Command docs: replacables are in italics, options always start with a…

… dash

Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #10065)

doc/man1/CA.pl.pod

@@ -120,7 +120,7 @@ Verifies certificates against the CA certificate for "demoCA". If no
 certificates are specified on the command line it tries to verify the file
 "newcert.pem".  Invokes B<openssl verify> command.
 
-=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
+=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
 
 The purpose of these parameters is to allow optional parameters to be supplied
 to B<openssl> that this command executes. The B<-extra-cmd> are specific to the

doc/man1/openssl-asn1parse.pod

@@ -39,7 +39,7 @@ Print out a usage message.
 
 =item B<-inform> B<DER>|B<PEM>
 
-The input format. I<DER> is binary format and I<PEM> (the default) is base64
+The input format. B<DER> is binary format and B<PEM> (the default) is base64
 encoded.
 
 =item B<-in> I<filename>
@@ -88,12 +88,12 @@ option can be used multiple times to "drill down" into a nested structure.
 
 =item B<-genstr> I<string>, B<-genconf> I<file>
 
-Generate encoded data based on B<string>, B<file> or both using
-L<ASN1_generate_nconf(3)> format. If B<file> only is
+Generate encoded data based on I<string>, I<file> or both using
+L<ASN1_generate_nconf(3)> format. If I<file> only is
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
 though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<-out> option.
 
 =item B<-strictpem>
 
@@ -105,8 +105,8 @@ END marker in a PEM file.
 
 =item B<-item> I<name>
 
-Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
-print out the fields of any supported ASN.1 structure if the type is known.
+Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
+to print out the fields of any supported ASN.1 structure if the type is known.
 
 =back
 

doc/man1/openssl-ca.pod

@@ -251,15 +251,15 @@ used).
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique I<id> string) will cause B<ca>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-subj> I<arg>
 
 Supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
 Keyword characters may be escaped by \ (backslash), and whitespace is retained.
 Empty values are permitted, but the corresponding type will not be included
 in the resulting certificate.
@@ -291,7 +291,7 @@ support for multivalued RDNs. Example:
 
 I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
 
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If B<-multi-rdn> is not used then the UID value is I<123456+CN=John Doe>.
 
 =item B<-rand> I<files>
 
@@ -353,9 +353,9 @@ Updates the database index to purge expired certificates.
 
 =item B<-crl_reason> I<reason>
 
-Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
-B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
 insensitive. Setting any revocation reason will make the CRL v2.
 
 In practice B<removeFromCRL> is not particularly useful because it is only used
@@ -364,14 +364,14 @@ in delta CRLs which are not currently implemented.
 =item B<-crl_hold> I<instruction>
 
 This sets the CRL revocation reason code to B<certificateHold> and the hold
-instruction to B<instruction> which must be an OID. Although any OID can be
+instruction to I<instruction> which must be an OID. Although any OID can be
 used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
 B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
 
 =item B<-crl_compromise> I<time>
 
 This sets the revocation reason to B<keyCompromise> and the compromise time to
-B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
 
 =item B<-crl_CA_compromise> I<time>
 

doc/man1/openssl-ciphers.pod

@@ -22,7 +22,7 @@ B<openssl> B<ciphers>
 [B<-stdname>]
 [B<-convert> I<name>]
 [B<-ciphersuites> I<val>]
-[B<cipherlist>]
+[I<cipherlist>]
 
 =for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
 
@@ -87,7 +87,7 @@ Precede each cipher suite by its standard name.
 
 =item B<-convert> I<name>
 
-Convert a standard cipher B<name> to its OpenSSL name.
+Convert a standard cipher I<name> to its OpenSSL name.
 
 =item B<-ciphersuites> I<val>
 
@@ -147,8 +147,8 @@ will not moved to the end of the list.
 The cipher string B<@STRENGTH> can be used at any point to sort the current
 cipher list in order of encryption algorithm key length.
 
-The cipher string B<@SECLEVEL=n> can be used at any point to set the security
-level to B<n>, which should be a number between zero and five, inclusive.
+The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security
+level to I<n>, which should be a number between zero and five, inclusive.
 See L<SSL_CTX_set_security_level> for a description of what each level means.
 
 The cipher list can be prefixed with the B<DEFAULT> keyword, which enables

doc/man1/openssl-cmds.pod

@@ -57,13 +57,13 @@ x509
 
 =for comment generic
 
-B<openssl> B<cmd> [B<-help>] [B<...>]
+B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ...
 
 =head1 DESCRIPTION
 
-Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
-It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view
-the manual page for the B<openssl dgst> command, type B<man openssl-dgst>.
+Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
+It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to
+view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>.
 
 =head1 OPTIONS
 
@@ -132,8 +132,8 @@ L<openssl-x509(1)>,
 
 =head1 HISTORY
 
-Initially, the manual page entry for the B<openssl cmd> command used
-to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was
+Initially, the manual page entry for the C<openssl I<cmd>> command used
+to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was
 introduced, which made it easier to group the openssl commands using
 the L<apropos(1)> command or the shell's tab completion.
 

doc/man1/openssl-cms.pod

@@ -385,7 +385,7 @@ the signers certificates. The certificates should be in PEM format.
 
 =item B<-certsout> I<file>
 
-Any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to I<file>.
 
 =item B<-signer> I<file>
 
@@ -446,14 +446,14 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
 
 The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
 This option B<must> be present if the B<-secretkey> option is used with
-B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
+B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
 relevant key if it is not supplied then an attempt is used to decrypt any
 B<KEKRecipientInfo> structures.
 
 =item B<-econtent_type> I<type>
 
-Set the encapsulated content type to B<type> if not supplied the B<Data> type
-is used. The B<type> argument can be any valid OID name in either text or
+Set the encapsulated content type to I<type> if not supplied the B<Data> type
+is used. The I<type> argument can be any valid OID name in either text or
 numerical format.
 
 =item B<-inkey> I<file>
@@ -766,7 +766,7 @@ No revocation checking is done on the signer's certificate.
 The use of multiple B<-signer> options and the B<-resign> command were first
 added in OpenSSL 1.0.0.
 
-The B<keyopt> option was added in OpenSSL 1.0.2.
+The B<-keyopt> option was added in OpenSSL 1.0.2.
 
 Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
 

doc/man1/openssl-crl.pod

@@ -95,12 +95,12 @@ Output the nextUpdate field.
 =item B<-CAfile> I<file>
 
 Verify the signature on a CRL by looking up the issuing certificate in
-B<file>.
+I<file>.
 
 =item B<-CApath> I<dir>
 
 Verify the signature on a CRL by looking up the issuing certificate in
-B<dir>. This directory must be a standard certificate directory: that
+I<dir>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 

doc/man1/openssl-dgst.pod

@@ -39,7 +39,7 @@ signatures using message digests.
 
 The generic name, B<dgst>, may be used with an option specifying the
 algorithm to be used.
-The default digest is I<sha256>.
+The default digest is B<sha256>.
 A supported I<digest> name may also be used as the command name.
 To see the list of supported algorithms, use the I<list --digest-commands>
 command.
@@ -60,7 +60,7 @@ supported digests, use the command C<list --digest-commands>.
 =item B<-c>
 
 Print out the digest in two digit groups separated by colons, only relevant if
-B<hex> format output is used.
+the B<-hex> option is given as well.
 
 =item B<-d>
 
@@ -103,7 +103,7 @@ Names and values of these options are algorithm-specific.
 
 =item B<-passin> I<arg>
 
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-verify> I<filename>
@@ -144,13 +144,13 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
 
 =over 4
 
-=item B<key:string>
+=item B<key>:I<string>
 
 Specifies MAC key as alphanumeric string (use if key contain printable
 characters only). String length must conform to any restrictions of
 the MAC algorithm for example exactly 32 chars for gost-mac.
 
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
 
 Specifies MAC key in hexadecimal form (two hex digits per byte).
 Key length must conform to any restrictions of the MAC algorithm
@@ -179,15 +179,15 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
 
 =item B<-engine> I<id>
 
-Use engine B<id> for operations (including private key storage).
+Use engine I<id> for operations (including private key storage).
 This engine is not used as source for digest algorithms, unless it is
 also specified in the configuration file or B<-engine_impl> is also
 specified.
 
 =item B<-engine_impl>
 
 When used with the B<-engine> option, it specifies to also use
-engine B<id> for digest operations.
+engine I<id> for digest operations.
 
 =item I<file> ...
 

doc/man1/openssl-dhparam.pod

@@ -83,7 +83,7 @@ displays a warning if not.
 
 The generator to use, either 2, 3 or 5. If present then the
 input file is ignored and parameters are generated instead. If not
-present but B<numbits> is present, parameters are generated with the
+present but I<numbits> is present, parameters are generated with the
 default generator 2.
 
 =item B<-rand> I<files>
@@ -122,7 +122,7 @@ be loaded by calling the get_dhNNNN() function.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique I<id> string) will cause B<dhparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-dsa.pod

@@ -75,7 +75,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -87,7 +87,7 @@ filename.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
@@ -125,7 +125,7 @@ a public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique I<id> string) will cause B<dsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.

doc/man1/openssl-dsaparam.pod

@@ -49,7 +49,7 @@ as the B<-inform> option.
 =item B<-in> I<filename>
 
 This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the B<numbits> parameter is included then
+this option is not specified. If the I<numbits> parameter is included then
 this option will be ignored.
 
 =item B<-out> I<filename>
@@ -90,7 +90,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique I<id> string) will cause B<dsaparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -99,10 +99,10 @@ for all available algorithms.
 
 Print extra details about the operations being performed.
 
-=item B<numbits>
+=item I<numbits>
 
 This option specifies that a parameter set should be generated of size
-B<numbits>. It must be the last option. If this option is included then
+I<numbits>. It must be the last option. If this option is included then
 the input file (if any) is ignored.
 
 =back

doc/man1/openssl-ec.pod

@@ -68,7 +68,7 @@ prompted for.
 
 =item B<-passin> I<arg>
 
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
 see L<openssl(1)/Pass phrase options>.
 
 =item B<-out> I<filename>
@@ -80,7 +80,7 @@ filename.
 
 =item B<-passout> I<arg>
 
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-des>|B<-des3>|B<-idea>
@@ -113,7 +113,7 @@ By default a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
 
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
 
 This specifies how the points on the elliptic curve are converted
 into octet strings. Possible values are: B<compressed> (the default
@@ -143,7 +143,7 @@ This option checks the consistency of an EC private or public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique I<id> string) will cause B<ec>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.