27 files changed, 2249 insertions, 319 deletions
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index e07938284..efbed9b2b 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -1,4 +1,6 @@
-ipsec_PROGRAMS = pki
+SUBDIRS = man
+
+bin_PROGRAMS = pki
 
 pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/gen.c \
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index f58ad1bce..1101366d1 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-# Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -16,23 +15,51 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
-am__make_dryrun = \
-  { \
-    am__dry=no; \
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
     case $$MAKEFLAGS in \
       *\\[\ \	]*) \
-        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
-          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
-      *) \
-        for am__flg in $$MAKEFLAGS; do \
-          case $$am__flg in \
-            *=*|--*) ;; \
-            *n*) am__dry=yes; break;; \
-          esac; \
-        done;; \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
     esac; \
-    test $$am__dry = yes; \
-  }
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -51,15 +78,17 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-ipsec_PROGRAMS = pki$(EXEEXT)
+bin_PROGRAMS = pki$(EXEEXT)
 subdir = src/pki
-DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/ltoptions.m4 \
 	$(top_srcdir)/m4/config/ltsugar.m4 \
 	$(top_srcdir)/m4/config/ltversion.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
@@ -70,17 +99,33 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)"
-PROGRAMS = $(ipsec_PROGRAMS)
-am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \
-	issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \
-	self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \
-	pkcs7.$(OBJEXT) verify.$(OBJEXT)
+am__installdirs = "$(DESTDIR)$(bindir)"
+PROGRAMS = $(bin_PROGRAMS)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
+	commands/gen.$(OBJEXT) commands/issue.$(OBJEXT) \
+	commands/keyid.$(OBJEXT) commands/pub.$(OBJEXT) \
+	commands/req.$(OBJEXT) commands/self.$(OBJEXT) \
+	commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \
+	commands/pkcs7.$(OBJEXT) commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
 pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
@@ -93,30 +138,85 @@ LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(AM_CFLAGS) $(CFLAGS)
 AM_V_CC = $(am__v_CC_@AM_V@)
 am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC    " $@;
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
 CCLD = $(CC)
 LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(AM_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD  " $@;
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN   " $@;
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
 SOURCES = $(pki_SOURCES)
 DIST_SOURCES = $(pki_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -190,6 +290,10 @@ PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
@@ -306,6 +410,7 @@ starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
@@ -313,6 +418,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
+SUBDIRS = man
 pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/gen.c \
 	commands/issue.c \
@@ -330,7 +436,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
 
-all: all-am
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -364,19 +470,21 @@ $(top_srcdir)/configure:  $(am__configure_deps)
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
 	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
 	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p || test -f $$p1; \
-	  then echo "$$p"; echo "$$p"; else :; fi; \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
 	done | \
-	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
 	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
 	sed 'N;N;N;s,\n, ,g' | \
 	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
@@ -387,239 +495,167 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	while read type dir files; do \
 	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
 	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
 	    } \
 	; done
 
-uninstall-ipsecPROGRAMS:
+uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' `; \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
 	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
+	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(bindir)" && rm -f $$files
 
-clean-ipsecPROGRAMS:
-	@list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
+clean-binPROGRAMS:
+	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
 	echo " rm -f" $$list; \
 	rm -f $$list || exit $$?; \
 	test -n "$(EXEEXT)" || exit 0; \
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
+commands/$(am__dirstamp):
+	@$(MKDIR_P) commands
+	@: > commands/$(am__dirstamp)
+commands/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) commands/$(DEPDIR)
+	@: > commands/$(DEPDIR)/$(am__dirstamp)
+commands/gen.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/issue.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/keyid.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/pub.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/req.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/self.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/print.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+commands/verify.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
+
 pki$(EXEEXT): $(pki_OBJECTS) $(pki_DEPENDENCIES) $(EXTRA_pki_DEPENDENCIES) 
 	@rm -f pki$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(pki_OBJECTS) $(pki_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
+	-rm -f commands/*.$(OBJEXT)
 
 distclean-compile:
 	-rm -f *.tab.c
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signcrl.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs7.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/print.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pub.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/req.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/self.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/signcrl.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/verify.Po@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-gen.o: commands/gen.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.o -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.o `test -f 'commands/gen.c' || echo '$(srcdir)/'`commands/gen.c
-
-gen.obj: commands/gen.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT gen.obj -MD -MP -MF $(DEPDIR)/gen.Tpo -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/gen.Tpo $(DEPDIR)/gen.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/gen.c' object='gen.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o gen.obj `if test -f 'commands/gen.c'; then $(CYGPATH_W) 'commands/gen.c'; else $(CYGPATH_W) '$(srcdir)/commands/gen.c'; fi`
-
-issue.o: commands/issue.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.o -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.o `test -f 'commands/issue.c' || echo '$(srcdir)/'`commands/issue.c
-
-issue.obj: commands/issue.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT issue.obj -MD -MP -MF $(DEPDIR)/issue.Tpo -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/issue.Tpo $(DEPDIR)/issue.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/issue.c' object='issue.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o issue.obj `if test -f 'commands/issue.c'; then $(CYGPATH_W) 'commands/issue.c'; else $(CYGPATH_W) '$(srcdir)/commands/issue.c'; fi`
-
-keyid.o: commands/keyid.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.o -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.o `test -f 'commands/keyid.c' || echo '$(srcdir)/'`commands/keyid.c
-
-keyid.obj: commands/keyid.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT keyid.obj -MD -MP -MF $(DEPDIR)/keyid.Tpo -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/keyid.Tpo $(DEPDIR)/keyid.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/keyid.c' object='keyid.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keyid.obj `if test -f 'commands/keyid.c'; then $(CYGPATH_W) 'commands/keyid.c'; else $(CYGPATH_W) '$(srcdir)/commands/keyid.c'; fi`
-
-pub.o: commands/pub.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.o -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.o `test -f 'commands/pub.c' || echo '$(srcdir)/'`commands/pub.c
-
-pub.obj: commands/pub.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pub.obj -MD -MP -MF $(DEPDIR)/pub.Tpo -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pub.Tpo $(DEPDIR)/pub.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pub.c' object='pub.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pub.obj `if test -f 'commands/pub.c'; then $(CYGPATH_W) 'commands/pub.c'; else $(CYGPATH_W) '$(srcdir)/commands/pub.c'; fi`
-
-req.o: commands/req.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.o -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.o `test -f 'commands/req.c' || echo '$(srcdir)/'`commands/req.c
-
-req.obj: commands/req.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT req.obj -MD -MP -MF $(DEPDIR)/req.Tpo -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/req.Tpo $(DEPDIR)/req.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/req.c' object='req.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o req.obj `if test -f 'commands/req.c'; then $(CYGPATH_W) 'commands/req.c'; else $(CYGPATH_W) '$(srcdir)/commands/req.c'; fi`
-
-self.o: commands/self.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.o -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.o `test -f 'commands/self.c' || echo '$(srcdir)/'`commands/self.c
-
-self.obj: commands/self.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT self.obj -MD -MP -MF $(DEPDIR)/self.Tpo -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/self.Tpo $(DEPDIR)/self.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/self.c' object='self.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi`
-
-print.o: commands/print.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c
-
-print.obj: commands/print.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi`
-
-signcrl.o: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c
-
-signcrl.obj: commands/signcrl.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi`
-
-pkcs7.o: commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.o -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.o `test -f 'commands/pkcs7.c' || echo '$(srcdir)/'`commands/pkcs7.c
-
-pkcs7.obj: commands/pkcs7.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.obj -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/pkcs7.c' object='pkcs7.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.obj `if test -f 'commands/pkcs7.c'; then $(CYGPATH_W) 'commands/pkcs7.c'; else $(CYGPATH_W) '$(srcdir)/commands/pkcs7.c'; fi`
-
-verify.o: commands/verify.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c
-
-verify.obj: commands/verify.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.obj -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/verify.Tpo $(DEPDIR)/verify.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='commands/verify.c' object='verify.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o verify.obj `if test -f 'commands/verify.c'; then $(CYGPATH_W) 'commands/verify.c'; else $(CYGPATH_W) '$(srcdir)/commands/verify.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
 clean-libtool:
 	-rm -rf .libs _libs
 
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-recursive
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
@@ -631,15 +667,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	      $$unique; \
 	  fi; \
 	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+ctags: ctags-recursive
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
 	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
 	     $$unique
@@ -648,6 +680,21 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-recursive
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -682,22 +729,48 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
-check: check-am
+check: check-recursive
 all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)"; do \
+installdirs: installdirs-recursive
+installdirs-am:
+	for dir in "$(DESTDIR)$(bindir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
@@ -715,96 +788,98 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f commands/$(DEPDIR)/$(am__dirstamp)
+	-rm -f commands/$(am__dirstamp)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
-clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
-	mostlyclean-am
+clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
 
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+distclean: distclean-recursive
+	-rm -rf ./$(DEPDIR) commands/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
-install-data-am: install-ipsecPROGRAMS
+install-data-am:
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
-install-exec-am:
+install-exec-am: install-binPROGRAMS
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+maintainer-clean: maintainer-clean-recursive
+	-rm -rf ./$(DEPDIR) commands/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
-uninstall-am: uninstall-ipsecPROGRAMS
+uninstall-am: uninstall-binPROGRAMS
 
-.MAKE: install-am install-strip
+.MAKE: $(am__recursive_targets) install-am install-strip
 
-.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-ipsecPROGRAMS clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+	check-am clean clean-binPROGRAMS clean-generic clean-libtool \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-binPROGRAMS install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-ipsecPROGRAMS
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-binPROGRAMS
 
 pki.o :	$(top_builddir)/config.status
 
diff --git a/src/pki/command.c b/src/pki/command.c
index a5e5b8528..984da59b4 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -258,6 +258,6 @@ int command_dispatch(int c, char *v[])
 			return cmds[i].call();
 		}
 	}
-	return command_usage("invalid operation");
+	return command_usage(c > 1 ? "invalid operation" : NULL);
 }
 
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index e3602f0c3..b74be7d98 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -151,7 +151,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
 		{"  [--type rsa|ecdsa] [--size bits] [--safe-primes]",
-		 "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
+		 "[--shares n] [--threshold l] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"type",		't', 1, "type of key, default: rsa"},
@@ -159,7 +159,7 @@ static void __attribute__ ((constructor))reg()
 			{"safe-primes", 'p', 0, "generate rsa safe primes"},
 			{"shares",		'n', 1, "number of private rsa key shares"},
 			{"threshold",	'l', 1, "minimum number of participating rsa key shares"},
-			{"outform",		'f', 1, "encoding of generated private key"},
+			{"outform",		'f', 1, "encoding of generated private key, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 5f098ba41..000f63d1a 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -380,9 +380,13 @@ static int issue()
 		}
 		else
 		{
+			chunk_t chunk;
+
+			chunk = chunk_from_fd(0);
 			cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
 										  CERT_PKCS10_REQUEST,
-										  BUILD_FROM_FD, 0, BUILD_END);
+										  BUILD_BLOB, chunk, BUILD_END);
+			free(chunk.ptr);
 		}
 		if (!cert_req)
 		{
@@ -419,8 +423,12 @@ static int issue()
 		}
 		else
 		{
+			chunk_t chunk;
+
+			chunk = chunk_from_fd(0);
 			public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
-										 BUILD_FROM_FD, 0, BUILD_END);
+										 BUILD_BLOB, chunk, BUILD_END);
+			free(chunk.ptr);
 		}
 	}
 	if (!public)
@@ -514,14 +522,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
+		{"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
-		 "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+",
-		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
-		 "[--nc-permitted name] [--nc-excluded name]",
-		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
-		 "[--policy-map issuer-oid:subject-oid]",
+		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
+		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+		 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
+		 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
+		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 6d2f7b915..353670e32 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -87,8 +87,12 @@ static int keyid()
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		cred = lib->creds->create(lib->creds, type, subtype,
-								  BUILD_FROM_FD, 0, BUILD_END);
+								  BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 	if (!cred)
 	{
diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c
index 790656c62..6c75693ab 100644
--- a/src/pki/commands/pkcs7.c
+++ b/src/pki/commands/pkcs7.c
@@ -445,8 +445,8 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
-		{"--sign | --verify | --encrypt | --decrypt",
-		 "--certificate+ [--key]"},
+		{"--sign|--verify|--encrypt|--decrypt|--show",
+		 "[--in file] [--cert file]+ [--key file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"sign",	's', 0, "create PKCS#7 signed-data"},
@@ -455,8 +455,8 @@ static void __attribute__ ((constructor))reg()
 			{"decrypt",	'd', 0, "decrypt PKCS#7 enveloped-data"},
 			{"show",	'p', 0, "show info about PKCS#7, print certificates"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"key",		'k', 1, "path to private key for sign/decryp"},
-			{"cert",	'c', 1, "path to certificate for sign/verify/encryp"},
+			{"key",		'k', 1, "path to private key for sign/decrypt"},
+			{"cert",	'c', 1, "path to certificate for sign/verify/encrypt"},
 		}
 	});
 }
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 90cf254c8..2261e44ff 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -338,7 +338,7 @@ static void print_crl(crl_t *crl)
 
 	if (crl->is_delta_crl(crl, &chunk))
 	{
-		chunk = chunk_skip_zero(chunk);		
+		chunk = chunk_skip_zero(chunk);
 		printf("delta CRL: for serial %#B\n", &chunk);
 	}
 	chunk = crl->get_authKeyIdentifier(crl);
@@ -508,8 +508,12 @@ static int print()
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		cred = lib->creds->create(lib->creds, type, subtype,
-								  BUILD_FROM_FD, 0, BUILD_END);
+								  BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 	if (!cred)
 	{
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 9912061f4..7f88055ef 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -51,6 +51,11 @@ static int pub()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "pub"))
+				{
+					type = CRED_PUBLIC_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pkcs10"))
 				{
 					type = CRED_CERTIFICATE;
@@ -96,13 +101,17 @@ static int pub()
 
 		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
 		cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
-									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+								  BUILD_PKCS11_KEYID, chunk, BUILD_END);
 		free(chunk.ptr);
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		cred = lib->creds->create(lib->creds, type, subtype,
-									 BUILD_FROM_FD, 0, BUILD_END);
+								  BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 
 	if (type == CRED_PRIVATE_KEY)
@@ -116,6 +125,15 @@ static int pub()
 		public = private->get_public_key(private);
 		private->destroy(private);
 	}
+	else if (type == CRED_PUBLIC_KEY)
+	{
+		public = cred;
+		if (!public)
+		{
+			fprintf(stderr, "parsing public key failed\n");
+			return 1;
+		}
+	}
 	else
 	{
 		cert = cred;
@@ -157,14 +175,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
-		 "[--outform der|pem|pgp|dnskey]"},
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|pub|pkcs10|x509]",
+		 "[--outform der|pem|dnskey|sshkey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
 			{"keyid",	'x', 1, "keyid on smartcard of private key"},
 			{"type",	't', 1, "type of credential, default: rsa"},
-			{"outform",	'f', 1, "encoding of extracted public key"},
+			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
 	});
 }
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index d90ddc251..628463e7b 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -116,8 +116,12 @@ static int req()
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-									 BUILD_FROM_FD, 0, BUILD_END);
+									 BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 	if (!private)
 	{
@@ -174,9 +178,8 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"[--in file] [--type rsa|ecdsa]",
-		 " --dn distinguished-name [--san subjectAltName]+",
-		 "[--password challengePassword]",
+		{"  [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 448360821..6bf0b1353 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -271,8 +271,12 @@ static int self()
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-									 BUILD_FROM_FD, 0, BUILD_END);
+									 BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 	if (!private)
 	{
@@ -378,14 +382,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{"[--in file | --keyid hex] [--type rsa|ecdsa]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
 		 "[--nc-permitted name] [--nc-excluded name]",
-		 "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
 		 "[--policy-map issuer-oid:subject-oid]",
 		 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
+		 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index f9746cca7..4f9dd291d 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -429,13 +429,13 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		sign_crl, 'c', "signcrl",
 		"issue a CRL using a CA certificate and key",
-		{"--cacert file --cakey file | --cakeyid hex --lifetime days",
-		 "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+",
-		 "[  [--reason key-compromise|ca-compromise|affiliation-changed|",
+		{"--cacert file --cakey file|--cakeyid hex [--lifetime days]",
+		 "  [--lastcrl crl] [--basecrl crl] [--crluri uri]+",
+		 "  [[--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
-		 "   [--date timestamp]",
-		 "    --cert file | --serial hex ]*",
-		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+		 "   [--date timestamp] --cert file|--serial hex]*",
+		 "  [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+		 "  [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"cacert",		'c', 1, "CA certificate file"},
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 3e983d3ec..96b2b5065 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -55,8 +55,12 @@ static int verify()
 	}
 	else
 	{
+		chunk_t chunk;
+
+		chunk = chunk_from_fd(0);
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
-								  BUILD_FROM_FD, 0, BUILD_END);
+								  BUILD_BLOB, chunk, BUILD_END);
+		free(chunk.ptr);
 	}
 	if (!cert)
 	{
@@ -125,7 +129,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		verify, 'v', "verify",
 		"verify a certificate using the CA certificate",
-		{"[--in file] [--ca file]"},
+		{"[--in file] [--cacert file]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "X.509 certificate to verify, default: stdin"},
@@ -133,4 +137,3 @@ static void __attribute__ ((constructor))reg()
 		}
 	});
 }
-
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
new file mode 100644
index 000000000..618bd4093
--- /dev/null
+++ b/src/pki/man/Makefile.am
@@ -0,0 +1,14 @@
+man1_MANS = \
+	pki.1 \
+	pki---gen.1 \
+	pki---self.1 \
+	pki---issue.1 \
+	pki---signcrl.1 \
+	pki---req.1 \
+	pki---pkcs7.1 \
+	pki---keyid.1 \
+	pki---print.1 \
+	pki---pub.1 \
+	pki---verify.1
+
+CLEANFILES = $(man1_MANS)
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
new file mode 100644
index 000000000..ecba4a9b3
--- /dev/null
+++ b/src/pki/man/Makefile.in
@@ -0,0 +1,637 @@
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/pki/man
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \
+	$(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \
+	$(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
+	$(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
+	$(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
+	$(srcdir)/pki---verify.1.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
+	pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
+	pki---self.1 pki---signcrl.1 pki---verify.1
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+man1dir = $(mandir)/man1
+am__installdirs = "$(DESTDIR)$(man1dir)"
+NROFF = nroff
+MANS = $(man1_MANS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+man1_MANS = \
+	pki.1 \
+	pki---gen.1 \
+	pki---self.1 \
+	pki---issue.1 \
+	pki---signcrl.1 \
+	pki---req.1 \
+	pki---pkcs7.1 \
+	pki---keyid.1 \
+	pki---print.1 \
+	pki---pub.1 \
+	pki---verify.1
+
+CLEANFILES = $(man1_MANS)
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pki/man/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/pki/man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+pki.1: $(top_builddir)/config.status $(srcdir)/pki.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---gen.1: $(top_builddir)/config.status $(srcdir)/pki---gen.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---issue.1: $(top_builddir)/config.status $(srcdir)/pki---issue.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---req.1: $(top_builddir)/config.status $(srcdir)/pki---req.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in
+	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man1: $(man1_MANS)
+	@$(NORMAL_INSTALL)
+	@list1='$(man1_MANS)'; \
+	list2=''; \
+	test -n "$(man1dir)" \
+	  && test -n "`echo $$list1$$list2`" \
+	  || exit 0; \
+	echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
+	$(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
+	{ for i in $$list1; do echo "$$i"; done;  \
+	if test -n "$$list2"; then \
+	  for i in $$list2; do echo "$$i"; done \
+	    | sed -n '/\.1[a-z]*$$/p'; \
+	fi; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man1:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man1_MANS)'; test -n "$(man1dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(man1dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man1
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man1
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-man1 install-pdf install-pdf-am install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+	ps ps-am tags-am uninstall uninstall-am uninstall-man \
+	uninstall-man1
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
new file mode 100644
index 000000000..138ab6122
--- /dev/null
+++ b/src/pki/man/pki---gen.1.in
@@ -0,0 +1,112 @@
+.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-gen \- Generate a new RSA or ECDSA private key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-gen
+.OP \-\-type type
+.OP \-\-size bits
+.OP \-\-safe\-primes
+.OP \-\-shares n
+.OP \-\-threshold l
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-gen
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-gen"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to generate a new RSA or ECDSA private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-s, \-\-size " bits
+Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
+For \fIecdsa\fR only three values are currently supported: 256, 384 and 521.
+.TP
+.BI "\-p, \-\-safe\-primes"
+Generate RSA safe primes.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the generated private key. Either \fIder\fR (ASN.1 DER) or \fIpem\fR
+(Base64 PEM), defaults
+to \fIder\fR.
+.PP
+.SS "RSA Threshold Cryptography"
+.TP
+.BI "\-n, \-\-shares " <n>
+Number of private RSA key shares.
+.TP
+.BI "\-l, \-\-threshold " <l>
+Minimum number of participating RSA key shares.
+.
+.SH "PROBLEMS ON HOSTS WITH LOW ENTROPY"
+.
+If the
+.I gmp
+plugin is used to generate RSA private keys the key material is read from
+.I /dev/random
+(via the
+.I random
+plugin). Therefore, the command may block if the system's entropy pool is empty.
+To avoid this, either use a hardware random number generator to feed
+.I /dev/random
+or use OpenSSL (via the
+.I openssl
+plugin or the command line) which is not as strict in regards to the quality of
+the key material (it reads from
+.I /dev/urandom
+if necessary). It is also possible to configure the devices used by the
+.I random
+plugin in
+.BR strongswan.conf (5).
+Setting
+.B libstrongswan.plugins.random.random
+to
+.I /dev/urandom
+forces the plugin to treat bytes read from
+.I /dev/urandom
+as high grade random data, thus avoiding the blocking. Of
+course, this doesn't change the fact that the key material generated this way is
+of lower quality.
+.
+.SH "EXAMPLES"
+.
+.TP
+.B pki \-\-gen \-\-size 3072 > rsa_key.der
+Generates a 3072-bit RSA private key.
+.
+.TP
+.B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
+Generates a 256-bit ECDSA private key.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
new file mode 100644
index 000000000..9effd9b15
--- /dev/null
+++ b/src/pki/man/pki---issue.1.in
@@ -0,0 +1,179 @@
+.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-issue \- Issue a certificate using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-issue
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-dn subject-dn
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-issue
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-issue"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a certificate using a CA certificate and private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Public key or PKCS#10 certificate request file to issue. If not given the
+key/request is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a
+PKCS#10 certificate request, defaults to \fIpub\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-d, \-\-dn " subject-dn
+Subject distinguished name (DN) of the issued certificate.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-u, \-\-crl " uri
+CRL distribution point URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-I, \-\-crlissuer " issuer
+Optional CRL issuer for the CRL at the preceding distribution point.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I pki.opt
+contains the following contents:
+.PP
+.EX
+  --cacert ca_cert.der --cakey ca_key.der --digest sha256
+  --flag serverAuth --lifetime 1460 --type pkcs10
+.EE
+.PP
+Then the following command can be used to issue a certificate based on a
+given PKCS#10 certificate request and the options above:
+.PP
+.EX
+  pki --issue --options pki.opt --in req.der > cert.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
new file mode 100644
index 000000000..490f7afea
--- /dev/null
+++ b/src/pki/man/pki---keyid.1.in
@@ -0,0 +1,72 @@
+.TH "PKI \-\-KEYID" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-keyid \- Calculate key identifiers of a key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-keyid
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-keyid
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-keyid"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+calculates key identifiers of private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
+request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+.
+.SH "EXAMPLES"
+.
+Calculate key identifiers of an RSA private key:
+.PP
+.EX
+  pki --keyid --in key.der
+  subjectKeyIdentifier:      6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+  subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+Calculate key identifiers of an X.509 certificate:
+.PP
+.EX
+  pki --keyid --in cert.der --type x509
+  subjectKeyIdentifier:      6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+  subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---pkcs7.1.in b/src/pki/man/pki---pkcs7.1.in
new file mode 100644
index 000000000..38186cf70
--- /dev/null
+++ b/src/pki/man/pki---pkcs7.1.in
@@ -0,0 +1,79 @@
+.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pkcs7 \- Provides PKCS#7 wrap/unwrap functions
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pkcs7
+.BR \-\-sign | \-\-verify | \-\-encrypt | \-\-decrypt | \-\-show
+.OP \-\-in file
+.OP \-\-cert file
+.OP \-\-key file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs7
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pkcs7"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+provides functions to wrap/unwrap PKCS#7 containers.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-s, \-\-sign"
+Create PKCS#7 signed-data.
+.TP
+.BI "\-u, \-\-verify"
+Verify PKCS#7 signed-data.
+.TP
+.BI "\-e, \-\-encrypt"
+Create PKCS#7 enveloped-data.
+.TP
+.BI "\-e, \-\-decrypt"
+Decrypt PKCS#7 enveloped-data.
+.TP
+.BI "\-p, \-\-show"
+Show information about PKCS#7 container, list certificates.
+.TP
+.BI "\-i, \-\-in " file
+PKCS#7 input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-k, \-\-key " file
+Private key used for
+.B \-\-sign
+and
+.BR \-\-decrypt.
+.TP
+.BI "\-c, \-\-cert " file
+Certificate for
+.BR \-\-sign ,
+.B \-\-verify
+and
+.BR \-\-encrypt.
+Can be used multiple times.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
new file mode 100644
index 000000000..8d3345edc
--- /dev/null
+++ b/src/pki/man/pki---print.1.in
@@ -0,0 +1,53 @@
+.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-print \- Print a credential (key, certificate etc.) in human readable form
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-print
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-print
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-print"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+prints credentials (keys, certificates etc.) in human readable form.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
+(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
new file mode 100644
index 000000000..c57e03a40
--- /dev/null
+++ b/src/pki/man/pki---pub.1.in
@@ -0,0 +1,77 @@
+.TH "PKI \-\-PUB" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pub \- Extract a public key from a private key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pub
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type type
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pub
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pub"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+extracts public keys from a private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
+private key), \fIpub\fR (public key),
+\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
+defaults to \fIrsa\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
+(Base64 PEM), \fIdnskey\fR (RFC 3110 DNS key), or \fIsshkey\fR (RFC 4253 SSH
+key), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Extract the public key from an RSA private key:
+.PP
+.EX
+  pki --pub --in key.der > pub.der
+.EE
+.PP
+Extract the public key from an X.509 certificate:
+.PP
+.EX
+  pki --pub --in cert.der --type x509 > pub.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
new file mode 100644
index 000000000..ab144ce2a
--- /dev/null
+++ b/src/pki/man/pki---req.1.in
@@ -0,0 +1,91 @@
+.TH "PKI \-\-REQ" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-req \- Create a PKCS#10 certificate request
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-req
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-password password
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-req
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-req"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a PKCS#10 certificate request.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in request. Can be used multiple times.
+.TP
+.BI "\-p, \-\-password " password
+The challengePassword to include in the certificate request.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Generate a certificate request for an RSA key, with a subjectAltName extension:
+.PP
+.EX
+  pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+       \-\-san moon@strongswan.org > req.der
+.EE
+.PP
+Generate a certificate request for an ECDSA key and a different digest:
+.PP
+.EX
+  pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
+      \-\-dn "C=CH, O=strongSwan, CN=carol"  > req.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
new file mode 100644
index 000000000..ee42cf9a0
--- /dev/null
+++ b/src/pki/man/pki---self.1.in
@@ -0,0 +1,148 @@
+.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-self \- Create a self-signed certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-self
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type t
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-self
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-self"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a self-signed certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-x, \-\-keyid " hex
+Key ID of a private key on a smartcard.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject and issuer distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+Generate a self-signed certificate using the given RSA key:
+.PP
+.EX
+  pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+      \-\-san moon.strongswan.org > cert.der
+.EE
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
new file mode 100644
index 000000000..6ba96f6bc
--- /dev/null
+++ b/src/pki/man/pki---signcrl.1.in
@@ -0,0 +1,124 @@
+.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
new file mode 100644
index 000000000..de34acad4
--- /dev/null
+++ b/src/pki/man/pki---verify.1.in
@@ -0,0 +1,56 @@
+.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-verify \- Verify a certificate using a CA certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-verify
+.OP \-\-in file
+.OP \-\-cacert file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-verify
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-verify"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+verifies a certificate using an optional CA certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate to use. If not given the certificate is assumed to be
+self-signed.
+.
+.SH "EXIT STATUS"
+The exit status is 0 if the certificate was verified successfully, and 2 if
+the verification failed.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
+\ No newline at end of file
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
new file mode 100644
index 000000000..8dfc53af3
--- /dev/null
+++ b/src/pki/man/pki.1.in
@@ -0,0 +1,156 @@
+.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \- Simple public key infrastructure (PKI) management tool
+.
+.SH "SYNOPSIS"
+.
+.SY "pki"
+.I command
+.RI [ option\~ .\|.\|.]
+.YS
+.
+.SY "pki"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B pki
+is a suite of commands that allow you to manage a simple public key
+infrastructure (PKI).
+.P
+Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
+containing subjectAltNames, create X.509 self-signed end-entity and root CA
+certificates, issue end-entity and intermediate CA certificates signed by the
+private key of a CA and containing subjectAltNames, CRL distribution points
+and URIs of OCSP servers. You can also extract raw public keys from private
+keys, certificate requests and certificates and compute two kinds of SHA-1-based
+key IDs.
+.
+.SH "COMMANDS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.B "\-g, \-\-gen"
+Generate a new private key.
+.TP
+.B "\-s, \-\-self"
+Create a self-signed certificate.
+.TP
+.B "\-i, \-\-issue"
+Issue a certificate using a CA certificate and key.
+.TP
+.B "\-c, \-\-signcrl"
+Issue a CRL using a CA certificate and key.
+.TP
+.B "\-r, \-\-req"
+Create a PKCS#10 certificate request.
+.TP
+.B "\-7, \-\-pkcs7"
+Provides PKCS#7 wrap/unwrap functions.
+.TP
+.B "\-k, \-\-keyid"
+Calculate key identifiers of a key or certificate.
+.TP
+.B "\-a, \-\-print"
+Print a credential (key, certificate etc.) in human readable form.
+.TP
+.B "\-p, \-\-pub"
+Extract a public key from a private key or certificate.
+.TP
+.B "\-v, \-\-verify"
+Verify a certificate using a CA certificate.
+.
+.SH "EXAMPLES"
+.
+.SS "Generating a CA Certificate"
+.
+The first step is to generate a private key using the
+.B \-\-gen
+command. By default this generates a 2048-bit RSA key.
+.PP
+.EX
+  pki \-\-gen > ca_key.der
+.EE
+.PP
+This key is used to create the self-signed CA certificate, using the
+.B \-\-self
+command. The distinguished name should be adjusted to your needs.
+.PP
+.EX
+  pki \-\-self \-\-ca \-\-in ca_key.der \\
+      \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
+.EE
+.PP
+.
+.SS "Generating End-Entity Certificates"
+.
+With the root CA certificate and key at hand end-entity certificates for clients
+and servers can be issued. Similarly intermediate CA certificates can be issued,
+which in turn can issue other certificates.
+To generate a certificate for a server, we start by generating a private key.
+.PP
+.EX
+  pki \-\-gen > server_key.der
+.EE
+.PP
+The public key will be included in the certificate so lets extract that from the
+private key.
+.PP
+.EX
+  pki \-\-pub \-\-in server_key.der > server_pub.der
+.EE
+.PP
+The following command will use the CA certificate and private key to issue the
+certificate for this server. Adjust the distinguished name, subjectAltName(s)
+and flags as needed (check
+.BR pki\ \-\-issue (8)
+for more options).
+.PP
+.EX
+  pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
+      \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
+      \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
+.EE
+.PP
+Instead of storing the public key in a separate
+file, the output of
+.B \-\-pub
+may also be piped directly into the above command.
+.
+.SS "Generating Certificate Revocation Lists (CRL)"
+.
+If end-entity certificates have to be revoked, CRLs may be generated using
+the
+.B \-\-signcrl
+command.
+.PP
+.EX
+  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+      \-\-reason superseded \-\-cert server_cert.der > crl.der
+.EE
+.PP
+The certificate given with \-\-cacert must be either a CA certificate or a
+certificate with the
+.I crlSign
+extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
+certificates with the \-\-crl option.
+.
+.SH "SEE ALSO"
+.
+.BR pki\ \-\-gen (1),
+.BR pki\ \-\-self (1),
+.BR pki\ \-\-issue (1),
+.BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-req (1),
+.BR pki\ \-\-pkcs7 (1),
+.BR pki\ \-\-keyid (1),
+.BR pki\ \-\-print (1),
+.BR pki\ \-\-pub (1),
+.BR pki\ \-\-verify (1)
diff --git a/src/pki/pki.c b/src/pki/pki.c
index c3039a649..ecc0702cd 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -81,7 +81,18 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type)
 		switch (type)
 		{
 			case CRED_PUBLIC_KEY:
-				*enc =PUBKEY_DNSKEY;
+				*enc = PUBKEY_DNSKEY;
+				return TRUE;
+			default:
+				return FALSE;
+		}
+	}
+	else if (streq(form, "sshkey"))
+	{
+		switch (type)
+		{
+			case CRED_PUBLIC_KEY:
+				*enc = PUBKEY_SSHKEY;
 				return TRUE;
 			default:
 				return FALSE;