From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 14 May 2020 14:15:17 -0400
Subject: [PATCH 42/43] Add long command-line options to man pages
The man pages almost universally only documented the short
options even though the long options were all defined in
the popt configuration.
Also do a minor bit of reformatting and add a lint
option. I'm not going to require mandoc as a requirement as
the linting is pretty minor at the moment but it's better than
nothing.
https://bugzilla.redhat.com/show_bug.cgi?id=1782838
---
 src/Makefile.am                               |   6 +
 src/certmaster-getcert.1.in                   |  72 ++---
 src/certmonger-certmaster-submit.8.in         |  59 ++--
 ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++-------
 src/certmonger-dogtag-submit.8.in             | 252 ++++++++-------
 src/certmonger-ipa-submit.8.in                | 115 ++++---
 src/certmonger-local-submit.8.in              |  62 ++--
 src/certmonger-scep-submit.8.in               | 124 ++++----
 src/certmonger.8.in                           |  86 +++---
 src/certmonger.conf.5.in                      |  20 +-
 src/getcert-add-ca.1.in                       |  48 +--
 src/getcert-add-scep-ca.1.in                  |  80 ++---
 src/getcert-list-cas.1.in                     |  44 +--
 src/getcert-list.1.in                         |  84 ++---
 src/getcert-modify-ca.1.in                    |  46 +--
 src/getcert-refresh-ca.1.in                   |  50 +--
 src/getcert-refresh.1.in                      |  52 ++--
 src/getcert-rekey.1.in                        | 107 ++++---
 src/getcert-remove-ca.1.in                    |  44 +--
 src/getcert-request.1.in                      | 157 ++++++----
 src/getcert-resubmit.1.in                     | 112 ++++---
 src/getcert-start-tracking.1.in               | 134 ++++----
 src/getcert-status.1.in                       |  54 ++--
 src/getcert-stop-tracking.1.in                |  65 ++--
 src/getcert.1.in                              |  54 ++--
 src/ipa-getcert.1.in                          |  74 ++---
 src/local-getcert.1.in                        |  76 ++---
 src/selfsign-getcert.1.in                     |  74 ++---
 28 files changed, 1321 insertions(+), 1118 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
5e5f7c
index fe3b235..5343dbc 100644
5e5f7c
--- a/src/Makefile.am
5e5f7c
+++ b/src/Makefile.am
5e5f7c
@@ -266,3 +266,9 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN
5e5f7c
 submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h
5e5f7c
 submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \
5e5f7c
 		 $(POPT_LIBS)
5e5f7c
+
5e5f7c
+.PHONY: manlint
5e5f7c
+manlint: $(man_MANS)
5e5f7c
+	for page in $(MANS); do \
5e5f7c
+		mandoc -T lint $${page}; \
5e5f7c
+	done
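Review bot: The `manlint` recipe reports only the exit status of the last `mandoc` call, because a shell `for` loop returns the status of its final command; a non-zero result on any earlier page still leaves the target successful. Track the failure explicitly so that every page is linted and the target fails if any page does: `rc=0; for page in $(MANS); do \`, `mandoc -T lint $${page} || rc=1; \`, `done; exit $$rc`. The prerequisite list is `$(man_MANS)` while the loop iterates `$(MANS)`; using the same variable in both places would keep the linted set identical to the set the rule depends on. A one-line comment above the target, such as `# Optional: requires mandoc; not a build dependency`, would record what the commit message says about the tool being optional.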
5e5f7c
diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in
5e5f7c
index ef1c14a..7a038f9 100644
5e5f7c
--- a/src/certmaster-getcert.1.in
5e5f7c
+++ b/src/certmaster-getcert.1.in
5e5f7c
@@ -1,20 +1,20 @@
5e5f7c
-.TH certmonger 1 "23 November 2009" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-certmaster-getcert
5e5f7c
+certmaster\-getcert
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
- certmaster-getcert request [options]
5e5f7c
- certmaster-getcert resubmit [options]
5e5f7c
- certmaster-getcert start-tracking [options]
5e5f7c
- certmaster-getcert status [options]
5e5f7c
- certmaster-getcert stop-tracking [options]
5e5f7c
- certmaster-getcert list [options]
5e5f7c
- certmaster-getcert list-cas [options]
5e5f7c
- certmaster-getcert refresh-cas [options]
5e5f7c
+ certmaster\-getcert request [options]
5e5f7c
+ certmaster\-getcert resubmit [options]
5e5f7c
+ certmaster\-getcert start\-tracking [options]
5e5f7c
+ certmaster\-getcert status [options]
5e5f7c
+ certmaster\-getcert stop\-tracking [options]
5e5f7c
+ certmaster\-getcert list [options]
5e5f7c
+ certmaster\-getcert list\-cas [options]
5e5f7c
+ certmaster\-getcert refresh\-cas [options]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@
5e5f7c
+The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
5e5f7c
 service on behalf of the invoking user.  It can ask the service to begin
5e5f7c
 enrollment, optionally generating a key pair to use, it can ask the
5e5f7c
 service to begin monitoring a certificate in a specified location for
5e5f7c
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
5e5f7c
 list the set of certificates that the service is already monitoring, or
5e5f7c
 it can list the set of CAs that the service is capable of using.
5e5f7c
 
5e5f7c
-If no command is given as the first command-line argument,
5e5f7c
-\fIcertmaster-getcert\fR will print short usage information for each of
5e5f7c
+If no command is given as the first command\-line argument,
5e5f7c
+\fIcertmaster\-getcert\fR will print short usage information for each of
5e5f7c
 its functions.
5e5f7c
 
5e5f7c
-The \fIcertmaster-getcert\fR tool behaves identically to the generic
5e5f7c
-\fIgetcert\fR tool when it is used with the \fB-c
5e5f7c
+The \fIcertmaster\-getcert\fR tool behaves identically to the generic
5e5f7c
+\fIgetcert\fR tool when it is used with the \fB\-c
5e5f7c
 \fI@CM_CERTMASTER_CA_NAME@\fR option.
5e5f7c
 
5e5f7c
 There is no standard authenticated method for obtaining the root certificate
5e5f7c
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
5e5f7c
-information from them.  While the \fB-F\fR and \fB-a\fR options will still
5e5f7c
+information from them.  While the \fB\-F\fR and \fB\-a\fR options will still
5e5f7c
 be recognized, they will effectively be ignored.
5e5f7c
 
5e5f7c
 .SH BUGS
5e5f7c
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-request\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in
5e5f7c
index aec8b83..e3e990f 100644
5e5f7c
--- a/src/certmonger-certmaster-submit.8.in
5e5f7c
+++ b/src/certmonger-certmaster-submit.8.in
5e5f7c
@@ -1,17 +1,17 @@
5e5f7c
-.TH certmonger 8 "7 June 2010" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-certmaster-submit
5e5f7c
+certmaster\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]
5e5f7c
+certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make
5e5f7c
-requests to certmaster-based CAs.  It is not normally run interactively,
5e5f7c
+\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make
5e5f7c
+requests to certmaster\-based CAs.  It is not normally run interactively,
5e5f7c
 but it can be for troubleshooting purposes.  The signing request which is
5e5f7c
 to be submitted should either be in a file whose name is given as an argument,
5e5f7c
-or fed into \fIcertmaster-submit\fR via stdin.
5e5f7c
+or fed into \fIcertmaster\-submit\fR via stdin.
5e5f7c
 
5e5f7c
 There is no standard authenticated method for obtaining the root certificate
5e5f7c
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
5e5f7c
@@ -19,21 +19,24 @@ information from them.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-h\fR serverHost
5e5f7c
+\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR
5e5f7c
 Submit the request to the certmaster instance running on the named host.  The
5e5f7c
 default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR
5e5f7c
 is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR
5e5f7c
 if that file is not found.
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR cafile
5e5f7c
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
5e5f7c
 Submit the request over HTTPS instead of HTTP, and only trust the server
5e5f7c
 if its certificate was issued by the CA whose certificate is in the named file.
5e5f7c
 .TP
5e5f7c
-\fB\-C\fR capath
5e5f7c
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
5e5f7c
 Submit the request over HTTPS instead of HTTP, and only trust the server
5e5f7c
 if its certificate was issued by a CA whose certificate is in a file in
5e5f7c
 the named directory.
5e5f7c
-
5e5f7c
+.TP
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
+Be verbose about errors.  Normally, the details of an error received from
5e5f7c
+the daemon will be suppressed if the client can make a diagnostic suggestion.
5e5f7c
 .SH EXIT STATUS
5e5f7c
 .TP
5e5f7c
 0
5e5f7c
@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
5e5f7c
index 84c8b0d..33e0648 100644
5e5f7c
--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
5e5f7c
+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
5e5f7c
@@ -1,44 +1,51 @@
5e5f7c
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-dogtag-ipa-renew-agent-submit
5e5f7c
+dogtag\-ipa\-renew\-agent\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
5e5f7c
-[-d dbdir]
5e5f7c
-[-n nickname]
5e5f7c
-[-i cainfo]
5e5f7c
-[-C capath]
5e5f7c
-[-c certfile]
5e5f7c
-[-k keyfile]
5e5f7c
-[-p pinfile]
5e5f7c
-[-P pin]
5e5f7c
-[-s serial (hex)]
5e5f7c
-[-D serial (decimal)]
5e5f7c
-[-S state]
5e5f7c
-[-T profile]
5e5f7c
-[-O param=value]
5e5f7c
-[-N | -R]
5e5f7c
-[-t]
5e5f7c
-[-o option=value]
5e5f7c
-[-v]
5e5f7c
+dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL
5e5f7c
+[\-d dbdir]
5e5f7c
+[\-n nickname]
5e5f7c
+[\-i cainfo]
5e5f7c
+[\-C capath]
5e5f7c
+[\-c certfile]
5e5f7c
+[\-k keyfile]
5e5f7c
+[\-p pinfile]
5e5f7c
+[\-P pin]
5e5f7c
+[\-s serial (hex)]
5e5f7c
+[\-D serial (decimal)]
5e5f7c
+[\-S state]
5e5f7c
+[\-T profile]
5e5f7c
+[\-O param=value]
5e5f7c
+[\-N | \-R]
5e5f7c
+[\-t]
5e5f7c
+[\-o option=value]
5e5f7c
+[\-a]
5e5f7c
+[\-u uid]
5e5f7c
+[\-U udn]
5e5f7c
+[\-W pwd]
5e5f7c
+[\-w pwdfile]
5e5f7c
+[\-Y pin]
5e5f7c
+[\-y pinfile]
5e5f7c
 [csrfile]
5e5f7c
 
5e5f7c
+
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses
5e5f7c
+\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses
5e5f7c
 to make certificate renewal requests to Dogtag instances running on IPA
5e5f7c
 servers.  It is not normally run interactively, but it can be for
5e5f7c
 troubleshooting purposes.
5e5f7c
 
5e5f7c
-The preferred option is to request a renewal of an already-issued certificate,
5e5f7c
-using its serial number, which can be read from a PEM-formatted certificate
5e5f7c
+The preferred option is to request a renewal of an already\-issued certificate,
5e5f7c
+using its serial number, which can be read from a PEM\-formatted certificate
5e5f7c
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
5e5f7c
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
5e5f7c
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
5e5f7c
 provided, then the client will attempt to obtain a new certificate by
5e5f7c
 submitting a signing request to the CA.
5e5f7c
 
5e5f7c
 The signing request which is to be submitted should either be in a file whose
5e5f7c
-name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR
5e5f7c
+name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR
5e5f7c
 via stdin.
5e5f7c
 
5e5f7c
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
5e5f7c
@@ -46,8 +53,8 @@ CAs.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-E\fR EE-URL
5e5f7c
-The top-level URL for the end-entity interface provided by the CA.  In IPA
5e5f7c
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
5e5f7c
+The top\-level URL for the end\-entity interface provided by the CA.  In IPA
5e5f7c
 installations, this is typically
5e5f7c
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
5e5f7c
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
5e5f7c
@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the
5e5f7c
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will
5e5f7c
 be set to 8080.  Otherwise it will be 9180.
5e5f7c
 .TP
5e5f7c
-\fB\-A\fR AGENT-URL
5e5f7c
-The top-level URL for the agent interface provided by the CA.  In IPA
5e5f7c
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
5e5f7c
+The top\-level URL for the agent interface provided by the CA.  In IPA
5e5f7c
 installations, this is typically
5e5f7c
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
5e5f7c
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
5e5f7c
@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the
5e5f7c
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will
5e5f7c
 be set to 8443.  Otherwise it will be 9443.
5e5f7c
 .TP
5e5f7c
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
5e5f7c
-The location of the key and certificate which the client should use to
5e5f7c
-authenticate to the CA's agent interface.  Exactly which values are
5e5f7c
-meaningful depend on which cryptography library your copy of libcurl was
5e5f7c
-linked with.
5e5f7c
-
5e5f7c
-If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,
5e5f7c
-\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is
5e5f7c
-used:
5e5f7c
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
5e5f7c
- \fB-d\fR \fI/etc/httpd/alias\fR
5e5f7c
- \fB-n\fR \fIipaCert\fR
5e5f7c
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
5e5f7c
-.TP
5e5f7c
-\fB\-p\fR pinfile
5e5f7c
-The name of a file which contains a PIN/password which will be needed in
5e5f7c
-order to make use of the agent credentials.
5e5f7c
-
5e5f7c
-If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,
5e5f7c
-\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set
5e5f7c
-of defaults is used:
5e5f7c
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
5e5f7c
- \fB-d\fR \fI/etc/httpd/alias\fR
5e5f7c
- \fB-n\fR \fIipaCert\fR
5e5f7c
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
5e5f7c
-.TP
5e5f7c
-\fB\-i\fR cainfo \fB\-C\fR capath
5e5f7c
+\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR
5e5f7c
 The location of a file containing a copy of the CA's certificate, against which
5e5f7c
-the CA server's certificate will be verified, or a directory containing, among
5e5f7c
-other things, such a file.
5e5f7c
-
5e5f7c
-If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,
5e5f7c
-\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set
5e5f7c
-of defaults is used:
5e5f7c
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
5e5f7c
- \fB-d\fR \fI/etc/httpd/alias\fR
5e5f7c
- \fB-n\fR \fIipaCert\fR
5e5f7c
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
5e5f7c
-.TP
5e5f7c
-\fB-s\fR serial
5e5f7c
-The serial number of an already-issued certificate for which the client should
5e5f7c
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
5e5f7c
+the CA server's certificate will be verified. The default is
5e5f7c
+\fB/etc/ipa/ca.crt\fR.
5e5f7c
+.TP
5e5f7c
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
5e5f7c
+The location of a directory containing a copy of the CA's certificate,
5e5f7c
+against which the CA server's certificate will be verified.
5e5f7c
+.TP
5e5f7c
+\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
5e5f7c
+The serial number of an already\-issued certificate for which the client should
5e5f7c
+attempt to obtain a new certificate, in hexidecimal form, if one can not be
5e5f7c
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
5e5f7c
 .TP
5e5f7c
-\fB-D\fR serial
5e5f7c
-The serial number of an already-issued certificate for which the client should
5e5f7c
+\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB
5e5f7c
+The serial number of an already\-issued certificate for which the client should
5e5f7c
 attempt to obtain a new certificate, in decimal form, if one can not be
5e5f7c
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
5e5f7c
 .TP
5e5f7c
-\fB-S\fR state
5e5f7c
+\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR
5e5f7c
 A cookie value provided by a previous instance of this helper, if the helper
5e5f7c
-is being asked to continue a multi-step enrollment process.  If the
5e5f7c
+is being asked to continue a multi\-step enrollment process.  If the
5e5f7c
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
5e5f7c
 .TP
5e5f7c
-\fB-T\fR profile/template
5e5f7c
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
5e5f7c
 The name of the type of certificate which the client should request from the CA
5e5f7c
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
5e5f7c
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
5e5f7c
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
5e5f7c
 Otherwise, the default value is \fBcaServerCert\fP.
5e5f7c
 .TP
5e5f7c
-\fB-O\fR param=value
5e5f7c
+\fB\-t\fR, \fB\-\-profile\-list\fR
5e5f7c
+Instead of attempting to obtain a new certificate, query the server for a list
5e5f7c
+of the enabled enrollment profiles.
5e5f7c
+.TP
5e5f7c
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR
5e5f7c
 An additional parameter to pass to the server when approving the signing
5e5f7c
-request using the agent's credentials.  By default, any server-supplied default
5e5f7c
+request using the agent's credentials.  By default, any server\-supplied default
5e5f7c
 settings are applied.  This option can be used either to override a
5e5f7c
-server-supplied default setting, or to supply one which would otherwise have
5e5f7c
+server\-supplied default setting, or to supply one which would otherwise have
5e5f7c
 not been used.
5e5f7c
 .TP
5e5f7c
-\fB-N\fR
5e5f7c
-Even if an already-issued certificate is available in the
5e5f7c
+\fB\-N\fR, \fB\-\-force\-new\fR
5e5f7c
+Even if an already\-issued certificate is available in the
5e5f7c
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
5e5f7c
 provided, don't attempt to renew a certificate using its serial number.
5e5f7c
 Instead, attempt to obtain a new certificate using the signing request.
5e5f7c
 The default behavior is to request a renewal if possible.
5e5f7c
 .TP
5e5f7c
-\fB-R\fR
5e5f7c
-Negates the effect of the \fB-N\fR flag.
5e5f7c
-.TP
5e5f7c
-\fB-t\fR
5e5f7c
-Instead of attempting to obtain a new certificate, query the server for a list
5e5f7c
-of the enabled enrollment profiles.
5e5f7c
+\fB\-R\fR, \fB\-\-force\-renew\fR
5e5f7c
+Negates the effect of the \fB\-N\fR flag.
5e5f7c
 .TP
5e5f7c
-\fB-o\fR param=value
5e5f7c
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
5e5f7c
 When initially submitting a request to the CA, add the specified parameter and
5e5f7c
 value along with any request parameters which would otherwise be sent.  This
5e5f7c
 option is not typically used.
5e5f7c
 .TP
5e5f7c
-\fB-v\fR
5e5f7c
+\fB\-a\fR, \fB\-\-agent\-submit\fR
5e5f7c
+Use agent credentials, specified using some combination of the \fB\-d\fR,
5e5f7c
+\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
5e5f7c
+initially submitting a request to the CA or retrieving the list of enabled
5e5f7c
+enrollment profiles.
5e5f7c
+This is typically required when the enrollment profile being used uses
5e5f7c
+\fIAgentCertAuth\fR\-based
5e5f7c
+authentication,
5e5f7c
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
5e5f7c
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
5e5f7c
+.TP
5e5f7c
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
5e5f7c
+When initially submitting a request to the CA, supply the specified value as a user name.
5e5f7c
+This is typically required when the enrollment profile being used uses
5e5f7c
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
5e5f7c
+authentication..TP
5e5f7c
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
5e5f7c
+When initially submitting a request to the CA, supply the specified value as the DN
5e5f7c
+(distinguished name) of the user's entry in a directory server which the CA is
5e5f7c
+configured to use for checking the user's password.
5e5f7c
+This is typically required when the enrollment profile being used uses
5e5f7c
+\fIUdnPwdDirAuth\fR\-based
5e5f7c
+authentication.
5e5f7c
+.TP
5e5f7c
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
5e5f7c
+When initially submitting a request to the CA, supply the specified value as the password
5e5f7c
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
5e5f7c
+specified with the \fB\-U\fR option.
5e5f7c
+This is typically only required when the enrollment profile being used uses
5e5f7c
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
5e5f7c
+authentication.
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
+will not be encrypted.
5e5f7c
+.TP
5e5f7c
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
5e5f7c
+When initially submitting a request to the CA, read from the specified file a
5e5f7c
+password to supply for the user whose name is specified with the \fB\-u\fR
5e5f7c
+option, or whose DN is specified with the \fB\-U\fR option.
5e5f7c
+This is typically only required when the enrollment profile being used uses
5e5f7c
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
5e5f7c
+authentication.
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
+will not be encrypted.
5e5f7c
+.TP
5e5f7c
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
5e5f7c
+When initially submitting a request to the CA, supply the specified value as the PIN
5e5f7c
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
5e5f7c
+specified with the \fB\-U\fR option.
5e5f7c
+This is typically only required when the enrollment profile being used uses
5e5f7c
+\fIUidPwdPinDirAuth\fR\-based
5e5f7c
+authentication.
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
+will not be encrypted.
5e5f7c
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
5e5f7c
+When initially submitting a request to the CA, read from the specified file a
5e5f7c
+PIN to supply for the user whose name is specified with the \fB\-u\fR
5e5f7c
+option, or whose DN is specified with the \fB\-U\fR option.
5e5f7c
+This is typically only required when the enrollment profile being used uses
5e5f7c
+\fIUidPwdPinDirAuth\fR\-based
5e5f7c
+authentication.  If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
+will not be encrypted.
5e5f7c
+.TP
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
 Increases the logging level.  Use twice for more logging.  This option is mainly
5e5f7c
 useful for troubleshooting.
5e5f7c
-
5e5f7c
+.SH AGENT KEY AND CERTIFICATE OPTIONS
5e5f7c
+Options that provide the location for the private key and public certificate
5e5f7c
+which the client should use to authenticate to the CA's agent interface.
5e5f7c
+The values to use depend on which cryptography library your copy of libcurl
5e5f7c
+was linked with.
5e5f7c
+.TP
5e5f7c
+If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
5e5f7c
+ \fB\-i\fR \fI/etc/ipa/ca.crt\fR
5e5f7c
+ \fB\-d\fR \fI/etc/httpd/alias\fR
5e5f7c
+ \fB\-n\fR \fIipaCert\fR
5e5f7c
+ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
5e5f7c
+.TP
5e5f7c
+\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
5e5f7c
+Use an NSS database in the specified directory for this certificate
5e5f7c
+and key. Only valid with \-n.
5e5f7c
+.TP
5e5f7c
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
5e5f7c
+Use the NSS key with this nickname. Only valid with \-d.
5e5f7c
+.TP
5e5f7c
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
5e5f7c
+The PEM file that contains the public certificate. Only valid with \-k.
5e5f7c
+.TP
5e5f7c
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
5e5f7c
+The PEM file that contains the private certificate. Only valid with \-c.
5e5f7c
+.TP
5e5f7c
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
5e5f7c
+The name of a file which contains a PIN/password which will be needed in
5e5f7c
+order to make use of the agent credentials.
5e5f7c
+.TP
5e5f7c
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
5e5f7c
+The name of a file which contains a PIN/password which will be needed in
5e5f7c
+order to make use of the agent credentials.
5e5f7c
 .SH EXIT STATUS
5e5f7c
 .TP
5e5f7c
 0
5e5f7c
@@ -189,7 +259,7 @@ pair.
5e5f7c
 .TP
5e5f7c
 .I /etc/ipa/default.conf
5e5f7c
 is the IPA client configuration file.  This file is consulted to determine
5e5f7c
-the URL for the Dogtag server's end-entity and agent interfaces if they are
5e5f7c
+the URL for the Dogtag server's end\-entity and agent interfaces if they are
5e5f7c
 not supplied as arguments.
5e5f7c
 
5e5f7c
 .SH BUGS
5e5f7c
@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in
5e5f7c
index 19ecab7..e92de67 100644
5e5f7c
--- a/src/certmonger-dogtag-submit.8.in
5e5f7c
+++ b/src/certmonger-dogtag-submit.8.in
5e5f7c
@@ -1,196 +1,214 @@
5e5f7c
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-dogtag-submit
5e5f7c
+dogtag\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-dogtag-submit -E EE-URL -A AGENT-URL
5e5f7c
-[-d dbdir]
5e5f7c
-[-n nickname]
5e5f7c
-[-i cainfo]
5e5f7c
-[-C capath]
5e5f7c
-[-c certfile]
5e5f7c
-[-k keyfile]
5e5f7c
-[-p pinfile]
5e5f7c
-[-P pin]
5e5f7c
-[-s serial (hex)]
5e5f7c
-[-D serial (decimal)]
5e5f7c
-[-S state]
5e5f7c
-[-T profile]
5e5f7c
-[-O param=value]
5e5f7c
-[-N | -R]
5e5f7c
-[-t]
5e5f7c
-[-o option=value]
5e5f7c
-[-a ]
5e5f7c
-[-u username]
5e5f7c
-[-U userdn]
5e5f7c
-[-W userpassword]
5e5f7c
-[-w userpasswordfile]
5e5f7c
-[-Y userpin]
5e5f7c
-[-y userpinfile]
5e5f7c
-[-v]
5e5f7c
+dogtag\-submit \-E EE\-URL \-A AGENT\-URL
5e5f7c
+[\-d DIR]
5e5f7c
+[\-n NAME]
5e5f7c
+[\-i FILE]
5e5f7c
+[\-C DIR]
5e5f7c
+[\-c FILE]
5e5f7c
+[\-k FILE]
5e5f7c
+[\-p FILE]
5e5f7c
+[\-P PIN]
5e5f7c
+[\-s serial (hex)]
5e5f7c
+[\-D serial (decimal)]
5e5f7c
+[\-S state]
5e5f7c
+[\-T profile]
5e5f7c
+[\-O param=value]
5e5f7c
+[\-N | \-R]
5e5f7c
+[\-t]
5e5f7c
+[\-o option=value]
5e5f7c
+[\-a]
5e5f7c
+[\-u username]
5e5f7c
+[\-U userdn]
5e5f7c
+[\-W PASSWORD]
5e5f7c
+[\-w FILE]
5e5f7c
+[\-Y PIN]
5e5f7c
+[\-y FILE]
5e5f7c
+[\-v]
5e5f7c
 [csrfile]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make
5e5f7c
+\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make
5e5f7c
 certificate enrollment and renewal requests to Dogtag servers.  It is not
5e5f7c
 normally run interactively, but it can be for troubleshooting purposes.
5e5f7c
 
5e5f7c
-The preferred option is to request a renewal of an already-issued certificate,
5e5f7c
-using its serial number, which can be read from a PEM-formatted certificate
5e5f7c
+The preferred option is to request a renewal of an already\-issued certificate,
5e5f7c
+using its serial number, which can be read from a PEM\-formatted certificate
5e5f7c
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
5e5f7c
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
5e5f7c
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
5e5f7c
 provided, then the client will attempt to obtain a new certificate by
5e5f7c
 submitting a signing request to the CA.
5e5f7c
 
5e5f7c
 The signing request which is to be submitted should either be in a file whose
5e5f7c
-name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.
5e5f7c
+name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.
5e5f7c
 
5e5f7c
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
5e5f7c
 CAs.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-E\fR EE-URL
5e5f7c
-The top-level URL for the end-entity interface provided by the CA, through
5e5f7c
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
5e5f7c
+The top\-level URL for the end\-entity interface provided by the CA, through
5e5f7c
 which the initial enrollment request will be submitted.  This is typically
5e5f7c
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
5e5f7c
 .TP
5e5f7c
-\fB\-A\fR AGENT-URL
5e5f7c
-The top-level URL for the agent interface provided by the CA, through which the
5e5f7c
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
5e5f7c
+The top\-level URL for the agent interface provided by the CA, through which the
5e5f7c
 request can be approved using agent credentials.  This is typically
5e5f7c
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
5e5f7c
 .TP
5e5f7c
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
5e5f7c
-The location of the key and certificate which the client should use to
5e5f7c
-authenticate to the CA's agent interface.  Exactly which values are
5e5f7c
-meaningful depend on which cryptography library your copy of libcurl was
5e5f7c
-linked with.
5e5f7c
-.TP
5e5f7c
-\fB\-p\fR pinfile
5e5f7c
-The name of a file which contains a PIN/password which will be needed in
5e5f7c
-order to make use of the agent credentials.
5e5f7c
-.TP
5e5f7c
-\fB\-i\fR cainfo \fB\-C\fR capath
5e5f7c
+\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
5e5f7c
 The location of a file containing a copy of the CA's certificate, against which
5e5f7c
-the CA server's certificate will be verified, or a directory containing, among
5e5f7c
-other things, such a file.
5e5f7c
+the CA server's certificate will be verified.
5e5f7c
 .TP
5e5f7c
-\fB-s\fR serial
5e5f7c
-The serial number of an already-issued certificate for which the client should
5e5f7c
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
5e5f7c
-read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
5e5f7c
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
5e5f7c
+The location of a directory containing a copy of the CA's certificate(s),
5e5f7c
+against which the CA server's certificate will be verified.
5e5f7c
 .TP
5e5f7c
-\fB-D\fR serial
5e5f7c
-The serial number of an already-issued certificate for which the client should
5e5f7c
+\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR
5e5f7c
+The serial number of an already\-issued certificate for which the client should
5e5f7c
 attempt to obtain a new certificate, in decimal form, if one can not be
5e5f7c
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
5e5f7c
 .TP
5e5f7c
-\fB-S\fR state
5e5f7c
+\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR
5e5f7c
+The serial number of an already\-issued certificate for which the client should
5e5f7c
+attempt to obtain a new certificate, in hexadecimal form, if one can not be
5e5f7c
+read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
5e5f7c
+.TP
5e5f7c
+\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR
5e5f7c
 A cookie value provided by a previous instance of this helper, if the helper
5e5f7c
-is being asked to continue a multi-step enrollment process.  If the
5e5f7c
+is being asked to continue a multi\-step enrollment process.  If the
5e5f7c
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
5e5f7c
 .TP
5e5f7c
-\fB-T\fR profile/template
5e5f7c
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
5e5f7c
 The name of the type of certificate which the client should request from the CA
5e5f7c
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
5e5f7c
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
5e5f7c
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
5e5f7c
 Otherwise, the default value is \fBcaServerCert\fP.
5e5f7c
 .TP
5e5f7c
-\fB-O\fR param=value
5e5f7c
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR
5e5f7c
 An additional parameter to pass to the server when approving the signing
5e5f7c
-request using agent credentials.  By default, any server-supplied default
5e5f7c
+request using agent credentials.  By default, any server\-supplied default
5e5f7c
 settings are applied.  This option can be used either to override a
5e5f7c
-server-supplied default setting, or to supply one which would otherwise have
5e5f7c
-not been used.  Requires the \fB-A\fR option.
5e5f7c
+server\-supplied default setting, or to supply one which would otherwise have
5e5f7c
+not been used.  Requires the \fB\-A\fR option.
5e5f7c
 .TP
5e5f7c
-\fB-N\fR
5e5f7c
-Even if an already-issued certificate is available in the
5e5f7c
+\fB\-N\fR, \fB\-\-force\-new\fR
5e5f7c
+Even if an already\-issued certificate is available in the
5e5f7c
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
5e5f7c
 provided, don't attempt to renew a certificate using its serial number.
5e5f7c
 Instead, attempt to obtain a new certificate using the signing request.
5e5f7c
 The default behavior is to request a renewal if possible.
5e5f7c
 .TP
5e5f7c
-\fB-R\fR
5e5f7c
-Negates the effect of the \fB-N\fR flag.
5e5f7c
+\fB\-R\fR, \fB\-\-force\-renew\fR
5e5f7c
+Negates the effect of the \fB\-N\fR flag.
5e5f7c
 .TP
5e5f7c
-\fB-t\fR
5e5f7c
+\fB\-t\fR, \fB\-\-profile\-list\fR
5e5f7c
 Instead of attempting to obtain a new certificate, query the server for a list
5e5f7c
 of the enabled enrollment profiles.
5e5f7c
 .TP
5e5f7c
-\fB-o\fR param=value
5e5f7c
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
5e5f7c
 When initially submitting a request to the CA, add the specified parameter and
5e5f7c
 value along with any request parameters which would otherwise be sent.
5e5f7c
 .TP
5e5f7c
-\fB-a\fR
5e5f7c
+\fB\-a\fR, \fB\-\-agent\-submit\fR
5e5f7c
 Use agent credentials, specified using some combination of the \fB\-d\fR,
5e5f7c
 \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
5e5f7c
 initially submitting a request to the CA or retrieving the list of enabled
5e5f7c
 enrollment profiles.
5e5f7c
 This is typically required when the enrollment profile being used uses
5e5f7c
-\fIAgentCertAuth\fR-based
5e5f7c
+\fIAgentCertAuth\fR\-based
5e5f7c
 authentication,
5e5f7c
-and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,
5e5f7c
-or when the URL specified using the \fB-E\fR flag is an HTTPS URL.
5e5f7c
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
5e5f7c
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
5e5f7c
 .TP
5e5f7c
-\fB-u username\fR
5e5f7c
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
5e5f7c
 When initially submitting a request to the CA, supply the specified value as a user name.
5e5f7c
 This is typically required when the enrollment profile being used uses
5e5f7c
-\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based
5e5f7c
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
 .TP
5e5f7c
-\fB-U userdn\fR
5e5f7c
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
5e5f7c
 When initially submitting a request to the CA, supply the specified value as the DN
5e5f7c
 (distinguished name) of the user's entry in a directory server which the CA is
5e5f7c
 configured to use for checking the user's password.
5e5f7c
 This is typically required when the enrollment profile being used uses
5e5f7c
-\fIUdnPwdDirAuth\fR-based
5e5f7c
+\fIUdnPwdDirAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
 .TP
5e5f7c
-\fB-W userpassword\fR
5e5f7c
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
5e5f7c
 When initially submitting a request to the CA, supply the specified value as the password
5e5f7c
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
5e5f7c
-specified with the \fB-U\fR option.
5e5f7c
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
5e5f7c
+specified with the \fB\-U\fR option.
5e5f7c
 This is typically only required when the enrollment profile being used uses
5e5f7c
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
5e5f7c
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
 will not be encrypted.
5e5f7c
 .TP
5e5f7c
-\fB-w userpasswordfile\fR
5e5f7c
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
5e5f7c
 When initially submitting a request to the CA, read from the specified file a
5e5f7c
-password to supply for the user whose name is specified with the \fB-u\fR
5e5f7c
-option, or whose DN is specified with the \fB-U\fR option.
5e5f7c
+password to supply for the user whose name is specified with the \fB\-u\fR
5e5f7c
+option, or whose DN is specified with the \fB\-U\fR option.
5e5f7c
 This is typically only required when the enrollment profile being used uses
5e5f7c
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
5e5f7c
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
 will not be encrypted.
5e5f7c
 .TP
5e5f7c
-\fB-Y userpin\fR
5e5f7c
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
5e5f7c
 When initially submitting a request to the CA, supply the specified value as the PIN
5e5f7c
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
5e5f7c
-specified with the \fB-U\fR option.
5e5f7c
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
5e5f7c
+specified with the \fB\-U\fR option.
5e5f7c
 This is typically only required when the enrollment profile being used uses
5e5f7c
-\fIUidPwdPinDirAuth\fR-based
5e5f7c
+\fIUidPwdPinDirAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
 will not be encrypted.
5e5f7c
 .TP
5e5f7c
-\fB-y userpinfile\fR
5e5f7c
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
5e5f7c
 When initially submitting a request to the CA, read from the specified file a
5e5f7c
-PIN to supply for the user whose name is specified with the \fB-u\fR
5e5f7c
-option, or whose DN is specified with the \fB-U\fR option.
5e5f7c
+PIN to supply for the user whose name is specified with the \fB\-u\fR
5e5f7c
+option, or whose DN is specified with the \fB\-U\fR option.
5e5f7c
 This is typically only required when the enrollment profile being used uses
5e5f7c
-\fIUidPwdPinDirAuth\fR-based
5e5f7c
+\fIUidPwdPinDirAuth\fR\-based
5e5f7c
 authentication.
5e5f7c
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
5e5f7c
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
5e5f7c
 will not be encrypted.
5e5f7c
 .TP
5e5f7c
-\fB-v\fR
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
 Increases the logging level.  Use twice for more logging.  This option is mainly
5e5f7c
 useful for troubleshooting.
5e5f7c
-
5e5f7c
+.SH AGENT KEY AND CERTIFICATE OPTIONS
5e5f7c
+Options that provide the location for the private key and public certificate
5e5f7c
+which the client should use to authenticate to the CA's agent interface.
5e5f7c
+The values to use depend on which cryptography library your copy of libcurl
5e5f7c
+was linked with.
5e5f7c
+.TP
5e5f7c
+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
5e5f7c
+Use an NSS database in the specified directory for this certificate
5e5f7c
+and key. Only valid with \-n.
5e5f7c
+.TP
5e5f7c
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
5e5f7c
+Use the NSS key with this nickname. Only valid with \-d.
5e5f7c
+.TP
5e5f7c
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
5e5f7c
+The PEM file that contains the public certificate. Only valid with \-k.
5e5f7c
+.TP
5e5f7c
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
5e5f7c
+The PEM file that contains the private certificate. Only valid with \-c.
5e5f7c
+.TP
5e5f7c
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
5e5f7c
+The name of a file which contains a PIN/password which will be needed in
5e5f7c
+order to make use of the agent credentials.
5e5f7c
+.TP
5e5f7c
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
5e5f7c
+The name of a file which contains a PIN/password which will be needed in
5e5f7c
+order to make use of the agent credentials.
5e5f7c
 .SH EXIT STATUS
5e5f7c
 .TP
5e5f7c
 0
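Review bot: The new `\-P`/`\-\-sslpin` entry at the end of the AGENT KEY AND CERTIFICATE OPTIONS section repeats the `\-p`/`\-\-sslpinfile` description word for word, so it tells the reader that `PIN` is the name of a file. Going by the placeholder, the value is the PIN itself, and the text should say so, for example `The PIN/password which will be needed in order to make use of the agent credentials.` Since `\-P`, `\-W` and `\-Y` take a secret as a command-line argument, which other local users can usually read from the process list, each of those entries would also benefit from a sentence pointing to its file-based counterpart (`\-p`, `\-w`, `\-y`); the same applies to `\-W` in certmonger-ipa-submit.8.in. In the same section `\-k` is described as holding the "private certificate", where `The PEM file that contains the private key. Only valid with \-c.` looks intended.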
5e5f7c
@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
5e5f7c
index 7915142..0e1c90f 100644
5e5f7c
--- a/src/certmonger-ipa-submit.8.in
5e5f7c
+++ b/src/certmonger-ipa-submit.8.in
5e5f7c
@@ -1,21 +1,23 @@
5e5f7c
-.TH certmonger 8 "16 April 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-ipa-submit
5e5f7c
+ipa\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
5e5f7c
-[[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]
5e5f7c
+ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]
5e5f7c
+[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]
5e5f7c
+[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]
5e5f7c
+[\-X issuer] [csrfile]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make
5e5f7c
-requests to IPA-based CAs.  It is not normally run interactively,
5e5f7c
+\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make
5e5f7c
+requests to IPA\-based CAs.  It is not normally run interactively,
5e5f7c
 but it can be for troubleshooting purposes.  The signing request which is
5e5f7c
 to be submitted should either be in a file whose name is given as an argument,
5e5f7c
-or fed into \fIipa-submit\fR via stdin.
5e5f7c
+or fed into \fIipa\-submit\fR via stdin.
5e5f7c
 
5e5f7c
 \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
5e5f7c
-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
5e5f7c
+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
5e5f7c
 specifying where those certificates should be stored on the local system.
5e5f7c
 Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of
5e5f7c
 entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
5e5f7c
@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-P\fR csrPrincipal
5e5f7c
+\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR
5e5f7c
 Identifies the principal name of the service for which the certificate is being
5e5f7c
 issued.  This setting is required by IPA and must always be specified.
5e5f7c
 .TP
5e5f7c
-\fB\-X\fR issuer
5e5f7c
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR
5e5f7c
 Requests that the certificate be processed by the specified certificate issuer.
5e5f7c
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
5e5f7c
 variable is set in the environment, then the value of the environment variable
5e5f7c
 will be used.  This setting is optional, and if a server returns error 3005,
5e5f7c
 indicating that it does not understand multiple profiles, the request will be
5e5f7c
-re-submitted without specifying an issuer name.
5e5f7c
+re\-submitted without specifying an issuer name.
5e5f7c
 .TP
5e5f7c
-\fB\-T\fR profile
5e5f7c
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
5e5f7c
 Requests that the certificate be processed using the specified certificate profile.
5e5f7c
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
5e5f7c
 variable is set in the environment, then the value of the environment variable
5e5f7c
 will be used.  This setting is optional, and if a server returns error 3005,
5e5f7c
 indicating that it does not understand multiple profiles, the request will be
5e5f7c
-re-submitted without specifying a profile.
5e5f7c
+re\-submitted without specifying a profile.
5e5f7c
 .TP
5e5f7c
-\fB\-h\fR serverHost
5e5f7c
+\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR
5e5f7c
 Submit the request to the IPA server running on the named host.  The default is
5e5f7c
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
5e5f7c
 If no server is configured, or the configured server cannot be reached, the
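Review bot: The `\-X` entry ends the bold run with `\fB` instead of `\fR` (`\fB\-\-issuer\fB=\fINAME\fR`), so the `=` is set in bold, unlike the other options in this hunk. It should read `\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR`. The `\-s` entry in certmonger-dogtag-submit.8.in has the same slip in `\fB\-\-hex\-serial\fB=` and also leaves the short-option `SERIAL` without `\fI…\fR`.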
5e5f7c
@@ -53,7 +55,7 @@ domain.  If servers are found, they will be searched for entries pointing to
5e5f7c
 IPA masters running the "CA" service, and the client will attempt to contact
5e5f7c
 each of those in turn.
5e5f7c
 .TP
5e5f7c
-\fB\-H\fR serverURL
5e5f7c
+\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR
5e5f7c
 Submit the request to the IPA server at the specified location.  The default is
5e5f7c
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
5e5f7c
 If no server is configured, or the configured server cannot be reached, the
5e5f7c
@@ -62,49 +64,64 @@ domain.  If servers are found, they will be searched for entries pointing to
5e5f7c
 IPA masters running the "CA" service, and the client will attempt to contact
5e5f7c
 each of those in turn.
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR cafile
5e5f7c
+\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR
5e5f7c
+Provide the IPA LDAP service location rather than using DNS discovery.
5e5f7c
+The default is to read the location of the host from
5e5f7c
+\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of
5e5f7c
+_ldap._tcp.DOMAIN values and pick one for use.
5e5f7c
+.TP
5e5f7c
+\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
5e5f7c
+Use this domain when doing DNS discovery to locate LDAP servers for the IPA
5e5f7c
+installation. The default is to read the location of the host from
5e5f7c
+\fB/etc/ipa/default.conf\fR.
5e5f7c
+.TP
5e5f7c
+\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR
5e5f7c
+Use this basedn to search for an IPA installation in LDAP. The default is to
5e5f7c
+read the location of the host from \fB/etc/ipa/default.conf\fR.
5e5f7c
+.TP
5e5f7c
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
5e5f7c
 The server's certificate was issued by the CA whose certificate is in the named
5e5f7c
 file.  The default value is \fI/etc/ipa/ca.crt\fR.
5e5f7c
 .TP
5e5f7c
-\fB\-C\fR capath
5e5f7c
+\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR
5e5f7c
 Trust the server if its certificate was issued by a CA whose certificate is in
5e5f7c
 a file in the named directory.  There is no default for this option, and it
5e5f7c
 is not expected to be necessary.
5e5f7c
 .TP
5e5f7c
-\fB\-t\fR keytab
5e5f7c
+\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR
5e5f7c
 Authenticate to the IPA server using Kerberos with credentials derived from
5e5f7c
 keys stored in the named keytab.  The default value can vary, but it is usually
5e5f7c
 \fI/etc/krb5.keytab\fR.
5e5f7c
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
5e5f7c
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
5e5f7c
 options.
5e5f7c
 .TP
5e5f7c
-\fB\-k\fR authPrincipal
5e5f7c
+\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR
5e5f7c
 Authenticate to the IPA server using Kerberos with credentials derived from
5e5f7c
 keys stored in the named keytab for this principal name.  The default value is
5e5f7c
 the \fBhost\fR service for the local host in the local realm.
5e5f7c
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
5e5f7c
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
5e5f7c
 options.
5e5f7c
 .TP
5e5f7c
-\fB\-K\fR
5e5f7c
+\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR
5e5f7c
 Authenticate to the IPA server using Kerberos with credentials derived from the
5e5f7c
 default credential cache rather than a keytab.
5e5f7c
-This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
5e5f7c
+This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
5e5f7c
 options.
5e5f7c
 .TP
5e5f7c
-\fB\-u\fR uid
5e5f7c
+\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR
5e5f7c
 Authenticate to the IPA server using a user name and password, using the
5e5f7c
 specified value as the user name.
5e5f7c
-This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.
5e5f7c
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.
5e5f7c
 .TP
5e5f7c
-\fB\-W\fR pwd
5e5f7c
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR
5e5f7c
 Authenticate to the IPA server using a user name and password, using the
5e5f7c
 specified value as the password.
5e5f7c
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.
5e5f7c
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.
5e5f7c
 .TP
5e5f7c
-\fB\-w\fR pwdfile
5e5f7c
+\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR
5e5f7c
 Authenticate to the IPA server using a user name and password, reading the
5e5f7c
 password from the specified file.
5e5f7c
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.
5e5f7c
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.
5e5f7c
 
5e5f7c
 .SH EXIT STATUS
5e5f7c
 .TP
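Review bot: The `\-C` entry names its argument two ways, `\fIPATH\fR` for the short option and `\fIDIR\fR` for `\-\-capath`; one placeholder should be used for both, e.g. `\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR`. The new `\-d` and `\-b` entries both say the default is to read "the location of the host" from /etc/ipa/default.conf, which looks carried over from `\-h`; presumably the domain and the base DN are what is read from that file, and each sentence should name the value it actually defaults.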
5e5f7c
@@ -131,7 +148,7 @@ pair.
5e5f7c
 .TP
5e5f7c
 .I /etc/ipa/default.conf
5e5f7c
 is the IPA client configuration file.  This file is consulted to determine
5e5f7c
-the URL for the IPA server's XML-RPC interface.
5e5f7c
+the URL for the IPA server's XML\-RPC interface.
5e5f7c
 
5e5f7c
 .SH BUGS
5e5f7c
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
5e5f7c
@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-request\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in
5e5f7c
index 59ed245..b68ffc3 100644
5e5f7c
--- a/src/certmonger-local-submit.8.in
5e5f7c
+++ b/src/certmonger-local-submit.8.in
5e5f7c
@@ -1,35 +1,35 @@
5e5f7c
-.TH certmonger 8 "7 June 2014" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-local-submit
5e5f7c
+local\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-local-submit [-d state-directory] [-v] [csrfile]
5e5f7c
+local\-submit [\-d state\-directory] [\-v] [csrfile]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement
5e5f7c
+\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement
5e5f7c
 its local signer.  It is not normally run interactively, but it can be for
5e5f7c
 troubleshooting purposes.  The signing request which is to be submitted
5e5f7c
 should either be in a file whose name is given as an argument, or fed into
5e5f7c
-\fIlocal-submit\fR via stdin.
5e5f7c
+\fIlocal\-submit\fR via stdin.
5e5f7c
 
5e5f7c
-The local signer is currently hard-coded to generate and use a
5e5f7c
-@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based
5e5f7c
+The local signer is currently hard\-coded to generate and use a
5e5f7c
+@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based
5e5f7c
 on a UUID, replacing that key and certificate at roughly the midpoint of their
5e5f7c
 useful lifetime.
5e5f7c
 
5e5f7c
-\fBcertmonger\fR supports retrieving the list of current and previously-used
5e5f7c
-local CA certificates.  See \fBgetcert-request\fR(1) and
5e5f7c
-\fBgetcert-resubmit\fR(1) for information about specifying where those
5e5f7c
+\fBcertmonger\fR supports retrieving the list of current and previously\-used
5e5f7c
+local CA certificates.  See \fBgetcert\-request\fR(1) and
5e5f7c
+\fBgetcert\-resubmit\fR(1) for information about specifying where those
5e5f7c
 certificates should be stored.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-d\fR state-directory
5e5f7c
+\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR
5e5f7c
 Identifies the directory which contains the local signer's private key,
5e5f7c
 certificates, and other data used by the local signer.
5e5f7c
 .TP
5e5f7c
-\fB\-v\fR
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
 Increases the verbosity of the tool's diagnostic logging.
5e5f7c
 
5e5f7c
 .SH EXIT STATUS
5e5f7c
@@ -47,7 +47,7 @@ if critical configuration information is missing.  An error message may be print
5e5f7c
 .TP
5e5f7c
 .I creds
5e5f7c
 is currently a PKCS#12 bundle containing the local signer's current signing key
5e5f7c
-and current and previously-used signer certificates.  It should not be modified
5e5f7c
+and current and previously\-used signer certificates.  It should not be modified
5e5f7c
 except by the local signer.  A new key is currently generated when ever a new
5e5f7c
 signer certificate is needed.
5e5f7c
 .TP
5e5f7c
@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
5e5f7c
index 42ffcd6..5b8b917 100644
5e5f7c
--- a/src/certmonger-scep-submit.8.in
5e5f7c
+++ b/src/certmonger-scep-submit.8.in
5e5f7c
@@ -1,98 +1,98 @@
5e5f7c
-.TH certmonger 8 "20 June 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-scep-submit
5e5f7c
+scep\-submit
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-scep-submit -u SERVER-URL
5e5f7c
-[-r ra-cert-file]
5e5f7c
-[-R ca-cert-file]
5e5f7c
-[-I other-certs-file]
5e5f7c
-[-N ca-cert-file]
5e5f7c
-[-i ca-identifier]
5e5f7c
-[-v]
5e5f7c
-[-n]
5e5f7c
-[-c|-C|-g|-p]
5e5f7c
-[pkimessage-filename]
5e5f7c
+scep\-submit \-u SERVER\-URL
5e5f7c
+[\-r ra\-cert\-file]
5e5f7c
+[\-R ca\-cert\-file]
5e5f7c
+[\-I other\-certs\-file]
5e5f7c
+[\-N ca\-cert\-file]
5e5f7c
+[\-i ca\-identifier]
5e5f7c
+[\-v]
5e5f7c
+[\-n]
5e5f7c
+[\-c|\-C|\-g|\-p]
5e5f7c
+[pkimessage\-filename]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
-\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to
5e5f7c
+\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to
5e5f7c
 transmit certificate enrollment and renewal requests to servers using
5e5f7c
 SCEP.  It is not normally run interactively, but it can be for
5e5f7c
 troubleshooting purposes.
5e5f7c
 
5e5f7c
-The request which is to be submitted should be a PEM-encoded SCEP
5e5f7c
+The request which is to be submitted should be a PEM\-encoded SCEP
5e5f7c
 pkiMessage either in a file whose name is given as an argument, or fed
5e5f7c
-into \fIscep-submit\fR via stdin.
5e5f7c
+into \fIscep\-submit\fR via stdin.
5e5f7c
 
5e5f7c
 .SH MODES
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR
5e5f7c
+\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR
5e5f7c
 \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and
5e5f7c
 print the results.
5e5f7c
 .TP
5e5f7c
-\fB\-C\fR
5e5f7c
-\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR
5e5f7c
-requests to the server, parse the responses, and then print, in order,
5e5f7c
+\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR
5e5f7c
+\fIscep-submit\fR will issue a \fIGetCACert\fR
5e5f7c
+request to the server, parse the response, and then print, in order,
5e5f7c
 the RA certificate, the CA certificate, and any additional certificates.
5e5f7c
 .TP
5e5f7c
-\fB\-p\fR
5e5f7c
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
5e5f7c
-using the passed-in message as the message content.  It will parse the
5e5f7c
+\fB\-p\fR, \fB\-\-pki\-message\fR
5e5f7c
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
5e5f7c
+using the passed\-in message as the message content.  It will parse the
5e5f7c
 server's response, verify the signature, and if the response includes an
5e5f7c
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
5e5f7c
 format.  If the response indicates an error, it will print the error.
5e5f7c
 .TP
5e5f7c
-\fB\-g\fR
5e5f7c
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
5e5f7c
-using the passed-in message as the message content.  It will parse the
5e5f7c
+\fB\-g\fR, \fB\-\-get\-initial\-cert\fR
5e5f7c
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
5e5f7c
+using the passed\-in message as the message content.  It will parse the
5e5f7c
 server's response, verify the signature, and if the response includes an
5e5f7c
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
5e5f7c
 format.  If the response indicates an error, it will print the error.
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-u\fR SERVER-URL
5e5f7c
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
5e5f7c
 The location of the SCEP interface provided by the CA.  This is
5e5f7c
-typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
5e5f7c
+typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or
5e5f7c
 \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR.  This option is
5e5f7c
 always required.
5e5f7c
 .TP
5e5f7c
-\fB\-R\fR CA-certificate-file
5e5f7c
+\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR
5e5f7c
 The location of the CA certificate which was used to issue the SCEP web
5e5f7c
 server's certificate in PEM form. If the URL specified with the
5e5f7c
-\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
5e5f7c
+\fB\-u\fR option is an \fIhttps\fR URL, then this option is required.
5e5f7c
 .TP
5e5f7c
-\fB\-N\fR ca-certificate-file
5e5f7c
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
5e5f7c
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
5e5f7c
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
5e5f7c
 A discovered value is normally supplied by the certmonger daemon, but one can
5e5f7c
 be specified for troubleshooting purposes.
5e5f7c
 .TP
5e5f7c
-\fB\-r\fR RA-certificate-file
5e5f7c
+\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR
5e5f7c
 The location of the SCEP server's RA certificate, which is expected to
5e5f7c
 be used for signing responses sent by the SCEP server back to the
5e5f7c
-client.  This option is required when either the \fB-g\fR flag or the
5e5f7c
-\fB-p\fR flag is specified.
5e5f7c
+client.  This option is required when either the \fB\-g\fR flag or the
5e5f7c
+\fB\-p\fR flag is specified.
5e5f7c
 .TP
5e5f7c
-\fB\-I\fR other-certificates-file
5e5f7c
-The location of a file containing other PEM-formatted certificates which
5e5f7c
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
5e5f7c
+The location of a file containing other PEM\-formatted certificates which
5e5f7c
 may be needed in order to properly verify signed responses sent by the
5e5f7c
 SCEP server back to the client.  This option may be necessary when
5e5f7c
-either the \fB-g\fR flag or the \fB-p\fR flag is specified.
5e5f7c
+either the \fB\-g\fR flag or the \fB\-p\fR flag is specified.
5e5f7c
 .TP
5e5f7c
-\fB\-i\fR ca-identifier
5e5f7c
-When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
5e5f7c
+\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR
5e5f7c
+When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to
5e5f7c
 specify the CA identifier which is passed to the server as part of the client's
5e5f7c
 request.  The default is "0".
5e5f7c
 .TP
5e5f7c
-\fB\-n\fR
5e5f7c
-The SCEP Renewal feature allows a client with a previously-issued certificate
5e5f7c
+\fB\-n\fR, \fB\-\-non\-renewal\fR
5e5f7c
+The SCEP Renewal feature allows a client with a previously\-issued certificate
5e5f7c
 to use that certificate and the associated private key to request a new
5e5f7c
 certificate for a different key pair, and can be used to support
5e5f7c
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
5e5f7c
-it.  This option forces the \fIscep-submit\fR helper to prefer to issue
5e5f7c
+it.  This option forces the \fIscep\-submit\fR helper to prefer to issue
5e5f7c
 requests which do not make use of this feature.
5e5f7c
 .TP
5e5f7c
-\fB-v\fR
5e5f7c
+\fB-v\fR, \fB\-\-verbose\fR
5e5f7c
 Increases the logging level.  Use twice for more logging.  This option
5e5f7c
 is mainly useful for troubleshooting.
5e5f7c
 
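Review bot: The long options on the `\-c` and `\-C` entries are opened with `\fR` instead of `\fB`, so they render in roman while every other long option on this page is bold; the lines should read `\fB\-c\fR, \fB\-\-retrieve\-ca\-capabilities\fR` and `\fB\-C\fR, \fB\-\-retrieve\-ca\-certificates\fR`. The `\-b` entry in src/certmonger.8.in has the same font mix-up and should be `\fB\-b\fR \fITIMEOUT\fR, \fB\-\-bus\-activation\-timeout\fR=\fITIMEOUT\fR`. The hyphen escaping is also incomplete in this hunk: the first description line of both entries still says `\fIscep-submit\fR`, and the last entry still starts with `\fB-v\fR`. Separately, the `\-C` text no longer mentions `GetCAChain`, which the commit message does not cover; that presumably tracks a behaviour change in the helper and should be confirmed against the code, since it changes what a reader expects the tool to fetch.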
5e5f7c
@@ -100,7 +100,7 @@ is mainly useful for troubleshooting.
5e5f7c
 .TP
5e5f7c
 0
5e5f7c
 if the certificate was issued. The pkcsPKIEnvelope will be printed in
5e5f7c
-PEM-encoded form.
5e5f7c
+PEM\-encoded form.
5e5f7c
 .TP
5e5f7c
 1
5e5f7c
 if the CA is still thinking.  A cookie (state) value will be printed.
5e5f7c
@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger.8.in b/src/certmonger.8.in
5e5f7c
index 8c00d5a..a726e3b 100644
5e5f7c
--- a/src/certmonger.8.in
5e5f7c
+++ b/src/certmonger.8.in
5e5f7c
@@ -1,14 +1,14 @@
5e5f7c
-.TH certmonger 8 "14 June 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 8 "June 14, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
 certmonger
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v]
5e5f7c
+certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
 The \fIcertmonger\fR daemon monitors certificates for impending
5e5f7c
-expiration, and can optionally refresh soon-to-be-expired certificates
5e5f7c
+expiration, and can optionally refresh soon\-to\-be\-expired certificates
5e5f7c
 with the help of a CA.  If told to, it can drive the entire enrollment
5e5f7c
 process from key generation through enrollment and refresh.
5e5f7c
 
5e5f7c
@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
--s
5e5f7c
+\fB\-s\fR, \fB\-\-session\fR
5e5f7c
 Listen on the session bus rather than the system bus.
5e5f7c
 .TP
5e5f7c
--S
5e5f7c
+\fB\-S\fR, \fB\-\-system\fR
5e5f7c
 Listen on the system bus rather than the session bus.  This is the default.
5e5f7c
 .TP
5e5f7c
--l
5e5f7c
+\fB\-l\fR, \fB\-\-listening\-socket\fR
5e5f7c
 Also listen on a private socket for connections from clients running under the
5e5f7c
 same UID.
5e5f7c
 .TP
5e5f7c
--L
5e5f7c
+\fB\-L\fR, \fB\-\-only\-listening\-socket\fR
5e5f7c
 Listen only on a private socket for connections from clients running under the
5e5f7c
 same UID, and skip connecting to a bus.
5e5f7c
 .TP
5e5f7c
--P
5e5f7c
+\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR
5e5f7c
 Specify a location for the private listening socket.  If the location beings
5e5f7c
 with a '/' character, it will be prefixed with 'unix:path=', otherwise it will
5e5f7c
 be prefixed with 'unix:'.  If this option is not specified, the listening
5e5f7c
 socket, if one is created, will be placed in the abstract namespace.
5e5f7c
 .TP
5e5f7c
--b TIMEOUT
5e5f7c
-Behave as a bus-activated service: if there are no certificates to be monitored
5e5f7c
+\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR
5e5f7c
+Behave as a bus\-activated service: if there are no certificates to be monitored
5e5f7c
 or obtained, and no requests are received within TIMEOUT seconds, exit.  Not
5e5f7c
-compatible with the -c option.
5e5f7c
+compatible with the \-c option.
5e5f7c
 .TP
5e5f7c
--B
5e5f7c
-Don't behave as a bus-activated service.  This is the default.
5e5f7c
+\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR
5e5f7c
+Don't behave as a bus\-activated service.  This is the default.
5e5f7c
 .TP
5e5f7c
--n
5e5f7c
+\fB\-n\fR, \fB\-\-nofork\fR
5e5f7c
 Don't fork, and log messages to stderr rather than syslog.
5e5f7c
 .TP
5e5f7c
--f
5e5f7c
+\fB\-f\fR, \fB\-\-fork\fR
5e5f7c
 Do fork, and log messages to syslog rather than stderr.  This is the default.
5e5f7c
 .TP
5e5f7c
--d LEVEL
5e5f7c
-Set debugging level.  Higher values produce more debugging output.  Implies -n.
5e5f7c
+\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR
5e5f7c
+Set debugging level.  Higher values produce more debugging output.  Implies \-n.
5e5f7c
 .TP
5e5f7c
--p FILE
5e5f7c
+\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR
5e5f7c
 Store the daemon's process ID in the named file.
5e5f7c
 .TP
5e5f7c
--F
5e5f7c
+\fB\-F\fR, \fB\-\-fips\fR
5e5f7c
 Force NSS to be initialized in FIPS mode.  The default behavior is to heed
5e5f7c
 the setting stored in \fI/proc/sys/crypto/fips_enabled\fR.
5e5f7c
 .TP
5e5f7c
--c cmd
5e5f7c
+\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
5e5f7c
 After the service has initialized, run the specified command, then shut down
5e5f7c
-the service after the command exits.  If the -l or -L option was also
5e5f7c
+the service after the command exits.  If the \-l or \-L option was also
5e5f7c
 specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR
5e5f7c
 environment variable set to the listening socket's location.  Not compatible
5e5f7c
-with the -b option.
5e5f7c
+with the \-b option.
5e5f7c
 .TP
5e5f7c
--v
5e5f7c
+\fB\-v\fR, \fB\-\-version\fR
5e5f7c
 Print version information and exit.
5e5f7c
 
5e5f7c
 .SH FILES
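Review bot: The `\-p` entry gives the long option as `\fBpidfile\fR=\fIFILE\fR`, without the leading dashes that every other entry in this hunk has, so the page shows `pidfile=FILE` as if that were the literal spelling. Assuming the popt table names the option `pidfile`, the line should be `\fB\-p\fR \fIFILE\fR, \fB\-\-pidfile\fR=\fIFILE\fR`. It is also worth checking each long name added here against the popt table, since this page is the only reference an administrator has for how the daemon is started.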
5e5f7c
@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-request\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-start\-tracking\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
5e5f7c
index 241f48b..80de748 100644
5e5f7c
--- a/src/certmonger.conf.5.in
5e5f7c
+++ b/src/certmonger.conf.5.in
5e5f7c
@@ -1,18 +1,18 @@
5e5f7c
-.TH certmonger.conf 5 "12 May 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
-certmonger.conf - configuration file for certmonger
5e5f7c
+certmonger.conf \- configuration file for certmonger
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
 The \fIcertmonger.conf\fR file contains default settings used by certmonger.
5e5f7c
-Its format is more or less that of a typical INI-style file.  The only sections
5e5f7c
+Its format is more or less that of a typical INI\-style file.  The only sections
5e5f7c
 currently of note are named \fIdefaults\fR and \fIselfsign\fR.
5e5f7c
 
5e5f7c
 .SH DEFAULTS
5e5f7c
 Within the \fIdefaults\fR section, these variables and values are recognized:
5e5f7c
 
5e5f7c
 .IP notify_ttls
5e5f7c
-This is the list of times, given in seconds, before a certificate's not-after
5e5f7c
+This is the list of times, given in seconds, before a certificate's not\-after
5e5f7c
 validity date
5e5f7c
 (often referred to as its expiration time) when \fIcertmonger\fR should warn
5e5f7c
 that the certificate will soon no longer be valid.
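Review bot: The new title line `.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"` drops the page's own name, so the header and footer would read CERTMONGER(5) while the NAME section and the file name are certmonger.conf. The other pages in this commit already had `certmonger` as their title and are only upper-cased; this is the one page where the name itself changes. `.TH CERTMONGER.CONF 5 "May 12, 2015" "certmonger Manual"` keeps the upper-case convention without renaming the page.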
5e5f7c
@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value
5e5f7c
 of the \fIttls\fR setting.  The default list of values is "@CM_DEFAULT_TTL_LIST@".
5e5f7c
 
5e5f7c
 .IP enroll_ttls
5e5f7c
-This is the list of times, given in seconds, before a certificate's not-after
5e5f7c
+This is the list of times, given in seconds, before a certificate's not\-after
5e5f7c
 validity date
5e5f7c
 (often referred to as its expiration time) when \fIcertmonger\fR should attempt
5e5f7c
 to automatically renew the certificate, if it is configured to do so.
5e5f7c
@@ -43,7 +43,7 @@ an email address, or it can be a command to run.  The default value is
5e5f7c
 
5e5f7c
 .IP key_type
5e5f7c
 This is the type of key pair which will be generated, used in certificate
5e5f7c
-signing requests, and used when self-signing certificates.
5e5f7c
+signing requests, and used when self\-signing certificates.
5e5f7c
 @NO_MAN_DSA@\fIRSA\fR is supported.
5e5f7c
 @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported.
5e5f7c
 @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported.
5e5f7c
@@ -58,7 +58,7 @@ software.
5e5f7c
 
5e5f7c
 .IP digest
5e5f7c
 This is the digest algorithm which will be used when signing certificate
5e5f7c
-signing requests and self-signed certificates.  Recognized values include
5e5f7c
+signing requests and self\-signed certificates.  Recognized values include
5e5f7c
 \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP.  The default is
5e5f7c
 \fIsha256\fP.  It is not recommended that this value be changed except in cases
5e5f7c
 where the default is incompatible with other software.
5e5f7c
@@ -95,14 +95,14 @@ There is effectively no default for this setting.
5e5f7c
 Within the \fIselfsign\fR section, these variables and values are recognized:
5e5f7c
 
5e5f7c
 .IP validity_period
5e5f7c
-This is the validity period given to self-signed certificates.
5e5f7c
+This is the validity period given to self\-signed certificates.
5e5f7c
 The value is specified as a combination of years (y), months (M), weeks (w),
5e5f7c
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
5e5f7c
 specified, seconds are assumed.
5e5f7c
 The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
5e5f7c
 
5e5f7c
 .IP populate_unique_id
5e5f7c
-This controls whether or not self-signed certificates will have their
5e5f7c
+This controls whether or not self\-signed certificates will have their
5e5f7c
 subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits
5e5f7c
 their use, they may be needed and/or used by older applications.  The default
5e5f7c
 value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
5e5f7c
@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
5e5f7c
 Within the \fIlocal\fR section, these variables and values are recognized:
5e5f7c
 
5e5f7c
 .IP validity_period
5e5f7c
-This is the validity period given to the locally-signed CA's certificate when it
5e5f7c
+This is the validity period given to the locally\-signed CA's certificate when it
5e5f7c
 is generated.
5e5f7c
 The value is specified as a combination of years (y), months (M), weeks (w),
5e5f7c
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
5e5f7c
diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in
5e5f7c
index 31b3b93..54f55f5 100644
5e5f7c
--- a/src/getcert-add-ca.1.in
5e5f7c
+++ b/src/getcert-add-ca.1.in
5e5f7c
@@ -1,10 +1,10 @@
5e5f7c
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
 getcert
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-getcert add-ca [options]
5e5f7c
+getcert add\-ca [options]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be
5e5f7c
@@ -12,17 +12,17 @@ used to enroll certificates.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR NAME
5e5f7c
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
5e5f7c
 The nickname to give to this CA configuration.  This same value can later be
5e5f7c
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
5e5f7c
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
5e5f7c
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
5e5f7c
 .TP
5e5f7c
-\fB\-e\fR COMMAND
5e5f7c
+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
5e5f7c
 The helper command to run for communicating with the CA.  The helper will be
5e5f7c
 used to pass signing requests to the CA, relay the CA's responses back to the
5e5f7c
 \fIcertmonger\fR service, and to read information about the CA.
5e5f7c
 .TP
5e5f7c
-\fB\-v\fR
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
 Be verbose about errors.  Normally, the details of an error received from
5e5f7c
 the daemon will be suppressed if the client can make a diagnostic suggestion.
5e5f7c
 
5e5f7c
@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-scep\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-request\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
5e5f7c
index bf07306..c2751ed 100644
5e5f7c
--- a/src/getcert-add-scep-ca.1.in
5e5f7c
+++ b/src/getcert-add-scep-ca.1.in
5e5f7c
@@ -1,64 +1,64 @@
5e5f7c
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
 getcert
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-getcert add-scep-ca [options]
5e5f7c
+getcert add\-scep\-ca [options]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to
5e5f7c
-enroll certificates.  The configuration will use the bundled \fIscep-submit\fR
5e5f7c
-helper.  The \fIadd-scep-ca\fR command is more or less a wrapper for the
5e5f7c
-\fIadd-ca\fR command.
5e5f7c
+enroll certificates.  The configuration will use the bundled \fIscep\-submit\fR
5e5f7c
+helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
5e5f7c
+\fIadd\-ca\fR command.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR NAME
5e5f7c
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
5e5f7c
 The nickname to give to this CA configuration.  This same value can later be
5e5f7c
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
5e5f7c
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
5e5f7c
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
5e5f7c
 .TP
5e5f7c
-\fB\-u\fR URL
5e5f7c
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
5e5f7c
 The location of the SCEP server's enrollment interface.  This option must be
5e5f7c
 specified.
5e5f7c
 .TP
5e5f7c
-\fB\-R\fR ca-certificate-file
5e5f7c
-The location of a PEM-formatted copy of the CA's certificate used to verify
5e5f7c
+\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR
5e5f7c
+The location of a PEM\-formatted copy of the CA's certificate used to verify
5e5f7c
 the TLS connection the SCEP server.
5e5f7c
 
5e5f7c
 This option must be specified if the URL is an \fIhttps\fR location.
5e5f7c
 .TP
5e5f7c
-\fB\-N\fR ca-certificate-file
5e5f7c
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
5e5f7c
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
5e5f7c
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
5e5f7c
 A discovered value is normally supplied by the certmonger daemon, but one can
5e5f7c
 be specified for troubleshooting purposes.
5e5f7c
 .TP
5e5f7c
-\fB\-r\fR ra-certificate-file
5e5f7c
-The location of a PEM-formatted copy of the SCEP server's RA's certificate.
5e5f7c
+\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR
5e5f7c
+The location of a PEM\-formatted copy of the SCEP server's RA's certificate.
5e5f7c
 A discovered value is normally supplied by the certmonger daemon, but one can
5e5f7c
 be specified for troubleshooting purposes.
5e5f7c
 .TP
5e5f7c
-\fB\-I\fR other-certificates-file
5e5f7c
-The location of a file containing other PEM-formatted certificates which may be
5e5f7c
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
5e5f7c
+The location of a file containing other PEM\-formatted certificates which may be
5e5f7c
 needed in order to properly verify signed responses sent by the SCEP server
5e5f7c
 back to the client.  A discovered set is normally supplied by the certmonger
5e5f7c
 daemon, but can be specified for troubleshooting purposes.
5e5f7c
 .TP
5e5f7c
-\fB\-i\fR identifier
5e5f7c
+\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR
5e5f7c
 A CA identifier value which will passed to the server when the
5e5f7c
-\fIscep-submit\fR helper is used to retrieve copies of the server's
5e5f7c
+\fIscep\-submit\fR helper is used to retrieve copies of the server's
5e5f7c
 certificates.
5e5f7c
 .TP
5e5f7c
-\fB\-n\fR
5e5f7c
-The SCEP Renewal feature allows a client with a previously-issued certificate
5e5f7c
+\fB\-n\fR, \fB\-\-non\-renewal\fR
5e5f7c
+The SCEP Renewal feature allows a client with a previously\-issued certificate
5e5f7c
 to use that certificate and the associated private key to request a new
5e5f7c
 certificate for a different key pair, and can be used to support
5e5f7c
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
5e5f7c
-it.  This option forces the \fIscep-submit\fR helper to issue requests without
5e5f7c
+it.  This option forces the \fIscep\-submit\fR helper to issue requests without
5e5f7c
 making use of this feature.
5e5f7c
 .TP
5e5f7c
-\fB\-v\fR
5e5f7c
+\fB\-v\fR, \fB\-\-verbose\fR
5e5f7c
 Be verbose about errors.  Normally, the details of an error received from
5e5f7c
 the daemon will be suppressed if the client can make a diagnostic suggestion.
5e5f7c
 
5e5f7c
@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-list-cas\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
5e5f7c
-\fBcertmonger-dogtag-submit\fR(8)
5e5f7c
-\fBcertmonger-ipa-submit\fR(8)
5e5f7c
-\fBcertmonger-local-submit\fR(8)
5e5f7c
-\fBcertmonger-scep-submit\fR(8)
5e5f7c
+\fBgetcert\-add\-ca\fR(1)
5e5f7c
+\fBgetcert\-list\-cas\fR(1)
5e5f7c
+\fBgetcert\-list\fR(1)
5e5f7c
+\fBgetcert\-modify\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\-ca\fR(1)
5e5f7c
+\fBgetcert\-refresh\fR(1)
5e5f7c
+\fBgetcert\-rekey\fR(1)
5e5f7c
+\fBgetcert\-remove\-ca\fR(1)
5e5f7c
+\fBgetcert\-request\fR(1)
5e5f7c
+\fBgetcert\-resubmit\fR(1)
5e5f7c
+\fBgetcert\-status\fR(1)
5e5f7c
+\fBgetcert\-stop\-tracking\fR(1)
5e5f7c
+\fBcertmonger\-certmaster\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
5e5f7c
+\fBcertmonger\-dogtag\-submit\fR(8)
5e5f7c
+\fBcertmonger\-ipa\-submit\fR(8)
5e5f7c
+\fBcertmonger\-local\-submit\fR(8)
5e5f7c
+\fBcertmonger\-scep\-submit\fR(8)
5e5f7c
 \fBcertmonger_selinux\fR(8)
5e5f7c
diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in
5e5f7c
index 7f250e5..ff4e14f 100644
5e5f7c
--- a/src/getcert-list-cas.1.in
5e5f7c
+++ b/src/getcert-list-cas.1.in
5e5f7c
@@ -1,17 +1,17 @@
5e5f7c
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
5e5f7c
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
5e5f7c
 
5e5f7c
 .SH NAME
5e5f7c
 getcert
5e5f7c
 
5e5f7c
 .SH SYNOPSIS
5e5f7c
-getcert list-cas [options]
5e5f7c
+getcert list\-cas [options]
5e5f7c
 
5e5f7c
 .SH DESCRIPTION
5e5f7c
 Queries \fIcertmonger\fR for a list of known CAs.
5e5f7c
 
5e5f7c
 .SH OPTIONS
5e5f7c
 .TP
5e5f7c
-\fB\-c\fR NAME
5e5f7c
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
5e5f7c
 List only information about the CA which has the specified nickname.
5e5f7c
 
5e5f7c
 .SH BUGS
5e5f7c
@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
5e5f7c
 .SH SEE ALSO
5e5f7c
 \fBcertmonger\fR(8)
5e5f7c
 \fBgetcert\fR(1)
5e5f7c
-\fBgetcert-add-ca\fR(1)
5e5f7c
-\fBgetcert-add-scep-ca\fR(1)
5e5f7c
-\fBgetcert-list\fR(1)
5e5f7c
-\fBgetcert-modify-ca\fR(1)
5e5f7c
-\fBgetcert-refresh-ca\fR(1)
5e5f7c
-\fBgetcert-refresh\fR(1)
5e5f7c
-\fBgetcert-rekey\fR(1)
5e5f7c
-\fBgetcert-remove-ca\fR(1)
5e5f7c
-\fBgetcert-request\fR(1)
5e5f7c
-\fBgetcert-resubmit\fR(1)
5e5f7c
-\fBgetcert-start-tracking\fR(1)
5e5f7c
-\fBgetcert-status\fR(1)
5e5f7c
-\fBgetcert-stop-tracking\fR(1)
5e5f7c
-\fBcertmonger-certmaster-submit\fR(8)