Upgrade chrome's OpenSSL to same version Android ships with.

openssl/doc/apps/ca.pod

 
 =pod
 
 =head1 NAME
 
 ca - sample minimal CA application
 
 =head1 SYNOPSIS
 
 B<openssl> B<ca>
@@ skipping 187 matching lines @@
 
 this sets the batch mode. In this mode no questions will be asked
 and all certificates will be certified automatically.
 
 =item B<-extensions section>
 
 the section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to B<x509_extensions>
 unless the B<-extfile> option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created.
+is present (even if it is empty), then a V3 certificate is created. See the:w
+L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+extension section format.
 
 =item B<-extfile file>
 
 an additional configuration file to read certificate extensions from
 (using the default section unless the B<-extensions> option is also
 used).
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<ca>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-subj arg>
 
 supersedes subject name given in the request.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
@@ skipping 63 matching lines @@
 This is the same as B<crl_compromise> except the revocation reason is set to
 B<CACompromise>.
 
 =item B<-crlexts section>
 
 the section of the configuration file containing CRL extensions to
 include. If no CRL extension section is present then a V1 CRL is
 created, if the CRL extension section is present (even if it is
 empty) then a V2 CRL is created. The CRL extensions specified are
 CRL extensions and B<not> CRL entry extensions.  It should be noted
-that some software (for example Netscape) can't handle V2 CRLs. 
+that some software (for example Netscape) can't handle V2 CRLs. See
+L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+extension section format.
 
 =back
 
 =head1 CONFIGURATION FILE OPTIONS
 
 The section of the configuration file containing options for B<ca>
 is found as follows: If the B<-name> command line option is used,
 then it names the section to be used. Otherwise the section to
 be used must be named in the B<default_ca> option of the B<ca> section
 of the configuration file (or in the default section of the
@@ skipping 346 matching lines @@
 Additional restrictions can be placed on the CA certificate itself.
 For example if the CA certificate has:
 
  basicConstraints = CA:TRUE, pathlen:0
 
 then even if a certificate is issued with CA:TRUE it will not be valid.
 
 =head1 SEE ALSO
 
 L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
-L<config(5)|config(5)>
+L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)> 
 
 =cut