doc/man1/openssl-cmp.pod.in

70 Client authentication and protection options:
540 when validating signature-based protection of CMP response messages.
542 It provides more flexibility than B<-srvcert> because the CMP protection
566 CMP message protection) and when validating newly enrolled certificates.
574 expired) when verifying signature-based protection of CMP response messages.
599 signature-based protection of incoming CMP messages.
604 Accept missing or invalid protection of negative responses from the server.
628 used to protect a message [...] because other protection, external to PKIX, will
634 =item * appendix D.4 shows PKIConf message having protection
662 Provides the source of a secret value to use with MAC-based message protection.
664 The secret is used for creating MAC-based protection of outgoing messages
665 and for validating incoming messages that have MAC-based protection.
686 When performing signature-based message protection,
687 this "protection certificate", also called "signer certificate",
718 This will be used for signature-based message protection unless the B<-secret>
719 option indicating MAC-based protection or B<-unprotected_requests> is given.
736 If applicable, this is used for message protection and
760 Send request messages without CMP-level protection.
914 This causes re-protection (if protecting requests is required).
1065 Send response messages without CMP-level protection.
1075 Accept missing or invalid protection of requests.
1107 or B<-secret> for MAC-based protection.
1112 check the protection of the CMP response message.
1178 using MAC-based protection with PBM or
1182 using signature-based protection.