Adding upstream version 4.23.0.upstream/4.23.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 136 insertions, 53 deletions

diff --git a/upstream/debian-unstable/man1/openssl-cmp.1ssl b/upstream/debian-unstable/man1/openssl-cmp.1ssl
index e0599ea1..68e95f91 100644
--- a/upstream/debian-unstable/man1/openssl-cmp.1ssl
+++ b/upstream/debian-unstable/man1/openssl-cmp.1ssl
@@ -55,7 +55,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL-CMP 1SSL"
-.TH OPENSSL-CMP 1SSL 2024-02-03 3.1.5 OpenSSL
+.TH OPENSSL-CMP 1SSL 2024-04-04 3.2.2-dev OpenSSL
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -81,7 +81,6 @@ Certificate enrollment options:
 [\fB\-newkey\fR \fIfilename\fR|\fIuri\fR]
 [\fB\-newkeypass\fR \fIarg\fR]
 [\fB\-subject\fR \fIname\fR]
-[\fB\-issuer\fR \fIname\fR]
 [\fB\-days\fR \fInumber\fR]
 [\fB\-reqexts\fR \fIname\fR]
 [\fB\-sans\fR \fIspec\fR]
@@ -100,6 +99,8 @@ Certificate enrollment options:
 Certificate enrollment and revocation options:
 .PP
 [\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-issuer\fR \fIname\fR]
+[\fB\-serial\fR \fInumber\fR]
 [\fB\-revreason\fR \fInumber\fR]
 .PP
 Message transfer options:
@@ -121,8 +122,13 @@ Server authentication options:
 [\fB\-expect_sender\fR \fIname\fR]
 [\fB\-ignore_keyusage\fR]
 [\fB\-unprotected_errors\fR]
+[\fB\-srvcertout\fR \fIfilename\fR]
 [\fB\-extracertsout\fR \fIfilename\fR]
 [\fB\-cacertsout\fR \fIfilename\fR]
+[\fB\-oldwithold\fR \fIfilename\fR]
+[\fB\-newwithnew\fR \fIfilename\fR]
+[\fB\-newwithold\fR \fIfilename\fR]
+[\fB\-oldwithnew\fR \fIfilename\fR]
 .PP
 Client authentication and protection options:
 .PP
@@ -184,9 +190,13 @@ Mock server options:
 [\fB\-srv_keypass\fR \fIarg\fR]
 [\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR]
 [\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-ref_cert\fR \fIfilename\fR|\fIuri\fR]
 [\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR]
 [\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR]
 [\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR]
+[\fB\-rsp_newwithnew\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-rsp_newwithold\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-rsp_oldwithnew\fR \fIfilename\fR|\fIuri\fR]
 [\fB\-poll_count\fR \fInumber\fR]
 [\fB\-check_after\fR \fInumber\fR]
 [\fB\-grant_implicitconf\fR]
@@ -313,6 +323,7 @@ ITAV \fBinfoType\fRs is printed to stdout.
 .IX Item "-infotype name"
 Set InfoType name to use for requesting specific info in \fBgenm\fR,
 e.g., \f(CW\*(C`signKeyPairTypes\*(C'\fR.
+So far, there is specific support for \f(CW\*(C`caCerts\*(C'\fR and \f(CW\*(C`rootCaCert\*(C'\fR.
 .IP "\fB\-geninfo\fR \fIOID:int:N\fR" 4
 .IX Item "-geninfo OID:int:N"
 generalInfo integer values to place in request PKIHeader with given OID,
@@ -339,15 +350,15 @@ For more information about the format of \fIarg\fR see
 \&\fBopenssl\-passphrase\-options\fR\|(1).
 .IP "\fB\-subject\fR \fIname\fR" 4
 .IX Item "-subject name"
-X509 Distinguished Name (DN) of subject to use in the requested certificate
-template.
-If the NULL-DN (\f(CW"/"\fR) is given then no subject is placed in the template.
+X.509 Distinguished Name (DN) to use as subject field
+in the requested certificate template in IR/CR/KUR messages.
+If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template.
 Default is the subject DN of any PKCS#10 CSR given with the \fB\-csr\fR option.
 For KUR, a further fallback is the subject DN
 of the reference certificate (see \fB\-oldcert\fR) if provided.
 This fallback is used for IR and CR only if no SANs are set.
 .Sp
-If provided and neither \fB\-cert\fR nor \fB\-oldcert\fR is given,
+If provided and neither of \fB\-cert\fR, \fB\-oldcert\fR, or \fB\-csr\fR is given,
 the subject DN is used as fallback sender of outgoing CMP messages.
 .Sp
 The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
@@ -359,17 +370,6 @@ between the AttributeValueAssertions (AVAs) that specify the members of the set.
 Example:
 .Sp
 \&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
-.IP "\fB\-issuer\fR \fIname\fR" 4
-.IX Item "-issuer name"
-X509 issuer Distinguished Name (DN) of the CA server
-to place in the requested certificate template in IR/CR/KUR.
-If the NULL-DN (\f(CW"/"\fR) is given then no issuer is placed in the template.
-.Sp
-If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
-the issuer DN is used as fallback recipient of outgoing CMP messages.
-.Sp
-The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
-For details see the description of the \fB\-subject\fR option.
 .IP "\fB\-days\fR \fInumber\fR" 4
 .IX Item "-days number"
 Number of days the new certificate is requested to be valid for, counting from
@@ -383,7 +383,8 @@ If the \fB\-csr\fR option is present, these extensions augment the extensions
 contained the given PKCS#10 CSR, overriding any extensions with same OIDs.
 .IP "\fB\-sans\fR \fIspec\fR" 4
 .IX Item "-sans spec"
-One or more IP addresses, DNS names, or URIs separated by commas or whitespace
+One or more IP addresses, email addresses, DNS names, or URIs
+separated by commas or whitespace
 (where in the latter case the whole argument must be enclosed in "...")
 to add as Subject Alternative Name(s) (SAN) certificate request extension.
 If the special element "critical" is given the SANs are flagged as critical.
@@ -430,6 +431,8 @@ and the respective public key is placed in the certification request
 PKCS#10 CSR input may also be used with \fB\-cmd\fR \fIrr\fR
 to specify the certificate to be revoked
 via the included subject name and public key.
+Its subject is used as fallback sender in CMP message headers
+if \fB\-cert\fR and \fB\-oldcert\fR are not given.
 .IP "\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
 .IX Item "-out_trusted filenames|uris"
 Trusted certificate(s) to use for validating the newly enrolled certificate.
@@ -453,10 +456,10 @@ to cope with broken servers not supporting implicit confirmation correctly.
 \&\fBWARNING:\fR This leads to behavior violating RFC 4210.
 .IP "\fB\-certout\fR \fIfilename\fR" 4
 .IX Item "-certout filename"
-The file where the newly enrolled certificate should be saved.
+The file where any newly enrolled certificate should be saved.
 .IP "\fB\-chainout\fR \fIfilename\fR" 4
 .IX Item "-chainout filename"
-The file where the chain of the newly enrolled certificate should be saved.
+The file where the chain of any newly enrolled certificate should be saved.
 .SS "Certificate enrollment and revocation options"
 .IX Subsection "Certificate enrollment and revocation options"
 .IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
@@ -466,6 +469,7 @@ The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
 For KUR the certificate to be updated defaults to \fB\-cert\fR,
 and the resulting certificate is called \fIreference certificate\fR.
 For RR the certificate to be revoked can also be specified using \fB\-csr\fR.
+\&\fB\-oldcert\fR and \fB\-csr\fR is ignored if \fB\-issuer\fR and \fB\-serial\fR is provided.
 .Sp
 The reference certificate, if any, is also used for
 deriving default subject DN and Subject Alternative Names and the
@@ -474,6 +478,21 @@ Its public key is used as a fallback in the template of certification requests.
 Its subject is used as sender of outgoing messages if \fB\-cert\fR is not given.
 Its issuer is used as default recipient in CMP message headers
 if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
+.IP "\fB\-issuer\fR \fIname\fR" 4
+.IX Item "-issuer name"
+X.509 Distinguished Name (DN) use as issuer field
+in the requested certificate template in IR/CR/KUR/RR messages.
+If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template.
+.Sp
+If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
+the issuer DN is used as fallback recipient of outgoing CMP messages.
+.Sp
+The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
+For details see the description of the \fB\-subject\fR option.
+.IP "\fB\-serial\fR \fInumber\fR" 4
+.IX Item "-serial number"
+Specify the Serial number of certificate to be revoked in revocation request.
+The serial number can be decimal or hex (if preceded by \f(CW\*(C`0x\*(C'\fR)
 .IP "\fB\-revreason\fR \fInumber\fR" 4
 .IX Item "-revreason number"
 Set CRLReason to be included in revocation request (RR); values: \f(CW0\fR..\f(CW10\fR
@@ -500,13 +519,15 @@ Reason numbers defined in RFC 5280 are:
 .IX Subsection "Message transfer options"
 .IP "\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
 .IX Item "-server [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
-The DNS hostname or IP address and optionally port
+The \fIhost\fR domain name or IP address and optionally \fIport\fR
 of the CMP server to connect to using HTTP(S).
+IP address may be for v4 or v6, such as \f(CW127.0.0.1\fR or \f(CW\*(C`[::1]\*(C'\fR for localhost.
+.Sp
 This option excludes \fI\-port\fR and \fI\-use_mock_srv\fR.
 It is ignored if \fI\-rspin\fR is given with enough filename arguments.
 .Sp
-The scheme \f(CW\*(C`https\*(C'\fR may be given only if the \fB\-tls_used\fR option is used.
-In this case the default port is 443, else 80.
+If the scheme \f(CW\*(C`https\*(C'\fR is given, the \fB\-tls_used\fR option is implied.
+When TLS is used, the default port is 443, otherwise 80.
 The optional userinfo and fragment components are ignored.
 Any given query component is handled as part of the path component.
 If a path is included it provides the default value for the \fB\-path\fR option.
@@ -515,9 +536,9 @@ If a path is included it provides the default value for the \fB\-path\fR option.
 The HTTP(S) proxy server to use for reaching the CMP server unless \fB\-no_proxy\fR
 applies, see below.
 The proxy port defaults to 80 or 443 if the scheme is \f(CW\*(C`https\*(C'\fR; apart from that
-the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that TLS may be
-selected by \fB\-tls_used\fR), as well as any path, userinfo, and query, and fragment
-components.
+the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that using TLS
+may be required by \fB\-tls_used\fR or \fB\-server\fR with the prefix \f(CW\*(C`https\*(C'\fR),
+as well as any path, userinfo, and query, and fragment components.
 Defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR
 in case no TLS is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
 This option is ignored if \fI\-server\fR is not given.
@@ -549,11 +570,13 @@ HTTP path at the CMP server (aka CMP alias) to use for POST requests.
 Defaults to any path given with \fB\-server\fR, else \f(CW"/"\fR.
 .IP "\fB\-keep_alive\fR \fIvalue\fR" 4
 .IX Item "-keep_alive value"
-If the given value is 0 then HTTP connections are not kept open
-after receiving a response, which is the default behavior for HTTP 1.0.
-If the value is 1 or 2 then persistent connections are requested.
-If the value is 2 then persistent connections are required,
-i.e., in case the server does not grant them an error occurs.
+If the given value is 0 then HTTP connections are closed after each response
+(which would be the default behavior of HTTP 1.0)
+even if a CMP transaction needs more than one round trip.
+If the value is 1 or 2
+then for each transaction a persistent connection is requested.
+If the value is 2 then a persistent connection is required,
+i.e., an error occurs if the server does not grant it.
 The default value is 1, which means preferring to keep the connection open.
 .IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
 .IX Item "-msg_timeout seconds"
@@ -594,12 +617,13 @@ Non-trusted intermediate CA certificate(s).
 Any extra certificates given with the \fB\-cert\fR option are appended to it.
 All these certificates may be useful for cert path construction
 for the own CMP signer certificate (to include in the extraCerts field of
-request messages) and for the TLS client certificate (if TLS is enabled)
+request messages) and for the TLS client certificate (if TLS is used)
 as well as for chain building
 when validating server certificates (checking signature-based
 CMP message protection) and when validating newly enrolled certificates.
 .Sp
-Multiple filenames or URLs may be given, separated by commas and/or whitespace.
+Multiple sources may be given, separated by commas and/or whitespace
+(where in the latter case the whole argument must be enclosed in "...").
 Each source may contain multiple certificates.
 .IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
 .IX Item "-srvcert filename|uri"
@@ -662,14 +686,54 @@ appendix D.4 shows PKIConf message having protection
 .RE
 .RS 4
 .RE
+.IP "\fB\-srvcertout\fR \fIfilename\fR" 4
+.IX Item "-srvcertout filename"
+The file where to save the successfully validated certificate, if any,
+that the CMP server used for signature-based response message protection.
+If there is no such certificate, typically because the protection was MAC-based,
+this is indicated by deleting the file (if it existed).
 .IP "\fB\-extracertsout\fR \fIfilename\fR" 4
 .IX Item "-extracertsout filename"
-The file where to save all certificates contained in the extraCerts field
-of the last received response message (except for pollRep and PKIConf).
+The file where to save the list of certificates contained in the extraCerts
+field of the last received response message that is not a pollRep nor PKIConf.
 .IP "\fB\-cacertsout\fR \fIfilename\fR" 4
 .IX Item "-cacertsout filename"
-The file where to save any CA certificates contained in the caPubs field of
-the last received certificate response (i.e., IP, CP, or KUP) message.
+The file where to save the list of CA certificates contained in the caPubs field
+if a positive certificate response (i.e., IP, CP, or KUP) message was received
+or contained in a general response (genp) message with infoType \f(CW\*(C`caCerts\*(C'\fR.
+.IP "\fB\-oldwithold\fR \fIfilename\fR" 4
+.IX Item "-oldwithold filename"
+The root CA certificate to include in a genm request of infoType \f(CW\*(C`rootCaCert\*(C'\fR.
+If present and the optional oldWithNew certificate is received,
+it is verified using the newWithNew certificate as the (only) trust anchor.
+.IP "\fB\-newwithnew\fR \fIfilename\fR" 4
+.IX Item "-newwithnew filename"
+This option must be provided when \fB\-infotype\fR \fIrootCaCert\fR is given.
+It specifies the file to save the newWithNew certificate
+received in a genp message of type \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
+If on success no such cert was received, this file (if present) is deleted
+to indicate that the requested root CA certificate update is not available.
+.Sp
+Any received newWithNew certificate is verified
+using any received newWithOld certificate as untrusted intermediate certificate
+and the certificate provided with \fB\-oldwithold\fR as the (only) trust anchor,
+or if not provided, using the certificates given with the \fB\-trusted\fR option.
+.Sp
+\&\fBWARNING:\fR
+The newWithNew certificate is meant to be a certificate that will be trusted.
+The trust placed in it cannot be stronger than the trust placed in
+the \fB\-oldwithold\fR certificate if present, otherwise it cannot be stronger than
+the weakest trust placed in any of the \fB\-trusted\fR certificates.
+.IP "\fB\-newwithold\fR \fIfilename\fR" 4
+.IX Item "-newwithold filename"
+The file to save any newWithOld certificate
+received in a genp message of infoType \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
+If on success no such cert was received, this is indicated by deleting the file.
+.IP "\fB\-oldwithnew\fR \fIfilename\fR" 4
+.IX Item "-oldwithnew filename"
+The file to save any oldWithNew certificate
+received in a genp message of infoType \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
+If on success no such cert was received, this is indicated by deleting the file.
 .SS "Client authentication options"
 .IX Subsection "Client authentication options"
 .IP "\fB\-ref\fR \fIvalue\fR" 4
@@ -784,7 +848,9 @@ See "Format Options" in \fBopenssl\fR\|(1) for details.
 .IX Item "-otherpass arg"
 Pass phrase source for certificate given with the \fB\-trusted\fR, \fB\-untrusted\fR,
 \&\fB\-own_trusted\fR, \fB\-srvcert\fR, \fB\-out_trusted\fR, \fB\-extracerts\fR,
-\&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
+\&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-ref_cert\fR, \fB\-rsp_cert\fR,
+\&\fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
+\&\fB\-rsp_newwithnew\fR, \fB\-rsp_newwithold\fR, \fB\-rsp_oldwithnew\fR,
 \&\fB\-tls_extra\fR, and \fB\-tls_trusted\fR options.
 If not given here, the password will be prompted for if needed.
 .Sp
@@ -830,17 +896,17 @@ See "Random State Options" in \fBopenssl\fR\|(1) for details.
 .IX Subsection "TLS connection options"
 .IP \fB\-tls_used\fR 4
 .IX Item "-tls_used"
-Enable using TLS (even when other TLS-related options are not set)
-for message exchange with CMP server via HTTP.
+Make the CMP client use TLS (regardless if other TLS-related options are set)
+for message exchange with the server via HTTP.
 This option is not supported with the \fI\-port\fR option.
-It is ignored if the \fI\-server\fR option is not given or \fI\-use_mock_srv\fR is given
-or \fI\-rspin\fR is given with enough filename arguments.
+It is implied if the \fB\-server\fR option is given with the scheme \f(CW\*(C`https\*(C'\fR.
+It is ignored if the \fB\-server\fR option is not given or \fB\-use_mock_srv\fR is given
+or \fB\-rspin\fR is given with enough filename arguments.
 .Sp
-The following TLS-related options are ignored
-if \fB\-tls_used\fR is not given or does not take effect.
+The following TLS-related options are ignored if TLS is not used.
 .IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
 .IX Item "-tls_cert filename|uri"
-Client's TLS certificate.
+Client's TLS certificate to use for authenticating to the TLS server.
 If the source includes further certs they are used (along with \fB\-untrusted\fR
 certs) for constructing the client cert chain provided to the TLS server.
 .IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
@@ -856,7 +922,7 @@ For more information about the format of \fIarg\fR see
 \&\fBopenssl\-passphrase\-options\fR\|(1).
 .IP "\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR" 4
 .IX Item "-tls_extra filenames|uris"
-Extra certificates to provide to TLS server during TLS handshake
+Extra certificates to provide to the TLS server during handshake.
 .IP "\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
 .IX Item "-tls_trusted filenames|uris"
 Trusted certificate(s) to use for validating the TLS server certificate.
@@ -950,8 +1016,9 @@ This excludes the \fB\-server\fR and \fB\-port\fR options.
 .IX Subsection "Mock server options"
 .IP "\fB\-port\fR \fInumber\fR" 4
 .IX Item "-port number"
-Act as HTTP-based CMP server mock-up listening on the given port.
-This excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
+Act as HTTP-based CMP server mock-up listening on the given local port.
+The client may address the server via, e.g., \f(CW127.0.0.1\fR or \f(CW\*(C`[::1]\*(C'\fR.
+This option excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
 The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
 so far are not supported in this mode.
 .IP "\fB\-max_msgs\fR \fInumber\fR" 4
@@ -986,6 +1053,9 @@ have no effect on the certificate verification enabled via this option.
 .IP "\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
 .IX Item "-srv_untrusted filenames|uris"
 Intermediate CA certs that may be useful when validating client certificates.
+.IP "\fB\-ref_cert\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-ref_cert filename|uri"
+Certificate to be expected for RR messages and any oldCertID in KUR messages.
 .IP "\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR" 4
 .IX Item "-rsp_cert filename|uri"
 Certificate to be returned as mock enrollment result.
@@ -995,6 +1065,15 @@ Extra certificates to be included in mock certification responses.
 .IP "\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR" 4
 .IX Item "-rsp_capubs filenames|uris"
 CA certificates to be included in mock Initialization Response (IP) message.
+.IP "\fB\-rsp_newwithnew\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-rsp_newwithnew filename|uri"
+Certificate to be returned in newWithNew field of genp of type rootCaKeyUpdate.
+.IP "\fB\-rsp_newwithold\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-rsp_newwithold filename|uri"
+Certificate to be returned in newWithOld field of genp of type rootCaKeyUpdate.
+.IP "\fB\-rsp_oldwithnew\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-rsp_oldwithnew filename|uri"
+Certificate to be returned in oldWithNew field of genp of type rootCaKeyUpdate.
 .IP "\fB\-poll_count\fR \fInumber\fR" 4
 .IX Item "-poll_count number"
 Number of times the client must poll before receiving a certificate.
@@ -1052,12 +1131,16 @@ The certificate verification options
 only affect the certificate verification enabled via the \fB\-out_trusted\fR option.
 .SH NOTES
 .IX Header "NOTES"
-When a client obtains from a CMP server CA certificates that it is going to
-trust, for instance via the \f(CW\*(C`caPubs\*(C'\fR field of a certificate response,
+When a client obtains, from a CMP server, CA certificates that it is going to
+trust, for instance via the \f(CW\*(C`caPubs\*(C'\fR field of a certificate response
+or using general messages with infoType \f(CW\*(C`caCerts\*(C'\fR or \f(CW\*(C`rootCaCert\*(C'\fR,
 authentication of the CMP server is particularly critical.
 So special care must be taken setting up server authentication
 using \fB\-trusted\fR and related options for certificate-based authentication
 or \fB\-secret\fR for MAC-based protection.
+If authentication is certificate-based, the \fB\-srvcertout\fR option
+should be used to obtain the validated server certificate
+and perform an authorization check based on it.
 .PP
 When setting up CMP configurations and experimenting with enrollment options
 typically various errors occur until the configuration is correct and complete.
@@ -1069,9 +1152,9 @@ although they usually contain hints that would be helpful for diagnostics.
 For assisting in such cases the CMP client offers a workaround via the
 \&\fB\-unprotected_errors\fR option, which allows accepting such negative messages.
 .PP
-If OpenSSL was built with trace support enabled
+If OpenSSL was built with trace support enabled (e.g., \f(CW\*(C`./config enable\-trace\*(C'\fR)
 and the environment variable \fBOPENSSL_TRACE\fR includes \fBHTTP\fR,
-the request and response headers of HTTP transfers are printed.
+the requests and the response headers transferred via HTTP are printed.
 .SH EXAMPLES
 .IX Header "EXAMPLES"
 .SS "Simple examples using the default OpenSSL configuration file"
@@ -1140,7 +1223,7 @@ In order to update the enrolled certificate one may call
 \&  openssl cmp \-section insta,kur
 .Ve
 .PP
-using MAC-based protection with PBM or
+using with MAC-based protection with PBM or
 .PP
 .Vb 1
 \&  openssl cmp \-section insta,kur,signature