Imported Upstream version 5.1.1

13 files changed, 1798 insertions, 0 deletions

diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
new file mode 100644
index 000000000..618bd4093
--- /dev/null
+++ b/src/pki/man/Makefile.am
@@ -0,0 +1,14 @@
+man1_MANS = \
+	pki.1 \
+	pki---gen.1 \
+	pki---self.1 \
+	pki---issue.1 \
+	pki---signcrl.1 \
+	pki---req.1 \
+	pki---pkcs7.1 \
+	pki---keyid.1 \
+	pki---print.1 \
+	pki---pub.1 \
+	pki---verify.1
+
+CLEANFILES = $(man1_MANS)
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
new file mode 100644
index 000000000..ecba4a9b3
--- /dev/null
+++ b/src/pki/man/Makefile.in
@@ -0,0 +1,637 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/pki/man
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \
+	$(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \
+	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
+	$(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
+	$(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
+	$(srcdir)/pki---verify.1.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
+	pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
+	pki---self.1 pki---signcrl.1 pki---verify.1
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+man1dir = $(mandir)/man1
+am__installdirs = "$(DESTDIR)$(man1dir)"
+NROFF = nroff
+MANS = $(man1_MANS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+man1_MANS = \
+	pki.1 \
+	pki---gen.1 \
+	pki---self.1 \
+	pki---issue.1 \
+	pki---signcrl.1 \
+	pki---req.1 \
+	pki---pkcs7.1 \
+	pki---keyid.1 \
+	pki---print.1 \
+	pki---pub.1 \
+	pki---verify.1
+
+CLEANFILES = $(man1_MANS)
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pki/man/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/pki/man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+pki.1: $(top_builddir)/config.status $(srcdir)/pki.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---gen.1: $(top_builddir)/config.status $(srcdir)/pki---gen.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---issue.1: $(top_builddir)/config.status $(srcdir)/pki---issue.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---req.1: $(top_builddir)/config.status $(srcdir)/pki---req.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man1: $(man1_MANS)
+	@$(NORMAL_INSTALL)
+	@list1='$(man1_MANS)'; \
+	list2=''; \
+	test -n "$(man1dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.1[a-z]*$$/p'; \
+	fi; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man1:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man1_MANS)'; test -n "$(man1dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(man1dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man1
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man1
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am tags-am uninstall uninstall-am uninstall-man \
+	uninstall-man1
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
new file mode 100644
index 000000000..138ab6122
--- /dev/null
+++ b/src/pki/man/pki---gen.1.in
@@ -0,0 +1,112 @@
+.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-gen \- Generate a new RSA or ECDSA private key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-gen
+.OP \-\-type type
+.OP \-\-size bits
+.OP \-\-safe\-primes
+.OP \-\-shares n
+.OP \-\-threshold l
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-gen
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-gen"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to generate a new RSA or ECDSA private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-s, \-\-size " bits
+Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
+For \fIecdsa\fR only three values are currently supported: 256, 384 and 521.
+.TP
+.BI "\-p, \-\-safe\-primes"
+Generate RSA safe primes.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the generated private key. Either \fIder\fR (ASN.1 DER) or \fIpem\fR
+(Base64 PEM), defaults
+to \fIder\fR.
+.PP
+.SS "RSA Threshold Cryptography"
+.TP
+.BI "\-n, \-\-shares " <n>
+Number of private RSA key shares.
+.TP
+.BI "\-l, \-\-threshold " <l>
+Minimum number of participating RSA key shares.
+.
+.SH "PROBLEMS ON HOSTS WITH LOW ENTROPY"
+.
+If the
+.I gmp
+plugin is used to generate RSA private keys the key material is read from
+.I /dev/random
+(via the
+.I random
+plugin). Therefore, the command may block if the system's entropy pool is empty.
+To avoid this, either use a hardware random number generator to feed
+.I /dev/random
+or use OpenSSL (via the
+.I openssl
+plugin or the command line) which is not as strict in regards to the quality of
+the key material (it reads from
+.I /dev/urandom
+if necessary). It is also possible to configure the devices used by the
+.I random
+plugin in
+.BR strongswan.conf (5).
+Setting
+.B libstrongswan.plugins.random.random
+to
+.I /dev/urandom
+forces the plugin to treat bytes read from
+.I /dev/urandom
+as high grade random data, thus avoiding the blocking. Of
+course, this doesn't change the fact that the key material generated this way is
+of lower quality.
+.
+.SH "EXAMPLES"
+.
+.TP
+.B pki \-\-gen \-\-size 3072 > rsa_key.der
+Generates a 3072-bit RSA private key.
+.
+.TP
+.B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
+Generates a 256-bit ECDSA private key.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
new file mode 100644
index 000000000..9effd9b15
--- /dev/null
+++ b/src/pki/man/pki---issue.1.in
@@ -0,0 +1,179 @@
+.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-issue \- Issue a certificate using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-issue
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-dn subject-dn
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-issue
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-issue"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a certificate using a CA certificate and private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Public key or PKCS#10 certificate request file to issue. If not given the
+key/request is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a
+PKCS#10 certificate request, defaults to \fIpub\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-d, \-\-dn " subject-dn
+Subject distinguished name (DN) of the issued certificate.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-u, \-\-crl " uri
+CRL distribution point URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-I, \-\-crlissuer " issuer
+Optional CRL issuer for the CRL at the preceding distribution point.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I pki.opt
+contains the following contents:
+.PP
+.EX
+  --cacert ca_cert.der --cakey ca_key.der --digest sha256
+  --flag serverAuth --lifetime 1460 --type pkcs10
+.EE
+.PP
+Then the following command can be used to issue a certificate based on a
+given PKCS#10 certificate request and the options above:
+.PP
+.EX
+  pki --issue --options pki.opt --in req.der > cert.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
new file mode 100644
index 000000000..490f7afea
--- /dev/null
+++ b/src/pki/man/pki---keyid.1.in
@@ -0,0 +1,72 @@
+.TH "PKI \-\-KEYID" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-keyid \- Calculate key identifiers of a key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-keyid
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-keyid
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-keyid"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+calculates key identifiers of private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
+request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+.
+.SH "EXAMPLES"
+.
+Calculate key identifiers of an RSA private key:
+.PP
+.EX
+  pki --keyid --in key.der
+  subjectKeyIdentifier:      6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+  subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+Calculate key identifiers of an X.509 certificate:
+.PP
+.EX
+  pki --keyid --in cert.der --type x509
+  subjectKeyIdentifier:      6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+  subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---pkcs7.1.in b/src/pki/man/pki---pkcs7.1.in
new file mode 100644
index 000000000..38186cf70
--- /dev/null
+++ b/src/pki/man/pki---pkcs7.1.in
@@ -0,0 +1,79 @@
+.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pkcs7 \- Provides PKCS#7 wrap/unwrap functions
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pkcs7
+.BR \-\-sign | \-\-verify | \-\-encrypt | \-\-decrypt | \-\-show
+.OP \-\-in file
+.OP \-\-cert file
+.OP \-\-key file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs7
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pkcs7"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+provides functions to wrap/unwrap PKCS#7 containers.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-s, \-\-sign"
+Create PKCS#7 signed-data.
+.TP
+.BI "\-u, \-\-verify"
+Verify PKCS#7 signed-data.
+.TP
+.BI "\-e, \-\-encrypt"
+Create PKCS#7 enveloped-data.
+.TP
+.BI "\-e, \-\-decrypt"
+Decrypt PKCS#7 enveloped-data.
+.TP
+.BI "\-p, \-\-show"
+Show information about PKCS#7 container, list certificates.
+.TP
+.BI "\-i, \-\-in " file
+PKCS#7 input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-k, \-\-key " file
+Private key used for
+.B \-\-sign
+and
+.BR \-\-decrypt.
+.TP
+.BI "\-c, \-\-cert " file
+Certificate for
+.BR \-\-sign ,
+.B \-\-verify
+and
+.BR \-\-encrypt.
+Can be used multiple times.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
new file mode 100644
index 000000000..8d3345edc
--- /dev/null
+++ b/src/pki/man/pki---print.1.in
@@ -0,0 +1,53 @@
+.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-print \- Print a credential (key, certificate etc.) in human readable form
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-print
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-print
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-print"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+prints credentials (keys, certificates etc.) in human readable form.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
+(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
new file mode 100644
index 000000000..c57e03a40
--- /dev/null
+++ b/src/pki/man/pki---pub.1.in
@@ -0,0 +1,77 @@
+.TH "PKI \-\-PUB" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pub \- Extract a public key from a private key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pub
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type type
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pub
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pub"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+extracts public keys from a private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
+private key), \fIpub\fR (public key),
+\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
+defaults to \fIrsa\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
+(Base64 PEM), \fIdnskey\fR (RFC 3110 DNS key), or \fIsshkey\fR (RFC 4253 SSH
+key), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Extract the public key from an RSA private key:
+.PP
+.EX
+  pki --pub --in key.der > pub.der
+.EE
+.PP
+Extract the public key from an X.509 certificate:
+.PP
+.EX
+  pki --pub --in cert.der --type x509 > pub.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
new file mode 100644
index 000000000..ab144ce2a
--- /dev/null
+++ b/src/pki/man/pki---req.1.in
@@ -0,0 +1,91 @@
+.TH "PKI \-\-REQ" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-req \- Create a PKCS#10 certificate request
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-req
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-password password
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-req
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-req"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a PKCS#10 certificate request.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in request. Can be used multiple times.
+.TP
+.BI "\-p, \-\-password " password
+The challengePassword to include in the certificate request.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Generate a certificate request for an RSA key, with a subjectAltName extension:
+.PP
+.EX
+  pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+       \-\-san moon@strongswan.org > req.der
+.EE
+.PP
+Generate a certificate request for an ECDSA key and a different digest:
+.PP
+.EX
+  pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
+      \-\-dn "C=CH, O=strongSwan, CN=carol"  > req.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
new file mode 100644
index 000000000..ee42cf9a0
--- /dev/null
+++ b/src/pki/man/pki---self.1.in
@@ -0,0 +1,148 @@
+.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-self \- Create a self-signed certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-self
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type t
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-self
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-self"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a self-signed certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-x, \-\-keyid " hex
+Key ID of a private key on a smartcard.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject and issuer distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+Generate a self-signed certificate using the given RSA key:
+.PP
+.EX
+  pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+      \-\-san moon.strongswan.org > cert.der
+.EE
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
new file mode 100644
index 000000000..6ba96f6bc
--- /dev/null
+++ b/src/pki/man/pki---signcrl.1.in
@@ -0,0 +1,124 @@
+.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
new file mode 100644
index 000000000..de34acad4
--- /dev/null
+++ b/src/pki/man/pki---verify.1.in
@@ -0,0 +1,56 @@
+.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-verify \- Verify a certificate using a CA certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-verify
+.OP \-\-in file
+.OP \-\-cacert file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-verify
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-verify"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+verifies a certificate using an optional CA certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate to use. If not given the certificate is assumed to be
+self-signed.
+.
+.SH "EXIT STATUS"
+The exit status is 0 if the certificate was verified successfully, and 2 if
+the verification failed.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
new file mode 100644
index 000000000..8dfc53af3
--- /dev/null
+++ b/src/pki/man/pki.1.in
@@ -0,0 +1,156 @@
+.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \- Simple public key infrastructure (PKI) management tool
+.
+.SH "SYNOPSIS"
+.
+.SY "pki"
+.I command
+.RI [ option\~ .\|.\|.]
+.YS
+.
+.SY "pki"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B pki
+is a suite of commands that allow you to manage a simple public key
+infrastructure (PKI).
+.P
+Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
+containing subjectAltNames, create X.509 self-signed end-entity and root CA
+certificates, issue end-entity and intermediate CA certificates signed by the
+private key of a CA and containing subjectAltNames, CRL distribution points
+and URIs of OCSP servers. You can also extract raw public keys from private
+keys, certificate requests and certificates and compute two kinds of SHA-1-based
+key IDs.
+.
+.SH "COMMANDS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.B "\-g, \-\-gen"
+Generate a new private key.
+.TP
+.B "\-s, \-\-self"
+Create a self-signed certificate.
+.TP
+.B "\-i, \-\-issue"
+Issue a certificate using a CA certificate and key.
+.TP
+.B "\-c, \-\-signcrl"
+Issue a CRL using a CA certificate and key.
+.TP
+.B "\-r, \-\-req"
+Create a PKCS#10 certificate request.
+.TP
+.B "\-7, \-\-pkcs7"
+Provides PKCS#7 wrap/unwrap functions.
+.TP
+.B "\-k, \-\-keyid"
+Calculate key identifiers of a key or certificate.
+.TP
+.B "\-a, \-\-print"
+Print a credential (key, certificate etc.) in human readable form.
+.TP
+.B "\-p, \-\-pub"
+Extract a public key from a private key or certificate.
+.TP
+.B "\-v, \-\-verify"
+Verify a certificate using a CA certificate.
+.
+.SH "EXAMPLES"
+.
+.SS "Generating a CA Certificate"
+.
+The first step is to generate a private key using the
+.B \-\-gen
+command. By default this generates a 2048-bit RSA key.
+.PP
+.EX
+  pki \-\-gen > ca_key.der
+.EE
+.PP
+This key is used to create the self-signed CA certificate, using the
+.B \-\-self
+command. The distinguished name should be adjusted to your needs.
+.PP
+.EX
+  pki \-\-self \-\-ca \-\-in ca_key.der \\
+      \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
+.EE
+.PP
+.
+.SS "Generating End-Entity Certificates"
+.
+With the root CA certificate and key at hand end-entity certificates for clients
+and servers can be issued. Similarly intermediate CA certificates can be issued,
+which in turn can issue other certificates.
+To generate a certificate for a server, we start by generating a private key.
+.PP
+.EX
+  pki \-\-gen > server_key.der
+.EE
+.PP
+The public key will be included in the certificate so lets extract that from the
+private key.
+.PP
+.EX
+  pki \-\-pub \-\-in server_key.der > server_pub.der
+.EE
+.PP
+The following command will use the CA certificate and private key to issue the
+certificate for this server. Adjust the distinguished name, subjectAltName(s)
+and flags as needed (check
+.BR pki\ \-\-issue (8)
+for more options).
+.PP
+.EX
+  pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
+      \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
+      \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
+.EE
+.PP
+Instead of storing the public key in a separate
+file, the output of
+.B \-\-pub
+may also be piped directly into the above command.
+.
+.SS "Generating Certificate Revocation Lists (CRL)"
+.
+If end-entity certificates have to be revoked, CRLs may be generated using
+the
+.B \-\-signcrl
+command.
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-reason superseded \-\-cert server_cert.der > crl.der
+.EE
+.PP
+The certificate given with \-\-cacert must be either a CA certificate or a
+certificate with the
+.I crlSign
+extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
+certificates with the \-\-crl option.
+.
+.SH "SEE ALSO"
+.
+.BR pki\ \-\-gen (1),
+.BR pki\ \-\-self (1),
+.BR pki\ \-\-issue (1),
+.BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-req (1),
+.BR pki\ \-\-pkcs7 (1),
+.BR pki\ \-\-keyid (1),
+.BR pki\ \-\-print (1),
+.BR pki\ \-\-pub (1),
+.BR pki\ \-\-verify (1)