1 files changed, 20 insertions, 3 deletions

diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod
index be898c6795..dc0f06d9d3 100644
--- a/doc/man3/PKCS12_create.pod
+++ b/doc/man3/PKCS12_create.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-PKCS12_create - create a PKCS#12 structure
+PKCS12_create, PKCS12_create_ex - create a PKCS#12 structure
 
 =head1 SYNOPSIS
 
@@ -11,6 +11,10 @@ PKCS12_create - create a PKCS#12 structure
  PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey,
                        X509 *cert, STACK_OF(X509) *ca,
                        int nid_key, int nid_cert, int iter, int mac_iter, int keytype);
+ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
+                          X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
+                          int iter, int mac_iter, int keytype,
+                          OSSL_LIB_CTX *ctx, const char *propq);
 
 =head1 DESCRIPTION
 
@@ -18,7 +22,7 @@ PKCS12_create() creates a PKCS#12 structure.
 
 I<pass> is the passphrase to use. I<name> is the B<friendlyName> to use for
 the supplied certificate and key. I<pkey> is the private key to include in
-the structure and I<cert> its corresponding certificates. I<ca>, if not NULL
+the structure and I<cert> its corresponding certificates. I<ca>, if not B<NULL>
 is an optional set of certificates to also include in the structure.
 
 I<nid_key> and I<nid_cert> are the encryption algorithms that should be used
@@ -27,6 +31,9 @@ GCM, CCM, XTS, and OCB are unsupported. I<iter> is the encryption algorithm
 iteration count to use and I<mac_iter> is the MAC iteration count to use.
 I<keytype> is the type of key.
 
+PKCS12_create_ex() is identical to PKCS12_create() but allows for a library context
+I<ctx> and property query I<propq> to be used to select algorithm implementations.
+
 =head1 NOTES
 
 The parameters I<nid_key>, I<nid_cert>, I<iter>, I<mac_iter> and I<keytype>
@@ -37,6 +44,10 @@ AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key
 derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and
 MAC algorithm HMAC with SHA2-256.
 
+The default MAC iteration count is 1 in order to retain compatibility with
+old software which did not interpret MAC iteration counts. If such compatibility
+is not required then I<mac_iter> should be set to PKCS12_DEFAULT_ITER.
+
 I<keytype> adds a flag to the store private key. This is a non standard extension
 that is only currently interpreted by MSIE. If set to zero the flag is omitted,
 if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
@@ -49,7 +60,7 @@ If a certificate contains an I<alias> or I<keyid> then this will be
 used for the corresponding B<friendlyName> or B<localKeyID> in the
 PKCS12 structure.
 
-Either I<pkey>, I<cert> or both can be NULL to indicate that no key or
+Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or
 certificate is required. In previous versions both had to be present or
 a fatal error is returned.
 
@@ -66,6 +77,10 @@ See L<passphrase-encoding(7)> for more information.
 
 PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred.
 
+=head1 CONFORMING TO
+
+IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
+
 =head1 SEE ALSO
 
 L<d2i_PKCS12(3)>,
@@ -73,6 +88,8 @@ L<passphrase-encoding(7)>
 
 =head1 HISTORY
 
+PKCS12_create_ex() was added in OpenSSL 3.0.
+
 The defaults for encryption algorithms, MAC algorithm, and the MAC key
 derivation iteration count were changed in OpenSSL 3.0 to more modern
 standards.