile outfile\fR" 4
-.IX Item "-msgfile outfile"
-File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
-.IP "\fB\-state\fR" 4
-.IX Item "-state"
-Prints the \s-1SSL\s0 session states.
-.IP "\fB\-CAfile infile\fR" 4
-.IX Item "-CAfile infile"
-A file containing trusted certificates to use during client authentication
-and to use when attempting to build the server certificate chain. The list
-is also used in the list of acceptable client CAs passed to the client when
-a certificate is requested.
-.IP "\fB\-CApath dir\fR" 4
-.IX Item "-CApath dir"
-The directory to use for client certificate verification. This directory
-must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. These are
-also used when building the server certificate chain.
-.IP "\fB\-chainCApath dir\fR" 4
-.IX Item "-chainCApath dir"
-The directory to use for building the chain provided to the client. This
-directory must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information.
-.IP "\fB\-chainCAfile file\fR" 4
-.IX Item "-chainCAfile file"
-A file containing trusted certificates to use when attempting to build the
-server certificate chain.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location.
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location.
-.IP "\fB\-nocert\fR" 4
-.IX Item "-nocert"
-If this option is set then no certificate is used. This restricts the
-cipher suites available to the anonymous ones (currently just anonymous
-\&\s-1DH\s0).
-.IP "\fB\-quiet\fR" 4
-.IX Item "-quiet"
-Inhibit printing of session and certificate information.
-.IP "\fB\-www\fR" 4
-.IX Item "-www"
-Sends a status message back to the client when it connects. This includes
-information about the ciphers used and various session parameters.
-The output is in \s-1HTML\s0 format so this option will normally be used with a
-web browser. Cannot be used in conjunction with \fB\-early_data\fR.
-.IP "\fB\-WWW\fR" 4
-.IX Item "-WWW"
-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the \s-1URL\s0 https://myhost/page.html is
-requested the file ./page.html will be loaded. Cannot be used in conjunction
-with \fB\-early_data\fR.
-.IP "\fB\-tlsextdebug\fR" 4
-.IX Item "-tlsextdebug"
-Print a hex dump of any \s-1TLS\s0 extensions received from the server.
-.IP "\fB\-HTTP\fR" 4
-.IX Item "-HTTP"
-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the \s-1URL\s0 https://myhost/page.html is
-requested the file ./page.html will be loaded. The files loaded are
-assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
-are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). Cannot be
-used in conjunction with \fB\-early_data\fR.
-.IP "\fB\-id_prefix val\fR" 4
-.IX Item "-id_prefix val"
-Generate \s-1SSL/TLS\s0 session IDs prefixed by \fBval\fR. This is mostly useful
-for testing any \s-1SSL/TLS\s0 code (e.g. proxies) that wish to deal with multiple
-servers, when each of which might be generating a unique range of session
-IDs (e.g. with a certain prefix).
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-verify_return_error\fR" 4
-.IX Item "-verify_return_error"
-Verification errors normally just print a message but allow the
-connection to continue, for debugging purposes.
-If this option is used, then verification errors close the connection.
-.IP "\fB\-status\fR" 4
-.IX Item "-status"
-Enables certificate status request support (aka \s-1OCSP\s0 stapling).
-.IP "\fB\-status_verbose\fR" 4
-.IX Item "-status_verbose"
-Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
-a verbose printout of the \s-1OCSP\s0 response.
-.IP "\fB\-status_timeout int\fR" 4
-.IX Item "-status_timeout int"
-Sets the timeout for \s-1OCSP\s0 response to \fBint\fR seconds.
-.IP "\fB\-status_url val\fR" 4
-.IX Item "-status_url val"
-Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
-server certificate. Without this option an error is returned if the server
-certificate does not contain a responder address.
-.IP "\fB\-status_file infile\fR" 4
-.IX Item "-status_file infile"
-Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the
-\&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format.
-.IP "\fB\-trace\fR" 4
-.IX Item "-trace"
-Show verbose trace output of protocol messages. OpenSSL needs to be compiled
-with \fBenable-ssl-trace\fR for this option to work.
-.IP "\fB\-brief\fR" 4
-.IX Item "-brief"
-Provide a brief summary of connection parameters instead of the normal verbose
-output.
-.IP "\fB\-rev\fR" 4
-.IX Item "-rev"
-Simple test server which just reverses the text received from the client
-and sends it back to the server. Also sets \fB\-brief\fR. Cannot be used in
-conjunction with \fB\-early_data\fR.
-.IP "\fB\-async\fR" 4
-.IX Item "-async"
-Switch on asynchronous mode. Cryptographic operations will be performed
-asynchronously. This will only have an effect if an asynchronous capable engine
-is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
-(dasync) can be used (if available).
-.IP "\fB\-max_send_frag +int\fR" 4
-.IX Item "-max_send_frag +int"
-The maximum size of data fragment to send.
-See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
-.IP "\fB\-split_send_frag +int\fR" 4
-.IX Item "-split_send_frag +int"
-The size used to split data for encrypt pipelines. If more data is written in
-one go than this value then it will be split into multiple pipelines, up to the
-maximum number of pipelines defined by max_pipelines. This only has an effect if
-a suitable cipher suite has been negotiated, an engine that supports pipelining
-has been loaded, and max_pipelines is greater than 1. See
-\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
-.IP "\fB\-max_pipelines +int\fR" 4
-.IX Item "-max_pipelines +int"
-The maximum number of encrypt/decrypt pipelines to be used. This will only have
-an effect if an engine has been loaded that supports pipelining (e.g. the dasync
-engine) and a suitable cipher suite has been negotiated. The default value is 1.
-See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
-.IP "\fB\-read_buf +int\fR" 4
-.IX Item "-read_buf +int"
-The default read buffer size to be used for connections. This will only have an
-effect if the buffer size is larger than the size that would otherwise be used
-and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
-further information).
-.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
-These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
-By default \fBs_server\fR will negotiate the highest mutually supported protocol
-version.
-When a specific \s-1TLS\s0 version is required, only that version will be accepted
-from the client.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-.IP "\fB\-bugs\fR" 4
-.IX Item "-bugs"
-There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
-option enables various workarounds.
-.IP "\fB\-no_comp\fR" 4
-.IX Item "-no_comp"
-Disable negotiation of \s-1TLS\s0 compression.
-\&\s-1TLS\s0 compression is not recommended and is off by default as of
-OpenSSL 1.1.0.
-.IP "\fB\-comp\fR" 4
-.IX Item "-comp"
-Enable negotiation of \s-1TLS\s0 compression.
-This option was introduced in OpenSSL 1.1.0.
-\&\s-1TLS\s0 compression is not recommended and is off by default as of
-OpenSSL 1.1.0.
-.IP "\fB\-no_ticket\fR" 4
-.IX Item "-no_ticket"
-Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
-is negotiated. See \fB\-num_tickets\fR.
-.IP "\fB\-num_tickets\fR" 4
-.IX Item "-num_tickets"
-Control the number of tickets that will be sent to the client after a full
-handshake in TLSv1.3. The default number of tickets is 2. This option does not
-affect the number of tickets sent after a resumption handshake.
-.IP "\fB\-serverpref\fR" 4
-.IX Item "-serverpref"
-Use the server's cipher preferences, rather than the client's preferences.
-.IP "\fB\-prioritize_chacha\fR" 4
-.IX Item "-prioritize_chacha"
-Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR.
-.IP "\fB\-no_resumption_on_reneg\fR" 4
-.IX Item "-no_resumption_on_reneg"
-Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option.
-.IP "\fB\-client_sigalgs val\fR" 4
-.IX Item "-client_sigalgs val"
-Signature algorithms to support for client certificate authentication
-(colon-separated list).
-.IP "\fB\-named_curve val\fR" 4
-.IX Item "-named_curve val"
-Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list.
-For a list of all possible curves, use:
-.Sp
-.Vb 1
-\& $ openssl ecparam \-list_curves
-.Ve
-.IP "\fB\-cipher val\fR" 4
-.IX Item "-cipher val"
-This allows the list of TLSv1.2 and below ciphersuites used by the server to be
-modified. This list is combined with any TLSv1.3 ciphersuites that have been
-configured. When the client sends a list of supported ciphers the first client
-cipher also included in the server list is used. Because the client specifies
-the preference order, the order of the server cipherlist is irrelevant. See
-the \fBciphers\fR command for more information.
-.IP "\fB\-ciphersuites val\fR" 4
-.IX Item "-ciphersuites val"
-This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
-This list is combined with any TLSv1.2 and below ciphersuites that have been
-configured. When the client sends a list of supported ciphers the first client
-cipher also included in the server list is used. Because the client specifies
-the preference order, the order of the server cipherlist is irrelevant. See
-the \fBciphers\fR command for more information. The format for this list is a
-simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
-.IP "\fB\-dhparam infile\fR" 4
-.IX Item "-dhparam infile"
-The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
-using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
-load the parameters from the server certificate file.
-If this fails then a static set of parameters hard coded into the \fBs_server\fR
-program will be used.
-.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
-.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
-Set different peer certificate verification options.
-See the \fBverify\fR\|(1) manual page for details.
-.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4
-.IX Item "-crl_check, -crl_check_all"
-Check the peer certificate has not been revoked by its \s-1CA.\s0
-The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR
-option all CRLs of all CAs in the chain are checked.
-.IP "\fB\-nbio\fR" 4
-.IX Item "-nbio"
-Turns on non blocking I/O.
-.IP "\fB\-psk_identity val\fR" 4
-.IX Item "-psk_identity val"
-Expect the client to send \s-1PSK\s0 identity \fBval\fR when using a \s-1PSK\s0
-cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0
-identity is the string \*(L"Client_identity\*(R".
-.IP "\fB\-psk_hint val\fR" 4
-.IX Item "-psk_hint val"
-Use the \s-1PSK\s0 identity hint \fBval\fR when using a \s-1PSK\s0 cipher suite.
-.IP "\fB\-psk val\fR" 4
-.IX Item "-psk val"
-Use the \s-1PSK\s0 key \fBval\fR when using a \s-1PSK\s0 cipher suite. The key is
-given as a hexadecimal number without leading 0x, for example \-psk
-1a2b3c4d.
-This option must be provided in order to use a \s-1PSK\s0 cipher.
-.IP "\fB\-psk_session file\fR" 4
-.IX Item "-psk_session file"
-Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0
-Note that this will only work if TLSv1.3 is negotiated.
-.IP "\fB\-listen\fR" 4
-.IX Item "-listen"
-This option can only be used in conjunction with one of the \s-1DTLS\s0 options above.
-With this option \fBs_server\fR will listen on a \s-1UDP\s0 port for incoming connections.
-Any ClientHellos that arrive will be checked to see if they have a cookie in
-them or not.
-Any without a cookie will be responded to with a HelloVerifyRequest.
-If a ClientHello with a cookie is received then \fBs_server\fR will connect to
-that peer and complete the handshake.
-.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
-.IX Item "-dtls, -dtls1, -dtls1_2"
-These options make \fBs_server\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0
-With \fB\-dtls\fR, \fBs_server\fR will negotiate any supported \s-1DTLS\s0 protocol version,
-whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support DTLSv1.0 and DTLSv1.2
-respectively.
-.IP "\fB\-sctp\fR" 4
-.IX Item "-sctp"
-Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
-conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
-available where OpenSSL has support for \s-1SCTP\s0 enabled.
-.IP "\fB\-sctp_label_bug\fR" 4
-.IX Item "-sctp_label_bug"
-Use the incorrect behaviour of older OpenSSL implementations when computing
-endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
-older broken implementations but breaks interoperability with correct
-implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
-available where OpenSSL has support for \s-1SCTP\s0 enabled.
-.IP "\fB\-no_dhe\fR" 4
-.IX Item "-no_dhe"
-If this option is set then no \s-1DH\s0 parameters will be loaded effectively
-disabling the ephemeral \s-1DH\s0 cipher suites.
-.IP "\fB\-alpn val\fR, \fB\-nextprotoneg val\fR" 4
-.IX Item "-alpn val, -nextprotoneg val"
-These flags enable the Application-Layer Protocol Negotiation
-or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
-\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
-The \fBval\fR list is a comma-separated list of supported protocol
-names. The list should contain the most desirable protocols first.
-Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
-\&\*(L"spdy/3\*(R".
-The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
-.IP "\fB\-engine val\fR" 4
-.IX Item "-engine val"
-Specifying an engine (by its unique id string in \fBval\fR) will cause \fBs_server\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-keylogfile outfile\fR" 4
-.IX Item "-keylogfile outfile"
-Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
-(like Wireshark) can decrypt \s-1TLS\s0 connections.
-.IP "\fB\-max_early_data int\fR" 4
-.IX Item "-max_early_data int"
-Change the default maximum early data bytes that are specified for new sessions
-and any incoming early data (when used in conjunction with the \fB\-early_data\fR
-flag). The default value is approximately 16k. The argument must be an integer
-greater than or equal to 0.
-.IP "\fB\-early_data\fR" 4
-.IX Item "-early_data"
-Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR,
-\&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR.
-.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
-.IX Item "-anti_replay, -no_anti_replay"
-Switches replay protection on or off, respectively. Replay protection is on by
-default unless overridden by a configuration file. When it is on, OpenSSL will
-automatically detect if a session ticket has been used more than once, TLSv1.3
-has been negotiated, and early data is enabled on the server. A full handshake
-is forced if a session ticket is used a second or subsequent time. Any early
-data that was sent will be rejected.
-.SH "CONNECTED COMMANDS"
-.IX Header "CONNECTED COMMANDS"
-If a connection request is established with an \s-1SSL\s0 client and neither the
-\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
-from the client is displayed and any key presses will be sent to the client.
-.PP
-Certain commands are also recognized which perform special operations. These
-commands are a letter which must appear at the start of a line. They are listed
-below.
-.IP "\fBq\fR" 4
-.IX Item "q"
-End the current \s-1SSL\s0 connection but still accept new connections.
-.IP "\fBQ\fR" 4
-.IX Item "Q"
-End the current \s-1SSL\s0 connection and exit.
-.IP "\fBr\fR" 4
-.IX Item "r"
-Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
-.IP "\fBR\fR" 4
-.IX Item "R"
-Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below
-only).
-.IP "\fBP\fR" 4
-.IX Item "P"
-Send some plain text down the underlying \s-1TCP\s0 connection: this should
-cause the client to disconnect due to a protocol violation.
-.IP "\fBS\fR" 4
-.IX Item "S"
-Print out some session cache status information.
-.IP "\fBB\fR" 4
-.IX Item "B"
-Send a heartbeat message to the client (\s-1DTLS\s0 only)
-.IP "\fBk\fR" 4
-.IX Item "k"
-Send a key update message to the client (TLSv1.3 only)
-.IP "\fBK\fR" 4
-.IX Item "K"
-Send a key update message to the client and request one back (TLSv1.3 only)
-.IP "\fBc\fR" 4
-.IX Item "c"
-Send a certificate request to the client (TLSv1.3 only)
-.SH "NOTES"
-.IX Header "NOTES"
-\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from
-a web browser the command:
-.PP
-.Vb 1
-\& openssl s_server \-accept 443 \-www
-.Ve
-.PP
-can be used for example.
-.PP
-Although specifying an empty list of CAs when requesting a client certificate
-is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
-mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
-.PP
-The session parameters can printed out using the \fBsess_id\fR program.
-.SH "BUGS"
-.IX Header "BUGS"
-Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of \fBs_server\fR is rather hard to
-read and not a model of how things should be done.
-A typical \s-1SSL\s0 server program would be much simpler.
-.PP
-The output of common ciphers is wrong: it just gives the list of ciphers that
-OpenSSL recognizes and the client supports.
-.PP
-There should be a way for the \fBs_server\fR program to print out details of any
-unknown cipher suites a client says it supports.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fBSSL_CONF_cmd\fR\|(3), \fBsess_id\fR\|(1), \fBs_client\fR\|(1), \fBciphers\fR\|(1)
-\&\fBSSL_CTX_set_max_send_fragment\fR\|(3),
-\&\fBSSL_CTX_set_split_send_fragment\fR\|(3),
-\&\fBSSL_CTX_set_max_pipelines\fR\|(3)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \-no_alt_chains option was added in OpenSSL 1.1.0.
-.PP
-The
-\&\-allow\-no\-dhe\-kex and \-prioritize_chacha options were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index 16c0d1b75138..4bf62b102c20 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -68,8 +68,6 @@
. \}
.\}
.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
@@ -132,41 +130,40 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "TSGET 1"
-.TH TSGET 1 "2022-06-21" "1.1.1p" "OpenSSL"
+.IX Title "TSGET 1ossl"
+.TH TSGET 1ossl "2023-09-19" "3.0.11" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-tsget, tsget \- Time Stamping HTTP/HTTPS client
+tsget \- Time Stamping HTTP/HTTPS client
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBtsget\fR
-\&\fB\-h\fR server_url
-[\fB\-e\fR extension]
-[\fB\-o\fR output]
+\&\fB\-h\fR \fIserver_url\fR
+[\fB\-e\fR \fIextension\fR]
+[\fB\-o\fR \fIoutput\fR]
[\fB\-v\fR]
[\fB\-d\fR]
-[\fB\-k\fR private_key.pem]
-[\fB\-p\fR key_password]
-[\fB\-c\fR client_cert.pem]
-[\fB\-C\fR CA_certs.pem]
-[\fB\-P\fR CA_path]
-[\fB\-r\fR file:file...]
-[\fB\-g\fR EGD_socket]
-[request]...
+[\fB\-k\fR \fIprivate_key.pem\fR]
+[\fB\-p\fR \fIkey_password\fR]
+[\fB\-c\fR \fIclient_cert.pem\fR]
+[\fB\-C\fR \fICA_certs.pem\fR]
+[\fB\-P\fR \fICA_path\fR]
+[\fB\-r\fR \fIfiles\fR]
+[\fB\-g\fR \fIEGD_socket\fR]
+[\fIrequest\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-The \fBtsget\fR command can be used for sending a timestamp request, as
-specified in \fB\s-1RFC 3161\s0\fR, to a timestamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
-the timestamp response in a file. This tool cannot be used for creating the
-requests and verifying responses, you can use the OpenSSL \fB\fBts\fB\|(1)\fR command to
-do that. \fBtsget\fR can send several requests to the server without closing
-the \s-1TCP\s0 connection if more than one requests are specified on the command
-line.
+This command can be used for sending a timestamp request, as specified
+in \s-1RFC 3161,\s0 to a timestamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing the
+timestamp response in a file. It cannot be used for creating the requests
+and verifying responses, you have to use \fBopenssl\-ts\fR\|(1) to do that. This
+command can send several requests to the server without closing the \s-1TCP\s0
+connection if more than one requests are specified on the command line.
.PP
-The tool sends the following \s-1HTTP\s0 request for each timestamp request:
+This command sends the following \s-1HTTP\s0 request for each timestamp request:
.PP
.Vb 7
\& POST url HTTP/1.1
@@ -180,19 +177,19 @@ The tool sends the following \s-1HTTP\s0 request for each timestamp request:
\& ...binary request specified by the user...
.Ve
.PP
-\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is
+It expects a response of type application/timestamp\-reply, which is
written to a file without any interpretation.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.IP "\fB\-h\fR server_url" 4
+.IP "\fB\-h\fR \fIserver_url\fR" 4
.IX Item "-h server_url"
The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for timestamp requests.
-.IP "\fB\-e\fR extension" 4
+.IP "\fB\-e\fR \fIextension\fR" 4
.IX Item "-e extension"
If the \fB\-o\fR option is not given this argument specifies the extension of the
output files. The base name of the output file will be the same as those of
-the input files. Default extension is '.tsr'. (Optional)
-.IP "\fB\-o\fR output" 4
+the input files. Default extension is \fI.tsr\fR. (Optional)
+.IP "\fB\-o\fR \fIoutput\fR" 4
.IX Item "-o output"
This option can be specified only when just one request is sent to the
server. The timestamp response will be written to the given output file. '\-'
@@ -205,49 +202,47 @@ The name of the currently processed request is printed on standard
error. (Optional)
.IP "\fB\-d\fR" 4
.IX Item "-d"
-Switches on verbose mode for the underlying \fBcurl\fR library. You can see
-detailed debug messages for the connection. (Optional)
-.IP "\fB\-k\fR private_key.pem" 4
+Switches on verbose mode for the underlying perl module WWW::Curl::Easy.
+You can see detailed debug messages for the connection. (Optional)
+.IP "\fB\-k\fR \fIprivate_key.pem\fR" 4
.IX Item "-k private_key.pem"
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
-<private_key.pem> must contain the private key of the user. The private key
+\&\fIprivate_key.pem\fR must contain the private key of the user. The private key
file can optionally be protected by a passphrase. The \fB\-c\fR option must also
be specified. (Optional)
-.IP "\fB\-p\fR key_password" 4
+.IP "\fB\-p\fR \fIkey_password\fR" 4
.IX Item "-p key_password"
(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR
-argument. If this option is omitted and the key is passphrase protected \fBtsget\fR
-will ask for it. (Optional)
-.IP "\fB\-c\fR client_cert.pem" 4
+argument. If this option is omitted and the key is passphrase protected,
+it will be prompted for. (Optional)
+.IP "\fB\-c\fR \fIclient_cert.pem\fR" 4
.IX Item "-c client_cert.pem"
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
-<client_cert.pem> must contain the X.509 certificate of the user. The \fB\-k\fR
+\&\fIclient_cert.pem\fR must contain the X.509 certificate of the user. The \fB\-k\fR
option must also be specified. If this option is not specified no
certificate-based client authentication will take place. (Optional)
-.IP "\fB\-C\fR CA_certs.pem" 4
+.IP "\fB\-C\fR \fICA_certs.pem\fR" 4
.IX Item "-C CA_certs.pem"
(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
certificate must include one of the \s-1CA\s0 certificates specified in this file.
Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional)
-.IP "\fB\-P\fR CA_path" 4
+.IP "\fB\-P\fR \fICA_path\fR" 4
.IX Item "-P CA_path"
(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
-certificate. The directory must be prepared with the \fBc_rehash\fR
-OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
-\&\s-1HTTPS.\s0 (Optional)
-.IP "\fB\-rand\fR file:file..." 4
-.IX Item "-rand file:file..."
-The files containing random data for seeding the random number
-generator. Multiple files can be specified, the separator is \fB;\fR for
-MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional)
-.IP "\fB\-g\fR EGD_socket" 4
+certificate. The directory must be prepared with \fBopenssl\-rehash\fR\|(1). Either
+option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional)
+.IP "\fB\-r\fR \fIfiles\fR" 4
+.IX Item "-r files"
+See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for more information.
+.IP "\fB\-g\fR \fIEGD_socket\fR" 4
.IX Item "-g EGD_socket"
The name of an \s-1EGD\s0 socket to get random data from. (Optional)
-.IP "[request]..." 4
-.IX Item "[request]..."
-List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded timestamp requests. If no
-requests are specified only one request will be sent to the server and it will be
-read from the standard input. (Optional)
+.IP "\fIrequest\fR ..." 4
+.IX Item "request ..."
+List of files containing \s-1RFC 3161\s0 DER-encoded timestamp requests. If no
+requests are specified only one request will be sent to the server and it will
+be read from the standard input.
+(Optional)
.SH "ENVIRONMENT VARIABLES"
.IX Header "ENVIRONMENT VARIABLES"
The \fB\s-1TSGET\s0\fR environment variable can optionally contain default
@@ -255,28 +250,28 @@ arguments. The content of this variable is added to the list of command line
arguments.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid
+The examples below presume that \fIfile1.tsq\fR and \fIfile2.tsq\fR contain valid
timestamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests
and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa
absolute path.
.PP
-Get a timestamp response for file1.tsq over \s-1HTTP,\s0 output is written to
-file1.tsr:
+Get a timestamp response for \fIfile1.tsq\fR over \s-1HTTP,\s0 output is written to
+\&\fIfile1.tsr\fR:
.PP
.Vb 1
\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq
.Ve
.PP
-Get a timestamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing
-progress, output is written to file1.reply and file2.reply respectively:
+Get a timestamp response for \fIfile1.tsq\fR and \fIfile2.tsq\fR over \s-1HTTP\s0 showing
+progress, output is written to \fIfile1.reply\fR and \fIfile2.reply\fR respectively:
.PP
.Vb 2
\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e
\& file1.tsq file2.tsq
.Ve
.PP
-Create a timestamp request, write it to file3.tsq, send it to the server and
-write the response to file3.tsr:
+Create a timestamp request, write it to \fIfile3.tsq\fR, send it to the server and
+write the response to \fIfile3.tsr\fR:
.PP
.Vb 3
\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e
@@ -284,7 +279,7 @@ write the response to file3.tsr:
\& \-o file3.tsr
.Ve
.PP
-Get a timestamp response for file1.tsq over \s-1HTTPS\s0 without client
+Get a timestamp response for \fIfile1.tsq\fR over \s-1HTTPS\s0 without client
authentication:
.PP
.Vb 2
@@ -292,8 +287,8 @@ authentication:
\& \-C cacerts.pem file1.tsq
.Ve
.PP
-Get a timestamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based
-client authentication (it will ask for the passphrase if client_key.pem is
+Get a timestamp response for \fIfile1.tsq\fR over \s-1HTTPS\s0 with certificate-based
+client authentication (it will ask for the passphrase if \fIclient_key.pem\fR is
protected):
.PP
.Vb 2
@@ -313,13 +308,15 @@ example:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBopenssl\fR\|(1), \fBts\fR\|(1), \fBcurl\fR\|(1),
-\&\fB\s-1RFC 3161\s0\fR
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-ts\fR\|(1),
+WWW::Curl::Easy,
+<https://www.rfc\-editor.org/rfc/rfc3161.html>
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
deleted file mode 100644
index 7178d57d9dab..000000000000
--- a/secure/usr.bin/openssl/man/verify.1
+++ /dev/null
@@ -1,787 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "VERIFY 1"
-.TH VERIFY 1 "2022-06-21" "1.1.1p" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-openssl\-verify, verify \- Utility to verify certificates
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBverify\fR
-[\fB\-help\fR]
-[\fB\-CAfile file\fR]
-[\fB\-CApath directory\fR]
-[\fB\-no\-CAfile\fR]
-[\fB\-no\-CApath\fR]
-[\fB\-allow_proxy_certs\fR]
-[\fB\-attime timestamp\fR]
-[\fB\-check_ss_sig\fR]
-[\fB\-CRLfile file\fR]
-[\fB\-crl_download\fR]
-[\fB\-crl_check\fR]
-[\fB\-crl_check_all\fR]
-[\fB\-engine id\fR]
-[\fB\-explicit_policy\fR]
-[\fB\-extended_crl\fR]
-[\fB\-ignore_critical\fR]
-[\fB\-inhibit_any\fR]
-[\fB\-inhibit_map\fR]
-[\fB\-nameopt option\fR]
-[\fB\-no_check_time\fR]
-[\fB\-partial_chain\fR]
-[\fB\-policy arg\fR]
-[\fB\-policy_check\fR]
-[\fB\-policy_print\fR]
-[\fB\-purpose purpose\fR]
-[\fB\-suiteB_128\fR]
-[\fB\-suiteB_128_only\fR]
-[\fB\-suiteB_192\fR]
-[\fB\-trusted_first\fR]
-[\fB\-no_alt_chains\fR]
-[\fB\-untrusted file\fR]
-[\fB\-trusted file\fR]
-[\fB\-use_deltas\fR]
-[\fB\-verbose\fR]
-[\fB\-auth_level level\fR]
-[\fB\-verify_depth num\fR]
-[\fB\-verify_email email\fR]
-[\fB\-verify_hostname hostname\fR]
-[\fB\-verify_ip ip\fR]
-[\fB\-verify_name name\fR]
-[\fB\-x509_strict\fR]
-[\fB\-show_chain\fR]
-[\fB\-\fR]
-[certificates]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBverify\fR command verifies certificate chains.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.IP "\fB\-help\fR" 4
-.IX Item "-help"
-Print out a usage message.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A \fBfile\fR of trusted certificates.
-The file should contain one or more certificates in \s-1PEM\s0 format.
-.IP "\fB\-CApath directory\fR" 4
-.IX Item "-CApath directory"
-A directory of trusted certificates. The certificates should have names
-of the form: hash.0 or have symbolic links to them of this
-form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
-of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
-create symbolic links to a directory of certificates.
-.IP "\fB\-no\-CAfile\fR" 4
-.IX Item "-no-CAfile"
-Do not load the trusted \s-1CA\s0 certificates from the default file location.
-.IP "\fB\-no\-CApath\fR" 4
-.IX Item "-no-CApath"
-Do not load the trusted \s-1CA\s0 certificates from the default directory location.
-.IP "\fB\-allow_proxy_certs\fR" 4
-.IX Item "-allow_proxy_certs"
-Allow the verification of proxy certificates.
-.IP "\fB\-attime timestamp\fR" 4
-.IX Item "-attime timestamp"
-Perform validation checks using time specified by \fBtimestamp\fR and not
-current system time. \fBtimestamp\fR is the number of seconds since
-01.01.1970 (\s-1UNIX\s0 time).
-.IP "\fB\-check_ss_sig\fR" 4
-.IX Item "-check_ss_sig"
-Verify the signature of
-the last certificate in a chain if the certificate is supposedly self-signed.
-This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
-certificate with key usage restrictions not including the keyCertSign bit.
-This verification is disabled by default because it doesn't add any security.
-.IP "\fB\-CRLfile file\fR" 4
-.IX Item "-CRLfile file"
-The \fBfile\fR should contain one or more CRLs in \s-1PEM\s0 format.
-This option can be specified more than once to include CRLs from multiple
-\&\fBfiles\fR.
-.IP "\fB\-crl_download\fR" 4
-.IX Item "-crl_download"
-Attempt to download \s-1CRL\s0 information for this certificate.
-.IP "\fB\-crl_check\fR" 4
-.IX Item "-crl_check"
-Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
-If a valid \s-1CRL\s0 cannot be found an error occurs.
-.IP "\fB\-crl_check_all\fR" 4
-.IX Item "-crl_check_all"
-Checks the validity of \fBall\fR certificates in the chain by attempting
-to look up valid CRLs.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine \fBid\fR will cause \fBverify\fR\|(1) to attempt to load the
-specified engine.
-The engine will then be set as the default for all its supported algorithms.
-If you want to load certificates or CRLs that require engine support via any of
-the \fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options, the \fB\-engine\fR option
-must be specified before those options.
-.IP "\fB\-explicit_policy\fR" 4
-.IX Item "-explicit_policy"
-Set policy variable require-explicit-policy (see \s-1RFC5280\s0).
-.IP "\fB\-extended_crl\fR" 4
-.IX Item "-extended_crl"
-Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
-signing keys.
-.IP "\fB\-ignore_critical\fR" 4
-.IX Item "-ignore_critical"
-Normally if an unhandled critical extension is present which is not
-supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0).
-If this option is set critical extensions are ignored.
-.IP "\fB\-inhibit_any\fR" 4
-.IX Item "-inhibit_any"
-Set policy variable inhibit-any-policy (see \s-1RFC5280\s0).
-.IP "\fB\-inhibit_map\fR" 4
-.IX Item "-inhibit_map"
-Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fBx509\fR\|(1) manual page for details.
-.IP "\fB\-no_check_time\fR" 4
-.IX Item "-no_check_time"
-This option suppresses checking the validity period of certificates and CRLs
-against the current time. If option \fB\-attime timestamp\fR is used to specify
-a verification time, the check is not suppressed.
-.IP "\fB\-partial_chain\fR" 4
-.IX Item "-partial_chain"
-Allow verification to succeed even if a \fIcomplete\fR chain cannot be built to a
-self-signed trust-anchor, provided it is possible to construct a chain to a
-trusted certificate that might not be self-signed.
-.IP "\fB\-policy arg\fR" 4
-.IX Item "-policy arg"
-Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
-\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form.
-This argument can appear more than once.
-.IP "\fB\-policy_check\fR" 4
-.IX Item "-policy_check"
-Enables certificate policy processing.
-.IP "\fB\-policy_print\fR" 4
-.IX Item "-policy_print"
-Print out diagnostics related to policy processing.
-.IP "\fB\-purpose purpose\fR" 4
-.IX Item "-purpose purpose"
-The intended use for the certificate. If this option is not specified,
-\&\fBverify\fR will not consider certificate purpose during chain verification.
-Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR,
-\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more
-information.
-.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4
-.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192"
-Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
-192 bit, or only 192 bit Level of Security respectively.
-See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are
-reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves
-P\-256 and P\-384.
-.IP "\fB\-trusted_first\fR" 4
-.IX Item "-trusted_first"
-When constructing the certificate chain, use the trusted certificates specified
-via \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-trusted\fR before any certificates specified via
-\&\fB\-untrusted\fR.
-This can be useful in environments with Bridge or Cross-Certified CAs.
-As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
-.IP "\fB\-no_alt_chains\fR" 4
-.IX Item "-no_alt_chains"
-By default, unless \fB\-trusted_first\fR is specified, when building a certificate
-chain, if the first certificate chain found is not trusted, then OpenSSL will
-attempt to replace untrusted issuer certificates with certificates from the
-trust store to see if an alternative chain can be found that is trusted.
-As of OpenSSL 1.1.0, with \fB\-trusted_first\fR always on, this option has no
-effect.
-.IP "\fB\-untrusted file\fR" 4
-.IX Item "-untrusted file"
-A \fBfile\fR of additional untrusted certificates (intermediate issuer CAs) used
-to construct a certificate chain from the subject certificate to a trust-anchor.
-The \fBfile\fR should contain one or more certificates in \s-1PEM\s0 format.
-This option can be specified more than once to include untrusted certificates
-from multiple \fBfiles\fR.
-.IP "\fB\-trusted file\fR" 4
-.IX Item "-trusted file"
-A \fBfile\fR of trusted certificates, which must be self-signed, unless the
-\&\fB\-partial_chain\fR option is specified.
-The \fBfile\fR contains one or more certificates in \s-1PEM\s0 format.
-With this option, no additional (e.g., default) certificate lists are
-consulted.
-That is, the only trust-anchors are those listed in \fBfile\fR.
-This option can be specified more than once to include trusted certificates
-from multiple \fBfiles\fR.
-This option implies the \fB\-no\-CAfile\fR and \fB\-no\-CApath\fR options.
-This option cannot be used in combination with either of the \fB\-CAfile\fR or
-\&\fB\-CApath\fR options.
-.IP "\fB\-use_deltas\fR" 4
-.IX Item "-use_deltas"
-Enable support for delta CRLs.
-.IP "\fB\-verbose\fR" 4
-.IX Item "-verbose"
-Print extra information about the operations being performed.
-.IP "\fB\-auth_level level\fR" 4
-.IX Item "-auth_level level"
-Set the certificate chain authentication security level to \fBlevel\fR.
-The authentication security level determines the acceptable signature and
-public key strength when verifying certificate chains.
-For a certificate chain to validate, the public keys of all the certificates
-must meet the specified security \fBlevel\fR.
-The signature algorithm security level is enforced for all the certificates in
-the chain except for the chain's \fItrust anchor\fR, which is either directly
-trusted or validated by means other than its signature.
-See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available
-levels.
-The default security level is \-1, or \*(L"not set\*(R".
-At security level 0 or lower all algorithms are acceptable.
-Security level 1 requires at least 80\-bit\-equivalent security and is broadly
-interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys
-shorter than 1024 bits.
-.IP "\fB\-verify_depth num\fR" 4
-.IX Item "-verify_depth num"
-Limit the certificate chain to \fBnum\fR intermediate \s-1CA\s0 certificates.
-A maximal depth chain can have up to \fBnum+2\fR certificates, since neither the
-end-entity certificate nor the trust-anchor certificate count against the
-\&\fB\-verify_depth\fR limit.
-.IP "\fB\-verify_email email\fR" 4
-.IX Item "-verify_email email"
-Verify if the \fBemail\fR matches the email address in Subject Alternative Name or
-the email in the subject Distinguished Name.
-.IP "\fB\-verify_hostname hostname\fR" 4
-.IX Item "-verify_hostname hostname"
-Verify if the \fBhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or
-Common Name in the subject certificate.
-.IP "\fB\-verify_ip ip\fR" 4
-.IX Item "-verify_ip ip"
-Verify if the \fBip\fR matches the \s-1IP\s0 address in Subject Alternative Name of
-the subject certificate.
-.IP "\fB\-verify_name name\fR" 4
-.IX Item "-verify_name name"
-Use default verification policies like trust model and required certificate
-policies identified by \fBname\fR.
-The trust model determines which auxiliary trust or reject OIDs are applicable
-to verifying the given certificate chain.
-See the \fB\-addtrust\fR and \fB\-addreject\fR options of the \fBx509\fR\|(1) command-line
-utility.
-Supported policy names include: \fBdefault\fR, \fBpkcs7\fR, \fBsmime_sign\fR,
-\&\fBssl_client\fR, \fBssl_server\fR.
-These mimics the combinations of purpose and trust settings used in \s-1SSL, CMS\s0
-and S/MIME.
-As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
-specified, so the \fB\-verify_name\fR options are functionally equivalent to the
-corresponding \fB\-purpose\fR settings.
-.IP "\fB\-x509_strict\fR" 4
-.IX Item "-x509_strict"
-For strict X.509 compliance, disable non-compliant workarounds for broken
-certificates.
-.IP "\fB\-show_chain\fR" 4
-.IX Item "-show_chain"
-Display information about the certificate chain that has been built (if
-successful). Certificates in the chain that came from the untrusted list will be
-flagged as \*(L"untrusted\*(R".
-.IP "\fB\-\fR" 4
-.IX Item "-"
-Indicates the last option. All arguments following this are assumed to be
-certificate files. This is useful if the first certificate filename begins
-with a \fB\-\fR.
-.IP "\fBcertificates\fR" 4
-.IX Item "certificates"
-One or more certificates to verify. If no certificates are given, \fBverify\fR
-will attempt to read a certificate from standard input. Certificates must be
-in \s-1PEM\s0 format.
-.SH "VERIFY OPERATION"
-.IX Header "VERIFY OPERATION"
-The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
-verification, therefore, this description applies to these verify operations
-too.
-.PP
-There is one crucial difference between the verify operations performed
-by the \fBverify\fR program: wherever possible an attempt is made to continue
-after an error whereas normally the verify operation would halt on the
-first error. This allows all the problems with a certificate chain to be
-determined.
-.PP
-The verify operation consists of a number of separate steps.
-.PP
-Firstly a certificate chain is built up starting from the supplied certificate
-and ending in the root \s-1CA.\s0
-It is an error if the whole chain cannot be built up.
-The chain is built up by looking up the issuers certificate of the current
-certificate.
-If a certificate is found which is its own issuer it is assumed to be the root
-\&\s-1CA.\s0
-.PP
-The process of 'looking up the issuers certificate' itself involves a number of
-steps.
-After all certificates whose subject name matches the issuer name of the current
-certificate are subject to further tests.
-The relevant authority key identifier components of the current certificate (if
-present) must match the subject key identifier (if present) and issuer and
-serial number of the candidate issuer, in addition the keyUsage extension of
-the candidate issuer (if present) must permit certificate signing.
-.PP
-The lookup first looks in the list of untrusted certificates and if no match
-is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
-is always looked up in the trusted certificate list: if the certificate to
-verify is a root certificate then an exact match must be found in the trusted
-list.
-.PP
-The second operation is to check every untrusted certificate's extensions for
-consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
-then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
-compatible with the supplied purpose and all other certificates must also be valid
-\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
-the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility.
-.PP
-The third operation is to check the trust settings on the root \s-1CA.\s0 The root \s-1CA\s0
-should be trusted for the supplied purpose.
-For compatibility with previous versions of OpenSSL, a certificate with no
-trust settings is considered to be valid for all purposes.
-.PP
-The final operation is to check the validity of the certificate chain.
-For each element in the chain, including the root \s-1CA\s0 certificate,
-the validity period as specified by the \f(CW\*(C`notBefore\*(C'\fR and \f(CW\*(C`notAfter\*(C'\fR fields
-is checked against the current system time.
-The \fB\-attime\fR flag may be used to use a reference time other than \*(L"now.\*(R"
-The certificate signature is checked as well
-(except for the signature of the typically self-signed root \s-1CA\s0 certificate,
-which is verified only if the \fB\-check_ss_sig\fR option is given).
-.PP
-If all operations complete successfully then certificate is considered valid. If
-any operation fails then the certificate is not valid.
-.SH "DIAGNOSTICS"
-.IX Header "DIAGNOSTICS"
-When a verify operation fails the output messages can be somewhat cryptic. The
-general form of the error message is:
-.PP
-.Vb 2
-\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-\& error 24 at 1 depth lookup:invalid CA certificate
-.Ve
-.PP
-The first line contains the name of the certificate being verified followed by
-the subject name of the certificate. The second line contains the error number
-and the depth. The depth is number of the certificate being verified when a
-problem was detected starting with zero for the certificate being verified itself
-then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
-of the error number is presented.
-.PP
-A partial list of the error codes and messages is shown below, this also
-includes the name of the error code as defined in the header file x509_vfy.h
-Some of the error codes are defined but never returned: these are described
-as \*(L"unused\*(R".
-.IP "\fBX509_V_OK\fR" 4
-.IX Item "X509_V_OK"
-The operation was successful.
-.IP "\fBX509_V_ERR_UNSPECIFIED\fR" 4
-.IX Item "X509_V_ERR_UNSPECIFIED"
-Unspecified error; should not happen.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
-The issuer certificate of a looked up certificate could not be found. This
-normally means the list of trusted certificates is not complete.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL"
-The \s-1CRL\s0 of a certificate could not be found.
-.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"
-The certificate signature could not be decrypted. This means that the
-actual signature value could not be determined rather than it not matching
-the expected value, this is only meaningful for \s-1RSA\s0 keys.
-.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"
-The \s-1CRL\s0 signature could not be decrypted: this means that the actual
-signature value could not be determined rather than it not matching the
-expected value. Unused.
-.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"
-The public key in the certificate SubjectPublicKeyInfo could not be read.
-.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE\fR" 4
-.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE"
-The signature of the certificate is invalid.
-.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE\fR" 4
-.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE"
-The signature of the certificate is invalid.
-.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID\fR" 4
-.IX Item "X509_V_ERR_CERT_NOT_YET_VALID"
-The certificate is not yet valid: the notBefore date is after the
-current time.
-.IP "\fBX509_V_ERR_CERT_HAS_EXPIRED\fR" 4
-.IX Item "X509_V_ERR_CERT_HAS_EXPIRED"
-The certificate has expired: that is the notAfter date is before the
-current time.
-.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID\fR" 4
-.IX Item "X509_V_ERR_CRL_NOT_YET_VALID"
-The \s-1CRL\s0 is not yet valid.
-.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED\fR" 4
-.IX Item "X509_V_ERR_CRL_HAS_EXPIRED"
-The \s-1CRL\s0 has expired.
-.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD\fR" 4
-.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"
-The certificate notBefore field contains an invalid time.
-.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD\fR" 4
-.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"
-The certificate notAfter field contains an invalid time.
-.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD\fR" 4
-.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"
-The \s-1CRL\s0 lastUpdate field contains an invalid time.
-.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD\fR" 4
-.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"
-The \s-1CRL\s0 nextUpdate field contains an invalid time.
-.IP "\fBX509_V_ERR_OUT_OF_MEM\fR" 4
-.IX Item "X509_V_ERR_OUT_OF_MEM"
-An error occurred trying to allocate memory. This should never happen.
-.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\fR" 4
-.IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
-The passed certificate is self-signed and the same certificate cannot
-be found in the list of trusted certificates.
-.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\fR" 4
-.IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"
-The certificate chain could be built up using the untrusted certificates
-but the root could not be found locally.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
-The issuer certificate could not be found: this occurs if the issuer
-certificate of an untrusted certificate cannot be found.
-.IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
-No signatures could be verified because the chain contains only one
-certificate and it is not self signed.
-.IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG\fR" 4
-.IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG"
-The certificate chain length is greater than the supplied maximum
-depth. Unused.
-.IP "\fBX509_V_ERR_CERT_REVOKED\fR" 4
-.IX Item "X509_V_ERR_CERT_REVOKED"
-The certificate has been revoked.
-.IP "\fBX509_V_ERR_INVALID_CA\fR" 4
-.IX Item "X509_V_ERR_INVALID_CA"
-A \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions
-are not consistent with the supplied purpose.
-.IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED\fR" 4
-.IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED"
-The basicConstraints pathlength parameter has been exceeded.
-.IP "\fBX509_V_ERR_INVALID_PURPOSE\fR" 4
-.IX Item "X509_V_ERR_INVALID_PURPOSE"
-The supplied certificate cannot be used for the specified purpose.
-.IP "\fBX509_V_ERR_CERT_UNTRUSTED\fR" 4
-.IX Item "X509_V_ERR_CERT_UNTRUSTED"
-The root \s-1CA\s0 is not marked as trusted for the specified purpose.
-.IP "\fBX509_V_ERR_CERT_REJECTED\fR" 4
-.IX Item "X509_V_ERR_CERT_REJECTED"
-The root \s-1CA\s0 is marked to reject the specified purpose.
-.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
-Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
-\&\fB\-issuer_checks\fR option.
-.IP "\fBX509_V_ERR_AKID_SKID_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_AKID_SKID_MISMATCH"
-Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
-\&\fB\-issuer_checks\fR option.
-.IP "\fBX509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
-Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
-\&\fB\-issuer_checks\fR option.
-.IP "\fBX509_V_ERR_KEYUSAGE_NO_CERTSIGN\fR" 4
-.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"
-Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
-\&\fB\-issuer_checks\fR option.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER\fR" 4
-.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
-Unable to get \s-1CRL\s0 issuer certificate.
-.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_EXTENSION\fR" 4
-.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
-Unhandled critical extension.
-.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN\fR" 4
-.IX Item "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
-Key usage does not include \s-1CRL\s0 signing.
-.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION\fR" 4
-.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
-Unhandled critical \s-1CRL\s0 extension.
-.IP "\fBX509_V_ERR_INVALID_NON_CA\fR" 4
-.IX Item "X509_V_ERR_INVALID_NON_CA"
-Invalid non-CA certificate has \s-1CA\s0 markings.
-.IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED\fR" 4
-.IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
-Proxy path length constraint exceeded.
-.IP "\fBX509_V_ERR_PROXY_SUBJECT_INVALID\fR" 4
-.IX Item "X509_V_ERR_PROXY_SUBJECT_INVALID"
-Proxy certificate subject is invalid. It \s-1MUST\s0 be the same as the issuer
-with a single \s-1CN\s0 component added.
-.IP "\fBX509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE\fR" 4
-.IX Item "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
-Key usage does not include digital signature.
-.IP "\fBX509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED\fR" 4
-.IX Item "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
-Proxy certificates not allowed, please use \fB\-allow_proxy_certs\fR.
-.IP "\fBX509_V_ERR_INVALID_EXTENSION\fR" 4
-.IX Item "X509_V_ERR_INVALID_EXTENSION"
-Invalid or inconsistent certificate extension.
-.IP "\fBX509_V_ERR_INVALID_POLICY_EXTENSION\fR" 4
-.IX Item "X509_V_ERR_INVALID_POLICY_EXTENSION"
-Invalid or inconsistent certificate policy extension.
-.IP "\fBX509_V_ERR_NO_EXPLICIT_POLICY\fR" 4
-.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY"
-No explicit policy.
-.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE\fR" 4
-.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE"
-Different \s-1CRL\s0 scope.
-.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE\fR" 4
-.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
-Unsupported extension feature.
-.IP "\fBX509_V_ERR_UNNESTED_RESOURCE\fR" 4
-.IX Item "X509_V_ERR_UNNESTED_RESOURCE"
-\&\s-1RFC 3779\s0 resource not subset of parent's resources.
-.IP "\fBX509_V_ERR_PERMITTED_VIOLATION\fR" 4
-.IX Item "X509_V_ERR_PERMITTED_VIOLATION"
-Permitted subtree violation.
-.IP "\fBX509_V_ERR_EXCLUDED_VIOLATION\fR" 4
-.IX Item "X509_V_ERR_EXCLUDED_VIOLATION"
-Excluded subtree violation.
-.IP "\fBX509_V_ERR_SUBTREE_MINMAX\fR" 4
-.IX Item "X509_V_ERR_SUBTREE_MINMAX"
-Name constraints minimum and maximum not supported.
-.IP "\fBX509_V_ERR_APPLICATION_VERIFICATION\fR" 4
-.IX Item "X509_V_ERR_APPLICATION_VERIFICATION"
-Application verification failure. Unused.
-.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE\fR" 4
-.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
-Unsupported name constraint type.
-.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX\fR" 4
-.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
-Unsupported or invalid name constraint syntax.
-.IP "\fBX509_V_ERR_UNSUPPORTED_NAME_SYNTAX\fR" 4
-.IX Item "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
-Unsupported or invalid name syntax.
-.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR\fR" 4
-.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
-\&\s-1CRL\s0 path validation error.
-.IP "\fBX509_V_ERR_PATH_LOOP\fR" 4
-.IX Item "X509_V_ERR_PATH_LOOP"
-Path loop.
-.IP "\fBX509_V_ERR_SUITE_B_INVALID_VERSION\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_INVALID_VERSION"
-Suite B: certificate version invalid.
-.IP "\fBX509_V_ERR_SUITE_B_INVALID_ALGORITHM\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_INVALID_ALGORITHM"
-Suite B: invalid public key algorithm.
-.IP "\fBX509_V_ERR_SUITE_B_INVALID_CURVE\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_INVALID_CURVE"
-Suite B: invalid \s-1ECC\s0 curve.
-.IP "\fBX509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM"
-Suite B: invalid signature algorithm.
-.IP "\fBX509_V_ERR_SUITE_B_LOS_NOT_ALLOWED\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED"
-Suite B: curve not allowed for this \s-1LOS.\s0
-.IP "\fBX509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256\fR" 4
-.IX Item "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256"
-Suite B: cannot sign P\-384 with P\-256.
-.IP "\fBX509_V_ERR_HOSTNAME_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_HOSTNAME_MISMATCH"
-Hostname mismatch.
-.IP "\fBX509_V_ERR_EMAIL_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_EMAIL_MISMATCH"
-Email address mismatch.
-.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH\fR" 4
-.IX Item "X509_V_ERR_IP_ADDRESS_MISMATCH"
-\&\s-1IP\s0 address mismatch.
-.IP "\fBX509_V_ERR_DANE_NO_MATCH\fR" 4
-.IX Item "X509_V_ERR_DANE_NO_MATCH"
-\&\s-1DANE TLSA\s0 authentication is enabled, but no \s-1TLSA\s0 records matched the
-certificate chain.
-This error is only possible in \fBs_client\fR\|(1).
-.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL\fR" 4
-.IX Item "X509_V_ERR_EE_KEY_TOO_SMALL"
-\&\s-1EE\s0 certificate key too weak.
-.IP "\fBX509_ERR_CA_KEY_TOO_SMALL\fR" 4
-.IX Item "X509_ERR_CA_KEY_TOO_SMALL"
-\&\s-1CA\s0 certificate key too weak.
-.IP "\fBX509_ERR_CA_MD_TOO_WEAK\fR" 4
-.IX Item "X509_ERR_CA_MD_TOO_WEAK"
-\&\s-1CA\s0 signature digest algorithm too weak.
-.IP "\fBX509_V_ERR_INVALID_CALL\fR" 4
-.IX Item "X509_V_ERR_INVALID_CALL"
-nvalid certificate verification context.
-.IP "\fBX509_V_ERR_STORE_LOOKUP\fR" 4
-.IX Item "X509_V_ERR_STORE_LOOKUP"
-Issuer certificate lookup error.
-.IP "\fBX509_V_ERR_NO_VALID_SCTS\fR" 4
-.IX Item "X509_V_ERR_NO_VALID_SCTS"
-Certificate Transparency required, but no valid SCTs found.
-.IP "\fBX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION\fR" 4
-.IX Item "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION"
-Proxy subject name violation.
-.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED\fR" 4
-.IX Item "X509_V_ERR_OCSP_VERIFY_NEEDED"
-Returned by the verify callback to indicate an \s-1OCSP\s0 verification is needed.
-.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED\fR" 4
-.IX Item "X509_V_ERR_OCSP_VERIFY_FAILED"
-Returned by the verify callback to indicate \s-1OCSP\s0 verification failed.
-.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN\fR" 4
-.IX Item "X509_V_ERR_OCSP_CERT_UNKNOWN"
-Returned by the verify callback to indicate that the certificate is not recognized
-by the \s-1OCSP\s0 responder.
-.SH "BUGS"
-.IX Header "BUGS"
-Although the issuer checks are a considerable improvement over the old
-technique they still suffer from limitations in the underlying X509_LOOKUP
-\&\s-1API.\s0 One consequence of this is that trusted certificates with matching
-subject name must either appear in a file (as specified by the \fB\-CAfile\fR
-option) or a directory (as specified by \fB\-CApath\fR). If they occur in
-both then only the certificates in the file will be recognised.
-.PP
-Previous versions of OpenSSL assume certificates with matching subject
-name are identical and mishandled them.
-.PP
-Previous versions of this documentation swapped the meaning of the
-\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and
-\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fBx509\fR\|(1)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The \fB\-show_chain\fR option was added in OpenSSL 1.1.0.
-.PP
-The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and
-is silently ignored.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
deleted file mode 100644
index 8eb5d69cb3fe..000000000000
--- a/secure/usr.bin/openssl/man/x509.1
+++ /dev/null
@@ -1,955 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "X509 1"
-.TH X509 1 "2022-06-21" "1.1.1p" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-openssl\-x509, x509 \- Certificate display and signing utility
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBopenssl\fR \fBx509\fR
-[\fB\-help\fR]
-[\fB\-inform DER|PEM\fR]
-[\fB\-outform DER|PEM\fR]
-[\fB\-keyform DER|PEM|ENGINE\fR]
-[\fB\-CAform DER|PEM\fR]
-[\fB\-CAkeyform DER|PEM\fR]
-[\fB\-in filename\fR]
-[\fB\-out filename\fR]
-[\fB\-serial\fR]
-[\fB\-hash\fR]
-[\fB\-subject_hash\fR]
-[\fB\-issuer_hash\fR]
-[\fB\-ocspid\fR]
-[\fB\-subject\fR]
-[\fB\-issuer\fR]
-[\fB\-nameopt option\fR]
-[\fB\-email\fR]
-[\fB\-ocsp_uri\fR]
-[\fB\-startdate\fR]
-[\fB\-enddate\fR]
-[\fB\-purpose\fR]
-[\fB\-dates\fR]
-[\fB\-checkend num\fR]
-[\fB\-modulus\fR]
-[\fB\-pubkey\fR]
-[\fB\-fingerprint\fR]
-[\fB\-alias\fR]
-[\fB\-noout\fR]
-[\fB\-trustout\fR]
-[\fB\-clrtrust\fR]
-[\fB\-clrreject\fR]
-[\fB\-addtrust arg\fR]
-[\fB\-addreject arg\fR]
-[\fB\-setalias arg\fR]
-[\fB\-days arg\fR]
-[\fB\-set_serial n\fR]
-[\fB\-signkey arg\fR]
-[\fB\-passin arg\fR]
-[\fB\-x509toreq\fR]
-[\fB\-req\fR]
-[\fB\-CA filename\fR]
-[\fB\-CAkey filename\fR]
-[\fB\-CAcreateserial\fR]
-[\fB\-CAserial filename\fR]
-[\fB\-force_pubkey key\fR]
-[\fB\-text\fR]
-[\fB\-ext extensions\fR]
-[\fB\-certopt option\fR]
-[\fB\-C\fR]
-[\fB\-\f(BIdigest\fB\fR]
-[\fB\-clrext\fR]
-[\fB\-extfile filename\fR]
-[\fB\-extensions section\fR]
-[\fB\-sigopt nm:v\fR]
-[\fB\-rand file...\fR]
-[\fB\-writerand file\fR]
-[\fB\-engine id\fR]
-[\fB\-preserve_dates\fR]
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fBx509\fR command is a multi purpose certificate utility. It can be
-used to display certificate information, convert certificates to
-various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit
-certificate trust settings.
-.PP
-Since there are a large number of options they will split up into
-various sections.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-.SS "Input, Output, and General Purpose Options"
-.IX Subsection "Input, Output, and General Purpose Options"
-.IP "\fB\-help\fR" 4
-.IX Item "-help"
-Print out a usage message.
-.IP "\fB\-inform DER|PEM\fR" 4
-.IX Item "-inform DER|PEM"
-This specifies the input format normally the command will expect an X509
-certificate but this can change if other options such as \fB\-req\fR are
-present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
-is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
-added. The default format is \s-1PEM.\s0
-.IP "\fB\-outform DER|PEM\fR" 4
-.IX Item "-outform DER|PEM"
-This specifies the output format, the options have the same meaning and default
-as the \fB\-inform\fR option.
-.IP "\fB\-in filename\fR" 4
-.IX Item "-in filename"
-This specifies the input filename to read a certificate from or standard input
-if this option is not specified.
-.IP "\fB\-out filename\fR" 4
-.IX Item "-out filename"
-This specifies the output filename to write to or standard output by
-default.
-.IP "\fB\-\f(BIdigest\fB\fR" 4
-.IX Item "-digest"
-The digest to use.
-This affects any signing or display option that uses a message
-digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options.
-Any digest supported by the OpenSSL \fBdgst\fR command can be used.
-If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
-the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
-.IP "\fB\-rand file...\fR" 4
-.IX Item "-rand file..."
-A file or files containing random data used to seed the random number
-generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
-all others.
-.IP "[\fB\-writerand file\fR]" 4
-.IX Item "[-writerand file]"
-Writes random data to the specified \fIfile\fR upon exit.
-This can be used with a subsequent \fB\-rand\fR flag.
-.IP "\fB\-engine id\fR" 4
-.IX Item "-engine id"
-Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
-.IP "\fB\-preserve_dates\fR" 4
-.IX Item "-preserve_dates"
-When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead
-of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option.
-.SS "Display Options"
-.IX Subsection "Display Options"
-Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
-but are described in the \fB\s-1TRUST SETTINGS\s0\fR section.
-.IP "\fB\-text\fR" 4
-.IX Item "-text"
-Prints out the certificate in text form. Full details are output including the
-public key, signature algorithms, issuer and subject names, serial number
-any extensions present and any trust settings.
-.IP "\fB\-ext extensions\fR" 4
-.IX Item "-ext extensions"
-Prints out the certificate extensions in text form. Extensions are specified
-with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R".
-See the \fBx509v3_config\fR\|(5) manual page for the extension names.
-.IP "\fB\-certopt option\fR" 4
-.IX Item "-certopt option"
-Customise the output format used with \fB\-text\fR. The \fBoption\fR argument
-can be a single option or multiple options separated by commas. The
-\&\fB\-certopt\fR switch may be also be used more than once to set multiple
-options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information.
-.IP "\fB\-noout\fR" 4
-.IX Item "-noout"
-This option prevents output of the encoded version of the certificate.
-.IP "\fB\-pubkey\fR" 4
-.IX Item "-pubkey"
-Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
-.IP "\fB\-modulus\fR" 4
-.IX Item "-modulus"
-This option prints out the value of the modulus of the public key
-contained in the certificate.
-.IP "\fB\-serial\fR" 4
-.IX Item "-serial"
-Outputs the certificate serial number.
-.IP "\fB\-subject_hash\fR" 4
-.IX Item "-subject_hash"
-Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
-form an index to allow certificates in a directory to be looked up by subject
-name.
-.IP "\fB\-issuer_hash\fR" 4
-.IX Item "-issuer_hash"
-Outputs the \*(L"hash\*(R" of the certificate issuer name.
-.IP "\fB\-ocspid\fR" 4
-.IX Item "-ocspid"
-Outputs the \s-1OCSP\s0 hash values for the subject name and public key.
-.IP "\fB\-hash\fR" 4
-.IX Item "-hash"
-Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
-.IP "\fB\-subject_hash_old\fR" 4
-.IX Item "-subject_hash_old"
-Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
-as used by OpenSSL before version 1.0.0.
-.IP "\fB\-issuer_hash_old\fR" 4
-.IX Item "-issuer_hash_old"
-Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
-as used by OpenSSL before version 1.0.0.
-.IP "\fB\-subject\fR" 4
-.IX Item "-subject"
-Outputs the subject name.
-.IP "\fB\-issuer\fR" 4
-.IX Item "-issuer"
-Outputs the issuer name.
-.IP "\fB\-nameopt option\fR" 4
-.IX Item "-nameopt option"
-Option which determines how the subject or issuer names are displayed. The
-\&\fBoption\fR argument can be a single option or multiple options separated by
-commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information.
-.IP "\fB\-email\fR" 4
-.IX Item "-email"
-Outputs the email address(es) if any.
-.IP "\fB\-ocsp_uri\fR" 4
-.IX Item "-ocsp_uri"
-Outputs the \s-1OCSP\s0 responder address(es) if any.
-.IP "\fB\-startdate\fR" 4
-.IX Item "-startdate"
-Prints out the start date of the certificate, that is the notBefore date.
-.IP "\fB\-enddate\fR" 4
-.IX Item "-enddate"
-Prints out the expiry date of the certificate, that is the notAfter date.
-.IP "\fB\-dates\fR" 4
-.IX Item "-dates"
-Prints out the start and expiry dates of a certificate.
-.IP "\fB\-checkend arg\fR" 4
-.IX Item "-checkend arg"
-Checks if the certificate expires within the next \fBarg\fR seconds and exits
-nonzero if yes it will expire or zero if not.
-.IP "\fB\-fingerprint\fR" 4
-.IX Item "-fingerprint"
-Calculates and outputs the digest of the \s-1DER\s0 encoded version of the entire
-certificate (see digest options).
-This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
-digests, the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-.IP "\fB\-C\fR" 4
-.IX Item "-C"
-This outputs the certificate in the form of a C source file.
-.SS "Trust Settings"
-.IX Subsection "Trust Settings"
-A \fBtrusted certificate\fR is an ordinary certificate which has several
-additional pieces of information attached to it such as the permitted
-and prohibited uses of the certificate and an \*(L"alias\*(R".
-.PP
-Normally when a certificate is being verified at least one certificate
-must be \*(L"trusted\*(R". By default a trusted certificate must be stored
-locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
-is then usable for any purpose.
-.PP
-Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer
-control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
-may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
-.PP
-See the description of the \fBverify\fR utility for more information on the
-meaning of trust settings.
-.PP
-Future versions of OpenSSL will recognize trust settings on any
-certificate: not just root CAs.
-.IP "\fB\-trustout\fR" 4
-.IX Item "-trustout"
-This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
-or trusted certificate can be input but by default an ordinary
-certificate is output and any trust settings are discarded. With the
-\&\fB\-trustout\fR option a trusted certificate is output. A trusted
-certificate is automatically output if any trust settings are modified.
-.IP "\fB\-setalias arg\fR" 4
-.IX Item "-setalias arg"
-Sets the alias of the certificate. This will allow the certificate
-to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
-.IP "\fB\-alias\fR" 4
-.IX Item "-alias"
-Outputs the certificate alias, if any.
-.IP "\fB\-clrtrust\fR" 4
-.IX Item "-clrtrust"
-Clears all the permitted or trusted uses of the certificate.
-.IP "\fB\-clrreject\fR" 4
-.IX Item "-clrreject"
-Clears all the prohibited or rejected uses of the certificate.
-.IP "\fB\-addtrust arg\fR" 4
-.IX Item "-addtrust arg"
-Adds a trusted certificate use.
-Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client
-use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and
-\&\fBanyExtendedKeyUsage\fR are used.
-As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
-enables all purposes when trusted.
-Other OpenSSL applications may define additional uses.
-.IP "\fB\-addreject arg\fR" 4
-.IX Item "-addreject arg"
-Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
-option.
-.IP "\fB\-purpose\fR" 4
-.IX Item "-purpose"
-This option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the \fB\s-1CERTIFICATE
-EXTENSIONS\s0\fR section.
-.SS "Signing Options"
-.IX Subsection "Signing Options"
-The \fBx509\fR utility can be used to sign certificates and requests: it
-can thus behave like a \*(L"mini \s-1CA\*(R".\s0
-.IP "\fB\-signkey arg\fR" 4
-.IX Item "-signkey arg"
-This option causes the input file to be self signed using the supplied
-private key or engine. The private key's format is specified with the
-\&\fB\-keyform\fR option.
-.Sp
-If the input file is a certificate it sets the issuer name to the
-subject name (i.e. makes it self signed) changes the public key to the
-supplied value and changes the start and end dates. The start date is
-set to the current time and the end date is set to a value determined
-by the \fB\-days\fR option. Any certificate extensions are retained unless
-the \fB\-clrext\fR option is supplied; this includes, for example, any existing
-key identifier extensions.
-.Sp
-If the input is a certificate request then a self signed certificate
-is created using the supplied private key using the subject name in
-the request.
-.IP "\fB\-sigopt nm:v\fR" 4
-.IX Item "-sigopt nm:v"
-Pass options to the signature algorithm during sign or verify operations.
-Names and values of these options are algorithm-specific.
-.IP "\fB\-passin arg\fR" 4
-.IX Item "-passin arg"
-The key password source. For more information about the format of \fBarg\fR
-see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
-.IP "\fB\-clrext\fR" 4
-.IX Item "-clrext"
-Delete any extensions from a certificate. This option is used when a
-certificate is being created from another certificate (for example with
-the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
-retained.
-.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
-.IX Item "-keyform PEM|DER|ENGINE"
-Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
-\&\fB\-signkey\fR option.
-.IP "\fB\-days arg\fR" 4
-.IX Item "-days arg"
-Specifies the number of days to make a certificate valid for. The default
-is 30 days. Cannot be used with the \fB\-preserve_dates\fR option.
-.IP "\fB\-x509toreq\fR" 4
-.IX Item "-x509toreq"
-Converts a certificate into a certificate request. The \fB\-signkey\fR option
-is used to pass the required private key.
-.IP "\fB\-req\fR" 4
-.IX Item "-req"
-By default a certificate is expected on input. With this option a
-certificate request is expected instead.
-.IP "\fB\-set_serial n\fR" 4
-.IX Item "-set_serial n"
-Specifies the serial number to use. This option can be used with either
-the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
-option the serial number file (as specified by the \fB\-CAserial\fR or
-\&\fB\-CAcreateserial\fR options) is not used.
-.Sp
-The serial number can be decimal or hex (if preceded by \fB0x\fR).
-.IP "\fB\-CA filename\fR" 4
-.IX Item "-CA filename"
-Specifies the \s-1CA\s0 certificate to be used for signing. When this option is
-present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this
-\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
-of the \s-1CA\s0 and it is digitally signed using the CAs private key.
-.Sp
-This option is normally combined with the \fB\-req\fR option. Without the
-\&\fB\-req\fR option the input is a certificate which must be self signed.
-.IP "\fB\-CAkey filename\fR" 4
-.IX Item "-CAkey filename"
-Sets the \s-1CA\s0 private key to sign a certificate with. If this option is
-not specified then it is assumed that the \s-1CA\s0 private key is present in
-the \s-1CA\s0 certificate file.
-.IP "\fB\-CAserial filename\fR" 4
-.IX Item "-CAserial filename"
-Sets the \s-1CA\s0 serial number file to use.
-.Sp
-When the \fB\-CA\fR option is used to sign a certificate it uses a serial
-number specified in a file. This file consists of one line containing
-an even number of hex digits with the serial number to use. After each
-use the serial number is incremented and written out to the file again.
-.Sp
-The default filename consists of the \s-1CA\s0 certificate file base name with
-\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
-\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
-.IP "\fB\-CAcreateserial\fR" 4
-.IX Item "-CAcreateserial"
-With this option the \s-1CA\s0 serial number file is created if it does not exist:
-it will contain the serial number \*(L"02\*(R" and the certificate being signed will
-have the 1 as its serial number. If the \fB\-CA\fR option is specified
-and the serial number file does not exist a random number is generated;
-this is the recommended practice.
-.IP "\fB\-extfile filename\fR" 4
-.IX Item "-extfile filename"
-File containing certificate extensions to use. If not specified then
-no extensions are added to the certificate.
-.IP "\fB\-extensions section\fR" 4
-.IX Item "-extensions section"
-The section to add certificate extensions from. If this option is not
-specified then the extensions should either be contained in the unnamed
-(default) section or the default section should contain a variable called
-\&\*(L"extensions\*(R" which contains the section to use. See the
-\&\fBx509v3_config\fR\|(5) manual page for details of the
-extension section format.
-.IP "\fB\-force_pubkey key\fR" 4
-.IX Item "-force_pubkey key"
-When a certificate is created set its public key to \fBkey\fR instead of the
-key in the certificate or certificate request. This option is useful for
-creating certificates where the algorithm can't normally sign requests, for
-example \s-1DH.\s0
-.Sp
-The format or \fBkey\fR can be specified using the \fB\-keyform\fR option.
-.SS "Name Options"
-.IX Subsection "Name Options"
-The \fBnameopt\fR command line switch determines how the subject and issuer
-names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
-format is used which is compatible with previous versions of OpenSSL.
-Each option is described in detail below, all options can be preceded by
-a \fB\-\fR to turn the option off. Only the first four will normally be used.
-.IP "\fBcompat\fR" 4
-.IX Item "compat"
-Use the old format.
-.IP "\fB\s-1RFC2253\s0\fR" 4
-.IX Item "RFC2253"
-Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
-\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
-\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
-.IP "\fBoneline\fR" 4
-.IX Item "oneline"
-A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to
-specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
-\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
-options. This is the \fIdefault\fR of no name options are given explicitly.
-.IP "\fBmultiline\fR" 4
-.IX Item "multiline"
-A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
-\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR.
-.IP "\fBesc_2253\fR" 4
-.IX Item "esc_2253"
-Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is
-\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
-and a space character at the beginning or end of a string.
-.IP "\fBesc_2254\fR" 4
-.IX Item "esc_2254"
-Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is
-the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR.
-.IP "\fBesc_ctrl\fR" 4
-.IX Item "esc_ctrl"
-Escape control characters. That is those with \s-1ASCII\s0 values less than
-0x20 (space) and the delete (0x7f) character. They are escaped using the
-\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
-character value).
-.IP "\fBesc_msb\fR" 4
-.IX Item "esc_msb"
-Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
-127.
-.IP "\fBuse_quote\fR" 4
-.IX Item "use_quote"
-Escapes some characters by surrounding the whole string with \fB"\fR characters,
-without the option all escaping is done with the \fB\e\fR character.
-.IP "\fButf8\fR" 4
-.IX Item "utf8"
-Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If
-you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
-of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
-display of multibyte (international) characters. Is this option is not
-present then multibyte characters larger than 0xff will be represented
-using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
-Also if this option is off any UTF8Strings will be converted to their
-character form first.
-.IP "\fBignore_type\fR" 4
-.IX Item "ignore_type"
-This option does not attempt to interpret multibyte characters in any
-way. That is their content octets are merely dumped as though one octet
-represents each character. This is useful for diagnostic purposes but
-will result in rather odd looking output.
-.IP "\fBshow_type\fR" 4
-.IX Item "show_type"
-Show the type of the \s-1ASN1\s0 character string. The type precedes the
-field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
-.IP "\fBdump_der\fR" 4
-.IX Item "dump_der"
-When this option is set any fields that need to be hexdumped will
-be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
-content octets will be displayed. Both options use the \s-1RFC2253\s0
-\&\fB#XXXX...\fR format.
-.IP "\fBdump_nostr\fR" 4
-.IX Item "dump_nostr"
-Dump non character string types (for example \s-1OCTET STRING\s0) if this
-option is not set then non character string types will be displayed
-as though each content octet represents a single character.
-.IP "\fBdump_all\fR" 4
-.IX Item "dump_all"
-Dump all fields. This option when used with \fBdump_der\fR allows the
-\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
-.IP "\fBdump_unknown\fR" 4
-.IX Item "dump_unknown"
-Dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
-.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
-.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
-These options determine the field separators. The first character is
-between RDNs and the second between multiple AVAs (multiple AVAs are
-very rare and their use is discouraged). The options ending in
-\&\*(L"space\*(R" additionally place a space after the separator to make it
-more readable. The \fBsep_multiline\fR uses a linefeed character for
-the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
-indents the fields by four characters. If no field separator is specified
-then \fBsep_comma_plus_space\fR is used by default.
-.IP "\fBdn_rev\fR" 4
-.IX Item "dn_rev"
-Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side
-effect this also reverses the order of multiple AVAs but this is
-permissible.
-.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
-.IX Item "nofname, sname, lname, oid"
-These options alter how the field name is displayed. \fBnofname\fR does
-not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
-(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
-\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
-diagnostic purpose.
-.IP "\fBalign\fR" 4
-.IX Item "align"
-Align field values for a more readable output. Only usable with
-\&\fBsep_multiline\fR.
-.IP "\fBspace_eq\fR" 4
-.IX Item "space_eq"
-Places spaces round the \fB=\fR character which follows the field
-name.
-.SS "Text Options"
-.IX Subsection "Text Options"
-As well as customising the name output format, it is also possible to
-customise the actual fields printed using the \fBcertopt\fR options when
-the \fBtext\fR option is present. The default behaviour is to print all fields.
-.IP "\fBcompatible\fR" 4
-.IX Item "compatible"
-Use the old format. This is equivalent to specifying no output options at all.
-.IP "\fBno_header\fR" 4
-.IX Item "no_header"
-Don't print header information: that is the lines saying \*(L"Certificate\*(R"
-and \*(L"Data\*(R".
-.IP "\fBno_version\fR" 4
-.IX Item "no_version"
-Don't print out the version number.
-.IP "\fBno_serial\fR" 4
-.IX Item "no_serial"
-Don't print out the serial number.
-.IP "\fBno_signame\fR" 4
-.IX Item "no_signame"
-Don't print out the signature algorithm used.
-.IP "\fBno_validity\fR" 4
-.IX Item "no_validity"
-Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
-.IP "\fBno_subject\fR" 4
-.IX Item "no_subject"
-Don't print out the subject name.
-.IP "\fBno_issuer\fR" 4
-.IX Item "no_issuer"
-Don't print out the issuer name.
-.IP "\fBno_pubkey\fR" 4
-.IX Item "no_pubkey"
-Don't print out the public key.
-.IP "\fBno_sigdump\fR" 4
-.IX Item "no_sigdump"
-Don't give a hexadecimal dump of the certificate signature.
-.IP "\fBno_aux\fR" 4
-.IX Item "no_aux"
-Don't print out certificate trust information.
-.IP "\fBno_extensions\fR" 4
-.IX Item "no_extensions"
-Don't print out any X509V3 extensions.
-.IP "\fBext_default\fR" 4
-.IX Item "ext_default"
-Retain default extension behaviour: attempt to print out unsupported
-certificate extensions.
-.IP "\fBext_error\fR" 4
-.IX Item "ext_error"
-Print an error message for unsupported certificate extensions.
-.IP "\fBext_parse\fR" 4
-.IX Item "ext_parse"
-\&\s-1ASN1\s0 parse unsupported extensions.
-.IP "\fBext_dump\fR" 4
-.IX Item "ext_dump"
-Hex dump unsupported extensions.
-.IP "\fBca_default\fR" 4
-.IX Item "ca_default"
-The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
-\&\fBno_header\fR, and \fBno_version\fR.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: in these examples the '\e' means the example should be all on one
-line.
-.PP
-Display the contents of a certificate:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-text
-.Ve
-.PP
-Display the \*(L"Subject Alternative Name\*(R" extension of a certificate:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
-.Ve
-.PP
-Display more extensions of a certificate:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
-.Ve
-.PP
-Display the certificate serial number:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-serial
-.Ve
-.PP
-Display the certificate subject name:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-subject
-.Ve
-.PP
-Display the certificate subject name in \s-1RFC2253\s0 form:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
-.Ve
-.PP
-Display the certificate subject name in oneline form on a terminal
-supporting \s-1UTF8:\s0
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
-.Ve
-.PP
-Display the certificate \s-1SHA1\s0 fingerprint:
-.PP
-.Vb 1
-\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
-.Ve
-.PP
-Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
-.Ve
-.PP
-Convert a certificate to a certificate request:
-.PP
-.Vb 1
-\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem
-.Ve
-.PP
-Convert a certificate request into a self signed certificate using
-extensions for a \s-1CA:\s0
-.PP
-.Vb 2
-\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
-\& \-signkey key.pem \-out cacert.pem
-.Ve
-.PP
-Sign a certificate request using the \s-1CA\s0 certificate above and add user
-certificate extensions:
-.PP
-.Vb 2
-\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
-\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
-.Ve
-.PP
-Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
-\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
-.PP
-.Vb 2
-\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
-\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
-.Ve
-.SH "NOTES"
-.IX Header "NOTES"
-The \s-1PEM\s0 format uses the header and footer lines:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
-.Ve
-.PP
-it will also handle files containing:
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\-
-.Ve
-.PP
-Trusted certificates have the lines
-.PP
-.Vb 2
-\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\-
-\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\-
-.Ve
-.PP
-The conversion to \s-1UTF8\s0 format used with the name options assumes that
-T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
-and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
-it is more likely to display the majority of certificates correctly.
-.PP
-The \fB\-email\fR option searches the subject name and the subject alternative
-name extension. Only unique email addresses will be printed out: it will
-not print the same address more than once.
-.SH "CERTIFICATE EXTENSIONS"
-.IX Header "CERTIFICATE EXTENSIONS"
-The \fB\-purpose\fR option checks the certificate extensions and determines
-what the certificate can be used for. The actual checks done are rather
-complex and include various hacks and workarounds to handle broken
-certificates and software.
-.PP
-The same code is used when verifying untrusted certificates in chains
-so this section is useful if a chain is rejected by the verify code.
-.PP
-The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
-certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
-if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the
-\&\s-1CA\s0 flag set to true.
-.PP
-If the basicConstraints extension is absent then the certificate is
-considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according
-to the intended use of the certificate. A warning is given in this case
-because the certificate should really not be regarded as a \s-1CA:\s0 however
-it is allowed to be a \s-1CA\s0 to work around some broken software.
-.PP
-If the certificate is a V1 certificate (and thus has no extensions) and
-it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
-given: this is to work around the problem of Verisign roots which are V1
-self signed certificates.
-.PP
-If the keyUsage extension is present then additional restraints are
-made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
-keyCertSign bit set if the keyUsage extension is present.
-.PP
-The extended key usage extension places additional restrictions on the
-certificate uses. If this extension is present (whether critical or not)
-the key can only be used for the purposes specified.
-.PP
-A complete description of each test is given below. The comments about
-basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
-\&\s-1CA\s0 certificates.
-.IP "\fB\s-1SSL\s0 Client\fR" 4
-.IX Item "SSL Client"
-The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID.\s0 keyUsage must be absent or it must have the
-digitalSignature bit set. Netscape certificate type must be absent or it must
-have the \s-1SSL\s0 client bit set.
-.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
-.IX Item "SSL Client CA"
-The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have
-the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints
-extension is absent.
-.IP "\fB\s-1SSL\s0 Server\fR" 4
-.IX Item "SSL Server"
-The extended key usage extension must be absent or include the \*(L"web server
-authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it
-must have the digitalSignature, the keyEncipherment set or both bits set.
-Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
-.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
-.IX Item "SSL Server CA"
-The extended key usage extension must be absent or include the \*(L"web server
-authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must
-be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the
-basicConstraints extension is absent.
-.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
-.IX Item "Netscape SSL Server"
-For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
-keyEncipherment bit set if the keyUsage extension is present. This isn't
-always valid because some cipher suites use the key for digital signing.
-Otherwise it is the same as a normal \s-1SSL\s0 server.
-.IP "\fBCommon S/MIME Client Tests\fR" 4
-.IX Item "Common S/MIME Client Tests"
-The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the
-S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type
-then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
-this is because some Verisign certificates don't set the S/MIME bit.
-.IP "\fBS/MIME Signing\fR" 4
-.IX Item "S/MIME Signing"
-In addition to the common S/MIME client tests the digitalSignature bit or
-the nonRepudiation bit must be set if the keyUsage extension is present.
-.IP "\fBS/MIME Encryption\fR" 4
-.IX Item "S/MIME Encryption"
-In addition to the common S/MIME tests the keyEncipherment bit must be set
-if the keyUsage extension is present.
-.IP "\fBS/MIME \s-1CA\s0\fR" 4
-.IX Item "S/MIME CA"
-The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the
-S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
-extension is absent.
-.IP "\fB\s-1CRL\s0 Signing\fR" 4
-.IX Item "CRL Signing"
-The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
-set.
-.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
-.IX Item "CRL Signing CA"
-The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
-must be present.
-.SH "BUGS"
-.IX Header "BUGS"
-Extensions in certificates are not transferred to certificate requests and
-vice versa.
-.PP
-It is possible to produce invalid certificates or requests by specifying the
-wrong private key or using inconsistent options in some cases: these should
-be checked.
-.PP
-There should be options to explicitly set such things as start and end
-dates rather than an offset from the current time.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
-\&\fBgendsa\fR\|(1), \fBverify\fR\|(1),
-\&\fBx509v3_config\fR\|(5)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
-before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
-of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
-canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using
-the old form must have their links rebuilt using \fBc_rehash\fR or similar.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.