Command docs: fix up command references

Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.

Self-references are avoided as much as is possible, and replaced with
"this command".  In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in.  However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:

    B<openssl speed>

References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>

Some commands are examples rather than references; we enclose those in
C<>.

While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)

53 files changed, 334 insertions, 332 deletions

diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod
index 1e4d223ddb..235e341886 100644
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -32,7 +32,7 @@ B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]
 =head1 DESCRIPTION
 
 The B<CA.pl> script is a perl script that supplies the relevant command line
-arguments to the B<openssl> command for some common certificate operations.
+arguments to the L<openssl(1)> command for some common certificate operations.
 It is intended to simplify the process of certificate creation and management
 by the use of some simple options.
 
@@ -48,18 +48,18 @@ Prints a usage message.
 
 Creates a new self signed certificate. The private key is written to the file
 "newkey.pem" and the request written to the file "newreq.pem".
-This argument invokes B<openssl req> command.
+This argument invokes L<openssl-req(1)> command.
 
 =item B<-newreq>
 
 Creates a new certificate request. The private key is written to the file
 "newkey.pem" and the request written to the file "newreq.pem".
-Executes B<openssl req> command below the hood.
+Executes L<openssl-req(1)> command below the hood.
 
 =item B<-newreq-nodes>
 
 Is like B<-newreq> except that the private key will not be encrypted.
-Uses B<openssl req> command.
+Uses L<openssl-req(1)> command.
 
 =item B<-newca>
 
@@ -68,7 +68,7 @@ and B<-xsign> options). The user is prompted to enter the filename of the CA
 certificates (which should also contain the private key) or by hitting ENTER
 details of the CA will be prompted for. The relevant files and directories
 are created in a directory called "demoCA" in the current directory.
-B<openssl req> and B<openssl ca> commands are get invoked.
+L<openssl-req(1)> and L<openssl-ca(1)> commands are get invoked.
 
 =item B<-pkcs12>
 
@@ -80,31 +80,31 @@ B<-sign> option. The PKCS#12 file can be imported directly into a browser.
 If there is an additional argument on the command line it will be used as the
 "friendly name" for the certificate (which is typically displayed in the browser
 list box), otherwise the name "My Certificate" is used.
-Delegates work to B<openssl pkcs12> command.
+Delegates work to L<openssl-pkcs12(1)> command.
 
 =item B<-sign>, B<-signcert>, B<-xsign>
 
-Calls the B<ca> program to sign a certificate request. It expects the request
-to be in the file "newreq.pem". The new certificate is written to the file
-"newcert.pem" except in the case of the B<-xsign> option when it is written
-to standard output. Leverages B<openssl ca> command.
+Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
+request to be in the file "newreq.pem". The new certificate is written to the
+file "newcert.pem" except in the case of the B<-xsign> option when it is
+written to standard output. Leverages L<openssl-ca(1)> command.
 
 =item B<-signCA>
 
 This option is the same as the B<-signreq> option except it uses the
 configuration file section B<v3_ca> and so makes the signed request a
 valid CA certificate. This is useful when creating intermediate CA from
-a root CA.  Extra params are passed on to B<openssl ca> command.
+a root CA.  Extra params are passed on to L<openssl-ca(1)> command.
 
 =item B<-signcert>
 
 This option is the same as B<-sign> except it expects a self signed certificate
 to be present in the file "newreq.pem".
-Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
+Extra params are passed on to L<openssl-x509(1)> and L<openssl-ca(1)> commands.
 
 =item B<-crl>
 
-Generate a CRL. Executes B<openssl ca> command.
+Generate a CRL. Executes L<openssl-ca(1)> command.
 
 =item B<-revoke> I<certfile> [I<reason>]
 
@@ -112,23 +112,23 @@ Revoke the certificate contained in the specified B<certfile>. An optional
 reason may be specified, and must be one of: B<unspecified>,
 B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
 B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
-Leverages B<openssl ca> command.
+Leverages L<openssl-ca(1)> command.
 
 =item B<-verify>
 
 Verifies certificates against the CA certificate for "demoCA". If no
 certificates are specified on the command line it tries to verify the file
-"newcert.pem".  Invokes B<openssl verify> command.
+"newcert.pem".  Invokes L<openssl-verify(1)> command.
 
 =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
 
 The purpose of these parameters is to allow optional parameters to be supplied
-to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
-option being used and the B<openssl> command getting invoked. For example
-when this command invokes B<openssl req> extra parameters can be passed on
+to L<openssl(1)> that this command executes. The B<-extra-cmd> are specific to
+the option being used and the L<openssl(1)> command getting invoked. For example
+when this command invokes L<openssl-req(1)> extra parameters can be passed on
 with the B<-extra-req> parameter. The
-B<openssl> commands being invoked per option are documented below.
-Users should consult B<openssl> command documentation for more information.
+L<openssl(1)> commands being invoked per option are documented below.
+Users should consult L<openssl(1)> command documentation for more information.
 
 =back
 
@@ -193,9 +193,10 @@ be wrong. In this case the command:
 can be used and the B<OPENSSL_CONF> environment variable changed to point to
 the correct path of the configuration file.
 
-The script is intended as a simple front end for the B<openssl> program for use
-by a beginner. Its behaviour isn't always what is wanted. For more control over the
-behaviour of the certificate commands call the B<openssl> command directly.
+The script is intended as a simple front end for the L<openssl(1)> program for
+use by a beginner. Its behaviour isn't always what is wanted. For more control
+over the behaviour of the certificate commands call the L<openssl(1)> command
+directly.
 
 =head1 SEE ALSO
 
diff --git a/doc/man1/openssl-asn1parse.pod b/doc/man1/openssl-asn1parse.pod
index 7b81c51f49..4b99338ccd 100644
--- a/doc/man1/openssl-asn1parse.pod
+++ b/doc/man1/openssl-asn1parse.pod
@@ -26,8 +26,8 @@ B<openssl> B<asn1parse>
 
 =head1 DESCRIPTION
 
-The B<asn1parse> command is a diagnostic utility that can parse ASN.1
-structures. It can also be used to extract data from ASN.1 formatted data.
+This command is a diagnostic utility that can parse ASN.1 structures.
+It can also be used to extract data from ASN.1 formatted data.
 
 =head1 OPTIONS
 
@@ -157,7 +157,7 @@ allows additional OIDs to be included. Each line consists of three columns,
 the first column is the OID in numerical format and should be followed by white
 space. The second column is the "short name" which is a single word followed
 by white space. The final column is the rest of the line and is the
-"long name". B<asn1parse> displays the long name. Example:
+"long name". Example:
 
 C<1.2.3.4       shortName       A long name>
 
diff --git a/doc/man1/openssl-ca.pod b/doc/man1/openssl-ca.pod
index 4780f2aa97..bf5dc57034 100644
--- a/doc/man1/openssl-ca.pod
+++ b/doc/man1/openssl-ca.pod
@@ -63,7 +63,7 @@ B<openssl> B<ca>
 
 =head1 DESCRIPTION
 
-The B<ca> command is a minimal CA application. It can be used
+This command is a minimal CA application. It can be used
 to sign certificate requests in a variety of forms and generate
 CRLs it also maintains a text database of issued certificates
 and their status.
@@ -193,7 +193,7 @@ The number of days to certify the certificate for.
 =item B<-md> I<alg>
 
 The message digest to use.
-Any digest supported by the OpenSSL B<dgst> command can be used. For signing
+Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
 algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
 digest that is set is ignored. This option also applies to CRLs.
 
@@ -206,8 +206,8 @@ for more information.
 
 =item B<-msie_hack>
 
-This is a deprecated option to make B<ca> work with very old versions of
-the IE certificate enrollment control "certenr3". It used UniversalStrings
+This is a deprecated option to make this command work with very old versions
+of the IE certificate enrollment control "certenr3". It used UniversalStrings
 for almost everything. Since the old control has various security bugs
 its use is strongly discouraged.
 
@@ -393,7 +393,7 @@ extension section format.
 
 =head1 CONFIGURATION FILE OPTIONS
 
-The section of the configuration file containing options for B<ca>
+The section of the configuration file containing options for this command
 is found as follows: If the B<-name> command line option is used,
 then it names the section to be used. Otherwise the section to
 be used must be named in the B<default_ca> option of the B<ca> section
@@ -581,7 +581,7 @@ this can be regarded more of a quirk than intended behaviour.
 The input to the B<-spkac> command line option is a Netscape
 signed public key and challenge. This will usually come from
 the B<KEYGEN> tag in an HTML form to create a new private key.
-It is however possible to create SPKACs using the B<spkac> utility.
+It is however possible to create SPKACs using L<openssl-spkac(1)>.
 
 The file should contain the variable SPKAC set to the value of
 the SPKAC and also the required DN components as name value pairs.
@@ -594,11 +594,11 @@ flag is used.
 
 =head1 EXAMPLES
 
-Note: these examples assume that the B<ca> directory structure is
-already set up and the relevant files already exist. This usually
-involves creating a CA certificate and private key with B<req>, a
-serial number file and an empty index file and placing them in
-the relevant directories.
+Note: these examples assume that the directory structure this command
+assumes is already set up and the relevant files already exist. This
+usually involves creating a CA certificate and private key with
+L<openssl-req(1)>, a serial number file and an empty index file and
+placing them in the relevant directories.
 
 To use the sample configuration file below the directories demoCA,
 demoCA/private and demoCA/newcerts would be created. The CA
@@ -640,7 +640,7 @@ A sample SPKAC file (the SPKAC line has been truncated for clarity):
  0.OU=OpenSSL Group
  1.OU=Another Group
 
-A sample configuration file with the relevant sections for B<ca>:
+A sample configuration file with the relevant sections for this command:
 
  [ ca ]
  default_ca      = CA_default            # The default ca section
@@ -711,7 +711,7 @@ The use of an in-memory text database can cause problems when large
 numbers of certificates are present because, as the name implies
 the database has to be kept in memory.
 
-The B<ca> command really needs rewriting or the required functionality
+This command really needs rewriting or the required functionality
 exposed at either a command or interface level so a more friendly utility
 (perl script or GUI) can handle things properly. The script
 B<CA.pl> helps a little but not very much.
@@ -728,15 +728,15 @@ create an empty file.
 
 =head1 WARNINGS
 
-The B<ca> command is quirky and at times downright unfriendly.
+This command is quirky and at times downright unfriendly.
 
-The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed to be used as a full blown CA itself:
+This command was originally meant as an example of how to do
+things in a CA. It was not supposed to be used as a full blown CA itself:
 nevertheless some people are using it for this purpose.
 
-The B<ca> command is effectively a single user command: no locking is
-done on the various files and attempts to run more than one B<ca> command
-on the same database can have unpredictable results.
+This command command is effectively a single user command: no locking
+is done on the various files and attempts to run more than one B<openssl ca>
+command on the same database can have unpredictable results.
 
 The B<copy_extensions> option should be used with caution. If care is
 not taken then it can be a security risk. For example if a certificate
diff --git a/doc/man1/openssl-ciphers.pod b/doc/man1/openssl-ciphers.pod
index ca1f8fc0c4..bfc6ff0b70 100644
--- a/doc/man1/openssl-ciphers.pod
+++ b/doc/man1/openssl-ciphers.pod
@@ -28,9 +28,9 @@ B<openssl> B<ciphers>
 
 =head1 DESCRIPTION
 
-The B<ciphers> command converts textual OpenSSL cipher lists into ordered
-SSL cipher preference lists. It can be used as a test tool to determine
-the appropriate cipherlist.
+This command converts textual OpenSSL cipher lists into
+ordered SSL cipher preference lists. It can be used as a test tool to
+determine the appropriate cipherlist.
 
 =head1 OPTIONS
 
@@ -761,7 +761,7 @@ L<ssl(7)>
 
 =head1 HISTORY
 
-The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
+The B<-V> option was added in OpenSSL 1.0.0.
 
 The B<-stdname> is only available if OpenSSL is built with tracing enabled
 (B<enable-ssl-trace> argument to Configure) before OpenSSL 1.1.1.
diff --git a/doc/man1/openssl-cms.pod b/doc/man1/openssl-cms.pod
index 24cf797702..ddadbc5bb3 100644
--- a/doc/man1/openssl-cms.pod
+++ b/doc/man1/openssl-cms.pod
@@ -107,8 +107,8 @@ B<openssl> B<cms>
 
 =head1 DESCRIPTION
 
-The B<cms> command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
-verify, compress and uncompress S/MIME messages.
+This command handles S/MIME v3.1 mail. It can encrypt, decrypt,
+sign and verify, compress and uncompress S/MIME messages.
 
 =head1 OPTIONS
 
@@ -629,10 +629,10 @@ the signers certificates.
 
 =head1 COMPATIBILITY WITH PKCS#7 FORMAT
 
-The B<smime> utility can only process the older B<PKCS#7> format. The B<cms>
-utility supports Cryptographic Message Syntax format. Use of some features
-will result in messages which cannot be processed by applications which only
-support the older format. These are detailed below.
+L<openssl-smime(1)> can only process the older B<PKCS#7> format.
+B<openssl cms> supports Cryptographic Message Syntax format.
+Use of some features will result in messages which cannot be processed by
+applications which only support the older format. These are detailed below.
 
 The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
 
@@ -647,7 +647,7 @@ The use of PSS with B<-sign>.
 The use of OAEP or non-RSA keys with B<-encrypt>.
 
 Additionally the B<-EncryptedData_create> and B<-data_create> type cannot
-be processed by the older B<smime> command.
+be processed by the older L<openssl-smime(1)> command.
 
 =head1 EXAMPLES
 
diff --git a/doc/man1/openssl-crl.pod b/doc/man1/openssl-crl.pod
index acf3465b55..5394a2af1c 100644
--- a/doc/man1/openssl-crl.pod
+++ b/doc/man1/openssl-crl.pod
@@ -26,7 +26,7 @@ B<openssl> B<crl>
 
 =head1 DESCRIPTION
 
-The B<crl> command processes CRL files in DER or PEM format.
+This command processes CRL files in DER or PEM format.
 
 =head1 OPTIONS
 
@@ -101,8 +101,8 @@ I<file>.
 
 Verify the signature on a CRL by looking up the issuing certificate in
 I<dir>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
-to each certificate.
+is a hash of each subject name (using the L<openssl-x509(1)> B<-hash> option)
+should be linked to each certificate.
 
 =back
 
diff --git a/doc/man1/openssl-crl2pkcs7.pod b/doc/man1/openssl-crl2pkcs7.pod
index 32248e5e21..8b0f33bbd1 100644
--- a/doc/man1/openssl-crl2pkcs7.pod
+++ b/doc/man1/openssl-crl2pkcs7.pod
@@ -17,7 +17,7 @@ B<openssl> B<crl2pkcs7>
 
 =head1 DESCRIPTION
 
-The B<crl2pkcs7> command takes an optional CRL and one or more
+This command takes an optional CRL and one or more
 certificates and converts them into a PKCS#7 degenerate "certificates
 only" structure.
 
@@ -82,7 +82,7 @@ different certificates:
 The output file is a PKCS#7 signed data structure containing no signers and
 just certificates and an optional CRL.
 
-This utility can be used to send certificates and CAs to Netscape as part of
+This command can be used to send certificates and CAs to Netscape as part of
 the certificate enrollment process. This involves sending the DER encoded output
 as MIME type application/x-x509-user-cert.
 
diff --git a/doc/man1/openssl-dgst.pod b/doc/man1/openssl-dgst.pod
index 436b2fd1fe..729548a4c1 100644
--- a/doc/man1/openssl-dgst.pod
+++ b/doc/man1/openssl-dgst.pod
@@ -33,16 +33,15 @@ B<openssl> I<digest> [B<...>]
 
 =head1 DESCRIPTION
 
-The digest functions output the message digest of a supplied file or files
-in hexadecimal.  The digest functions also generate and verify digital
+This command output the message digest of a supplied file or files
+in hexadecimal, and also generates and verifies digital
 signatures using message digests.
 
-The generic name, B<dgst>, may be used with an option specifying the
+The generic name, B<openssl dgst>, may be used with an option specifying the
 algorithm to be used.
 The default digest is B<sha256>.
-A supported I<digest> name may also be used as the command name.
-To see the list of supported algorithms, use the I<list --digest-commands>
-command.
+A supported I<digest> name may also be used as the sub-command name.
+To see the list of supported algorithms, use C<openssl list -digest-commands>
 
 =head1 OPTIONS
 
@@ -79,7 +78,7 @@ Output the digest or signature in binary form.
 =item B<-r>
 
 Output the digest in the "coreutils" format, including newlines.
-Used by programs like B<sha1sum>.
+Used by programs like L<sha1sum(1)>.
 
 =item B<-out> I<filename>
 
@@ -88,8 +87,8 @@ Filename to output to, or standard output by default.
 =item B<-sign> I<filename>
 
 Digitally sign the digest using the private key in "filename". Note this option
-does not support Ed25519 or Ed448 private keys. Use the B<pkeyutl> command
-instead for this.
+does not support Ed25519 or Ed448 private keys. Use the L<openssl-pkeyutl(1)>
+command instead for this.
 
 =item B<-keyform> I<arg>
 
@@ -215,13 +214,13 @@ To verify a signature:
 
 The digest mechanisms that are available will depend on the options
 used when building OpenSSL.
-The B<list digest-commands> command can be used to list them.
+The C<openssl list -digest-commands> command can be used to list them.
 
 New or agile applications should use probably use SHA-256. Other digests,
 particularly SHA-1 and MD5, are still widely used for interoperating
 with existing formats and protocols.
 
-When signing a file, B<dgst> will automatically determine the algorithm
+When signing a file, this command will automatically determine the algorithm
 (RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.
 When verifying signatures, it only handles the RSA, DSA, or ECDSA signature
 itself, not the related data to identify the signer and algorithm used in
diff --git a/doc/man1/openssl-dhparam.pod b/doc/man1/openssl-dhparam.pod
index 0abd0d9748..01eab5cc91 100644
--- a/doc/man1/openssl-dhparam.pod
+++ b/doc/man1/openssl-dhparam.pod
@@ -131,10 +131,10 @@ for all available algorithms.
 
 =head1 WARNINGS
 
-The program B<dhparam> combines the functionality of the programs B<dh> and
-B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future
-versions of OpenSSL.
+This command combines the functionality of the L<openssl-dh(1)> and the
+L<openssl-gendh(1)> commands in previous OpenSSL versions.
+The L<openssl-dh(1)> and L<openssl-gendh(1)> commands are retained for now but
+may have different purposes in future versions of OpenSSL.
 
 =head1 NOTES
 
diff --git a/doc/man1/openssl-dsa.pod b/doc/man1/openssl-dsa.pod
index 6f7ccb6ef7..55127db6e9 100644
--- a/doc/man1/openssl-dsa.pod
+++ b/doc/man1/openssl-dsa.pod
@@ -37,7 +37,7 @@ B<openssl> B<dsa>
 
 =head1 DESCRIPTION
 
-The B<dsa> command processes DSA keys. They can be converted between various
+This command processes DSA keys. They can be converted between various
 forms and their components printed out. B<Note> This command uses the
 traditional SSLeay compatible format for private key encryption: newer
 applications should use the more secure PKCS#8 format using the B<pkcs8>
@@ -95,9 +95,9 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 These options encrypt the private key with the specified
 cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
-means that using the B<dsa> utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
 These options can only be used with PEM format output files.
 
 =item B<-text>
@@ -125,7 +125,7 @@ a public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<dsa>
+Specifying an engine (by its unique I<id> string) will cause L<openssl-dsa(1)>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-dsaparam.pod b/doc/man1/openssl-dsaparam.pod
index 5ae64ae83a..cc5570f333 100644
--- a/doc/man1/openssl-dsaparam.pod
+++ b/doc/man1/openssl-dsaparam.pod
@@ -90,7 +90,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-ec.pod b/doc/man1/openssl-ec.pod
index dfc01bc490..a519367925 100644
--- a/doc/man1/openssl-ec.pod
+++ b/doc/man1/openssl-ec.pod
@@ -32,11 +32,11 @@ B<openssl> B<ec>
 
 =head1 DESCRIPTION
 
-The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the
+The L<openssl-ec(1)> command processes EC keys. They can be converted between
+various forms and their components printed out. B<Note> OpenSSL uses the
 private key format specified in 'SEC 1: Elliptic Curve Cryptography'
 (http://www.secg.org/). To convert an OpenSSL EC private key into the
-PKCS#8 private key format use the B<pkcs8> command.
+PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
 
 =head1 OPTIONS
 
@@ -89,7 +89,7 @@ These options encrypt the private key with the DES, triple DES, IDEA or
 any other cipher supported by OpenSSL before outputting it. A pass phrase is
 prompted for.
 If none of these options is specified the key is written in plain text. This
-means that using the B<ec> utility to read in an encrypted key with no
+means that using this command to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
 setting the encryption options it can be use to add or change the pass phrase.
 These options can only be used with PEM format output files.
@@ -143,7 +143,7 @@ This option checks the consistency of an EC private or public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<ec>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-ecparam.pod b/doc/man1/openssl-ecparam.pod
index 46a93ca95b..46c0af7f58 100644
--- a/doc/man1/openssl-ecparam.pod
+++ b/doc/man1/openssl-ecparam.pod
@@ -93,8 +93,7 @@ to get a list of all currently implemented EC parameters.
 
 =item B<-list_curves>
 
-If this options is specified B<ecparam> will print out a list of all
-currently implemented EC parameters names and exit.
+Print out a list of all currently implemented EC parameters names and exit.
 
 =item B<-conv_form> I<arg>
 
@@ -154,7 +153,7 @@ PEM format EC parameters use the header and footer lines:
  -----END EC PARAMETERS-----
 
 OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves.
+B<openssl ecparam> can only create EC parameters from known (named) curves.
 
 =head1 EXAMPLES
 
diff --git a/doc/man1/openssl-enc.pod b/doc/man1/openssl-enc.pod
index 8c6f279b04..5a992046f8 100644
--- a/doc/man1/openssl-enc.pod
+++ b/doc/man1/openssl-enc.pod
@@ -201,11 +201,11 @@ This can be used with a subsequent B<-rand> flag.
 
 =head1 NOTES
 
-The program can be called either as B<openssl cipher> or
-B<openssl enc -I<cipher>>. The first form doesn't work with
+The program can be called either as C<openssl I<cipher>> or
+C<openssl enc -I<cipher>>. The first form doesn't work with
 engine-provided ciphers, because this form is processed before the
 configuration file is read and any ENGINEs loaded.
-Use the B<list> command to get a list of supported ciphers.
+Use the L<openssl-list(1)> command to get a list of supported ciphers.
 
 Engines which provide entirely new encryption algorithms (such as the ccgost
 engine which provides gost89 algorithm) should be configured in the
@@ -250,27 +250,26 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
 Note that some of these ciphers can be disabled at compile time
 and some are available only if an appropriate engine is configured
-in the configuration file. The output of the B<enc> command run with
-the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>) produces a
-list of ciphers, supported by your version of OpenSSL, including
+in the configuration file. The output when invoking this command
+with the B<-ciphers> option (that is C<openssl enc -ciphers>) is
+a list of ciphers, supported by your version of OpenSSL, including
 ones provided by configured engines.
 
-The B<enc> program does not support authenticated encryption modes
+This command does not support authenticated encryption modes
 like CCM and GCM, and will not support such modes in the future.
-The B<enc> interface by necessity must begin streaming output (e.g.,
-to standard output when B<-out> is not used) before the authentication
-tag could be validated, leading to the usage of B<enc> in pipelines
-that begin processing untrusted data and are not capable of rolling
-back upon authentication failure.  The AEAD modes currently in common
-use also suffer from catastrophic failure of confidentiality and/or
-integrity upon reuse of key/iv/nonce, and since B<enc> places the
+This is due to having to begin streaming output (e.g., to standard output
+when B<-out> is not used) before the authentication tag could be validated.
+When this command is used in a pipeline, the receiveing end will not be
+able to roll back upon authentication failure.  The AEAD modes currently in
+common use also suffer from catastrophic failure of confidentiality and/or
+integrity upon reuse of key/iv/nonce, and since B<openssl enc> places the
 entire burden of key/iv/nonce management upon the user, the risk of
 exposing AEAD modes is too great to allow.  These key/iv/nonce
-management issues also affect other modes currently exposed in B<enc>,
+management issues also affect other modes currently exposed in this command,
 but the failure modes are less extreme in these cases, and the
 functionality cannot be removed with a stable release branch.
 For bulk encryption of data, whether using authenticated encryption
-modes or other modes, L<cms(1)> is recommended, as it provides a
+modes or other modes, L<openssl-cms(1)> is recommended, as it provides a
 standard data format and performs the needed key/iv/nonce management.
 
 
@@ -412,7 +411,7 @@ Base64 decode a file then decrypt it using a password supplied in a file:
 
 The B<-A> option when used with large files doesn't work properly.
 
-The B<enc> program only supports a fixed number of algorithms with
+The B<openssl enc> command only supports a fixed number of algorithms with
 certain parameters. So if, for example, you want to use RC2 with a
 76 bit key or RC4 with an 84 bit key you can't use this program.
 
diff --git a/doc/man1/openssl-engine.pod b/doc/man1/openssl-engine.pod
index f04baf720d..29a5ea1641 100644
--- a/doc/man1/openssl-engine.pod
+++ b/doc/man1/openssl-engine.pod
@@ -21,8 +21,8 @@ B<openssl engine>
 
 =head1 DESCRIPTION
 
-The B<engine> command is used to query the status and capabilities
-of the specified I<engine>'s.
+This command is used to query the status and capabilities
+of the specified I<engine>s.
 Engines may be specified before and after all other command-line flags.
 Only those specified are queried.
 
diff --git a/doc/man1/openssl-errstr.pod b/doc/man1/openssl-errstr.pod
index 97ac1eb0bc..b19b9da75c 100644
--- a/doc/man1/openssl-errstr.pod
+++ b/doc/man1/openssl-errstr.pod
@@ -11,9 +11,9 @@ B<openssl errstr> I<error_code>
 =head1 DESCRIPTION
 
 Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to
-display the meaning of the hex code. The hex code is the hex digits after the
-second colon.
+numerical forms will be available. This command can be
+used to display the meaning of the hex code. The hex code is the hex digits
+after the second colon.
 
 =head1 OPTIONS
 
diff --git a/doc/man1/openssl-fipsinstall.pod b/doc/man1/openssl-fipsinstall.pod
index c6e2cde2fe..7237e967fd 100644
--- a/doc/man1/openssl-fipsinstall.pod
+++ b/doc/man1/openssl-fipsinstall.pod
@@ -19,7 +19,7 @@ B<openssl fipsinstall>
 
 =head1 DESCRIPTION
 
-This utility is used to generate a FIPS module configuration file.
+This command is used to generate a FIPS module configuration file.
 The generated configuration file consists of:
 
 =over 4
@@ -71,8 +71,8 @@ Name of the section inside the configuration file.
 =item B<-mac_name> I<name>
 
 Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command I<list -mac-algorithms>.
-The default is "HMAC".
+To see the list of supported MAC's use the command
+C<openssl list -mac-algorithms>.  The default is B<HMAC>.
 
 =item B<-macopt> I<nm>:I<v>
 
@@ -101,7 +101,8 @@ A key must be specified for every MAC algorithm.
 Used by HMAC as an alphanumeric string (use if the key contains printable
 characters only).
 The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command I<list -digest-commands>.
+To see the list of supported digests, use the command
+C<openssl list -digest-commands>.
 
 =back
 
@@ -126,7 +127,7 @@ Verify that the configuration file 'fips.conf' contains the correct info:
 
 The MAC mechanisms that are available will depend on the options
 used when building OpenSSL.
-The B<list -mac-algorithms> command can be used to list them.
+The command C<openssl list -mac-algorithms> command can be used to list them.
 
 =head1 SEE ALSO
 
diff --git a/doc/man1/openssl-gendsa.pod b/doc/man1/openssl-gendsa.pod
index 80367d961e..8fc91cf64c 100644
--- a/doc/man1/openssl-gendsa.pod
+++ b/doc/man1/openssl-gendsa.pod
@@ -31,8 +31,8 @@ B<openssl> B<gendsa>
 
 =head1 DESCRIPTION
 
-The B<gendsa> command generates a DSA private key from a DSA parameter file
-(which will be typically generated by the B<openssl dsaparam> command).
+This command generates a DSA private key from a DSA parameter file
+(which will be typically generated by the L<openssl-dsaparam(1)> command).
 
 =head1 OPTIONS
 
@@ -67,7 +67,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<gendsa>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -80,7 +80,7 @@ Print extra details about the operations being performed.
 
 The DSA parameter file to use. The parameters in this file determine
 the size of the private key. DSA parameters can be generated and
-examined using the B<openssl dsaparam> command.
+examined using the L<openssl-dsaparam(1)> command.
 
 =back
 
diff --git a/doc/man1/openssl-genpkey.pod b/doc/man1/openssl-genpkey.pod
index 0e586741be..fdec91e064 100644
--- a/doc/man1/openssl-genpkey.pod
+++ b/doc/man1/openssl-genpkey.pod
@@ -23,7 +23,7 @@ B<openssl> B<genpkey>
 
 =head1 DESCRIPTION
 
-The B<genpkey> command generates a private key.
+This command generates a private key.
 
 =head1 OPTIONS
 
@@ -54,7 +54,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<genpkey>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. If used this option should precede all other
diff --git a/doc/man1/openssl-genrsa.pod b/doc/man1/openssl-genrsa.pod
index 575990dd4e..39e221c9a9 100644
--- a/doc/man1/openssl-genrsa.pod
+++ b/doc/man1/openssl-genrsa.pod
@@ -34,7 +34,7 @@ B<openssl> B<genrsa>
 
 =head1 DESCRIPTION
 
-The B<genrsa> command generates an RSA private key.
+This command generates an RSA private key.
 
 =head1 OPTIONS
 
@@ -79,7 +79,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<genrsa>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-info.pod b/doc/man1/openssl-info.pod
index 3040d0add8..6e16bb809f 100644
--- a/doc/man1/openssl-info.pod
+++ b/doc/man1/openssl-info.pod
@@ -76,7 +76,7 @@ Outputs the OpenSSL CPU settings info.
 
 =head1 HISTORY
 
-The B<openssl info> command was added in OpenSSL 3.0.
+This command was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man1/openssl-mac.pod b/doc/man1/openssl-mac.pod
index e7df184055..ce2af2d934 100644
--- a/doc/man1/openssl-mac.pod
+++ b/doc/man1/openssl-mac.pod
@@ -69,7 +69,7 @@ A key must be specified for every MAC algorithm.
 Used by HMAC as an alphanumeric string (use if the key contains printable
 characters only).
 The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command I<list -digest-commands>.
+To see the list of supported digests, use C<openssl list -digest-commands>.
 
 =item B<cipher:>I<string>
 
@@ -102,7 +102,8 @@ The default is the empty string "".
 =item I<mac_name>
 
 Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command I<list -mac-algorithms>.
+To see the list of supported MAC's use the command C<opensssl list
+-mac-algorithms>.
 
 =back
 
@@ -136,7 +137,7 @@ To create a hex-encoded GMAC-AES-128-GCM with a IV from a file: \
 
 The MAC mechanisms that are available will depend on the options
 used when building OpenSSL.
-The B<list -mac-algorithms> command can be used to list them.
+Use C<openssl list -mac-algorithms> to list them.
 
 =head1 SEE ALSO
 
diff --git a/doc/man1/openssl-nseq.pod b/doc/man1/openssl-nseq.pod
index 40f8f56591..6a5f266987 100644
--- a/doc/man1/openssl-nseq.pod
+++ b/doc/man1/openssl-nseq.pod
@@ -14,7 +14,7 @@ B<openssl> B<nseq>
 
 =head1 DESCRIPTION
 
-The B<nseq> command takes a file containing a Netscape certificate
+This command takes a file containing a Netscape certificate
 sequence and prints out the certificates contained in it or takes a
 file of certificates and converts it into a Netscape certificate
 sequence.
diff --git a/doc/man1/openssl-ocsp.pod b/doc/man1/openssl-ocsp.pod
index 23b5968729..1963824d83 100644
--- a/doc/man1/openssl-ocsp.pod
+++ b/doc/man1/openssl-ocsp.pod
@@ -97,7 +97,7 @@ B<openssl> B<ocsp>
 The Online Certificate Status Protocol (OCSP) enables applications to
 determine the (revocation) state of an identified certificate (RFC 2560).
 
-The B<ocsp> command performs many common OCSP tasks. It can be used
+This command performs many common OCSP tasks. It can be used
 to print out requests and responses, create requests and send queries
 to an OCSP responder and behave like a mini OCSP server itself.
 
@@ -309,7 +309,7 @@ By default this additional check is not performed.
 =item B<-rcid> I<digest>
 
 This option sets the digest algorithm to use for certificate identification
-in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
+in the OCSP response. Any digest supported by the L<openssl-dgst(1)> command can
 be used. The default is the same digest algorithm used in the request.
 
 =item B<-I<digest>>
@@ -330,8 +330,8 @@ digest used by subsequent certificate identifiers.
 The I<indexfile> parameter is the name of a text index file in B<ca>
 format containing certificate revocation information.
 
-If the B<-index> option is specified the B<ocsp> utility is in responder
-mode, otherwise it is in client mode. The request(s) the responder
+If the B<-index> option is specified then this command switches to
+responder mode, otherwise it is in client mode. The request(s) the responder
 processes can be either specified on the command line (using B<-issuer>
 and B<-serial> options), supplied in a file (using the B<-reqin> option)
 or via external OCSP clients (if B<-port> or B<-url> is specified).
@@ -452,7 +452,7 @@ new requests until it has processed the current one. The text index file
 format of revocation is also inefficient for large quantities of revocation
 data.
 
-It is possible to run the B<ocsp> application in responder mode via a CGI
+It is possible to run this command in responder mode via a CGI
 script using the B<-reqin> and B<-respout> options.
 
 =head1 EXAMPLES
diff --git a/doc/man1/openssl-passwd.pod b/doc/man1/openssl-passwd.pod
index 43a1ba966f..27a5c1bf61 100644
--- a/doc/man1/openssl-passwd.pod
+++ b/doc/man1/openssl-passwd.pod
@@ -28,7 +28,7 @@ B<openssl passwd>
 
 =head1 DESCRIPTION
 
-The B<passwd> command computes the hash of a password typed at
+This command computes the hash of a password typed at
 run-time or the hash of each password in a list.  The password list is
 taken from the named file for option B<-in>, from stdin for
 option B<-stdin>, or from the command line, or from the terminal otherwise.
diff --git a/doc/man1/openssl-pkcs12.pod b/doc/man1/openssl-pkcs12.pod
index c64c3249b4..e3c52f3539 100644
--- a/doc/man1/openssl-pkcs12.pod
+++ b/doc/man1/openssl-pkcs12.pod
@@ -48,7 +48,7 @@ B<openssl> B<pkcs12>
 
 =head1 DESCRIPTION
 
-The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
+This command allows PKCS#12 files (sometimes referred to as
 PFX files) to be created and parsed. PKCS#12 files are used by several
 programs including Netscape, MSIE and MS Outlook.
 
@@ -234,7 +234,7 @@ unless RC2 is disabled in which case triple DES is used.
 These options allow the algorithm used to encrypt the private key and
 certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
 can be used (see B<NOTES> section for more information). If a cipher name
-(as output by the B<list-cipher-algorithms> command is specified then it
+(as output by C<openssl list -cipher-algorithms>) is specified then it
 is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
 use PKCS#12 algorithms.
 
@@ -299,8 +299,8 @@ CA storage as a file.
 =item B<-CApath> I<dir>
 
 CA storage as a directory. This directory must be a standard certificate
-directory: that is a hash of each subject name (using B<x509 -hash>) should be
-linked to each certificate.
+directory: that is a hash of each subject name (using C<openssl x509 -hash>)
+should be linked to each certificate.
 
 =item B<-no-CAfile>
 
@@ -338,7 +338,7 @@ algorithms for private keys and certificates to be specified. Normally
 the defaults are fine but occasionally software can't handle triple DES
 encrypted private keys, then the option B<-keypbe> I<PBE-SHA1-RC2-40> can
 be used to reduce the private key encryption to 40 bit RC2. A complete
-description of all algorithms is contained in the B<pkcs8> manual page.
+description of all algorithms is contained in L<openssl-pkcs8(1)>.
 
 Prior 1.1 release passwords containing non-ASCII characters were encoded
 in non-compliant manner, which limited interoperability, in first hand
@@ -348,7 +348,7 @@ this reason even legacy encodings is attempted when reading the
 data. If you use PKCS#12 files in production application you are advised
 to convert the data, because implemented heuristic approach is not
 MT-safe, its sole goal is to facilitate the data upgrade with this
-utility.
+command.
 
 =head1 EXAMPLES
 
diff --git a/doc/man1/openssl-pkcs7.pod b/doc/man1/openssl-pkcs7.pod
index 680cec70a3..b21feeea5f 100644
--- a/doc/man1/openssl-pkcs7.pod
+++ b/doc/man1/openssl-pkcs7.pod
@@ -21,7 +21,7 @@ B<openssl> B<pkcs7>
 
 =head1 DESCRIPTION
 
-The B<pkcs7> command processes PKCS#7 files in DER or PEM format.
+This command processes PKCS#7 files in DER or PEM format.
 
 =head1 OPTIONS
 
@@ -69,7 +69,7 @@ is B<-print_certs> is set).
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-pkcs8.pod b/doc/man1/openssl-pkcs8.pod
index fe8ff8ea38..601a638eaf 100644
--- a/doc/man1/openssl-pkcs8.pod
+++ b/doc/man1/openssl-pkcs8.pod
@@ -34,7 +34,7 @@ B<openssl> B<pkcs8>
 
 =head1 DESCRIPTION
 
-The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
+This command processes private keys in PKCS#8 format. It can handle
 both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
 format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
 
@@ -142,7 +142,7 @@ If not specified PKCS#5 v2.0 form is used.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<pkcs8>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -162,7 +162,7 @@ Sets the scrypt I<N>, I<r> or I<p> parameters.
 
 =head1 KEY FORMATS
 
-Various different formats are used by the pkcs8 utility. These are detailed
+Various different formats are used by this command. These are detailed
 below.
 
 If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
diff --git a/doc/man1/openssl-pkey.pod b/doc/man1/openssl-pkey.pod
index 8aa39d7353..49925c2a01 100644
--- a/doc/man1/openssl-pkey.pod
+++ b/doc/man1/openssl-pkey.pod
@@ -29,8 +29,8 @@ B<openssl> B<pkey>
 
 =head1 DESCRIPTION
 
-The B<pkey> command processes public or private keys. They can be converted
-between various forms and their components printed out.
+This command processes public or private keys. They can be
+converted between various forms and their components printed out.
 
 =head1 OPTIONS
 
@@ -109,7 +109,7 @@ the input is a public key.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<pkey>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-pkeyparam.pod b/doc/man1/openssl-pkeyparam.pod
index 7ebd803079..9b69c7bbf7 100644
--- a/doc/man1/openssl-pkeyparam.pod
+++ b/doc/man1/openssl-pkeyparam.pod
@@ -19,7 +19,7 @@ B<openssl> B<pkeyparam>
 
 =head1 DESCRIPTION
 
-The B<pkeyparam> command processes public key algorithm parameters.
+This command processes public key algorithm parameters.
 They can be checked for correctness and their components printed out.
 
 =head1 OPTIONS
@@ -50,7 +50,7 @@ Do not output the encoded version of the parameters.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<pkeyparam>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-pkeyutl.pod b/doc/man1/openssl-pkeyutl.pod
index cbda869d2c..73a67e49d4 100644
--- a/doc/man1/openssl-pkeyutl.pod
+++ b/doc/man1/openssl-pkeyutl.pod
@@ -42,8 +42,8 @@ B<openssl> B<pkeyutl>
 
 =head1 DESCRIPTION
 
-The B<pkeyutl> command can be used to perform low level public key operations
-using any supported algorithm.
+This command can be used to perform low level public key
+operations using any supported algorithm.
 
 =head1 OPTIONS
 
@@ -73,7 +73,7 @@ signature algorithm does not require one (for instance, EdDSA). If this option
 is omitted but the signature algorithm requires one, a default value will be
 used. For signature algorithms like RSA, DSA and ECDSA, SHA-256 will be the
 default digest algorithm. For SM2, it will be SM3. If this option is present,
-then the B<-rawin> option must be also specified to B<pkeyutl>.
+then the B<-rawin> option must be also specified.
 
 =item B<-out> I<filename>
 
@@ -191,7 +191,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<pkeyutl>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -213,10 +213,10 @@ which specifies the digest in use for sign, verify and verifyrecover operations.
 The value I<alg> should represent a digest name as used in the
 EVP_get_digestbyname() function for example B<sha1>. This value is not used to
 hash the input data. It is used (by some algorithms) for sanity-checking the
-lengths of data passed in to the B<pkeyutl> and for creating the structures that
-make up the signature (e.g. B<DigestInfo> in RSASSA PKCS#1 v1.5 signatures).
+lengths of data passed in and for creating the structures that make up the
+signature (e.g. B<DigestInfo> in RSASSA PKCS#1 v1.5 signatures).
 
-This utility does not hash the input data (except where -rawin is used) but
+This command does not hash the input data (except where -rawin is used) but
 rather it will use the data directly as input to the signature algorithm.
 Depending on the key type, signature type, and mode of padding, the maximum
 acceptable lengths of input data differ. The signed data can't be longer than
diff --git a/doc/man1/openssl-prime.pod b/doc/man1/openssl-prime.pod
index 61b7a8ff85..c11bcc9c84 100644
--- a/doc/man1/openssl-prime.pod
+++ b/doc/man1/openssl-prime.pod
@@ -17,7 +17,7 @@ B<openssl prime>
 
 =head1 DESCRIPTION
 
-The B<prime> command checks if the specified numbers are prime.
+This command checks if the specified numbers are prime.
 
 If no numbers are given on the command line, the B<-generate> flag should
 be used to generate primes according to the requirements specified by the
diff --git a/doc/man1/openssl-provider.pod b/doc/man1/openssl-provider.pod
index 570319e5e4..b29d2f5a26 100644
--- a/doc/man1/openssl-provider.pod
+++ b/doc/man1/openssl-provider.pod
@@ -15,8 +15,8 @@ B<openssl provider>
 
 =head1 DESCRIPTION
 
-The B<provider> command is used to query the capabilities of the specified
-I<provider>'s.
+This command is used to query the capabilities of the
+specified I<provider>'s.
 
 =head1 OPTIONS
 
diff --git a/doc/man1/openssl-rand.pod b/doc/man1/openssl-rand.pod
index ca62afb415..d8b60c0f8a 100644
--- a/doc/man1/openssl-rand.pod
+++ b/doc/man1/openssl-rand.pod
@@ -19,7 +19,7 @@ I<num>
 
 =head1 DESCRIPTION
 
-The B<rand> command outputs I<num> pseudo-random bytes after seeding
+This command outputs I<num> pseudo-random bytes after seeding
 the random number generator once.  As in other B<openssl> command
 line tools, PRNG seeding uses the file I<$HOME/>B<.rnd> or B<.rnd>
 in addition to the files given in the B<-rand> option.  A new
diff --git a/doc/man1/openssl-rehash.pod b/doc/man1/openssl-rehash.pod
index 9d09bfabf1..d29590bf99 100644
--- a/doc/man1/openssl-rehash.pod
+++ b/doc/man1/openssl-rehash.pod
@@ -23,16 +23,16 @@ I<flags...>
 
 =head1 DESCRIPTION
 
-On some platforms, the OpenSSL B<rehash> command is available as
-an external script called B<c_rehash>.  They are functionally equivalent,
-except for minor differences noted below.
+On some platforms, this command isn't available, and the external
+script B<c_rehash> has to be used instead.  They are functionally
+equivalent, except for minor differences noted below.
 
-B<rehash> scans directories and calculates a hash value of each
-C<.pem>, C<.crt>, C<.cer>, or C<.crl>
+B<openssl rehash> scans directories and calculates a hash value of
+each C<.pem>, C<.crt>, C<.cer>, or C<.crl>
 file in the specified directory list and creates symbolic links
 for each file, where the name of the link is the hash value.
 (If the platform does not support symbolic links, a copy is made.)
-This utility is useful as many programs that use OpenSSL require
+This command is useful as many programs that use OpenSSL require
 directories to be set up like this in order to find certificates.
 
 If any directories are named on the command line, then those are
@@ -47,9 +47,9 @@ permissions on that directory, otherwise an error will be generated.
 
 The links created are of the form I<HHHHHHHH.D>, where each I<H>
 is a hexadecimal character and I<D> is a single decimal digit.
-When processing a directory, B<rehash> will first remove all links
-that have a name in that syntax, even if they are being used for some
-other purpose.
+When a directory is processed, all links in it that have a name
+in that syntax are first removed, even if they are being used for
+some other purpose.
 To skip the removal step, use the B<-n> flag.
 Hashes for CRL's look similar except the letter B<r> appears after
 the period, like this: I<HHHHHHHH.>B<r>I<D>.
@@ -107,7 +107,7 @@ releases.
 =item B<-v>
 
 Print messages about old links removed and new links created.
-By default, B<rehash> only lists each directory as it is processed.
+By default, this command only lists each directory as it is processed.
 
 =back
 
diff --git a/doc/man1/openssl-req.pod b/doc/man1/openssl-req.pod
index d380be7147..ef90a78db8 100644
--- a/doc/man1/openssl-req.pod
+++ b/doc/man1/openssl-req.pod
@@ -55,7 +55,7 @@ B<openssl> B<req>
 
 =head1 DESCRIPTION
 
-The B<req> command primarily creates and processes certificate requests
+This command primarily creates and processes certificate requests
 in PKCS#10 format. It can additionally create self signed certificates
 for use as root CAs for example.
 
@@ -164,7 +164,7 @@ in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
 the default key size, specified in the configuration file is used.
 
 All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
-may be an algorithm parameter file, created with B<genpkey -genparam>
+may be an algorithm parameter file, created with C<openssl genpkey -genparam>
 or an X.509 certificate for a key with appropriate algorithm.
 
 B<param:>I<file> generates a key using the parameter file or certificate
@@ -331,7 +331,7 @@ Print extra details about the operations being performed.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<req>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -485,8 +485,8 @@ just consist of field names and values: for example,
  OU=My Organization
  emailAddress=someone@somewhere.org
 
-This allows external programs (e.g. GUI based) to generate a template file
-with all the field names and values and just pass it to B<req>. An example
+This allows external programs (e.g. GUI based) to generate a template file with
+all the field names and values and just pass it to this command. An example
 of this kind of configuration file is contained in the B<EXAMPLES> section.
 
 Alternatively if the B<prompt> option is absent or not set to B<no> then the
diff --git a/doc/man1/openssl-rsa.pod b/doc/man1/openssl-rsa.pod
index 52655fa365..6da5345663 100644
--- a/doc/man1/openssl-rsa.pod
+++ b/doc/man1/openssl-rsa.pod
@@ -40,11 +40,11 @@ B<openssl> B<rsa>
 
 =head1 DESCRIPTION
 
-The B<rsa> command processes RSA keys. They can be converted between various
-forms and their components printed out. B<Note> this command uses the
+This command processes RSA keys. They can be converted between
+various forms and their components printed out. B<Note> this command uses the
 traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the B<pkcs8>
-utility.
+applications should use the more secure PKCS#8 format using the
+L<openssl-pkcs8(1)> command.
 
 =head1 OPTIONS
 
@@ -95,9 +95,9 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 These options encrypt the private key with the specified
 cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
-means that using the B<rsa> utility to read in an encrypted key with no
-encryption option can be used to remove the pass phrase from a key, or by
-setting the encryption options it can be use to add or change the pass phrase.
+means that this command can be used to remove the pass phrase from a key
+by not giving any encryption option is given, or to add or change the pass
+phrase by setting them.
 These options can only be used with PEM format output files.
 
 =item B<-text>
@@ -134,7 +134,7 @@ Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<rsa>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/openssl-rsautl.pod b/doc/man1/openssl-rsautl.pod
index 9c2f6577e4..43f8e845b3 100644
--- a/doc/man1/openssl-rsautl.pod
+++ b/doc/man1/openssl-rsautl.pod
@@ -30,7 +30,7 @@ B<openssl> B<rsautl>
 
 =head1 DESCRIPTION
 
-The B<rsautl> command can be used to sign, verify, encrypt and decrypt
+This command can be used to sign, verify, encrypt and decrypt
 data using the RSA algorithm.
 
 =head1 OPTIONS
@@ -116,7 +116,7 @@ B<-verify> option.
 
 =head1 NOTES
 
-B<rsautl> because it uses the RSA algorithm directly can only be
+Since this command uses the RSA algorithm directly, it can only be
 used to sign or verify small pieces of data.
 
 =head1 EXAMPLES
@@ -147,8 +147,9 @@ encrypt and decrypt the block would have been of type 2 (the second byte)
 and random padding data visible instead of the 0xff bytes.
 
 It is possible to analyse the signature of certificates using this
-utility in conjunction with B<asn1parse>. Consider the self signed
-example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
+utility in conjunction with L<openssl-asn1parse(1)>. Consider the self signed
+example in certs/pca-cert.pem . Running L<openssl-asn1parse(1)> as follows
+yields:
 
  openssl asn1parse -in pca-cert.pem
 
diff --git a/doc/man1/openssl-s_client.pod b/doc/man1/openssl-s_client.pod
index 506411854b..dd462360a7 100644
--- a/doc/man1/openssl-s_client.pod
+++ b/doc/man1/openssl-s_client.pod
@@ -151,13 +151,13 @@ B<openssl> B<s_client>
 
 =head1 DESCRIPTION
 
-The B<s_client> command implements a generic SSL/TLS client which connects
-to a remote host using SSL/TLS. It is a I<very> useful diagnostic tool for
-SSL servers.
+This command implements a generic SSL/TLS client which
+connects to a remote host using SSL/TLS. It is a I<very> useful diagnostic
+tool for SSL servers.
 
 =head1 OPTIONS
 
-In addition to the options below the B<s_client> utility also supports the
+In addition to the options below, this command also supports the
 common and client only options documented
 in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
 manual page.
@@ -499,7 +499,7 @@ Note that this will only work if TLSv1.3 is negotiated.
 =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
 These options require or disable the use of the specified SSL or TLS protocols.
-By default B<s_client> will negotiate the highest mutually supported protocol
+By default, this command will negotiate the highest mutually supported protocol
 version.
 When a specific TLS version is required, only that version will be offered to
 and accepted from the server.
@@ -508,8 +508,8 @@ OpenSSL was built.
 
 =item B<-dtls>, B<-dtls1>, B<-dtls1_2>
 
-These options make B<s_client> use DTLS protocols instead of TLS.
-With B<-dtls>, B<s_client> will negotiate any supported DTLS protocol version,
+These options make this command use DTLS protocols instead of TLS.
+With B<-dtls>, it will negotiate any supported DTLS protocol version,
 whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
 respectively.
 
@@ -607,16 +607,16 @@ ultimately selected by the server. For a list of all curves, use:
 This allows the TLSv1.2 and below cipher list sent by the client to be modified.
 This list will be combined with any TLSv1.3 ciphersuites that have been
 configured. Although the server determines which ciphersuite is used it should
-take the first supported cipher in the list sent by the client. See the
-B<ciphers> command for more information.
+take the first supported cipher in the list sent by the client. See
+L<openssl-ciphers(1)> for more information.
 
 =item B<-ciphersuites> I<val>
 
 This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
 list will be combined with any TLSv1.2 and below ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See the
-B<ciphers> command for more information. The format for this list is a simple
+take the first supported cipher in the list sent by the client. See
+L<openssl-ciphers(1)> for more information. The format for this list is a simple
 colon (":") separated list of TLSv1.3 ciphersuite names.
 
 =item B<-starttls> I<protocol>
@@ -668,7 +668,7 @@ connection from this session.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<s_client>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -783,7 +783,7 @@ Send a key update message to the server and request one back (TLSv1.3 only)
 
 =head1 NOTES
 
-B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
+This command can be used to debug SSL servers. To connect to an SSL HTTP
 server the command:
 
  openssl s_client -connect servername:443
@@ -801,7 +801,7 @@ A frequent problem when attempting to get client certificates working
 is that a web client complains it has no certificates or gives an empty
 list to choose from. This is normally because the server is not sending
 the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using B<s_client> the CA list can be viewed
+requests a certificate. By using this command, the CA list can be viewed
 and checked. However some servers only request client authentication
 after a specific URL is requested. To obtain the list in this case it
 is necessary to use the B<-prexit> option and send an HTTP request
@@ -816,7 +816,7 @@ If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show all the certificates sent by the
 server.
 
-The B<s_client> utility is a test tool and is designed to continue the
+This command is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
 accept any certificate chain (trusted or not) sent by the peer. None test
 applications should B<not> do this as it makes them vulnerable to a MITM
@@ -829,8 +829,8 @@ connections to come from some particular address and or port.
 =head1 BUGS
 
 Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of B<s_client> is rather hard to
-read and not a model of how things should be done.
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
 A typical SSL client program would be much simpler.
 
 The B<-prexit> option is a bit of a hack. We should really report
diff --git a/doc/man1/openssl-s_server.pod b/doc/man1/openssl-s_server.pod
index 09eb501c37..14ab307e16 100644
--- a/doc/man1/openssl-s_server.pod
+++ b/doc/man1/openssl-s_server.pod
@@ -197,13 +197,13 @@ B<openssl> B<s_server>
 
 =head1 DESCRIPTION
 
-The B<s_server> command implements a generic SSL/TLS server which listens
-for connections on a given port using SSL/TLS.
+This command implements a generic SSL/TLS server which
+listens for connections on a given port using SSL/TLS.
 
 =head1 OPTIONS
 
-In addition to the options below the B<s_server> utility also supports the
-common and server only options documented
+In addition to the options below, this command also supports
+the common and server only options documented
 in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
 manual page.
 
@@ -542,8 +542,8 @@ further information).
 =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
 These options require or disable the use of the specified SSL or TLS protocols.
-By default B<s_server> will negotiate the highest mutually supported protocol
-version.
+By default, this command will negotiate the highest mutually supported
+protocol version.
 When a specific TLS version is required, only that version will be accepted
 from the client.
 Note that not all protocols and flags may be available, depending on how
@@ -609,7 +609,7 @@ modified. This list is combined with any TLSv1.3 ciphersuites that have been
 configured. When the client sends a list of supported ciphers the first client
 cipher also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist is irrelevant. See
-the B<ciphers> command for more information.
+L<openssl-ciphers(1)> for more information.
 
 =item B<-ciphersuites> I<val>
 
@@ -618,16 +618,16 @@ This list is combined with any TLSv1.2 and below ciphersuites that have been
 configured. When the client sends a list of supported ciphers the first client
 cipher also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist is irrelevant. See
-the B<ciphers> command for more information. The format for this list is a
-simple colon (":") separated list of TLSv1.3 ciphersuite names.
+L<openssl-ciphers(1)> command for more information. The format for this list is
+a simple colon (":") separated list of TLSv1.3 ciphersuite names.
 
 =item B<-dhparam> I<infile>
 
 The DH parameter file to use. The ephemeral DH cipher suites generate keys
 using a set of DH parameters. If not specified then an attempt is made to
 load the parameters from the server certificate file.
-If this fails then a static set of parameters hard coded into the B<s_server>
-program will be used.
+If this fails then a static set of parameters hard coded into this command
+will be used.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
@@ -675,19 +675,20 @@ Note that this will only work if TLSv1.3 is negotiated.
 =item B<-listen>
 
 This option can only be used in conjunction with one of the DTLS options above.
-With this option B<s_server> will listen on a UDP port for incoming connections.
+With this option, this command will listen on a UDP port for incoming
+connections.
 Any ClientHellos that arrive will be checked to see if they have a cookie in
 them or not.
 Any without a cookie will be responded to with a HelloVerifyRequest.
-If a ClientHello with a cookie is received then B<s_server> will connect to
-that peer and complete the handshake.
+If a ClientHello with a cookie is received then this command will
+connect to that peer and complete the handshake.
 
 =item B<-dtls>, B<-dtls1>, B<-dtls1_2>
 
-These options make B<s_server> use DTLS protocols instead of TLS.
-With B<-dtls>, B<s_server> will negotiate any supported DTLS protocol version,
-whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and DTLSv1.2
-respectively.
+These options make this command use DTLS protocols instead of TLS.
+With B<-dtls>, it will negotiate any supported DTLS protocol
+version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
+DTLSv1.2 respectively.
 
 =item B<-sctp>
 
@@ -721,10 +722,10 @@ The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 
 =item B<-engine> I<val>
 
-Specifying an engine (by its unique id string in I<val>) will cause B<s_server>
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed. The engine will then be set as the default
-for all available algorithms.
+Specifying an engine (by its unique id string in I<val>) will cause
+this command to attempt to obtain a functional reference to the
+specified engine, thus initialising it if needed. The engine will then be
+set as the default for all available algorithms.
 
 =item B<-keylogfile> I<outfile>
 
@@ -813,8 +814,8 @@ Send a certificate request to the client (TLSv1.3 only)
 
 =head1 NOTES
 
-B<s_server> can be used to debug SSL clients. To accept connections from
-a web browser the command:
+This command can be used to debug SSL clients. To accept connections
+from a web browser the command:
 
  openssl s_server -accept 443 -www
 
@@ -824,20 +825,20 @@ Although specifying an empty list of CAs when requesting a client certificate
 is strictly speaking a protocol violation, some SSL clients interpret this to
 mean any CA is acceptable. This is useful for debugging purposes.
 
-The session parameters can printed out using the B<sess_id> program.
+The session parameters can printed out using the L<openssl-sess_id(1)> command.
 
 =head1 BUGS
 
 Because this program has a lot of options and also because some of the
-techniques used are rather old, the C source of B<s_server> is rather hard to
-read and not a model of how things should be done.
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
 A typical SSL server program would be much simpler.
 
 The output of common ciphers is wrong: it just gives the list of ciphers that
 OpenSSL recognizes and the client supports.
 
-There should be a way for the B<s_server> program to print out details of any
-unknown cipher suites a client says it supports.
+There should be a way for this command to print out details
+of any unknown cipher suites a client says it supports.
 
 =head1 SEE ALSO
 
diff --git a/doc/man1/openssl-s_time.pod b/doc/man1/openssl-s_time.pod
index bc01903986..fc192b2518 100644
--- a/doc/man1/openssl-s_time.pod
+++ b/doc/man1/openssl-s_time.pod
@@ -34,11 +34,12 @@ B<openssl> B<s_time>
 
 =head1 DESCRIPTION
 
-The B<s_time> command implements a generic SSL/TLS client which connects to a
-remote host using SSL/TLS. It can request a page from the server and includes
-the time to transfer the payload data in its timing measurements. It measures
-the number of connections within a given timeframe, the amount of data
-transferred (if any), and calculates the average time spent for one connection.
+This command implements a generic SSL/TLS client which
+connects to a remote host using SSL/TLS. It can request a page from the server
+and includes the time to transfer the payload data in its timing measurements.
+It measures the number of connections within a given timeframe, the amount of
+data transferred (if any), and calculates the average time spent for one
+connection.
 
 =head1 OPTIONS
 
@@ -55,9 +56,9 @@ This specifies the host and optional port to connect to.
 =item B<-www> I<page>
 
 This specifies the page to GET from the server. A value of '/' gets the
-index.htm[l] page. If this parameter is not specified, then B<s_time> will only
-perform the handshake to establish SSL connections but not transfer any
-payload data.
+index.htm[l] page. If this parameter is not specified, then this command
+will only perform the handshake to establish SSL connections but not transfer
+any payload data.
 
 =item B<-cert> I<certname>
 
@@ -87,8 +88,8 @@ set multiple options. See the L<x509(1)> manual page for details.
 =item B<-CApath> I<directory>
 
 The directory to use for server certificate verification. This directory
-must be in "hash format", see B<verify> for more information. These are
-also used when building the client certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the client certificate chain.
 
 =item B<-CAfile> I<file>
 
@@ -118,8 +119,8 @@ specified, they are both on by default and executed in sequence.
 =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
 
 These options enable specific SSL or TLS protocol versions for the handshake
-initiated by B<s_time>.
-By default B<s_time> negotiates the highest mutually supported protocol
+initiated by this command.
+By default, it negotiates the highest mutually supported protocol
 version.
 Note that not all protocols and flags may be available, depending on how
 OpenSSL was built.
@@ -148,21 +149,22 @@ colon (":") separated list of TLSv1.3 ciphersuite names.
 
 =item B<-time> I<length>
 
-Specifies how long (in seconds) B<s_time> should establish connections and
-optionally transfer payload data from a server. Server and client performance
-and the link speed determine how many connections B<s_time> can establish.
+Specifies how long (in seconds) this command should establish connections
+and optionally transfer payload data from a server. Server and client
+performance and the link speed determine how many connections it
+can establish.
 
 =back
 
 =head1 NOTES
 
-B<s_time> can be used to measure the performance of an SSL connection.
+This command can be used to measure the performance of an SSL connection.
 To connect to an SSL HTTP server and get the default page the command
 
  openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
 
 would typically be used (https uses port 443). I<commoncipher> is a cipher to
-which both client and server can agree, see the L<ciphers(1)> command
+which both client and server can agree, see the L<openssl-ciphers(1)> command
 for details.
 
 If the handshake fails then there are several possible causes, if it is
diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod
index 259b9aae77..9e0b74f512 100644
--- a/doc/man1/openssl-sess_id.pod
+++ b/doc/man1/openssl-sess_id.pod
@@ -18,11 +18,11 @@ B<openssl> B<sess_id>
 
 =head1 DESCRIPTION
 
-The B<sess_id> process the encoded version of the SSL session structure
-and optionally prints out SSL session details (for example the SSL session
-master key) in human readable format. Since this is a diagnostic tool that
-needs some knowledge of the SSL protocol to use properly, most users will
-not need to use it.
+This command processes the encoded version of the SSL session
+structure and optionally prints out SSL session details (for example
+the SSL session master key) in human readable format. Since this is a
+diagnostic tool that needs some knowledge of the SSL protocol to use
+properly, most users will not need to use it.
 
 =head1 OPTIONS
 
diff --git a/doc/man1/openssl-smime.pod b/doc/man1/openssl-smime.pod
index 559b7aafc5..872e202556 100644
--- a/doc/man1/openssl-smime.pod
+++ b/doc/man1/openssl-smime.pod
@@ -74,8 +74,8 @@ I<cert.pem> ...
 
 =head1 DESCRIPTION
 
-The B<smime> command handles S/MIME mail. It can encrypt, decrypt, sign and
-verify S/MIME messages.
+This command handles S/MIME mail. It can encrypt, decrypt, sign
+and verify S/MIME messages.
 
 =head1 OPTIONS
 
@@ -187,7 +187,7 @@ A file containing trusted CA certificates, only used with B<-verify>.
 
 A directory containing trusted CA certificates, only used with
 B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
+is a hash of each subject name (using C<openssl x509 -hash>) should be linked
 to each certificate.
 
 =item B<-no-CAfile>
@@ -208,7 +208,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
 The encryption algorithm to use. For example DES  (56 bits) - B<-des>,
 triple DES (168 bits) - B<-des3>,
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
+example B<-aes-128-cbc>. See L<openssl-enc(1)> for list of ciphers
 supported by your version of OpenSSL.
 
 If not specified triple DES is used. Only used with B<-encrypt>.
diff --git a/doc/man1/openssl-speed.pod b/doc/man1/openssl-speed.pod
index 0165dd1290..fd78872996 100644
--- a/doc/man1/openssl-speed.pod
+++ b/doc/man1/openssl-speed.pod
@@ -26,8 +26,8 @@ B<openssl speed>
 =head1 DESCRIPTION
 
 This command is used to test the performance of cryptographic algorithms.
-To see the list of supported algorithms, use the I<list --digest-commands>
-or I<list --cipher-commands> command. The global CSPRNG is denoted by
+To see the list of supported algorithms, use C<openssl list -digest-commands>
+or C<openssl list -cipher-commands> command. The global CSPRNG is denoted by
 the B<rand> algorithm name.
 
 =head1 OPTIONS
@@ -40,7 +40,7 @@ Print out a usage message.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<speed>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -64,7 +64,8 @@ Time the HMAC algorithm using the specified message digest.
 
 =item B<-cmac> I<cipher>
 
-Time the CMAC algorithm using the specified cipher e.g. B<speed -cmac aes128>.
+Time the CMAC algorithm using the specified cipher e.g.
+C<openssl speed -cmac aes128>.
 
 =item B<-decrypt>
 
@@ -97,7 +98,7 @@ Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
 
 =item I<algorithm> ...
 
-If any options are given, B<speed> tests those algorithms, otherwise a
+If any I<algorithm> is given, then those algorithms are tested, otherwise a
 pre-compiled grand selection is tested.
 
 =back
diff --git a/doc/man1/openssl-spkac.pod b/doc/man1/openssl-spkac.pod
index e4ad670b5e..fb64a6793c 100644
--- a/doc/man1/openssl-spkac.pod
+++ b/doc/man1/openssl-spkac.pod
@@ -25,7 +25,7 @@ B<openssl> B<spkac>
 
 =head1 DESCRIPTION
 
-The B<spkac> command processes Netscape signed public key and challenge
+This command processes Netscape signed public key and challenge
 (SPKAC) files. It can print out their contents, verify the signature and
 produce its own SPKACs from a supplied private key.
 
@@ -94,7 +94,7 @@ Verifies the digital signature on the supplied SPKAC.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<spkac>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -126,8 +126,8 @@ Example of an SPKAC, (long lines split up for clarity):
 
 =head1 NOTES
 
-A created SPKAC with suitable DN components appended can be fed into
-the B<ca> utility.
+A created SPKAC with suitable DN components appended can be fed to
+L<openssl-ca(1)>.
 
 SPKACs are typically generated by Netscape when a form is submitted
 containing the B<KEYGEN> tag as part of the certificate enrollment
diff --git a/doc/man1/openssl-srp.pod b/doc/man1/openssl-srp.pod
index 926f96b44d..dfaadd31f2 100644
--- a/doc/man1/openssl-srp.pod
+++ b/doc/man1/openssl-srp.pod
@@ -26,8 +26,7 @@ B<openssl srp>
 
 =head1 DESCRIPTION
 
-The B<srp> command is used to maintain an SRP (secure remote password)
-file.
+This command is used to maintain an SRP (secure remote password) file.
 At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
 can be specified.
 These options take zero or more usernames as parameters and perform the
diff --git a/doc/man1/openssl-storeutl.pod b/doc/man1/openssl-storeutl.pod
index 79e65c4efa..7133dd7a66 100644
--- a/doc/man1/openssl-storeutl.pod
+++ b/doc/man1/openssl-storeutl.pod
@@ -27,8 +27,8 @@ I<uri> ...
 
 =head1 DESCRIPTION
 
-The B<storeutl> command can be used to display the contents (after decryption
-as the case may be) fetched from the given URIs.
+This command can be used to display the contents (after
+decryption as the case may be) fetched from the given URIs.
 
 =head1 OPTIONS
 
@@ -55,11 +55,11 @@ see L<openssl(1)/Pass phrase options>.
 =item B<-text>
 
 Prints out the objects in text form, similarly to the B<-text> output from
-B<openssl x509>, B<openssl pkey>, etc.
+L<openssl-x509(1)>, L<openssl-pkey(1)>, etc.
 
 =item B<-engine> I<id>
 
-specifying an engine (by its unique I<id> string) will cause B<storeutl>
+specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed.
 The engine will then be set as the default for all available algorithms.
@@ -118,7 +118,7 @@ L<openssl(1)>
 
 =head1 HISTORY
 
-The B<openssl> B<storeutl> app was added in OpenSSL 1.1.1.
+This command was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man1/openssl-ts.pod b/doc/man1/openssl-ts.pod
index 99995b2730..6e9087bd18 100644
--- a/doc/man1/openssl-ts.pod
+++ b/doc/man1/openssl-ts.pod
@@ -86,8 +86,8 @@ I<verify options:>
 
 =head1 DESCRIPTION
 
-The B<ts> command is a basic Time Stamping Authority (TSA) client and server
-application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
+This command is a basic Time Stamping Authority (TSA) client and
+server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
 TSA can be part of a PKI deployment and its role is to provide long
 term proof of the existence of a certain datum before a particular
 time. Here is a brief description of the protocol:
@@ -116,7 +116,7 @@ value that it had sent to the TSA.
 
 There is one DER encoded protocol data unit defined for transporting a time
 stamp request to the TSA and one for sending the timestamp response
-back to the client. The B<ts> command has three main functions:
+back to the client. This command has three main functions:
 creating a timestamp request based on a data file,
 creating a timestamp response based on a request, verifying if a
 response corresponds to a particular request or a data file.
@@ -169,7 +169,7 @@ in use. (Optional)
 =item B<-I<digest>>
 
 The message digest to apply to the data file.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the L<openssl-dgst(1)> command can be used.
 The default is SHA-256. (Optional)
 
 =item B<-tspolicy> I<object_id>
@@ -314,7 +314,7 @@ instead of DER. (Optional)
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<ts>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. Default is built-in. (Optional)
@@ -391,7 +391,7 @@ B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>,
 B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>,
 B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
 B<-verify_name>, and B<-x509_strict> can be used to control timestamp
-verification.  See L<verify(1)>.
+verification.  See L<openssl-verify(1)>.
 
 =back
 
diff --git a/doc/man1/openssl-tsget.pod b/doc/man1/openssl-tsget.pod
index 2806762926..10595db07c 100644
--- a/doc/man1/openssl-tsget.pod
+++ b/doc/man1/openssl-tsget.pod
@@ -23,15 +23,14 @@ B<-h> server_url
 
 =head1 DESCRIPTION
 
-The B<tsget> command can be used for sending a timestamp request, as
-specified in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing
-the timestamp response in a file. This tool cannot be used for creating the
-requests and verifying responses, you can use the OpenSSL B<ts(1)> command to
-do that. B<tsget> can send several requests to the server without closing
-the TCP connection if more than one requests are specified on the command
-line.
+This command can be used for sending a timestamp request, as specified
+in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing the
+timestamp response in a file. It cannot be used for creating the requests
+and verifying responses, you have to use L<openssl-ts(1)> to do that. This
+command can send several requests to the server without closing the TCP
+connection if more than one requests are specified on the command line.
 
-The tool sends the following HTTP request for each timestamp request:
+This command sends the following HTTP request for each timestamp request:
 
         POST url HTTP/1.1
         User-Agent: OpenTSA tsget.pl/<version>
@@ -43,7 +42,7 @@ The tool sends the following HTTP request for each timestamp request:
 
         ...binary request specified by the user...
 
-B<tsget> expects a response of type application/timestamp-reply, which is
+It expects a response of type application/timestamp-reply, which is
 written to a file without any interpretation.
 
 =head1 OPTIONS
@@ -88,8 +87,8 @@ be specified. (Optional)
 =item B<-p> key_password
 
 (HTTPS) Specifies the passphrase for the private key specified by the B<-k>
-argument. If this option is omitted and the key is passphrase protected B<tsget>
-will ask for it. (Optional)
+argument. If this option is omitted and the key is passphrase protected,
+it will be prompted for. (Optional)
 
 =item B<-c> client_cert.pem
 
@@ -107,9 +106,8 @@ Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
 =item B<-P> CA_path
 
 (HTTPS) The path containing the trusted CA certificates to verify the peer's
-certificate. The directory must be prepared with the B<c_rehash>
-OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
-HTTPS. (Optional)
+certificate. The directory must be prepared with L<openssl-rehash(1)>. Either
+option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
 
 =item B<-rand> file:file...
 
diff --git a/doc/man1/openssl-verify.pod b/doc/man1/openssl-verify.pod
index 91c369e0b4..6c1f3ed74c 100644
--- a/doc/man1/openssl-verify.pod
+++ b/doc/man1/openssl-verify.pod
@@ -58,7 +58,7 @@ B<openssl> B<verify>
 
 =head1 DESCRIPTION
 
-The B<verify> command verifies certificate chains.
+This command verifies certificate chains.
 
 =head1 OPTIONS
 
@@ -76,10 +76,10 @@ The file should contain one or more certificates in PEM format.
 =item B<-CApath> I<directory>
 
 A directory of trusted certificates. The certificates should have names
-of the form: F<I<hash>.0> or have symbolic links to them of this
-form (I<hash> is the hashed certificate subject name: see the B<-hash> option
-of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
-create symbolic links to a directory of certificates.
+of the form: F<I<hash>.0> or have symbolic links to them of this form
+(I<hash> is the hashed certificate subject name: see the L<openssl-x509(1)>
+B<-hash> option). Under Unix, L<openssl-rehash(1)> will automatically create
+symbolic links to a directory of certificates.
 
 =item B<-no-CAfile>
 
@@ -126,7 +126,7 @@ to look up valid CRLs.
 
 =item B<-engine> I<id>
 
-Specifying an engine I<id> will cause L<verify(1)> to attempt to load the
+Specifying an engine I<id> will cause this command to attempt to load the
 specified engine.
 The engine will then be set as the default for all its supported algorithms.
 If you want to load certificates or CRLs that require engine support via any of
@@ -192,7 +192,8 @@ Print out diagnostics related to policy processing.
 =item B<-purpose> I<purpose>
 
 The intended use for the certificate. If this option is not specified,
-B<verify> will not consider certificate purpose during chain verification.
+this command will not consider certificate purpose during chain
+verification.
 Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
 B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
 information.
@@ -298,8 +299,7 @@ Use default verification policies like trust model and required certificate
 policies identified by I<name>.
 The trust model determines which auxiliary trust or reject OIDs are applicable
 to verifying the given certificate chain.
-See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
-utility.
+See the B<-addtrust> and B<-addreject> options for L<openssl-x509(1)>.
 Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>,
 B<ssl_client>, B<ssl_server>.
 These mimics the combinations of purpose and trust settings used in SSL, CMS
@@ -337,22 +337,22 @@ with a B<->.
 
 =item I<certificate> ...
 
-One or more certificates to verify. If no certificates are given, B<verify>
-will attempt to read a certificate from standard input. Certificates must be
-in PEM format.
+One or more certificates to verify. If no certificates are given,
+this command will attempt to read a certificate from standard input.
+Certificates must be in PEM format.
 
 =back
 
 =head1 VERIFY OPERATION
 
-The B<verify> program uses the same functions as the internal SSL and S/MIME
-verification, therefore this description applies to these verify operations
-too.
+This command uses the same functions as the internal SSL
+and S/MIME verification, therefore this description applies to these verify
+operations too.
 
 There is one crucial difference between the verify operations performed
-by the B<verify> program: wherever possible an attempt is made to continue
-after an error whereas normally the verify operation would halt on the
-first error. This allows all the problems with a certificate chain to be
+by this command: wherever possible an attempt is made to
+continue after an error whereas normally the verify operation would halt on
+the first error. This allows all the problems with a certificate chain to be
 determined.
 
 The verify operation consists of a number of separate steps.
diff --git a/doc/man1/openssl-version.pod b/doc/man1/openssl-version.pod
index 278769423e..62d50ce701 100644
--- a/doc/man1/openssl-version.pod
+++ b/doc/man1/openssl-version.pod
@@ -80,7 +80,7 @@ The OpenSSL CPU settings info.
 
 =head1 NOTES
 
-The output of B<openssl version -a> would typically be used when sending
+The output of C<openssl version -a> would typically be used when sending
 in a bug report.
 
 =head1 COPYRIGHT
diff --git a/doc/man1/openssl-x509.pod b/doc/man1/openssl-x509.pod
index a3ea203520..a5e133fd46 100644
--- a/doc/man1/openssl-x509.pod
+++ b/doc/man1/openssl-x509.pod
@@ -72,8 +72,8 @@ B<openssl> B<x509>
 
 =head1 DESCRIPTION
 
-The B<x509> command is a multi purpose certificate utility. It can be
-used to display certificate information, convert certificates to
+This command is a multi purpose certificate utility. It can
+be used to display certificate information, convert certificates to
 various forms, sign certificate requests like a "mini CA" or edit
 certificate trust settings.
 
@@ -118,7 +118,7 @@ default.
 The digest to use.
 This affects any signing or display option that uses a message
 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
-Any digest supported by the OpenSSL B<dgst> command can be used.
+Any digest supported by the L<openssl-dgst(1)> command can be used.
 If not specified then SHA1 is used with B<-fingerprint> or
 the default digest for the signing algorithm is used, typically SHA256.
 
@@ -136,7 +136,7 @@ This can be used with a subsequent B<-rand> flag.
 
 =item B<-engine> I<id>
 
-Specifying an engine (by its unique I<id> string) will cause B<x509>
+Specifying an engine (by its unique I<id> string) will cause this command
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -289,8 +289,8 @@ Trust settings currently are only used with a root CA. They allow a finer
 control over the purposes the root CA can be used for. For example a CA
 may be trusted for SSL client but not SSL server use.
 
-See the description of the B<verify> utility for more information on the
-meaning of trust settings.
+See the description in L<openssl-verify(1)> for more information
+on the meaning of trust settings.
 
 Future versions of OpenSSL will recognize trust settings on any
 certificate: not just root CAs.
@@ -300,7 +300,7 @@ certificate: not just root CAs.
 
 =item B<-trustout>
 
-This causes B<x509> to output a B<trusted> certificate. An ordinary
+Output a B<trusted> certificate rather than an ordinary. An ordinary
 or trusted certificate can be input but by default an ordinary
 certificate is output and any trust settings are discarded. With the
 B<-trustout> option a trusted certificate is output. A trusted
@@ -348,7 +348,7 @@ EXTENSIONS> section.
 
 =head2 Signing Options
 
-The B<x509> utility can be used to sign certificates and requests: it
+This command can be used to sign certificates and requests: it
 can thus behave like a "mini CA".
 
 =over 4
@@ -414,8 +414,8 @@ The serial number can be decimal or hex (if preceded by B<0x>).
 =item B<-CA> I<filename>
 
 Specifies the CA certificate to be used for signing. When this option is
-present B<x509> behaves like a "mini CA". The input file is signed by this
-CA using this option: that is its issuer name is set to the subject name
+present, this command behaves like a "mini CA". The input file is signed by
+this CA using this option: that is its issuer name is set to the subject name
 of the CA and it is digitally signed using the CAs private key.
 
 This option is normally combined with the B<-req> option. Without the
@@ -717,7 +717,7 @@ Hex dump unsupported extensions.
 
 =item B<ca_default>
 
-The value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
+The value used by L<openssl-ca(1)>, equivalent to B<no_issuer>, B<no_pubkey>,
 B<no_header>, and B<no_version>.
 
 =back
@@ -952,9 +952,9 @@ L<x509v3_config(5)>
 
 The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
 before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
-of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
-canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar.
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
+version of the DN using SHA1. This means that any directories using the old
+form must have their links rebuilt using L<openssl-rehash(1)> or similar.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index a8643a9733..fad0e85b0d 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -55,7 +55,7 @@ was built.
 The list options B<-standard-commands>, B<-digest-commands>,
 and B<-cipher-commands> output a list (one entry per line) of the names
 of all standard commands, message digest commands, or cipher commands,
-respectively, that are available in the present B<openssl> utility.
+respectively, that are available.
 
 The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
 and B<-mac-algorithms> list all cipher, message digest, and message