Add command line password options to the reamining utilities,
amend docs.
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index 9eca325..fe3c5b4 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -4,11 +4,12 @@
 
 genrsa - generate an RSA private key
 
-
 =head1 SYNOPSIS
 
 B<openssl> B<genrsa>
 [B<-out filename>]
+[B<-passout password>]
+[B<-envpassout var>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -25,11 +26,26 @@
 
 =over 4
 
+=item B<-out filename>
+
+the output filename. If this argument is not specified then standard output is
+used.  
+
+=item B<-passout password>
+
+the output file password. Since certain utilities like "ps" make the command line
+visible this option should be used with caution.
+
+=item B<-envpassout var>
+
+read the output file password from the environment variable B<var>.
+
 =item B<-des|-des3|-idea>
 
 These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
-If none of these options is specified no encryption is used.
+IDEA ciphers respectively before outputting it. If none of these options is
+specified no encryption is used. If encryption is used a pass phrase is prompted
+for if it is not supplied via the B<-passout> or B<-envpassout> arguments.
 
 =item B<-F4|-3>
 
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index 3643a19..3d2ed36 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -37,6 +37,10 @@
 [B<-keysig>]
 [B<-password password>]
 [B<-envpass var>]
+[B<-passin password>]
+[B<-envpassin var>]
+[B<-passout password>]
+[B<-envpassout var>]
 
 =head1 DESCRIPTION
 
@@ -64,15 +68,24 @@
 The filename to write certificates and private keys to, standard output by default.
 They are all written in PEM format.
 
-=item B<-pass password>
+=item B<-pass password>, B<-passin password>
 
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
+the command line visible this option should be used with caution.
 
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassin password>
 
 read the PKCS#12 file password from the environment variable B<var>.
 
+=item B<-passout password>
+
+pass phrase to encrypt any outputed private keys with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpass var>, B<-envpassin password>
+
+read the outputed private keys file password from the environment variable B<var>.
+
 =item B<-noout>
 
 this option inhibits output of the keys and certificates to the output file version
@@ -169,15 +182,24 @@
 appear. Netscape ignores friendly names on other certificates whereas MSIE
 displays them.
 
-=item B<-pass password>
+=item B<-pass password>, B<-passout password>
 
-the PKCS#12 file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
+make the command line visible this option should be used with caution.
 
-=item B<-envpass var>
+=item B<-envpass var>, B<-envpassout var>
 
 read the PKCS#12 file password from the environment variable B<var>.
 
+=item B<-passin password>
+
+pass phrase to decrypt the input private key with. Since certain utilities like
+"ps" make the command line visible this option should be used with caution.
+
+=item B<-envpassin password>
+
+read the input private key file password from the environment variable B<var>.
+
 =item B<-chain>
 
 if this option is present then an attempt is made to include the entire
@@ -277,9 +299,6 @@
 
 Some would argue that the PKCS#12 standard is one big bug :-)
 
-Need password options for the PEM files: this will probably be fixed before
-release.
-
 =head1 SEE ALSO
 
 L<pkcs8(1)|pkcs8(1)>
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index c58768e..846b9a9 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -10,6 +10,8 @@
 [B<-in filename>]
 [B<-out filename>]
 [B<-key keyfile>]
+[B<-passin password>]
+[B<-envpassin var>]
 [B<-challenge string>]
 [B<-pubkey>]
 [B<-spkac spkacname>]
@@ -44,6 +46,17 @@
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.
 
+=item B<-passin password>
+
+the private key file password. Since certain utilities like "ps" make the
+command line visible this option should be used with caution. Ignored if
+the B<-key> argument is not used.
+
+=item B<-envpassin var>
+
+read the private key file password from the environment variable B<var>.
+Ignored if the B<-key> argument is not used.
+
 =item B<-challenge string>
 
 specifies the challenge string if an SPKAC is being created.