Upgrade chrome's OpenSSL to same version Android ships with.

openssl/doc/apps/x509.pod

 
 =pod
 
 =head1 NAME
 
 x509 - Certificate display and signing utility
 
 =head1 SYNOPSIS
 
 B<openssl> B<x509>
 [B<-inform DER|PEM|NET>]
 [B<-outform DER|PEM|NET>]
 [B<-keyform DER|PEM>]
 [B<-CAform DER|PEM>]
 [B<-CAkeyform DER|PEM>]
 [B<-in filename>]
 [B<-out filename>]
 [B<-serial>]
 [B<-hash>]
 [B<-subject_hash>]
 [B<-issuer_hash>]
 [B<-subject>]
 [B<-issuer>]
 [B<-nameopt option>]
 [B<-email>]
+[B<-ocsp_uri>]
 [B<-startdate>]
 [B<-enddate>]
 [B<-purpose>]
 [B<-dates>]
 [B<-modulus>]
 [B<-fingerprint>]
 [B<-alias>]
 [B<-noout>]
 [B<-trustout>]
 [B<-clrtrust>]
@@ skipping 60 matching lines @@
 
 =item B<-md2|-md5|-sha1|-mdc2>
 
 the digest to use. This affects any signing or display option that uses a message
 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
 specified then SHA1 is used. If the key being used to sign with is a DSA key
 then this option has no effect: SHA1 is always used with DSA keys.
 
 =item B<-engine id>
 
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<x509>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =back
 
 =head2 DISPLAY OPTIONS
 
 Note: the B<-alias> and B<-purpose> options are also display options
 but are described in the B<TRUST SETTINGS> section.
@@ skipping 33 matching lines @@
 name.
 
 =item B<-issuer_hash>
 
 outputs the "hash" of the certificate issuer name.
 
 =item B<-hash>
 
 synonym for "-subject_hash" for backward compatibility reasons.
 
+=item B<-subject_hash_old>
+
+outputs the "hash" of the certificate subject name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
+=item B<-issuer_hash_old>
+
+outputs the "hash" of the certificate issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-subject>
 
 outputs the subject name.
 
 =item B<-issuer>
 
 outputs the issuer name.
 
 =item B<-nameopt option>
 
 option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the B<NAME OPTIONS> section for more information.
 
 =item B<-email>
 
 outputs the email address(es) if any.
 
+=item B<-ocsp_uri>
+
+outputs the OCSP responder address(es) if any.
+
 =item B<-startdate>
 
 prints out the start date of the certificate, that is the notBefore date.
 
 =item B<-enddate>
 
 prints out the expiry date of the certificate, that is the notAfter date.
 
 =item B<-dates>
 
@@ skipping 180 matching lines @@
 =item B<-extfile filename>
 
 file containing certificate extensions to use. If not specified then
 no extensions are added to the certificate.
 
 =item B<-extensions section>
 
 the section to add certificate extensions from. If this option is not
 specified then the extensions should either be contained in the unnamed
 (default) section or the default section should contain a variable called
-"extensions" which contains the section to use.
+"extensions" which contains the section to use. See the
+L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+extension section format.
 
 =back
 
 =head2 NAME OPTIONS
 
 The B<nameopt> command line switch determines how the subject and issuer
 names are displayed. If no B<nameopt> switch is present the default "oneline"
 format is used which is compatible with previous versions of OpenSSL.
 Each option is described in detail below, all options can be preceded by
 a B<-> to turn the option off. Only the first four will normally be used.
@@ skipping 426 matching lines @@
 dates rather than an offset from the current time.
 
 The code to implement the verify behaviour described in the B<TRUST SETTINGS>
 is currently being developed. It thus describes the intended behaviour rather
 than the current behaviour. It is hoped that it will represent reality in
 OpenSSL 0.9.5 and later.
 
 =head1 SEE ALSO
 
 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>
+L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>,
+L<x509v3_config(5)|x509v3_config(5)> 
 
 =head1 HISTORY
 
 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
 
+The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
+before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
+canonical version of the DN using SHA1. This means that any directories using
+the old form must have their links rebuilt using B<c_rehash> or similar. 
+
 =cut