rpms / certmonger

Clone
Source Code
GIT

Blame SOURCES/0042-Add-long-command-line-options-to-man-pages.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   8bf71a9c67d455a892d8a916afa3311999d98ee7
  2.   SOURCES
  3.   0042-Add-long-command-line-options-to-man-pages.patch
Blob History Raw
f0b236 
From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001
f0b236 
From: Rob Crittenden <rcritten@redhat.com>
f0b236 
Date: Thu, 14 May 2020 14:15:17 -0400
f0b236 
Subject: [PATCH 42/43] Add long command-line options to man pages
f0b236
f0b236 
The man pages almost universally only documented the short
f0b236 
options even though the long options were all defined in
f0b236 
the popt configuration.
f0b236
f0b236 
Also do a bit of minor bit of reformatting and added a lint
f0b236 
option. I'm not going to require mandoc as a requirement as
f0b236 
the linting is pretty minor at the moment but it's better than
f0b236 
nothing.
f0b236
f0b236 
https://bugzilla.redhat.com/show_bug.cgi?id=1782838
f0b236 
---
f0b236 
 src/Makefile.am                               |   6 +
f0b236 
 src/certmaster-getcert.1.in                   |  72 ++---
f0b236 
 src/certmonger-certmaster-submit.8.in         |  59 ++--
f0b236 
 ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++-------
f0b236 
 src/certmonger-dogtag-submit.8.in             | 252 ++++++++-------
f0b236 
 src/certmonger-ipa-submit.8.in                | 115 ++++---
f0b236 
 src/certmonger-local-submit.8.in              |  62 ++--
f0b236 
 src/certmonger-scep-submit.8.in               | 124 ++++----
f0b236 
 src/certmonger.8.in                           |  86 +++---
f0b236 
 src/certmonger.conf.5.in                      |  20 +-
f0b236 
 src/getcert-add-ca.1.in                       |  48 +--
f0b236 
 src/getcert-add-scep-ca.1.in                  |  80 ++---
f0b236 
 src/getcert-list-cas.1.in                     |  44 +--
f0b236 
 src/getcert-list.1.in                         |  84 ++---
f0b236 
 src/getcert-modify-ca.1.in                    |  46 +--
f0b236 
 src/getcert-refresh-ca.1.in                   |  50 +--
f0b236 
 src/getcert-refresh.1.in                      |  52 ++--
f0b236 
 src/getcert-rekey.1.in                        | 107 ++++---
f0b236 
 src/getcert-remove-ca.1.in                    |  44 +--
f0b236 
 src/getcert-request.1.in                      | 157 ++++++----
f0b236 
 src/getcert-resubmit.1.in                     | 112 ++++---
f0b236 
 src/getcert-start-tracking.1.in               | 134 ++++----
f0b236 
 src/getcert-status.1.in                       |  54 ++--
f0b236 
 src/getcert-stop-tracking.1.in                |  65 ++--
f0b236 
 src/getcert.1.in                              |  54 ++--
f0b236 
 src/ipa-getcert.1.in                          |  74 ++---
f0b236 
 src/local-getcert.1.in                        |  76 ++---
f0b236 
 src/selfsign-getcert.1.in                     |  74 ++---
f0b236 
 28 files changed, 1321 insertions(+), 1118 deletions(-)
f0b236
f0b236 
diff --git a/src/Makefile.am b/src/Makefile.am
f0b236 
index fe3b235..5343dbc 100644
f0b236 
--- a/src/Makefile.am
f0b236 
+++ b/src/Makefile.am
f0b236 
@@ -266,3 +266,9 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN
f0b236 
 submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h
f0b236 
 submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \
f0b236 
 		 $(POPT_LIBS)
f0b236 
+
f0b236 
+.PHONY: manlint
f0b236 
+manlint: $(man_MANS)
f0b236 
+	for page in $(MANS); do \
f0b236 
+		mandoc -T lint $${page}; \
f0b236 
+	done
f0b236 
diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in
f0b236 
index ef1c14a..7a038f9 100644
f0b236 
--- a/src/certmaster-getcert.1.in
f0b236 
+++ b/src/certmaster-getcert.1.in
f0b236 
@@ -1,20 +1,20 @@
f0b236 
-.TH certmonger 1 "23 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-certmaster-getcert
f0b236 
+certmaster\-getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
- certmaster-getcert request [options]
f0b236 
- certmaster-getcert resubmit [options]
f0b236 
- certmaster-getcert start-tracking [options]
f0b236 
- certmaster-getcert status [options]
f0b236 
- certmaster-getcert stop-tracking [options]
f0b236 
- certmaster-getcert list [options]
f0b236 
- certmaster-getcert list-cas [options]
f0b236 
- certmaster-getcert refresh-cas [options]
f0b236 
+ certmaster\-getcert request [options]
f0b236 
+ certmaster\-getcert resubmit [options]
f0b236 
+ certmaster\-getcert start\-tracking [options]
f0b236 
+ certmaster\-getcert status [options]
f0b236 
+ certmaster\-getcert stop\-tracking [options]
f0b236 
+ certmaster\-getcert list [options]
f0b236 
+ certmaster\-getcert list\-cas [options]
f0b236 
+ certmaster\-getcert refresh\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
+The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
 service on behalf of the invoking user.  It can ask the service to begin
f0b236 
 enrollment, optionally generating a key pair to use, it can ask the
f0b236 
 service to begin monitoring a certificate in a specified location for
f0b236 
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
f0b236 
 list the set of certificates that the service is already monitoring, or
f0b236 
 it can list the set of CAs that the service is capable of using.
f0b236
f0b236 
-If no command is given as the first command-line argument,
f0b236 
-\fIcertmaster-getcert\fR will print short usage information for each of
f0b236 
+If no command is given as the first command\-line argument,
f0b236 
+\fIcertmaster\-getcert\fR will print short usage information for each of
f0b236 
 its functions.
f0b236
f0b236 
-The \fIcertmaster-getcert\fR tool behaves identically to the generic
f0b236 
-\fIgetcert\fR tool when it is used with the \fB-c
f0b236 
+The \fIcertmaster\-getcert\fR tool behaves identically to the generic
f0b236 
+\fIgetcert\fR tool when it is used with the \fB\-c
f0b236 
 \fI@CM_CERTMASTER_CA_NAME@\fR option.
f0b236
f0b236 
 There is no standard authenticated method for obtaining the root certificate
f0b236 
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
f0b236 
-information from them.  While the \fB-F\fR and \fB-a\fR options will still
f0b236 
+information from them.  While the \fB\-F\fR and \fB\-a\fR options will still
f0b236 
 be recognized, they will effectively be ignored.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in
f0b236 
index aec8b83..e3e990f 100644
f0b236 
--- a/src/certmonger-certmaster-submit.8.in
f0b236 
+++ b/src/certmonger-certmaster-submit.8.in
f0b236 
@@ -1,17 +1,17 @@
f0b236 
-.TH certmonger 8 "7 June 2010" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-certmaster-submit
f0b236 
+certmaster\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]
f0b236 
+certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make
f0b236 
-requests to certmaster-based CAs.  It is not normally run interactively,
f0b236 
+\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make
f0b236 
+requests to certmaster\-based CAs.  It is not normally run interactively,
f0b236 
 but it can be for troubleshooting purposes.  The signing request which is
f0b236 
 to be submitted should either be in a file whose name is given as an argument,
f0b236 
-or fed into \fIcertmaster-submit\fR via stdin.
f0b236 
+or fed into \fIcertmaster\-submit\fR via stdin.
f0b236
f0b236 
 There is no standard authenticated method for obtaining the root certificate
f0b236 
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
f0b236 
@@ -19,21 +19,24 @@ information from them.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-h\fR serverHost
f0b236 
+\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR
f0b236 
 Submit the request to the certmaster instance running on the named host.  The
f0b236 
 default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR
f0b236 
 is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR
f0b236 
 if that file is not found.
f0b236 
 .TP
f0b236 
-\fB\-c\fR cafile
f0b236 
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
f0b236 
 Submit the request over HTTPS instead of HTTP, and only trust the server
f0b236 
 if its certificate was issued by the CA whose certificate is in the named file.
f0b236 
 .TP
f0b236 
-\fB\-C\fR capath
f0b236 
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
f0b236 
 Submit the request over HTTPS instead of HTTP, and only trust the server
f0b236 
 if its certificate was issued by a CA whose certificate is in a file in
f0b236 
 the named directory.
f0b236 
-
f0b236 
+.TP
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
+Be verbose about errors.  Normally, the details of an error received from
f0b236 
+the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236 
 .SH EXIT STATUS
f0b236 
 .TP
f0b236 
 0
f0b236 
@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
f0b236 
index 84c8b0d..33e0648 100644
f0b236 
--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
f0b236 
+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
f0b236 
@@ -1,44 +1,51 @@
f0b236 
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-dogtag-ipa-renew-agent-submit
f0b236 
+dogtag\-ipa\-renew\-agent\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
f0b236 
-[-d dbdir]
f0b236 
-[-n nickname]
f0b236 
-[-i cainfo]
f0b236 
-[-C capath]
f0b236 
-[-c certfile]
f0b236 
-[-k keyfile]
f0b236 
-[-p pinfile]
f0b236 
-[-P pin]
f0b236 
-[-s serial (hex)]
f0b236 
-[-D serial (decimal)]
f0b236 
-[-S state]
f0b236 
-[-T profile]
f0b236 
-[-O param=value]
f0b236 
-[-N | -R]
f0b236 
-[-t]
f0b236 
-[-o option=value]
f0b236 
-[-v]
f0b236 
+dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL
f0b236 
+[\-d dbdir]
f0b236 
+[\-n nickname]
f0b236 
+[\-i cainfo]
f0b236 
+[\-C capath]
f0b236 
+[\-c certfile]
f0b236 
+[\-k keyfile]
f0b236 
+[\-p pinfile]
f0b236 
+[\-P pin]
f0b236 
+[\-s serial (hex)]
f0b236 
+[\-D serial (decimal)]
f0b236 
+[\-S state]
f0b236 
+[\-T profile]
f0b236 
+[\-O param=value]
f0b236 
+[\-N | \-R]
f0b236 
+[\-t]
f0b236 
+[\-o option=value]
f0b236 
+[\-a]
f0b236 
+[\-u uid]
f0b236 
+[\-U udn]
f0b236 
+[\-W pwd]
f0b236 
+[\-w pwdfile]
f0b236 
+[\-Y pin]
f0b236 
+[\-y pinfile]
f0b236 
 [csrfile]
f0b236
f0b236 
+
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses
f0b236 
+\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses
f0b236 
 to make certificate renewal requests to Dogtag instances running on IPA
f0b236 
 servers.  It is not normally run interactively, but it can be for
f0b236 
 troubleshooting purposes.
f0b236
f0b236 
-The preferred option is to request a renewal of an already-issued certificate,
f0b236 
-using its serial number, which can be read from a PEM-formatted certificate
f0b236 
+The preferred option is to request a renewal of an already\-issued certificate,
f0b236 
+using its serial number, which can be read from a PEM\-formatted certificate
f0b236 
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
f0b236 
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
f0b236 
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
f0b236 
 provided, then the client will attempt to obtain a new certificate by
f0b236 
 submitting a signing request to the CA.
f0b236
f0b236 
 The signing request which is to be submitted should either be in a file whose
f0b236 
-name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR
f0b236 
+name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR
f0b236 
 via stdin.
f0b236
f0b236 
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
f0b236 
@@ -46,8 +53,8 @@ CAs.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-E\fR EE-URL
f0b236 
-The top-level URL for the end-entity interface provided by the CA.  In IPA
f0b236 
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
f0b236 
+The top\-level URL for the end\-entity interface provided by the CA.  In IPA
f0b236 
 installations, this is typically
f0b236 
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
f0b236 
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
f0b236 
@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the
f0b236 
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will
f0b236 
 be set to 8080.  Otherwise it will be 9180.
f0b236 
 .TP
f0b236 
-\fB\-A\fR AGENT-URL
f0b236 
-The top-level URL for the agent interface provided by the CA.  In IPA
f0b236 
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
f0b236 
+The top\-level URL for the agent interface provided by the CA.  In IPA
f0b236 
 installations, this is typically
f0b236 
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
f0b236 
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
f0b236 
@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the
f0b236 
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will
f0b236 
 be set to 8443.  Otherwise it will be 9443.
f0b236 
 .TP
f0b236 
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
f0b236 
-The location of the key and certificate which the client should use to
f0b236 
-authenticate to the CA's agent interface.  Exactly which values are
f0b236 
-meaningful depend on which cryptography library your copy of libcurl was
f0b236 
-linked with.
f0b236 
-
f0b236 
-If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,
f0b236 
-\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is
f0b236 
-used:
f0b236 
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
f0b236 
- \fB-d\fR \fI/etc/httpd/alias\fR
f0b236 
- \fB-n\fR \fIipaCert\fR
f0b236 
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
f0b236 
-.TP
f0b236 
-\fB\-p\fR pinfile
f0b236 
-The name of a file which contains a PIN/password which will be needed in
f0b236 
-order to make use of the agent credentials.
f0b236 
-
f0b236 
-If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,
f0b236 
-\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set
f0b236 
-of defaults is used:
f0b236 
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
f0b236 
- \fB-d\fR \fI/etc/httpd/alias\fR
f0b236 
- \fB-n\fR \fIipaCert\fR
f0b236 
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
f0b236 
-.TP
f0b236 
-\fB\-i\fR cainfo \fB\-C\fR capath
f0b236 
+\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR
f0b236 
 The location of a file containing a copy of the CA's certificate, against which
f0b236 
-the CA server's certificate will be verified, or a directory containing, among
f0b236 
-other things, such a file.
f0b236 
-
f0b236 
-If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,
f0b236 
-\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set
f0b236 
-of defaults is used:
f0b236 
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
f0b236 
- \fB-d\fR \fI/etc/httpd/alias\fR
f0b236 
- \fB-n\fR \fIipaCert\fR
f0b236 
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
f0b236 
-.TP
f0b236 
-\fB-s\fR serial
f0b236 
-The serial number of an already-issued certificate for which the client should
f0b236 
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
f0b236 
+the CA server's certificate will be verified. The default is
f0b236 
+\fB/etc/ipa/ca.crt\fR.
f0b236 
+.TP
f0b236 
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
f0b236 
+The location of a directory containing a copy of the CA's certificate,
f0b236 
+against which the CA server's certificate will be verified.
f0b236 
+.TP
f0b236 
+\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
f0b236 
+The serial number of an already\-issued certificate for which the client should
f0b236 
+attempt to obtain a new certificate, in hexidecimal form, if one can not be
f0b236 
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
f0b236 
 .TP
f0b236 
-\fB-D\fR serial
f0b236 
-The serial number of an already-issued certificate for which the client should
f0b236 
+\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB
f0b236 
+The serial number of an already\-issued certificate for which the client should
f0b236 
 attempt to obtain a new certificate, in decimal form, if one can not be
f0b236 
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
f0b236 
 .TP
f0b236 
-\fB-S\fR state
f0b236 
+\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR
f0b236 
 A cookie value provided by a previous instance of this helper, if the helper
f0b236 
-is being asked to continue a multi-step enrollment process.  If the
f0b236 
+is being asked to continue a multi\-step enrollment process.  If the
f0b236 
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
f0b236 
 .TP
f0b236 
-\fB-T\fR profile/template
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 The name of the type of certificate which the client should request from the CA
f0b236 
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
f0b236 
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
f0b236 
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
f0b236 
 Otherwise, the default value is \fBcaServerCert\fP.
f0b236 
 .TP
f0b236 
-\fB-O\fR param=value
f0b236 
+\fB\-t\fR, \fB\-\-profile\-list\fR
f0b236 
+Instead of attempting to obtain a new certificate, query the server for a list
f0b236 
+of the enabled enrollment profiles.
f0b236 
+.TP
f0b236 
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR
f0b236 
 An additional parameter to pass to the server when approving the signing
f0b236 
-request using the agent's credentials.  By default, any server-supplied default
f0b236 
+request using the agent's credentials.  By default, any server\-supplied default
f0b236 
 settings are applied.  This option can be used either to override a
f0b236 
-server-supplied default setting, or to supply one which would otherwise have
f0b236 
+server\-supplied default setting, or to supply one which would otherwise have
f0b236 
 not been used.
f0b236 
 .TP
f0b236 
-\fB-N\fR
f0b236 
-Even if an already-issued certificate is available in the
f0b236 
+\fB\-N\fR, \fB\-\-force\-new\fR
f0b236 
+Even if an already\-issued certificate is available in the
f0b236 
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
f0b236 
 provided, don't attempt to renew a certificate using its serial number.
f0b236 
 Instead, attempt to obtain a new certificate using the signing request.
f0b236 
 The default behavior is to request a renewal if possible.
f0b236 
 .TP
f0b236 
-\fB-R\fR
f0b236 
-Negates the effect of the \fB-N\fR flag.
f0b236 
-.TP
f0b236 
-\fB-t\fR
f0b236 
-Instead of attempting to obtain a new certificate, query the server for a list
f0b236 
-of the enabled enrollment profiles.
f0b236 
+\fB\-R\fR, \fB\-\-force\-renew\fR
f0b236 
+Negates the effect of the \fB\-N\fR flag.
f0b236 
 .TP
f0b236 
-\fB-o\fR param=value
f0b236 
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
f0b236 
 When initially submitting a request to the CA, add the specified parameter and
f0b236 
 value along with any request parameters which would otherwise be sent.  This
f0b236 
 option is not typically used.
f0b236 
 .TP
f0b236 
-\fB-v\fR
f0b236 
+\fB\-a\fR, \fB\-\-agent\-submit\fR
f0b236 
+Use agent credentials, specified using some combination of the \fB\-d\fR,
f0b236 
+\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
f0b236 
+initially submitting a request to the CA or retrieving the list of enabled
f0b236 
+enrollment profiles.
f0b236 
+This is typically required when the enrollment profile being used uses
f0b236 
+\fIAgentCertAuth\fR\-based
f0b236 
+authentication,
f0b236 
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
f0b236 
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
f0b236 
+.TP
f0b236 
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
f0b236 
+When initially submitting a request to the CA, supply the specified value as a user name.
f0b236 
+This is typically required when the enrollment profile being used uses
f0b236 
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
f0b236 
+authentication..TP
f0b236 
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
f0b236 
+When initially submitting a request to the CA, supply the specified value as the DN
f0b236 
+(distinguished name) of the user's entry in a directory server which the CA is
f0b236 
+configured to use for checking the user's password.
f0b236 
+This is typically required when the enrollment profile being used uses
f0b236 
+\fIUdnPwdDirAuth\fR\-based
f0b236 
+authentication.
f0b236 
+.TP
f0b236 
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
f0b236 
+When initially submitting a request to the CA, supply the specified value as the password
f0b236 
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
f0b236 
+specified with the \fB\-U\fR option.
f0b236 
+This is typically only required when the enrollment profile being used uses
f0b236 
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
f0b236 
+authentication.
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
+will not be encrypted.
f0b236 
+.TP
f0b236 
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
f0b236 
+When initially submitting a request to the CA, read from the specified file a
f0b236 
+password to supply for the user whose name is specified with the \fB\-u\fR
f0b236 
+option, or whose DN is specified with the \fB\-U\fR option.
f0b236 
+This is typically only required when the enrollment profile being used uses
f0b236 
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
f0b236 
+authentication.
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
+will not be encrypted.
f0b236 
+.TP
f0b236 
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
f0b236 
+When initially submitting a request to the CA, supply the specified value as the PIN
f0b236 
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
f0b236 
+specified with the \fB\-U\fR option.
f0b236 
+This is typically only required when the enrollment profile being used uses
f0b236 
+\fIUidPwdPinDirAuth\fR\-based
f0b236 
+authentication.
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
+will not be encrypted.
f0b236 
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
f0b236 
+When initially submitting a request to the CA, read from the specified file a
f0b236 
+PIN to supply for the user whose name is specified with the \fB\-u\fR
f0b236 
+option, or whose DN is specified with the \fB\-U\fR option.
f0b236 
+This is typically only required when the enrollment profile being used uses
f0b236 
+\fIUidPwdPinDirAuth\fR\-based
f0b236 
+authentication.  If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
+will not be encrypted.
f0b236 
+.TP
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Increases the logging level.  Use twice for more logging.  This option is mainly
f0b236 
 useful for troubleshooting.
f0b236 
-
f0b236 
+.SH AGENT KEY AND CERTIFICATE OPTIONS
f0b236 
+Options that provide the location for the private key and public certificate
f0b236 
+which the client should use to authenticate to the CA's agent interface.
f0b236 
+The values to use depend on which cryptography library your copy of libcurl
f0b236 
+was linked with.
f0b236 
+.TP
f0b236 
+If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
f0b236 
+ \fB\-i\fR \fI/etc/ipa/ca.crt\fR
f0b236 
+ \fB\-d\fR \fI/etc/httpd/alias\fR
f0b236 
+ \fB\-n\fR \fIipaCert\fR
f0b236 
+ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
f0b236 
+.TP
f0b236 
+\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
f0b236 
+Use an NSS database in the specified directory for this certificate
f0b236 
+and key. Only valid with \-n.
f0b236 
+.TP
f0b236 
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
f0b236 
+Use the NSS key with this nickname. Only valid with \-d.
f0b236 
+.TP
f0b236 
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
+The PEM file that contains the public certificate. Only valid with \-k.
f0b236 
+.TP
f0b236 
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
f0b236 
+The PEM file that contains the private certificate. Only valid with \-c.
f0b236 
+.TP
f0b236 
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
f0b236 
+The name of a file which contains a PIN/password which will be needed in
f0b236 
+order to make use of the agent credentials.
f0b236 
+.TP
f0b236 
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
f0b236 
+The name of a file which contains a PIN/password which will be needed in
f0b236 
+order to make use of the agent credentials.
f0b236 
 .SH EXIT STATUS
f0b236 
 .TP
f0b236 
 0
f0b236 
@@ -189,7 +259,7 @@ pair.
f0b236 
 .TP
f0b236 
 .I /etc/ipa/default.conf
f0b236 
 is the IPA client configuration file.  This file is consulted to determine
f0b236 
-the URL for the Dogtag server's end-entity and agent interfaces if they are
f0b236 
+the URL for the Dogtag server's end\-entity and agent interfaces if they are
f0b236 
 not supplied as arguments.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in
f0b236 
index 19ecab7..e92de67 100644
f0b236 
--- a/src/certmonger-dogtag-submit.8.in
f0b236 
+++ b/src/certmonger-dogtag-submit.8.in
f0b236 
@@ -1,196 +1,214 @@
f0b236 
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-dogtag-submit
f0b236 
+dogtag\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-dogtag-submit -E EE-URL -A AGENT-URL
f0b236 
-[-d dbdir]
f0b236 
-[-n nickname]
f0b236 
-[-i cainfo]
f0b236 
-[-C capath]
f0b236 
-[-c certfile]
f0b236 
-[-k keyfile]
f0b236 
-[-p pinfile]
f0b236 
-[-P pin]
f0b236 
-[-s serial (hex)]
f0b236 
-[-D serial (decimal)]
f0b236 
-[-S state]
f0b236 
-[-T profile]
f0b236 
-[-O param=value]
f0b236 
-[-N | -R]
f0b236 
-[-t]
f0b236 
-[-o option=value]
f0b236 
-[-a ]
f0b236 
-[-u username]
f0b236 
-[-U userdn]
f0b236 
-[-W userpassword]
f0b236 
-[-w userpasswordfile]
f0b236 
-[-Y userpin]
f0b236 
-[-y userpinfile]
f0b236 
-[-v]
f0b236 
+dogtag\-submit \-E EE\-URL \-A AGENT\-URL
f0b236 
+[\-d DIR]
f0b236 
+[\-n NAME]
f0b236 
+[\-i FILE]
f0b236 
+[\-C DIR]
f0b236 
+[\-c FILE]
f0b236 
+[\-k FILE]
f0b236 
+[\-p FILE]
f0b236 
+[\-P PIN]
f0b236 
+[\-s serial (hex)]
f0b236 
+[\-D serial (decimal)]
f0b236 
+[\-S state]
f0b236 
+[\-T profile]
f0b236 
+[\-O param=value]
f0b236 
+[\-N | \-R]
f0b236 
+[\-t]
f0b236 
+[\-o option=value]
f0b236 
+[\-a]
f0b236 
+[\-u username]
f0b236 
+[\-U userdn]
f0b236 
+[\-W PASSWORD]
f0b236 
+[\-w FILE]
f0b236 
+[\-Y PIN]
f0b236 
+[\-y FILE]
f0b236 
+[\-v]
f0b236 
 [csrfile]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make
f0b236 
+\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make
f0b236 
 certificate enrollment and renewal requests to Dogtag servers.  It is not
f0b236 
 normally run interactively, but it can be for troubleshooting purposes.
f0b236
f0b236 
-The preferred option is to request a renewal of an already-issued certificate,
f0b236 
-using its serial number, which can be read from a PEM-formatted certificate
f0b236 
+The preferred option is to request a renewal of an already\-issued certificate,
f0b236 
+using its serial number, which can be read from a PEM\-formatted certificate
f0b236 
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
f0b236 
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
f0b236 
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
f0b236 
 provided, then the client will attempt to obtain a new certificate by
f0b236 
 submitting a signing request to the CA.
f0b236
f0b236 
 The signing request which is to be submitted should either be in a file whose
f0b236 
-name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.
f0b236 
+name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.
f0b236
f0b236 
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
f0b236 
 CAs.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-E\fR EE-URL
f0b236 
-The top-level URL for the end-entity interface provided by the CA, through
f0b236 
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
f0b236 
+The top\-level URL for the end\-entity interface provided by the CA, through
f0b236 
 which the initial enrollment request will be submitted.  This is typically
f0b236 
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
f0b236 
 .TP
f0b236 
-\fB\-A\fR AGENT-URL
f0b236 
-The top-level URL for the agent interface provided by the CA, through which the
f0b236 
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
f0b236 
+The top\-level URL for the agent interface provided by the CA, through which the
f0b236 
 request can be approved using agent credentials.  This is typically
f0b236 
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
f0b236 
 .TP
f0b236 
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
f0b236 
-The location of the key and certificate which the client should use to
f0b236 
-authenticate to the CA's agent interface.  Exactly which values are
f0b236 
-meaningful depend on which cryptography library your copy of libcurl was
f0b236 
-linked with.
f0b236 
-.TP
f0b236 
-\fB\-p\fR pinfile
f0b236 
-The name of a file which contains a PIN/password which will be needed in
f0b236 
-order to make use of the agent credentials.
f0b236 
-.TP
f0b236 
-\fB\-i\fR cainfo \fB\-C\fR capath
f0b236 
+\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
f0b236 
 The location of a file containing a copy of the CA's certificate, against which
f0b236 
-the CA server's certificate will be verified, or a directory containing, among
f0b236 
-other things, such a file.
f0b236 
+the CA server's certificate will be verified.
f0b236 
 .TP
f0b236 
-\fB-s\fR serial
f0b236 
-The serial number of an already-issued certificate for which the client should
f0b236 
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
f0b236 
-read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
f0b236 
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
f0b236 
+The location of a directory containing a copy of the CA's certificate(s),
f0b236 
+against which the CA server's certificate will be verified.
f0b236 
 .TP
f0b236 
-\fB-D\fR serial
f0b236 
-The serial number of an already-issued certificate for which the client should
f0b236 
+\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR
f0b236 
+The serial number of an already\-issued certificate for which the client should
f0b236 
 attempt to obtain a new certificate, in decimal form, if one can not be
f0b236 
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
f0b236 
 .TP
f0b236 
-\fB-S\fR state
f0b236 
+\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR
f0b236 
+The serial number of an already\-issued certificate for which the client should
f0b236 
+attempt to obtain a new certificate, in hexadecimal form, if one can not be
f0b236 
+read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
f0b236 
+.TP
f0b236 
+\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR
f0b236 
 A cookie value provided by a previous instance of this helper, if the helper
f0b236 
-is being asked to continue a multi-step enrollment process.  If the
f0b236 
+is being asked to continue a multi\-step enrollment process.  If the
f0b236 
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
f0b236 
 .TP
f0b236 
-\fB-T\fR profile/template
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 The name of the type of certificate which the client should request from the CA
f0b236 
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
f0b236 
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
f0b236 
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
f0b236 
 Otherwise, the default value is \fBcaServerCert\fP.
f0b236 
 .TP
f0b236 
-\fB-O\fR param=value
f0b236 
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR
f0b236 
 An additional parameter to pass to the server when approving the signing
f0b236 
-request using agent credentials.  By default, any server-supplied default
f0b236 
+request using agent credentials.  By default, any server\-supplied default
f0b236 
 settings are applied.  This option can be used either to override a
f0b236 
-server-supplied default setting, or to supply one which would otherwise have
f0b236 
-not been used.  Requires the \fB-A\fR option.
f0b236 
+server\-supplied default setting, or to supply one which would otherwise have
f0b236 
+not been used.  Requires the \fB\-A\fR option.
f0b236 
 .TP
f0b236 
-\fB-N\fR
f0b236 
-Even if an already-issued certificate is available in the
f0b236 
+\fB\-N\fR, \fB\-\-force\-new\fR
f0b236 
+Even if an already\-issued certificate is available in the
f0b236 
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
f0b236 
 provided, don't attempt to renew a certificate using its serial number.
f0b236 
 Instead, attempt to obtain a new certificate using the signing request.
f0b236 
 The default behavior is to request a renewal if possible.
f0b236 
 .TP
f0b236 
-\fB-R\fR
f0b236 
-Negates the effect of the \fB-N\fR flag.
f0b236 
+\fB\-R\fR, \fB\-\-force\-renew\fR
f0b236 
+Negates the effect of the \fB\-N\fR flag.
f0b236 
 .TP
f0b236 
-\fB-t\fR
f0b236 
+\fB\-t\fR, \fB\-\-profile\-list\fR
f0b236 
 Instead of attempting to obtain a new certificate, query the server for a list
f0b236 
 of the enabled enrollment profiles.
f0b236 
 .TP
f0b236 
-\fB-o\fR param=value
f0b236 
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
f0b236 
 When initially submitting a request to the CA, add the specified parameter and
f0b236 
 value along with any request parameters which would otherwise be sent.
f0b236 
 .TP
f0b236 
-\fB-a\fR
f0b236 
+\fB\-a\fR, \fB\-\-agent\-submit\fR
f0b236 
 Use agent credentials, specified using some combination of the \fB\-d\fR,
f0b236 
 \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
f0b236 
 initially submitting a request to the CA or retrieving the list of enabled
f0b236 
 enrollment profiles.
f0b236 
 This is typically required when the enrollment profile being used uses
f0b236 
-\fIAgentCertAuth\fR-based
f0b236 
+\fIAgentCertAuth\fR\-based
f0b236 
 authentication,
f0b236 
-and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,
f0b236 
-or when the URL specified using the \fB-E\fR flag is an HTTPS URL.
f0b236 
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
f0b236 
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
f0b236 
 .TP
f0b236 
-\fB-u username\fR
f0b236 
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
f0b236 
 When initially submitting a request to the CA, supply the specified value as a user name.
f0b236 
 This is typically required when the enrollment profile being used uses
f0b236 
-\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based
f0b236 
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
f0b236 
 authentication.
f0b236 
 .TP
f0b236 
-\fB-U userdn\fR
f0b236 
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
f0b236 
 When initially submitting a request to the CA, supply the specified value as the DN
f0b236 
 (distinguished name) of the user's entry in a directory server which the CA is
f0b236 
 configured to use for checking the user's password.
f0b236 
 This is typically required when the enrollment profile being used uses
f0b236 
-\fIUdnPwdDirAuth\fR-based
f0b236 
+\fIUdnPwdDirAuth\fR\-based
f0b236 
 authentication.
f0b236 
 .TP
f0b236 
-\fB-W userpassword\fR
f0b236 
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
f0b236 
 When initially submitting a request to the CA, supply the specified value as the password
f0b236 
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
f0b236 
-specified with the \fB-U\fR option.
f0b236 
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
f0b236 
+specified with the \fB\-U\fR option.
f0b236 
 This is typically only required when the enrollment profile being used uses
f0b236 
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
f0b236 
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
f0b236 
 authentication.
f0b236 
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
 will not be encrypted.
f0b236 
 .TP
f0b236 
-\fB-w userpasswordfile\fR
f0b236 
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
f0b236 
 When initially submitting a request to the CA, read from the specified file a
f0b236 
-password to supply for the user whose name is specified with the \fB-u\fR
f0b236 
-option, or whose DN is specified with the \fB-U\fR option.
f0b236 
+password to supply for the user whose name is specified with the \fB\-u\fR
f0b236 
+option, or whose DN is specified with the \fB\-U\fR option.
f0b236 
 This is typically only required when the enrollment profile being used uses
f0b236 
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
f0b236 
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
f0b236 
 authentication.
f0b236 
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
 will not be encrypted.
f0b236 
 .TP
f0b236 
-\fB-Y userpin\fR
f0b236 
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
f0b236 
 When initially submitting a request to the CA, supply the specified value as the PIN
f0b236 
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
f0b236 
-specified with the \fB-U\fR option.
f0b236 
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
f0b236 
+specified with the \fB\-U\fR option.
f0b236 
 This is typically only required when the enrollment profile being used uses
f0b236 
-\fIUidPwdPinDirAuth\fR-based
f0b236 
+\fIUidPwdPinDirAuth\fR\-based
f0b236 
 authentication.
f0b236 
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
 will not be encrypted.
f0b236 
 .TP
f0b236 
-\fB-y userpinfile\fR
f0b236 
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
f0b236 
 When initially submitting a request to the CA, read from the specified file a
f0b236 
-PIN to supply for the user whose name is specified with the \fB-u\fR
f0b236 
-option, or whose DN is specified with the \fB-U\fR option.
f0b236 
+PIN to supply for the user whose name is specified with the \fB\-u\fR
f0b236 
+option, or whose DN is specified with the \fB\-U\fR option.
f0b236 
 This is typically only required when the enrollment profile being used uses
f0b236 
-\fIUidPwdPinDirAuth\fR-based
f0b236 
+\fIUidPwdPinDirAuth\fR\-based
f0b236 
 authentication.
f0b236 
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
f0b236 
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
f0b236 
 will not be encrypted.
f0b236 
 .TP
f0b236 
-\fB-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Increases the logging level.  Use twice for more logging.  This option is mainly
f0b236 
 useful for troubleshooting.
f0b236 
-
f0b236 
+.SH AGENT KEY AND CERTIFICATE OPTIONS
f0b236 
+Options that provide the location for the private key and public certificate
f0b236 
+which the client should use to authenticate to the CA's agent interface.
f0b236 
+The values to use depend on which cryptography library your copy of libcurl
f0b236 
+was linked with.
f0b236 
+.TP
f0b236 
+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
f0b236 
+Use an NSS database in the specified directory for this certificate
f0b236 
+and key. Only valid with \-n.
f0b236 
+.TP
f0b236 
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
f0b236 
+Use the NSS key with this nickname. Only valid with \-d.
f0b236 
+.TP
f0b236 
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
+The PEM file that contains the public certificate. Only valid with \-k.
f0b236 
+.TP
f0b236 
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
f0b236 
+The PEM file that contains the private certificate. Only valid with \-c.
f0b236 
+.TP
f0b236 
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
f0b236 
+The name of a file which contains a PIN/password which will be needed in
f0b236 
+order to make use of the agent credentials.
f0b236 
+.TP
f0b236 
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
f0b236 
+The name of a file which contains a PIN/password which will be needed in
f0b236 
+order to make use of the agent credentials.
f0b236 
 .SH EXIT STATUS
f0b236 
 .TP
f0b236 
 0
f0b236 
@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
f0b236 
index 7915142..0e1c90f 100644
f0b236 
--- a/src/certmonger-ipa-submit.8.in
f0b236 
+++ b/src/certmonger-ipa-submit.8.in
f0b236 
@@ -1,21 +1,23 @@
f0b236 
-.TH certmonger 8 "16 April 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-ipa-submit
f0b236 
+ipa\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
f0b236 
-[[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]
f0b236 
+ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]
f0b236 
+[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]
f0b236 
+[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]
f0b236 
+[\-X issuer] [csrfile]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make
f0b236 
-requests to IPA-based CAs.  It is not normally run interactively,
f0b236 
+\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make
f0b236 
+requests to IPA\-based CAs.  It is not normally run interactively,
f0b236 
 but it can be for troubleshooting purposes.  The signing request which is
f0b236 
 to be submitted should either be in a file whose name is given as an argument,
f0b236 
-or fed into \fIipa-submit\fR via stdin.
f0b236 
+or fed into \fIipa\-submit\fR via stdin.
f0b236
f0b236 
 \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
f0b236 
-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
f0b236 
+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
f0b236 
 specifying where those certificates should be stored on the local system.
f0b236 
 Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of
f0b236 
 entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
f0b236 
@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-P\fR csrPrincipal
f0b236 
+\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR
f0b236 
 Identifies the principal name of the service for which the certificate is being
f0b236 
 issued.  This setting is required by IPA and must always be specified.
f0b236 
 .TP
f0b236 
-\fB\-X\fR issuer
f0b236 
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR
f0b236 
 Requests that the certificate be processed by the specified certificate issuer.
f0b236 
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
f0b236 
 variable is set in the environment, then the value of the environment variable
f0b236 
 will be used.  This setting is optional, and if a server returns error 3005,
f0b236 
 indicating that it does not understand multiple profiles, the request will be
f0b236 
-re-submitted without specifying an issuer name.
f0b236 
+re\-submitted without specifying an issuer name.
f0b236 
 .TP
f0b236 
-\fB\-T\fR profile
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 Requests that the certificate be processed using the specified certificate profile.
f0b236 
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
f0b236 
 variable is set in the environment, then the value of the environment variable
f0b236 
 will be used.  This setting is optional, and if a server returns error 3005,
f0b236 
 indicating that it does not understand multiple profiles, the request will be
f0b236 
-re-submitted without specifying a profile.
f0b236 
+re\-submitted without specifying a profile.
f0b236 
 .TP
f0b236 
-\fB\-h\fR serverHost
f0b236 
+\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR
f0b236 
 Submit the request to the IPA server running on the named host.  The default is
f0b236 
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
f0b236 
 If no server is configured, or the configured server cannot be reached, the
f0b236 
@@ -53,7 +55,7 @@ domain.  If servers are found, they will be searched for entries pointing to
f0b236 
 IPA masters running the "CA" service, and the client will attempt to contact
f0b236 
 each of those in turn.
f0b236 
 .TP
f0b236 
-\fB\-H\fR serverURL
f0b236 
+\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR
f0b236 
 Submit the request to the IPA server at the specified location.  The default is
f0b236 
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
f0b236 
 If no server is configured, or the configured server cannot be reached, the
f0b236 
@@ -62,49 +64,64 @@ domain.  If servers are found, they will be searched for entries pointing to
f0b236 
 IPA masters running the "CA" service, and the client will attempt to contact
f0b236 
 each of those in turn.
f0b236 
 .TP
f0b236 
-\fB\-c\fR cafile
f0b236 
+\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR
f0b236 
+Provide the IPA LDAP service location rather than using DNS discovery.
f0b236 
+The default is to read the location of the host from
f0b236 
+\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of
f0b236 
+_ldap._tcp.DOMAIN values and pick one for use.
f0b236 
+.TP
f0b236 
+\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
f0b236 
+Use this domain when doing DNS discovery to locate LDAP servers for the IPA
f0b236 
+installation. The default is to read the location of the host from
f0b236 
+\fB/etc/ipa/default.conf\fR.
f0b236 
+.TP
f0b236 
+\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR
f0b236 
+Use this basedn to search for an IPA installation in LDAP. The default is to
f0b236 
+read the location of the host from \fB/etc/ipa/default.conf\fR.
f0b236 
+.TP
f0b236 
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
f0b236 
 The server's certificate was issued by the CA whose certificate is in the named
f0b236 
 file.  The default value is \fI/etc/ipa/ca.crt\fR.
f0b236 
 .TP
f0b236 
-\fB\-C\fR capath
f0b236 
+\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR
f0b236 
 Trust the server if its certificate was issued by a CA whose certificate is in
f0b236 
 a file in the named directory.  There is no default for this option, and it
f0b236 
 is not expected to be necessary.
f0b236 
 .TP
f0b236 
-\fB\-t\fR keytab
f0b236 
+\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR
f0b236 
 Authenticate to the IPA server using Kerberos with credentials derived from
f0b236 
 keys stored in the named keytab.  The default value can vary, but it is usually
f0b236 
 \fI/etc/krb5.keytab\fR.
f0b236 
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
f0b236 
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
f0b236 
 options.
f0b236 
 .TP
f0b236 
-\fB\-k\fR authPrincipal
f0b236 
+\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR
f0b236 
 Authenticate to the IPA server using Kerberos with credentials derived from
f0b236 
 keys stored in the named keytab for this principal name.  The default value is
f0b236 
 the \fBhost\fR service for the local host in the local realm.
f0b236 
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
f0b236 
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
f0b236 
 options.
f0b236 
 .TP
f0b236 
-\fB\-K\fR
f0b236 
+\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR
f0b236 
 Authenticate to the IPA server using Kerberos with credentials derived from the
f0b236 
 default credential cache rather than a keytab.
f0b236 
-This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
f0b236 
+This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
f0b236 
 options.
f0b236 
 .TP
f0b236 
-\fB\-u\fR uid
f0b236 
+\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR
f0b236 
 Authenticate to the IPA server using a user name and password, using the
f0b236 
 specified value as the user name.
f0b236 
-This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.
f0b236 
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.
f0b236 
 .TP
f0b236 
-\fB\-W\fR pwd
f0b236 
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR
f0b236 
 Authenticate to the IPA server using a user name and password, using the
f0b236 
 specified value as the password.
f0b236 
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.
f0b236 
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.
f0b236 
 .TP
f0b236 
-\fB\-w\fR pwdfile
f0b236 
+\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR
f0b236 
 Authenticate to the IPA server using a user name and password, reading the
f0b236 
 password from the specified file.
f0b236 
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.
f0b236 
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.
f0b236
f0b236 
 .SH EXIT STATUS
f0b236 
 .TP
f0b236 
@@ -131,7 +148,7 @@ pair.
f0b236 
 .TP
f0b236 
 .I /etc/ipa/default.conf
f0b236 
 is the IPA client configuration file.  This file is consulted to determine
f0b236 
-the URL for the IPA server's XML-RPC interface.
f0b236 
+the URL for the IPA server's XML\-RPC interface.
f0b236
f0b236 
 .SH BUGS
f0b236 
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
f0b236 
@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in
f0b236 
index 59ed245..b68ffc3 100644
f0b236 
--- a/src/certmonger-local-submit.8.in
f0b236 
+++ b/src/certmonger-local-submit.8.in
f0b236 
@@ -1,35 +1,35 @@
f0b236 
-.TH certmonger 8 "7 June 2014" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-local-submit
f0b236 
+local\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-local-submit [-d state-directory] [-v] [csrfile]
f0b236 
+local\-submit [\-d state\-directory] [\-v] [csrfile]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement
f0b236 
+\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement
f0b236 
 its local signer.  It is not normally run interactively, but it can be for
f0b236 
 troubleshooting purposes.  The signing request which is to be submitted
f0b236 
 should either be in a file whose name is given as an argument, or fed into
f0b236 
-\fIlocal-submit\fR via stdin.
f0b236 
+\fIlocal\-submit\fR via stdin.
f0b236
f0b236 
-The local signer is currently hard-coded to generate and use a
f0b236 
-@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based
f0b236 
+The local signer is currently hard\-coded to generate and use a
f0b236 
+@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based
f0b236 
 on a UUID, replacing that key and certificate at roughly the midpoint of their
f0b236 
 useful lifetime.
f0b236
f0b236 
-\fBcertmonger\fR supports retrieving the list of current and previously-used
f0b236 
-local CA certificates.  See \fBgetcert-request\fR(1) and
f0b236 
-\fBgetcert-resubmit\fR(1) for information about specifying where those
f0b236 
+\fBcertmonger\fR supports retrieving the list of current and previously\-used
f0b236 
+local CA certificates.  See \fBgetcert\-request\fR(1) and
f0b236 
+\fBgetcert\-resubmit\fR(1) for information about specifying where those
f0b236 
 certificates should be stored.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-d\fR state-directory
f0b236 
+\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR
f0b236 
 Identifies the directory which contains the local signer's private key,
f0b236 
 certificates, and other data used by the local signer.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Increases the verbosity of the tool's diagnostic logging.
f0b236
f0b236 
 .SH EXIT STATUS
f0b236 
@@ -47,7 +47,7 @@ if critical configuration information is missing.  An error message may be print
f0b236 
 .TP
f0b236 
 .I creds
f0b236 
 is currently a PKCS#12 bundle containing the local signer's current signing key
f0b236 
-and current and previously-used signer certificates.  It should not be modified
f0b236 
+and current and previously\-used signer certificates.  It should not be modified
f0b236 
 except by the local signer.  A new key is currently generated when ever a new
f0b236 
 signer certificate is needed.
f0b236 
 .TP
f0b236 
@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
f0b236 
index 42ffcd6..5b8b917 100644
f0b236 
--- a/src/certmonger-scep-submit.8.in
f0b236 
+++ b/src/certmonger-scep-submit.8.in
f0b236 
@@ -1,98 +1,98 @@
f0b236 
-.TH certmonger 8 "20 June 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-scep-submit
f0b236 
+scep\-submit
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-scep-submit -u SERVER-URL
f0b236 
-[-r ra-cert-file]
f0b236 
-[-R ca-cert-file]
f0b236 
-[-I other-certs-file]
f0b236 
-[-N ca-cert-file]
f0b236 
-[-i ca-identifier]
f0b236 
-[-v]
f0b236 
-[-n]
f0b236 
-[-c|-C|-g|-p]
f0b236 
-[pkimessage-filename]
f0b236 
+scep\-submit \-u SERVER\-URL
f0b236 
+[\-r ra\-cert\-file]
f0b236 
+[\-R ca\-cert\-file]
f0b236 
+[\-I other\-certs\-file]
f0b236 
+[\-N ca\-cert\-file]
f0b236 
+[\-i ca\-identifier]
f0b236 
+[\-v]
f0b236 
+[\-n]
f0b236 
+[\-c|\-C|\-g|\-p]
f0b236 
+[pkimessage\-filename]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to
f0b236 
+\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to
f0b236 
 transmit certificate enrollment and renewal requests to servers using
f0b236 
 SCEP.  It is not normally run interactively, but it can be for
f0b236 
 troubleshooting purposes.
f0b236
f0b236 
-The request which is to be submitted should be a PEM-encoded SCEP
f0b236 
+The request which is to be submitted should be a PEM\-encoded SCEP
f0b236 
 pkiMessage either in a file whose name is given as an argument, or fed
f0b236 
-into \fIscep-submit\fR via stdin.
f0b236 
+into \fIscep\-submit\fR via stdin.
f0b236
f0b236 
 .SH MODES
f0b236 
 .TP
f0b236 
-\fB\-c\fR
f0b236 
+\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR
f0b236 
 \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and
f0b236 
 print the results.
f0b236 
 .TP
f0b236 
-\fB\-C\fR
f0b236 
-\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR
f0b236 
-requests to the server, parse the responses, and then print, in order,
f0b236 
+\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR
f0b236 
+\fIscep-submit\fR will issue a \fIGetCACert\fR
f0b236 
+request to the server, parse the response, and then print, in order,
f0b236 
 the RA certificate, the CA certificate, and any additional certificates.
f0b236 
 .TP
f0b236 
-\fB\-p\fR
f0b236 
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
f0b236 
-using the passed-in message as the message content.  It will parse the
f0b236 
+\fB\-p\fR, \fB\-\-pki\-message\fR
f0b236 
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
f0b236 
+using the passed\-in message as the message content.  It will parse the
f0b236 
 server's response, verify the signature, and if the response includes an
f0b236 
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
f0b236 
 format.  If the response indicates an error, it will print the error.
f0b236 
 .TP
f0b236 
-\fB\-g\fR
f0b236 
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
f0b236 
-using the passed-in message as the message content.  It will parse the
f0b236 
+\fB\-g\fR, \fB\-\-get\-initial\-cert\fR
f0b236 
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
f0b236 
+using the passed\-in message as the message content.  It will parse the
f0b236 
 server's response, verify the signature, and if the response includes an
f0b236 
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
f0b236 
 format.  If the response indicates an error, it will print the error.
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-u\fR SERVER-URL
f0b236 
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
f0b236 
 The location of the SCEP interface provided by the CA.  This is
f0b236 
-typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
f0b236 
+typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or
f0b236 
 \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR.  This option is
f0b236 
 always required.
f0b236 
 .TP
f0b236 
-\fB\-R\fR CA-certificate-file
f0b236 
+\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR
f0b236 
 The location of the CA certificate which was used to issue the SCEP web
f0b236 
 server's certificate in PEM form. If the URL specified with the
f0b236 
-\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
f0b236 
+\fB\-u\fR option is an \fIhttps\fR URL, then this option is required.
f0b236 
 .TP
f0b236 
-\fB\-N\fR ca-certificate-file
f0b236 
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
f0b236 
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
f0b236 
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
f0b236 
 A discovered value is normally supplied by the certmonger daemon, but one can
f0b236 
 be specified for troubleshooting purposes.
f0b236 
 .TP
f0b236 
-\fB\-r\fR RA-certificate-file
f0b236 
+\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR
f0b236 
 The location of the SCEP server's RA certificate, which is expected to
f0b236 
 be used for signing responses sent by the SCEP server back to the
f0b236 
-client.  This option is required when either the \fB-g\fR flag or the
f0b236 
-\fB-p\fR flag is specified.
f0b236 
+client.  This option is required when either the \fB\-g\fR flag or the
f0b236 
+\fB\-p\fR flag is specified.
f0b236 
 .TP
f0b236 
-\fB\-I\fR other-certificates-file
f0b236 
-The location of a file containing other PEM-formatted certificates which
f0b236 
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
f0b236 
+The location of a file containing other PEM\-formatted certificates which
f0b236 
 may be needed in order to properly verify signed responses sent by the
f0b236 
 SCEP server back to the client.  This option may be necessary when
f0b236 
-either the \fB-g\fR flag or the \fB-p\fR flag is specified.
f0b236 
+either the \fB\-g\fR flag or the \fB\-p\fR flag is specified.
f0b236 
 .TP
f0b236 
-\fB\-i\fR ca-identifier
f0b236 
-When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR
f0b236 
+When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to
f0b236 
 specify the CA identifier which is passed to the server as part of the client's
f0b236 
 request.  The default is "0".
f0b236 
 .TP
f0b236 
-\fB\-n\fR
f0b236 
-The SCEP Renewal feature allows a client with a previously-issued certificate
f0b236 
+\fB\-n\fR, \fB\-\-non\-renewal\fR
f0b236 
+The SCEP Renewal feature allows a client with a previously\-issued certificate
f0b236 
 to use that certificate and the associated private key to request a new
f0b236 
 certificate for a different key pair, and can be used to support
f0b236 
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
f0b236 
-it.  This option forces the \fIscep-submit\fR helper to prefer to issue
f0b236 
+it.  This option forces the \fIscep\-submit\fR helper to prefer to issue
f0b236 
 requests which do not make use of this feature.
f0b236 
 .TP
f0b236 
-\fB-v\fR
f0b236 
+\fB-v\fR, \fB\-\-verbose\fR
f0b236 
 Increases the logging level.  Use twice for more logging.  This option
f0b236 
 is mainly useful for troubleshooting.
f0b236
f0b236 
@@ -100,7 +100,7 @@ is mainly useful for troubleshooting.
f0b236 
 .TP
f0b236 
 0
f0b236 
 if the certificate was issued. The pkcsPKIEnvelope will be printed in
f0b236 
-PEM-encoded form.
f0b236 
+PEM\-encoded form.
f0b236 
 .TP
f0b236 
 1
f0b236 
 if the CA is still thinking.  A cookie (state) value will be printed.
f0b236 
@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger.8.in b/src/certmonger.8.in
f0b236 
index 8c00d5a..a726e3b 100644
f0b236 
--- a/src/certmonger.8.in
f0b236 
+++ b/src/certmonger.8.in
f0b236 
@@ -1,14 +1,14 @@
f0b236 
-.TH certmonger 8 "14 June 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 8 "June 14, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 certmonger
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v]
f0b236 
+certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 The \fIcertmonger\fR daemon monitors certificates for impending
f0b236 
-expiration, and can optionally refresh soon-to-be-expired certificates
f0b236 
+expiration, and can optionally refresh soon\-to\-be\-expired certificates
f0b236 
 with the help of a CA.  If told to, it can drive the entire enrollment
f0b236 
 process from key generation through enrollment and refresh.
f0b236
f0b236 
@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
--s
f0b236 
+\fB\-s\fR, \fB\-\-session\fR
f0b236 
 Listen on the session bus rather than the system bus.
f0b236 
 .TP
f0b236 
--S
f0b236 
+\fB\-S\fR, \fB\-\-system\fR
f0b236 
 Listen on the system bus rather than the session bus.  This is the default.
f0b236 
 .TP
f0b236 
--l
f0b236 
+\fB\-l\fR, \fB\-\-listening\-socket\fR
f0b236 
 Also listen on a private socket for connections from clients running under the
f0b236 
 same UID.
f0b236 
 .TP
f0b236 
--L
f0b236 
+\fB\-L\fR, \fB\-\-only\-listening\-socket\fR
f0b236 
 Listen only on a private socket for connections from clients running under the
f0b236 
 same UID, and skip connecting to a bus.
f0b236 
 .TP
f0b236 
--P
f0b236 
+\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR
f0b236 
 Specify a location for the private listening socket.  If the location beings
f0b236 
 with a '/' character, it will be prefixed with 'unix:path=', otherwise it will
f0b236 
 be prefixed with 'unix:'.  If this option is not specified, the listening
f0b236 
 socket, if one is created, will be placed in the abstract namespace.
f0b236 
 .TP
f0b236 
--b TIMEOUT
f0b236 
-Behave as a bus-activated service: if there are no certificates to be monitored
f0b236 
+\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR
f0b236 
+Behave as a bus\-activated service: if there are no certificates to be monitored
f0b236 
 or obtained, and no requests are received within TIMEOUT seconds, exit.  Not
f0b236 
-compatible with the -c option.
f0b236 
+compatible with the \-c option.
f0b236 
 .TP
f0b236 
--B
f0b236 
-Don't behave as a bus-activated service.  This is the default.
f0b236 
+\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR
f0b236 
+Don't behave as a bus\-activated service.  This is the default.
f0b236 
 .TP
f0b236 
--n
f0b236 
+\fB\-n\fR, \fB\-\-nofork\fR
f0b236 
 Don't fork, and log messages to stderr rather than syslog.
f0b236 
 .TP
f0b236 
--f
f0b236 
+\fB\-f\fR, \fB\-\-fork\fR
f0b236 
 Do fork, and log messages to syslog rather than stderr.  This is the default.
f0b236 
 .TP
f0b236 
--d LEVEL
f0b236 
-Set debugging level.  Higher values produce more debugging output.  Implies -n.
f0b236 
+\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR
f0b236 
+Set debugging level.  Higher values produce more debugging output.  Implies \-n.
f0b236 
 .TP
f0b236 
--p FILE
f0b236 
+\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR
f0b236 
 Store the daemon's process ID in the named file.
f0b236 
 .TP
f0b236 
--F
f0b236 
+\fB\-F\fR, \fB\-\-fips\fR
f0b236 
 Force NSS to be initialized in FIPS mode.  The default behavior is to heed
f0b236 
 the setting stored in \fI/proc/sys/crypto/fips_enabled\fR.
f0b236 
 .TP
f0b236 
--c cmd
f0b236 
+\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
f0b236 
 After the service has initialized, run the specified command, then shut down
f0b236 
-the service after the command exits.  If the -l or -L option was also
f0b236 
+the service after the command exits.  If the \-l or \-L option was also
f0b236 
 specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR
f0b236 
 environment variable set to the listening socket's location.  Not compatible
f0b236 
-with the -b option.
f0b236 
+with the \-b option.
f0b236 
 .TP
f0b236 
--v
f0b236 
+\fB\-v\fR, \fB\-\-version\fR
f0b236 
 Print version information and exit.
f0b236
f0b236 
 .SH FILES
f0b236 
@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236
f0b236 
 .SH SEE ALSO
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
f0b236 
index 241f48b..80de748 100644
f0b236 
--- a/src/certmonger.conf.5.in
f0b236 
+++ b/src/certmonger.conf.5.in
f0b236 
@@ -1,18 +1,18 @@
f0b236 
-.TH certmonger.conf 5 "12 May 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-certmonger.conf - configuration file for certmonger
f0b236 
+certmonger.conf \- configuration file for certmonger
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 The \fIcertmonger.conf\fR file contains default settings used by certmonger.
f0b236 
-Its format is more or less that of a typical INI-style file.  The only sections
f0b236 
+Its format is more or less that of a typical INI\-style file.  The only sections
f0b236 
 currently of note are named \fIdefaults\fR and \fIselfsign\fR.
f0b236
f0b236 
 .SH DEFAULTS
f0b236 
 Within the \fIdefaults\fR section, these variables and values are recognized:
f0b236
f0b236 
 .IP notify_ttls
f0b236 
-This is the list of times, given in seconds, before a certificate's not-after
f0b236 
+This is the list of times, given in seconds, before a certificate's not\-after
f0b236 
 validity date
f0b236 
 (often referred to as its expiration time) when \fIcertmonger\fR should warn
f0b236 
 that the certificate will soon no longer be valid.
f0b236 
@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value
f0b236 
 of the \fIttls\fR setting.  The default list of values is "@CM_DEFAULT_TTL_LIST@".
f0b236
f0b236 
 .IP enroll_ttls
f0b236 
-This is the list of times, given in seconds, before a certificate's not-after
f0b236 
+This is the list of times, given in seconds, before a certificate's not\-after
f0b236 
 validity date
f0b236 
 (often referred to as its expiration time) when \fIcertmonger\fR should attempt
f0b236 
 to automatically renew the certificate, if it is configured to do so.
f0b236 
@@ -43,7 +43,7 @@ an email address, or it can be a command to run.  The default value is
f0b236
f0b236 
 .IP key_type
f0b236 
 This is the type of key pair which will be generated, used in certificate
f0b236 
-signing requests, and used when self-signing certificates.
f0b236 
+signing requests, and used when self\-signing certificates.
f0b236 
 @NO_MAN_DSA@\fIRSA\fR is supported.
f0b236 
 @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported.
f0b236 
 @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported.
f0b236 
@@ -58,7 +58,7 @@ software.
f0b236
f0b236 
 .IP digest
f0b236 
 This is the digest algorithm which will be used when signing certificate
f0b236 
-signing requests and self-signed certificates.  Recognized values include
f0b236 
+signing requests and self\-signed certificates.  Recognized values include
f0b236 
 \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP.  The default is
f0b236 
 \fIsha256\fP.  It is not recommended that this value be changed except in cases
f0b236 
 where the default is incompatible with other software.
f0b236 
@@ -95,14 +95,14 @@ There is effectively no default for this setting.
f0b236 
 Within the \fIselfsign\fR section, these variables and values are recognized:
f0b236
f0b236 
 .IP validity_period
f0b236 
-This is the validity period given to self-signed certificates.
f0b236 
+This is the validity period given to self\-signed certificates.
f0b236 
 The value is specified as a combination of years (y), months (M), weeks (w),
f0b236 
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
f0b236 
 specified, seconds are assumed.
f0b236 
 The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
f0b236
f0b236 
 .IP populate_unique_id
f0b236 
-This controls whether or not self-signed certificates will have their
f0b236 
+This controls whether or not self\-signed certificates will have their
f0b236 
 subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits
f0b236 
 their use, they may be needed and/or used by older applications.  The default
f0b236 
 value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
f0b236 
@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
f0b236 
 Within the \fIlocal\fR section, these variables and values are recognized:
f0b236
f0b236 
 .IP validity_period
f0b236 
-This is the validity period given to the locally-signed CA's certificate when it
f0b236 
+This is the validity period given to the locally\-signed CA's certificate when it
f0b236 
 is generated.
f0b236 
 The value is specified as a combination of years (y), months (M), weeks (w),
f0b236 
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
f0b236 
diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in
f0b236 
index 31b3b93..54f55f5 100644
f0b236 
--- a/src/getcert-add-ca.1.in
f0b236 
+++ b/src/getcert-add-ca.1.in
f0b236 
@@ -1,10 +1,10 @@
f0b236 
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert add-ca [options]
f0b236 
+getcert add\-ca [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be
f0b236 
@@ -12,17 +12,17 @@ used to enroll certificates.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 The nickname to give to this CA configuration.  This same value can later be
f0b236 
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
f0b236 
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
f0b236 
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
f0b236 
 .TP
f0b236 
-\fB\-e\fR COMMAND
f0b236 
+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
f0b236 
 The helper command to run for communicating with the CA.  The helper will be
f0b236 
 used to pass signing requests to the CA, relay the CA's responses back to the
f0b236 
 \fIcertmonger\fR service, and to read information about the CA.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236
f0b236 
@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
f0b236 
index bf07306..c2751ed 100644
f0b236 
--- a/src/getcert-add-scep-ca.1.in
f0b236 
+++ b/src/getcert-add-scep-ca.1.in
f0b236 
@@ -1,64 +1,64 @@
f0b236 
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert add-scep-ca [options]
f0b236 
+getcert add\-scep\-ca [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to
f0b236 
-enroll certificates.  The configuration will use the bundled \fIscep-submit\fR
f0b236 
-helper.  The \fIadd-scep-ca\fR command is more or less a wrapper for the
f0b236 
-\fIadd-ca\fR command.
f0b236 
+enroll certificates.  The configuration will use the bundled \fIscep\-submit\fR
f0b236 
+helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
f0b236 
+\fIadd\-ca\fR command.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 The nickname to give to this CA configuration.  This same value can later be
f0b236 
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
f0b236 
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
f0b236 
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
f0b236 
 .TP
f0b236 
-\fB\-u\fR URL
f0b236 
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
f0b236 
 The location of the SCEP server's enrollment interface.  This option must be
f0b236 
 specified.
f0b236 
 .TP
f0b236 
-\fB\-R\fR ca-certificate-file
f0b236 
-The location of a PEM-formatted copy of the CA's certificate used to verify
f0b236 
+\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR
f0b236 
+The location of a PEM\-formatted copy of the CA's certificate used to verify
f0b236 
 the TLS connection the SCEP server.
f0b236
f0b236 
 This option must be specified if the URL is an \fIhttps\fR location.
f0b236 
 .TP
f0b236 
-\fB\-N\fR ca-certificate-file
f0b236 
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
f0b236 
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
f0b236 
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
f0b236 
 A discovered value is normally supplied by the certmonger daemon, but one can
f0b236 
 be specified for troubleshooting purposes.
f0b236 
 .TP
f0b236 
-\fB\-r\fR ra-certificate-file
f0b236 
-The location of a PEM-formatted copy of the SCEP server's RA's certificate.
f0b236 
+\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR
f0b236 
+The location of a PEM\-formatted copy of the SCEP server's RA's certificate.
f0b236 
 A discovered value is normally supplied by the certmonger daemon, but one can
f0b236 
 be specified for troubleshooting purposes.
f0b236 
 .TP
f0b236 
-\fB\-I\fR other-certificates-file
f0b236 
-The location of a file containing other PEM-formatted certificates which may be
f0b236 
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
f0b236 
+The location of a file containing other PEM\-formatted certificates which may be
f0b236 
 needed in order to properly verify signed responses sent by the SCEP server
f0b236 
 back to the client.  A discovered set is normally supplied by the certmonger
f0b236 
 daemon, but can be specified for troubleshooting purposes.
f0b236 
 .TP
f0b236 
-\fB\-i\fR identifier
f0b236 
+\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR
f0b236 
 A CA identifier value which will passed to the server when the
f0b236 
-\fIscep-submit\fR helper is used to retrieve copies of the server's
f0b236 
+\fIscep\-submit\fR helper is used to retrieve copies of the server's
f0b236 
 certificates.
f0b236 
 .TP
f0b236 
-\fB\-n\fR
f0b236 
-The SCEP Renewal feature allows a client with a previously-issued certificate
f0b236 
+\fB\-n\fR, \fB\-\-non\-renewal\fR
f0b236 
+The SCEP Renewal feature allows a client with a previously\-issued certificate
f0b236 
 to use that certificate and the associated private key to request a new
f0b236 
 certificate for a different key pair, and can be used to support
f0b236 
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
f0b236 
-it.  This option forces the \fIscep-submit\fR helper to issue requests without
f0b236 
+it.  This option forces the \fIscep\-submit\fR helper to issue requests without
f0b236 
 making use of this feature.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236
f0b236 
@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in
f0b236 
index 7f250e5..ff4e14f 100644
f0b236 
--- a/src/getcert-list-cas.1.in
f0b236 
+++ b/src/getcert-list-cas.1.in
f0b236 
@@ -1,17 +1,17 @@
f0b236 
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert list-cas [options]
f0b236 
+getcert list\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Queries \fIcertmonger\fR for a list of known CAs.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 List only information about the CA which has the specified nickname.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-list.1.in b/src/getcert-list.1.in
f0b236 
index eded28a..9bf4826 100644
f0b236 
--- a/src/getcert-list.1.in
f0b236 
+++ b/src/getcert-list.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "28 June 2016" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "June 28, 2016" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -12,35 +12,35 @@ monitoring or attempting to obtain.
f0b236
f0b236 
 .SH ENROLLMENT OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 List only entries which use the specified CA.  The name of the CA should
f0b236 
-correspond to one listed by \fIgetcert list-cas\fR.
f0b236 
+correspond to one listed by \fIgetcert list\-cas\fR.
f0b236
f0b236 
 .SH LISTING OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-r\fR
f0b236 
+\fB\-r\fR, \fB\-\-requests\-only\fR
f0b236 
 List only entries which are either currently being enrolled or refreshed.
f0b236 
 .TP
f0b236 
-\fB\-t\fR
f0b236 
+\fB\-t\fR, \fB\-\-tracking\-only\fR
f0b236 
 List only entries which are not currently being enrolled or refreshed.
f0b236 
 .TP
f0b236 
-\fB\-u\fR|\fB--utc\fR
f0b236 
+\fB\-u\fR, \fB\-\-utc\fR
f0b236 
 Display timestamps in UTC instead of local time.
f0b236
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
f0b236 
 List only entries which use an NSS database in the specified directory
f0b236 
 for storing the certificate.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
f0b236 
 List only tracking requests which use an NSS database and the specified
f0b236 
 nickname for storing the certificate.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 List only tracking requests which specify that the certificate should be
f0b236 
 stored in the specified file.
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 List only tracking requests which use this request nickname.
f0b236
f0b236 
 .SH STATES
f0b236 
@@ -53,11 +53,11 @@ The service is currently generating a new key pair.
f0b236 
 .TP
f0b236 
 NEED_KEY_GEN_PERMS
f0b236 
 The service encountered a filesystem permission error while attempting
f0b236 
-to save the newly-generated key pair.
f0b236 
+to save the newly\-generated key pair.
f0b236 
 .TP
f0b236 
 NEED_KEY_GEN_PIN
f0b236 
 The service is missing the PIN which is required to access an NSS
f0b236 
-database in order to save the newly-generated key pair, or it has an
f0b236 
+database in order to save the newly\-generated key pair, or it has an
f0b236 
 incorrect PIN for a database.
f0b236 
 .TP
f0b236 
 NEED_KEY_GEN_TOKEN
f0b236 
@@ -75,7 +75,7 @@ The service is currently reading information about the key pair.
f0b236 
 .TP
f0b236 
 NEED_KEYINFO_READ_PIN
f0b236 
 The service is missing the PIN which is required to access an NSS
f0b236 
-database in order to read information about the newly-generated key pair, or
f0b236 
+database in order to read information about the newly\-generated key pair, or
f0b236 
 it has an incorrect PIN for a database, or has an incorrect password for
f0b236 
 accessing a key stored in encrypted PEM format.
f0b236 
 .TP
f0b236 
@@ -161,8 +161,8 @@ The CA approved the signing request, and the service is about to save the
f0b236 
 issued certificate to the location where it has been told to save it.
f0b236 
 .TP
f0b236 
 PRE_SAVE_CERT
f0b236 
-The service is running a configured pre-saving command before saving the
f0b236 
-newly-issued certificate to the location where it has been told to save
f0b236 
+The service is running a configured pre\-saving command before saving the
f0b236 
+newly\-issued certificate to the location where it has been told to save
f0b236 
 it.
f0b236 
 .TP
f0b236 
 START_SAVING_CERT
f0b236 
@@ -175,16 +175,16 @@ where it has been told to save it.
f0b236 
 .TP
f0b236 
 NEED_CERTSAVE_PERMS
f0b236 
 The service encountered a filesystem permission error while attempting
f0b236 
-to save the newly-issued certificate to the location where it has been
f0b236 
+to save the newly\-issued certificate to the location where it has been
f0b236 
 told to save it.
f0b236 
 .TP
f0b236 
 NEED_CERTSAVE_TOKEN
f0b236 
-The service is unable to find the token in which the newly-issued
f0b236 
+The service is unable to find the token in which the newly\-issued
f0b236 
 certificate is to be stored.
f0b236 
 .TP
f0b236 
 NEED_CERTSAVE_PIN
f0b236 
 The service is missing the PIN which is required to access an NSS
f0b236 
-database in order to save the newly-issued certificate to the location
f0b236 
+database in order to save the newly\-issued certificate to the location
f0b236 
 where it has been told to save it.
f0b236 
 .TP
f0b236 
 NEED_TO_SAVE_CA_CERTS
f0b236 
@@ -231,22 +231,22 @@ issuer's certificate to the locations where it has been told to save
f0b236 
 them.
f0b236 
 .TP
f0b236 
 POST_SAVED_CERT
f0b236 
-The service is running a configured post-saving command after saving the
f0b236 
-newly-issued certificate to the location where it has been told to save
f0b236 
+The service is running a configured post\-saving command after saving the
f0b236 
+newly\-issued certificate to the location where it has been told to save
f0b236 
 them.
f0b236 
 .TP
f0b236 
 MONITORING
f0b236 
 The service is monitoring the certificate and waiting for its
f0b236 
-not-valid-after date to approach.  This is expected to be the status
f0b236 
+not\-valid\-after date to approach.  This is expected to be the status
f0b236 
 most often seen.
f0b236 
 .TP
f0b236 
 NEED_TO_NOTIFY_VALIDITY
f0b236 
 The service is about to notify the system administrator that the
f0b236 
-certificate's not-valid-after date is approaching.
f0b236 
+certificate's not\-valid\-after date is approaching.
f0b236 
 .TP
f0b236 
 NOTIFYING_VALIDITY
f0b236 
 The service is notifying the system administrator that the certificate's
f0b236 
-not-valid-after date is approaching.
f0b236 
+not\-valid\-after date is approaching.
f0b236 
 .TP
f0b236 
 NEED_TO_NOTIFY_REJECTION
f0b236 
 The service is about to notify the system administrator that the
f0b236 
@@ -350,23 +350,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-modify-ca.1.in b/src/getcert-modify-ca.1.in
f0b236 
index 36677c5..90bc621 100644
f0b236 
--- a/src/getcert-modify-ca.1.in
f0b236 
+++ b/src/getcert-modify-ca.1.in
f0b236 
@@ -1,23 +1,23 @@
f0b236 
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert modify-ca [options]
f0b236 
+getcert modify\-ca [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Modifies the helper command in a \fIcertmonger\fR CA configuration.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 The nickname of the CA configuration to modify.
f0b236 
 .TP
f0b236 
-\fB\-e\fR COMMAND
f0b236 
+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
f0b236 
 The new helper command to run for communicating with the CA.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236
f0b236 
@@ -27,22 +27,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-refresh-ca.1.in b/src/getcert-refresh-ca.1.in
f0b236 
index 2662adc..86318e7 100644
f0b236 
--- a/src/getcert-refresh-ca.1.in
f0b236 
+++ b/src/getcert-refresh-ca.1.in
f0b236 
@@ -1,21 +1,21 @@
f0b236 
-.TH certmonger 1 "29 May 2014" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "May 29, 2014" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert refresh-ca [options]
f0b236 
+getcert refresh\-ca [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Forces \fIcertmonger\fR to refresh information specific to a CA, such as
f0b236 
-locally-stored copies of its certificates.
f0b236 
+locally\-stored copies of its certificates.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Refresh information about the CA which has the specified nickname.
f0b236 
 .TP
f0b236 
-\fB\-a\fR
f0b236 
+\fB\-a\fR, \fB\-\-all\fR
f0b236 
 Refresh information about all known CAs.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -24,24 +24,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-refresh.1.in b/src/getcert-refresh.1.in
f0b236 
index 660c2ec..79028c1 100644
f0b236 
--- a/src/getcert-refresh.1.in
f0b236 
+++ b/src/getcert-refresh.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "21 July 2014" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "July 24, 2014" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -13,7 +13,7 @@ waiting for the CA.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY NICKNAME
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Check on the status of the signing request which has this nickname.
f0b236 
 If this option is not specified, and a tracking entry which matches the
f0b236 
 certificate storage options which are specified already exists, that entry
f0b236 
@@ -23,24 +23,24 @@ with the \fB\-f\fR option.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
f0b236 
 The certificate is in the NSS database in the specified directory.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
f0b236 
 The certificate in the NSS database named with \fB\-d\fR has the specified
f0b236 
 nickname.  Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, the certificate
f0b236 
 is stored in this token.  This argument only rarely needs to be specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 The certificate is stored in the named file.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-a\fR
f0b236 
+\fB\-a\fR, \fB\-\-all\fR
f0b236 
 Refresh information about all requests for which the service will need to
f0b236 
 attempt to contact the CA again.
f0b236
f0b236 
@@ -50,23 +50,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in
f0b236 
index 39ba761..fd848e7 100644
f0b236 
--- a/src/getcert-rekey.1.in
f0b236 
+++ b/src/getcert-rekey.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "31 July 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "July 31, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -13,7 +13,7 @@ order to replace both a certificate and its private key.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY NICKNAME
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 The new key pair will be generated and the new certificate will be obtained for
f0b236 
 the tracking request which has this nickname.  If this option is not specified,
f0b236 
 and a tracking entry which matches the key and certificate storage options
f0b236 
@@ -23,62 +23,61 @@ of the \fB\-d\fR and \fB\-n\fR options, or with the \fB\-f\fR option.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
f0b236 
 The certificate is in the NSS database in the specified directory.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
f0b236 
 The certificate in the NSS database named with \fB\-d\fR has the specified
f0b236 
 nickname.  Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, the certificate
f0b236 
 is stored in this token.  This argument only rarely needs to be specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 The certificate is stored in the named file.
f0b236
f0b236 
 .SH KEY GENERATION OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-G\fR TYPE
f0b236 
+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
f0b236 
 In case a new key pair needs to be generated, this option specifies the
f0b236 
 type of the keys to be generated.  If not specified, the current key type
f0b236 
 will be used.
f0b236 
 .TP
f0b236 
-\fB\-g\fR BITS
f0b236 
+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
f0b236 
 This option specifies the size of the new key to be generated.  If not
f0b236 
 specified, a key of the same size as the existing key will be generated.
f0b236
f0b236 
-\fB\-c\fR NAME
f0b236 
 .SH ENROLLMENT OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Submit the new signing request to the specified CA rather than the one which
f0b236 
 was previously associated with this certificate.  The name of
f0b236 
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
f0b236 
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
f0b236 
 .TP
f0b236 
-\fB\-T\fR NAME
f0b236 
+\fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 Request a certificate using the named profile, template, or certtype,
f0b236 
 from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-\-ms-template-spec\fR SPEC
f0b236 
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
f0b236 
 Include a V2 Certificate Template extension in the signing request.
f0b236 
 This datum includes an Object Identifier, a major version number
f0b236 
 (positive integer) and an optional minor version number.  The format
f0b236 
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
f0b236 
 .TP
f0b236 
-\fB\-X\fR NAME
f0b236 
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
f0b236 
 Request a certificate using the named issuer from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-I\fR NAME
f0b236 
+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
f0b236 
 Assign the specified nickname to this task, replacing the previous nickname.
f0b236
f0b236 
 .SH SIGNING REQUEST OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-N\fR NAME
f0b236 
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
f0b236 
 Change the subject name to include in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-u\fR keyUsage
f0b236 
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
f0b236 
 Add an extensionRequest for the specified keyUsage to the
f0b236 
 signing request.  The keyUsage value is expected to be one of these names:
f0b236
f0b236 
@@ -100,62 +99,74 @@ encipherOnly
f0b236
f0b236 
 decipherOnly
f0b236 
 .TP
f0b236 
-\fB\-U\fR EKU
f0b236 
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
f0b236 
 Change the extendedKeyUsage value specified in an extendedKeyUsage
f0b236 
 extension part of the extensionRequest attribute in the signing
f0b236 
 request.  The EKU value is expected to be an object identifier (OID).
f0b236 
 .TP
f0b236 
-\fB\-K\fR NAME
f0b236 
+\fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Change the Kerberos principal name specified as part of a subjectAltName
f0b236 
 extension part of the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-E\fR EMAIL
f0b236 
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
f0b236 
 Change the email address specified as part of a subjectAltName
f0b236 
 extension part of the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-D\fR DNSNAME
f0b236 
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
f0b236 
 Change the DNS name specified as part of a subjectAltName extension part of the
f0b236 
 extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-A\fR ADDRESS
f0b236 
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
f0b236 
 Change the IP address specified as part of a subjectAltName extension part of
f0b236 
 the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-l\fR FILE
f0b236 
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR
f0b236 
 Add an optional ChallengePassword value, read from the file, to the signing
f0b236 
 request.  A ChallengePassword is often required when the CA is accessed using
f0b236 
 SCEP.
f0b236 
 .TP
f0b236 
-\fB\-L\fR PIN
f0b236 
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
f0b236 
 Add the argument value to the signing request as a ChallengePassword attribute.
f0b236 
 A ChallengePassword is often required when the CA is accessed using SCEP.
f0b236
f0b236 
 .SH OTHER OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-B\fR COMMAND
f0b236 
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user before
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-C\fR COMMAND
f0b236 
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user after
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-a\fR DIR
f0b236 
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, save them to the specified NSS database.
f0b236 
 .TP
f0b236 
-\fB\-F\fR FILE
f0b236 
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, and when the local copies of the
f0b236 
 CA's root certificates are updated, save them to the specified file.
f0b236 
 .TP
f0b236 
-\fB\-w\fR
f0b236 
+\fB\-\-for\-ca\fR
f0b236 
+Request a CA certificate.
f0b236 
+.TP
f0b236 
+\fB\-\-not\-for\-ca\fR
f0b236 
+Request a non\-CA certificate (the default).
f0b236 
+.TP
f0b236 
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
f0b236 
+Path length for CA certificate. Only valid with \-\-for\-ca.
f0b236 
+.TP
f0b236 
+\fB\-w\fR, \fB\-\-wait\fR
f0b236 
 Wait for the new certificate to be issued and saved, or for the attempt to obtain
f0b236 
 one using the new key to fail.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
f0b236 
+Maximum time to wait for the certificate to be issued.
f0b236 
+.TP
f0b236 
+\fB\-v\fR \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236
f0b236 
@@ -165,22 +176,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-remove-ca.1.in b/src/getcert-remove-ca.1.in
f0b236 
index 4b29db7..1839f84 100644
f0b236 
--- a/src/getcert-remove-ca.1.in
f0b236 
+++ b/src/getcert-remove-ca.1.in
f0b236 
@@ -1,10 +1,10 @@
f0b236 
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert remove-ca [options]
f0b236 
+getcert remove\-ca [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Remove a CA configuration from \fIcertmonger\fR.  Enrollment requests which
f0b236 
@@ -12,10 +12,10 @@ reference the CA will behave as though they have no assigned CA.
f0b236
f0b236 
 .SH OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 The nickname of the CA configuration to remove.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236
f0b236 
@@ -25,22 +25,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
f0b236 
index ba43016..89bc080 100644
f0b236 
--- a/src/getcert-request.1.in
f0b236 
+++ b/src/getcert-request.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -14,87 +14,87 @@ CA.
f0b236
f0b236 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
f0b236 
 Use an NSS database in the specified directory for storing this
f0b236 
 certificate and key.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
f0b236 
 Use the key with this nickname to generate the signing request.  If no
f0b236 
 such key is found, generate one.  Give the enrolled certificate this
f0b236 
 nickname, too.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, use the token
f0b236 
 with this name for storing and accessing the certificate and key.  This
f0b236 
 argument only rarely needs to be specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 Store the issued certificate in this file.  For safety's sake, do not
f0b236 
 use the same file specified with the \fB\-k\fR option.
f0b236 
 .TP
f0b236 
-\fB\-k\fR FILE
f0b236 
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
f0b236 
 Use the key stored in this file to generate the signing request.  If no
f0b236 
 such file is found, generate a new key pair and store them in the file.
f0b236 
 Only valid with \fB\-f\fR.
f0b236
f0b236 
 .SH KEY ENCRYPTION OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-p\fR FILE
f0b236 
+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
f0b236 
 Encrypt private key files or databases using the PIN stored in the named
f0b236 
 file as the passphrase.
f0b236 
 .TP
f0b236 
-\fB\-P\fR PIN
f0b236 
+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
f0b236 
 Encrypt private key files or databases using the specified PIN as the
f0b236 
-passphrase.  Because command-line arguments to running processes are
f0b236 
+passphrase.  Because command\-line arguments to running processes are
f0b236 
 trivially discoverable, use of this option is not recommended except
f0b236 
 for testing.
f0b236
f0b236 
 .SH KEY GENERATION OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-G\fR TYPE
f0b236 
+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
f0b236 
 In case a new key pair needs to be generated, this option specifies the
f0b236 
 type of the keys to be generated.  If not specified, a reasonable default
f0b236 
 (currently \fIRSA\fR) will be used.
f0b236 
 .TP
f0b236 
-\fB\-g\fR BITS
f0b236 
+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
f0b236 
 In case a new key pair needs to be generated, this option specifies the
f0b236 
 size of the key.  If not specified, a reasonable default (currently
f0b236 
 @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used.
f0b236
f0b236 
 .SH TRACKING OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-r\fR
f0b236 
+\fB\-r\fR, \fB\-\-renew\fR
f0b236 
 Attempt to obtain a new certificate from the CA when the expiration date of a
f0b236 
 certificate nears.  This is the default setting.
f0b236 
 .TP
f0b236 
-\fB\-R\fR
f0b236 
+\fB\-R\fR, \fB\-\-no\-renew\fR
f0b236 
 Don't attempt to obtain a new certificate from the CA when the expiration date
f0b236 
 of a certificate nears.  If this option is specified, an expired certificate
f0b236 
 will simply stay expired.
f0b236 
 .TP
f0b236 
-\fB\-I\fR NAME
f0b236 
+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Assign the specified nickname to this task.  If this option is not specified,
f0b236 
 a name will be assigned automatically.
f0b236
f0b236 
 .SH ENROLLMENT OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Enroll with the specified CA rather than a possible default.  The name of
f0b236 
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
f0b236 
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
f0b236 
 .TP
f0b236 
-\fB\-T\fR NAME
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 Request a certificate using the named profile, template, or certtype,
f0b236 
 from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-\-ms-template-spec\fR SPEC
f0b236 
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
f0b236 
 Include a V2 Certificate Template extension in the signing request.
f0b236 
 This datum includes an Object Identifier, a major version number
f0b236 
 (positive integer) and an optional minor version number.  The format
f0b236 
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
f0b236 
 .TP
f0b236 
-\fB\-X\fR NAME
f0b236 
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
f0b236 
 Request a certificate using the named issuer from the specified CA.
f0b236
f0b236 
 .SH SIGNING REQUEST OPTIONS
f0b236 
@@ -108,11 +108,11 @@ The options \fB\-K\fR, \fB\-E\fR, \fB\-D\fR and \fB\-A\fR may be provided
f0b236 
 multiple times to set multiple subjectAltName of the same type.
f0b236
f0b236 
 .TP
f0b236 
-\fB\-N\fR NAME
f0b236 
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
f0b236 
 Set the subject name to include in the signing request.  The default
f0b236 
 used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname.
f0b236 
 .TP
f0b236 
-\fB\-u\fR keyUsage
f0b236 
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
f0b236 
 Add an extensionRequest for the specified keyUsage to the
f0b236 
 signing request.  The keyUsage value is expected to be one of these names:
f0b236
f0b236 
@@ -134,84 +134,113 @@ encipherOnly
f0b236
f0b236 
 decipherOnly
f0b236 
 .TP
f0b236 
-\fB\-U\fR EKU
f0b236 
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
f0b236 
 Add an extensionRequest for the specified extendedKeyUsage to the
f0b236 
 signing request.  The EKU value is expected to be an object identifier
f0b236 
 (OID), but some specific names are also recognized.  These are some
f0b236 
 names and their associated OID values:
f0b236
f0b236 
-id-kp-serverAuth 1.3.6.1.5.5.7.3.1
f0b236 
+id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1
f0b236
f0b236 
-id-kp-clientAuth 1.3.6.1.5.5.7.3.2
f0b236 
+id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2
f0b236
f0b236 
-id-kp-codeSigning 1.3.6.1.5.5.7.3.3
f0b236 
+id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3
f0b236
f0b236 
-id-kp-emailProtection 1.3.6.1.5.5.7.3.4
f0b236 
+id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4
f0b236
f0b236 
-id-kp-timeStamping 1.3.6.1.5.5.7.3.8
f0b236 
+id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8
f0b236
f0b236 
-id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
f0b236 
+id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9
f0b236
f0b236 
-id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
f0b236 
+id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4
f0b236
f0b236 
-id-pkinit-KPKdc 1.3.6.1.5.2.3.5
f0b236 
+id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5
f0b236
f0b236 
-id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
f0b236 
+id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2
f0b236 
 .TP
f0b236 
-\fB\-K\fR NAME
f0b236 
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified Kerberos
f0b236 
 principal name as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-E\fR EMAIL
f0b236 
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified email
f0b236 
 address as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-D\fR DNSNAME
f0b236 
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified DNS name
f0b236 
 as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-A\fR ADDRESS
f0b236 
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified IP address
f0b236 
 as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-l\fR FILE
f0b236 
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
f0b236 
 Add an optional ChallengePassword value, read from the file, to the signing
f0b236 
 request.  A ChallengePassword is often required when the CA is accessed using
f0b236 
 SCEP.
f0b236 
 .TP
f0b236 
-\fB\-L\fR PIN
f0b236 
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
f0b236 
 Add the argument value to the signing request as a ChallengePassword attribute.
f0b236 
 A ChallengePassword is often required when the CA is accessed using SCEP.
f0b236
f0b236 
 .SH OTHER OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-B\fR COMMAND
f0b236 
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user before
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-C\fR COMMAND
f0b236 
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user after
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-a\fR DIR
f0b236 
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, save them to the specified NSS database.
f0b236 
 .TP
f0b236 
-\fB\-F\fR FILE
f0b236 
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, and when the local copies of the
f0b236 
 CA's root certificates are updated, save them to the specified file.
f0b236 
 .TP
f0b236 
-\fB\-w\fR
f0b236 
+\fB\-\-for\-ca\fR
f0b236 
+Request a CA certificate.
f0b236 
+.TP
f0b236 
+\fB\-\-not\-for\-ca\fR
f0b236 
+Request a non\-CA certificate (the default).
f0b236 
+.TP
f0b236 
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
f0b236 
+Path length for CA certificate. Only valid with \-\-for\-ca.
f0b236 
+.TP
f0b236 
+\fB\-w\fR, \fB\-\-wait\fR
f0b236 
 Wait for the certificate to be issued and saved, or for the attempt to obtain
f0b236 
 one to fail.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
f0b236 
+Maximum time to wait for the certificate to be issued.
f0b236 
+.TP
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236 
-
f0b236 
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the private key file or database to OWNER.
f0b236 
+.TP
f0b236 
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the private key file or database to MODE.
f0b236 
+.TP
f0b236 
+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the certificate file or database to OWNER.
f0b236 
+.TP
f0b236 
+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the certificate file or database to MODE.
f0b236 
+.SH BUS OPTIONS
f0b236 
+\fB\-s\fR, \fB\-\-session\fR
f0b236 
+Connect to certmonger on the session bus rather than the system bus.
f0b236 
+.TP
f0b236 
+\fB\-S\fR, \fB\-\-system\fR
f0b236 
+Connect to certmonger on the system bus rather than the session bus.  This
f0b236 
+is the default.
f0b236 
 .SH NOTES
f0b236 
 Locations specified for key and certificate storage need to be
f0b236 
 accessible to the \fIcertmonger\fR daemon process.  When run as a system
f0b236 
@@ -219,7 +248,7 @@ daemon on a system which uses a mandatory access control mechanism such
f0b236 
 as SELinux, the system policy must ensure that the daemon is allowed to
f0b236 
 access the locations where certificates and keys that it will manage
f0b236 
 will be stored (these locations are typically labeled as \fIcert_t\fR or
f0b236 
-an equivalent).  More SELinux-specific information can be found in the
f0b236 
+an equivalent).  More SELinux\-specific information can be found in the
f0b236 
 \fIselinux.txt\fR documentation file for this package.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -228,23 +257,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in
f0b236 
index f9e6bb1..aefea51 100644
f0b236 
--- a/src/getcert-resubmit.1.in
f0b236 
+++ b/src/getcert-resubmit.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -12,7 +12,7 @@ submit (or resubmit) the signing request to a CA for signing.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY NICKNAME
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Resubmit a signing request for the tracking request which has this nickname.
f0b236 
 If this option is not specified, and a tracking entry which matches the key
f0b236 
 and certificate storage options which are specified already exists, that entry
f0b236 
@@ -22,50 +22,50 @@ with the \fB\-f\fR option.
f0b236
f0b236 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
f0b236 
 The certificate is in the NSS database in the specified directory.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
f0b236 
 The certificate in the NSS database named with \fB\-d\fR has the specified
f0b236 
 nickname.  Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, the certificate
f0b236 
 is stored in this token.  This argument only rarely needs to be specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 The certificate is stored in the named file.
f0b236
f0b236 
 .SH ENROLLMENT OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Submit the new signing request to the specified CA rather than the one which
f0b236 
 was previously associated with this certificate.  The name of
f0b236 
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
f0b236 
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
f0b236 
 .TP
f0b236 
-\fB\-T\fR NAME
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 Request a certificate using the named profile, template, or certtype,
f0b236 
 from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-\-ms-template-spec\fR SPEC
f0b236 
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
f0b236 
 Include a V2 Certificate Template extension in the signing request.
f0b236 
 This datum includes an Object Identifier, a major version number
f0b236 
 (positive integer) and an optional minor version number.  The format
f0b236 
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
f0b236 
 .TP
f0b236 
-\fB\-X\fR NAME
f0b236 
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
f0b236 
 Request a certificate using the named issuer from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-I\fR NAME
f0b236 
+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Assign the specified nickname to this task, replacing the previous nickname.
f0b236
f0b236 
 .SH SIGNING REQUEST OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-N\fR NAME
f0b236 
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
f0b236 
 Change the subject name to include in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-u\fR keyUsage
f0b236 
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
f0b236 
 Add an extensionRequest for the specified keyUsage to the
f0b236 
 signing request.  The keyUsage value is expected to be one of these names:
f0b236
f0b236 
@@ -87,64 +87,84 @@ encipherOnly
f0b236
f0b236 
 decipherOnly
f0b236 
 .TP
f0b236 
-\fB\-U\fR EKU
f0b236 
++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
f0b236 
 Change the extendedKeyUsage value specified in an extendedKeyUsage
f0b236 
 extension part of the extensionRequest attribute in the signing
f0b236 
 request.  The EKU value is expected to be an object identifier (OID).
f0b236 
 .TP
f0b236 
-\fB\-K\fR NAME
f0b236 
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
f0b236 
 Change the Kerberos principal name specified as part of a subjectAltName
f0b236 
 extension part of the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-E\fR EMAIL
f0b236 
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
f0b236 
 Change the email address specified as part of a subjectAltName
f0b236 
 extension part of the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-D\fR DNSNAME
f0b236 
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
f0b236 
 Change the DNS name specified as part of a subjectAltName extension part of the
f0b236 
 extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-A\fR ADDRESS
f0b236 
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
f0b236 
 Change the IP address specified as part of a subjectAltName extension part of
f0b236 
 the extensionRequest attribute in the signing request.
f0b236 
 .TP
f0b236 
-\fB\-l\fR FILE
f0b236 
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
f0b236 
 Add an optional ChallengePassword value, read from the file, to the signing
f0b236 
 request.  A ChallengePassword is often required when the CA is accessed using
f0b236 
 SCEP.
f0b236 
 .TP
f0b236 
-\fB\-L\fR PIN
f0b236 
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
f0b236 
 Add the argument value to the signing request as a ChallengePassword attribute.
f0b236 
 A ChallengePassword is often required when the CA is accessed using SCEP.
f0b236
f0b236 
 .SH OTHER OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-B\fR COMMAND
f0b236 
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user before
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-C\fR COMMAND
f0b236 
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user after
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-a\fR DIR
f0b236 
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, save them to the specified NSS database.
f0b236 
 .TP
f0b236 
-\fB\-F\fR FILE
f0b236 
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, and when the local copies of the
f0b236 
 CA's root certificates are updated, save them to the specified file.
f0b236 
 .TP
f0b236 
-\fB\-w\fR
f0b236 
+\fB\-\-for\-ca\fR
f0b236 
+Request a CA certificate.
f0b236 
+.TP
f0b236 
+\fB\-\-not\-for\-ca\fR
f0b236 
+Request a non\-CA certificate (the default).
f0b236 
+.TP
f0b236 
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
f0b236 
+Path length for CA certificate. Only valid with \-\-for\-ca.
f0b236 
+.TP
f0b236 
+\fB\-w\fR, \fB\-\-wait\fR
f0b236 
 Wait for the certificate to be reissued and saved, or for the attempt to obtain
f0b236 
 one to fail.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
f0b236 
+Maximum time to wait for the certificate to be issued.
f0b236 
+.TP
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236 
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the private key file or database to OWNER.
f0b236 
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the private key file or database to MODE.
f0b236 
+\fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the certificate file or database to OWNER.
f0b236 
+\fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the certificate file or database to MODE.
f0b236
f0b236 
 .SH BUGS
f0b236 
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
f0b236 
@@ -152,23 +172,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in
f0b236 
index f60e4a7..fff16f5 100644
f0b236 
--- a/src/getcert-start-tracking.1.in
f0b236 
+++ b/src/getcert-start-tracking.1.in
f0b236 
@@ -1,13 +1,13 @@
f0b236 
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert start-tracking [options]
f0b236 
+getcert start\-tracking [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-Tells \fIcertmonger\fR to monitor an already-issued certificate.
f0b236 
+Tells \fIcertmonger\fR to monitor an already\-issued certificate.
f0b236 
 Optionally, when the certificate nears expiration, use an existing key
f0b236 
 pair (or to generate one if one is not already found in the specified
f0b236 
 location), to generate a signing request using the key pair and to
f0b236 
@@ -15,7 +15,7 @@ submit them for signing to a CA.
f0b236
f0b236 
 .SH SPECIFYING EXISTING REQUESTS
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Modify the request which has this nickname.  If this option is not specified,
f0b236 
 and a tracking entry which matches the key and certificate storage options
f0b236 
 which are specified already exists, that entry will be modified.  Otherwise, a
f0b236 
@@ -23,27 +23,27 @@ new tracking entry will be added.
f0b236
f0b236 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
f0b236 
 Use an NSS database in the specified directory for reading this
f0b236 
 certificate and, if possible, the corresponding key.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
f0b236 
 Use the certificate with this nickname, and if a private key with the
f0b236 
 same nickname or which corresponds to the certificate is available, to
f0b236 
 use it, too.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, use the token
f0b236 
 with this name for accessing the certificate and key.  This argument
f0b236 
 only rarely needs to be specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 Read the certificate from this file.  For safety's sake, do not use the
f0b236 
 same file specified with the \fB\-k\fR option.
f0b236 
 .TP
f0b236 
-\fB\-k\fR FILE
f0b236 
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
f0b236 
 Use the key stored in this file to generate a signing request for
f0b236 
 refreshing the certificate.  If no such file is found when needed,
f0b236 
 generate a new key pair and store them in the file.
f0b236 
@@ -51,58 +51,58 @@ Only valid with \fB\-f\fR.
f0b236
f0b236 
 .SH KEY ENCRYPTION OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-p\fR FILE
f0b236 
+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
f0b236 
 The private key files or databases are encrypted using the PIN stored in the
f0b236 
 named file as the passphrase.
f0b236 
 .TP
f0b236 
-\fB\-P\fR PIN
f0b236 
+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
f0b236 
 The private key files or databases are encrypted using the specified PIN as the
f0b236 
-passphrase.  Because command-line arguments to running processes are trivially
f0b236 
+passphrase.  Because command\-line arguments to running processes are trivially
f0b236 
 discoverable, use of this option is not recommended except for testing.
f0b236
f0b236 
 .SH TRACKING OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-I\fR NAME
f0b236 
+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
f0b236 
 Assign the specified nickname to this task.  If this option is not specified,
f0b236 
 a name will be assigned automatically.
f0b236 
 .TP
f0b236 
-\fB\-r\fR
f0b236 
+\fB\-r\fR, \fB\-\-renew\fR
f0b236 
 Attempt to obtain a new certificate from the CA when the expiration date of a
f0b236 
 certificate nears.  This is the default setting.
f0b236 
 .TP
f0b236 
-\fB\-R\fR
f0b236 
+\fB\-R\fR, \fB\-\-no\-renew\fR
f0b236 
 Don't attempt to obtain a new certificate from the CA when the expiration date
f0b236 
 of a certificate nears.  If this option is specified, an expired certificate
f0b236 
 will simply stay expired.
f0b236
f0b236 
 .SH ENROLLMENT OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-c\fR NAME
f0b236 
+\fB\-c\fR  \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
f0b236 
 Enroll with the specified CA rather than a possible default.  The name of
f0b236 
-the CA should correspond to one listed by \fIgetcert list-cas\fR.  Only
f0b236 
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.  Only
f0b236 
 useful in combination with \fB\-r\fR.
f0b236 
 .TP
f0b236 
-\fB\-T\fR NAME
f0b236 
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
f0b236 
 Request a certificate using the named profile, template, or certtype,
f0b236 
 from the specified CA.
f0b236 
 .TP
f0b236 
-\fB\-\-ms-template-spec\fR SPEC
f0b236 
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
f0b236 
 Include a V2 Certificate Template extension in the signing request.
f0b236 
 This datum includes an Object Identifier, a major version number
f0b236 
 (positive integer) and an optional minor version number.  The format
f0b236 
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
f0b236 
 .TP
f0b236 
-\fB\-X\fR NAME
f0b236 
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
f0b236 
 Request a certificate using the named issuer from the specified CA.
f0b236
f0b236 
 .SH SIGNING REQUEST OPTIONS
f0b236 
 If and when \fIcertmonger\fR attempts to obtain a new certificate to replace
f0b236 
 the one being monitored, the values to be added to the signing request will be
f0b236 
 taken from the current certificate, unless preferred values are set using one
f0b236 
-or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
f0b236 
+or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
f0b236
f0b236 
 .TP
f0b236 
-\fB\-u\fR keyUsage
f0b236 
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
f0b236 
 Add an extensionRequest for the specified keyUsage to the
f0b236 
 signing request.  The keyUsage value is expected to be one of these names:
f0b236
f0b236 
@@ -124,64 +124,86 @@ encipherOnly
f0b236
f0b236 
 decipherOnly
f0b236 
 .TP
f0b236 
-\fB\-U\fR EKU
f0b236 
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
f0b236 
 Add an extensionRequest for the specified extendedKeyUsage to the
f0b236 
 signing request.  The EKU value is expected to be an object identifier
f0b236 
 (OID).
f0b236 
 .TP
f0b236 
-\fB\-K\fR NAME
f0b236 
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified Kerberos
f0b236 
 principal name as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-E\fR EMAIL
f0b236 
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified email
f0b236 
 address as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-D\fR DNSNAME
f0b236 
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified DNS name
f0b236 
 as its value, to the signing request.
f0b236 
-\fB\-A\fR ADDRESS
f0b236 
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
f0b236 
 Add an extensionRequest for a subjectAltName, with the specified IP address
f0b236 
 as its value, to the signing request.
f0b236 
 .TP
f0b236 
-\fB\-l\fR FILE
f0b236 
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
f0b236 
 Add an optional ChallengePassword value, read from the file, to the signing
f0b236 
 request.  A ChallengePassword is often required when the CA is accessed using
f0b236 
 SCEP.
f0b236 
 .TP
f0b236 
-\fB\-L\fR PIN
f0b236 
+\fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR
f0b236 
 Add the argument value to the signing request as a ChallengePassword attribute.
f0b236 
 A ChallengePassword is often required when the CA is accessed using SCEP.
f0b236
f0b236 
 .SH OTHER OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-B\fR COMMAND
f0b236 
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user before
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-C\fR COMMAND
f0b236 
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
f0b236 
 When ever the certificate or the CA's certificates are saved to the
f0b236 
 specified locations, run the specified command as the client user after
f0b236 
 saving the certificates.
f0b236 
 .TP
f0b236 
-\fB\-a\fR DIR
f0b236 
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, save them to the specified NSS database.
f0b236 
 .TP
f0b236 
-\fB\-F\fR FILE
f0b236 
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
f0b236 
 When ever the certificate is saved to the specified location, if root
f0b236 
 certificates for the CA are available, and when the local copies of the
f0b236 
 CA's root certificates are updated, save them to the specified file.
f0b236 
 .TP
f0b236 
-\fB\-w\fR
f0b236 
+\fB\-w\fR, \fB\-\-wait\fR
f0b236 
 Wait for the certificate to become valid or to be reissued and saved, or for
f0b236 
 the attempt to obtain a new one to fail.
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
f0b236 
+Maximum time to wait for the certificate to be issued.
f0b236 
+.TP
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236 
-
f0b236 
+.TP
f0b236 
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the private key file or database to OWNER.
f0b236 
+.TP
f0b236 
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the private key file or database to MODE.
f0b236 
+.TP
f0b236 
+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
f0b236 
+After generation set the owner on the certificate file or database to OWNER.
f0b236 
+.TP
f0b236 
+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
f0b236 
+After generation set the file permissions on the certificate file or database to MODE.
f0b236 
+.SH BUS OPTIONS
f0b236 
+.TP
f0b236 
+\fB\-s\fR, \fB\-\-session\fR
f0b236 
+Connect to certmonger on the session bus rather than the system bus.
f0b236 
+.TP
f0b236 
+\fB\-S\fR, \fB\-\-system\fR
f0b236 
+Connect to certmonger on the system bus rather than the session bus.  This
f0b236 
+is the default.
f0b236 
 .SH NOTES
f0b236 
 Locations specified for key and certificate storage need to be
f0b236 
 accessible to the \fIcertmonger\fR daemon process.  When run as a system
f0b236 
@@ -189,7 +211,7 @@ daemon on a system which uses a mandatory access control mechanism such
f0b236 
 as SELinux, the system policy must ensure that the daemon is allowed to
f0b236 
 access the locations where certificates and keys that it will manage
f0b236 
 will be stored (these locations are typically labeled as \fIcert_t\fR or
f0b236 
-an equivalent).  More SELinux-specific information can be found in the
f0b236 
+an equivalent).  More SELinux\-specific information can be found in the
f0b236 
 \fIselinux.txt\fR documentation file for this package.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -198,23 +220,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-status.1.in b/src/getcert-status.1.in
f0b236 
index 071d393..da2fbc6 100644
f0b236 
--- a/src/getcert-status.1.in
f0b236 
+++ b/src/getcert-status.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "13 June 2014" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "June 13, 2014" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -12,18 +12,18 @@ request and sets an exit status to reflect that status.
f0b236
f0b236 
 .SH SELECTION OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
f0b236 
 Check that status of a certificate in the named NSS database.  Must be
f0b236 
-specified with the \fB-n\fR option.
f0b236 
+specified with the \fB\-n\fR option.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
f0b236 
 Check that status of a certificate in with the specified nickname.  Must be
f0b236 
-specified with the \fB-d\fR option.
f0b236 
+specified with the \fB\-d\fR option.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 Check that status of a certificate stored in the specified PEM file.
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 Check that status of a certificate with the specified request nickname.
f0b236
f0b236 
 .SH EXIT STATUS
f0b236 
@@ -53,24 +53,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert-stop-tracking.1.in b/src/getcert-stop-tracking.1.in
f0b236 
index a8657f3..96345d1 100644
f0b236 
--- a/src/getcert-stop-tracking.1.in
f0b236 
+++ b/src/getcert-stop-tracking.1.in
f0b236 
@@ -1,10 +1,10 @@
f0b236 
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
-getcert stop-tracking [options]
f0b236 
+getcert stop\-tracking [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 Tells \fIcertmonger\fR to stop monitoring or attempting to obtain or
f0b236 
@@ -12,7 +12,7 @@ refresh a certificate.
f0b236
f0b236 
 .SH TRACKING OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-i\fR NAME
f0b236 
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
f0b236 
 The certificate was tracked using the request with the specified nickname.
f0b236 
 If this option is not specified, some combination of \fB\-d\fR and
f0b236 
 \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should
f0b236 
@@ -20,55 +20,62 @@ henceforth be forgotten.
f0b236
f0b236 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-d\fR DIR
f0b236 
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
f0b236 
 The certificate is the one stored in the specified NSS database.
f0b236 
 .TP
f0b236 
-\fB\-n\fR NAME
f0b236 
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
f0b236 
 The certificate is the one which has this nickname.  Only valid with
f0b236 
 \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-t\fR TOKEN
f0b236 
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
f0b236 
 If the NSS database has more than one token available, the certificate
f0b236 
 is stored in this token.  This argument only rarely needs to be
f0b236 
 specified.
f0b236 
 Only valid with \fB\-d\fR.
f0b236 
 .TP
f0b236 
-\fB\-f\fR FILE
f0b236 
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
f0b236 
 The certificate is or was to be stored in this file.
f0b236 
 .TP
f0b236 
-\fB\-k\fR FILE
f0b236 
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
f0b236 
 The private key is or was to be stored in this file.
f0b236 
 Only valid with \fB\-f\fR.
f0b236
f0b236 
 .SH OTHER OPTIONS
f0b236 
 .TP
f0b236 
-\fB\-v\fR
f0b236 
+\fB\-v\fR, \fB\-\-verbose\fR
f0b236 
 Be verbose about errors.  Normally, the details of an error received from
f0b236 
 the daemon will be suppressed if the client can make a diagnostic suggestion.
f0b236 
-
f0b236 
+.SH BUS OPTIONS
f0b236 
+.TP
f0b236 
+\fB\-s\fR, \fB\-\-session\fR
f0b236 
+Connect to certmonger on the session bus rather than the system bus.
f0b236 
+.TP
f0b236 
+\fB\-S\fR, \fB\-\-system\fR
f0b236 
+Connect to certmonger on the system bus rather than the session bus.  This
f0b236 
+is the default.
f0b236 
 .SH BUGS
f0b236 
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
f0b236
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/getcert.1.in b/src/getcert.1.in
f0b236 
index 7380f49..8669c76 100644
f0b236 
--- a/src/getcert.1.in
f0b236 
+++ b/src/getcert.1.in
f0b236 
@@ -1,4 +1,4 @@
f0b236 
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
 getcert
f0b236 
@@ -6,12 +6,12 @@ getcert
f0b236 
 .SH SYNOPSIS
f0b236 
  getcert request [options]
f0b236 
  getcert resubmit [options]
f0b236 
- getcert start-tracking [options]
f0b236 
+ getcert start\-tracking [options]
f0b236 
  getcert status [options]
f0b236 
- getcert stop-tracking [options]
f0b236 
+ getcert stop\-tracking [options]
f0b236 
  getcert list [options]
f0b236 
- getcert list-cas [options]
f0b236 
- getcert refresh-cas [options]
f0b236 
+ getcert list\-cas [options]
f0b236 
+ getcert refresh\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
 The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on
f0b236 
@@ -22,7 +22,7 @@ expiration, and optionally to refresh it when expiration nears, it can
f0b236 
 list the set of certificates that the service is already monitoring, or
f0b236 
 it can list the set of CAs that the service is capable of using.
f0b236
f0b236 
-If no command is given as the first command-line argument, \fIgetcert\fR
f0b236 
+If no command is given as the first command\-line argument, \fIgetcert\fR
f0b236 
 will print short usage information for each of its functions.
f0b236
f0b236 
 If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus
f0b236 
@@ -32,7 +32,7 @@ available, \fIgetcert\fR will attempt to launch a temporary copy of the
f0b236 
 .SH COMMON ARGUMENTS
f0b236 
 If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR
f0b236 
 contacts the service directly at the specified location.
f0b236 
-All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct
f0b236 
+All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct
f0b236 
 \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system
f0b236 
 bus, if no value is set.  By default, \fIgetcert\fR consults the @CM_DBUS_NAME@
f0b236 
 service attached to the system bus.
f0b236 
@@ -42,24 +42,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/ipa-getcert.1.in b/src/ipa-getcert.1.in
f0b236 
index a1d36d5..f1b3682 100644
f0b236 
--- a/src/ipa-getcert.1.in
f0b236 
+++ b/src/ipa-getcert.1.in
f0b236 
@@ -1,20 +1,20 @@
f0b236 
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-ipa-getcert
f0b236 
+ipa\-getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
- ipa-getcert request [options]
f0b236 
- ipa-getcert resubmit [options]
f0b236 
- ipa-getcert start-tracking [options]
f0b236 
- ipa-getcert status [options]
f0b236 
- ipa-getcert stop-tracking [options]
f0b236 
- ipa-getcert list [options]
f0b236 
- ipa-getcert list-cas [options]
f0b236 
- ipa-getcert refresh-cas [options]
f0b236 
+ ipa\-getcert request [options]
f0b236 
+ ipa\-getcert resubmit [options]
f0b236 
+ ipa\-getcert start\-tracking [options]
f0b236 
+ ipa\-getcert status [options]
f0b236 
+ ipa\-getcert stop\-tracking [options]
f0b236 
+ ipa\-getcert list [options]
f0b236 
+ ipa\-getcert list\-cas [options]
f0b236 
+ ipa\-getcert refresh\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
+The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
 service on behalf of the invoking user.  It can ask the service to begin
f0b236 
 enrollment, optionally generating a key pair to use, it can ask the
f0b236 
 service to begin monitoring a certificate in a specified location for
f0b236 
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
f0b236 
 list the set of certificates that the service is already monitoring, or
f0b236 
 it can list the set of CAs that the service is capable of using.
f0b236
f0b236 
-If no command is given as the first command-line argument,
f0b236 
-\fIipa-getcert\fR will print short usage information for each of
f0b236 
+If no command is given as the first command\-line argument,
f0b236 
+\fIipa\-getcert\fR will print short usage information for each of
f0b236 
 its functions.
f0b236
f0b236 
-The \fIipa-getcert\fR tool behaves identically to the generic
f0b236 
-\fIgetcert\fR tool when it is used with the \fB-c
f0b236 
+The \fIipa\-getcert\fR tool behaves identically to the generic
f0b236 
+\fIgetcert\fR tool when it is used with the \fB\-c
f0b236 
 \fI@CM_IPA_CA_NAME@\fR option.
f0b236
f0b236 
 \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
f0b236 
-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
f0b236 
-using the \fB-F\fR and \fB-a\fR options to specify where those certificates
f0b236 
+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
f0b236 
+using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates
f0b236 
 should be stored.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/local-getcert.1.in b/src/local-getcert.1.in
f0b236 
index 526e31f..48a265b 100644
f0b236 
--- a/src/local-getcert.1.in
f0b236 
+++ b/src/local-getcert.1.in
f0b236 
@@ -1,20 +1,20 @@
f0b236 
-.TH certmonger 1 "7 June 2014" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "June 7, 2014" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-local-getcert
f0b236 
+local\-getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
- local-getcert request [options]
f0b236 
- local-getcert resubmit [options]
f0b236 
- local-getcert start-tracking [options]
f0b236 
- local-getcert status [options]
f0b236 
- local-getcert stop-tracking [options]
f0b236 
- local-getcert list [options]
f0b236 
- local-getcert list-cas [options]
f0b236 
- local-getcert refresh-cas [options]
f0b236 
+ local\-getcert request [options]
f0b236 
+ local\-getcert resubmit [options]
f0b236 
+ local\-getcert start\-tracking [options]
f0b236 
+ local\-getcert status [options]
f0b236 
+ local\-getcert stop\-tracking [options]
f0b236 
+ local\-getcert list [options]
f0b236 
+ local\-getcert list\-cas [options]
f0b236 
+ local\-getcert refresh\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
+The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
 service on behalf of the invoking user.  It can ask the service to begin
f0b236 
 enrollment, optionally generating a key pair to use, it can ask the
f0b236 
 service to begin monitoring a certificate in a specified location for
f0b236 
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
f0b236 
 list the set of certificates that the service is already monitoring, or
f0b236 
 it can list the set of CAs that the service is capable of using.
f0b236
f0b236 
-If no command is given as the first command-line argument,
f0b236 
-\fIlocal-getcert\fR will print short usage information for each of
f0b236 
+If no command is given as the first command\-line argument,
f0b236 
+\fIlocal\-getcert\fR will print short usage information for each of
f0b236 
 its functions.
f0b236
f0b236 
-The \fIlocal-getcert\fR tool behaves identically to the generic
f0b236 
-\fIgetcert\fR tool when it is used with the \fB-c
f0b236 
+The \fIlocal\-getcert\fR tool behaves identically to the generic
f0b236 
+\fIgetcert\fR tool when it is used with the \fB\-c
f0b236 
 \fIlocal\fR option.
f0b236
f0b236 
-\fBcertmonger\fR supports retrieving the list of current and previously-used
f0b236 
-local CA certificates.  See \fBgetcert-request\fR(1) and
f0b236 
-\fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR
f0b236 
+\fBcertmonger\fR supports retrieving the list of current and previously\-used
f0b236 
+local CA certificates.  See \fBgetcert\-request\fR(1) and
f0b236 
+\fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR
f0b236 
 options to specify where those certificates should be stored.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
diff --git a/src/selfsign-getcert.1.in b/src/selfsign-getcert.1.in
f0b236 
index 88389e8..d15c398 100644
f0b236 
--- a/src/selfsign-getcert.1.in
f0b236 
+++ b/src/selfsign-getcert.1.in
f0b236 
@@ -1,20 +1,20 @@
f0b236 
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
f0b236 
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
f0b236
f0b236 
 .SH NAME
f0b236 
-selfsign-getcert
f0b236 
+selfsign\-getcert
f0b236
f0b236 
 .SH SYNOPSIS
f0b236 
- selfsign-getcert request [options]
f0b236 
- selfsign-getcert resubmit [options]
f0b236 
- selfsign-getcert start-tracking [options]
f0b236 
- selfsign-getcert status [options]
f0b236 
- selfsign-getcert stop-tracking [options]
f0b236 
- selfsign-getcert list [options]
f0b236 
- selfsign-getcert list-cas [options]
f0b236 
- selfsign-getcert refresh-cas [options]
f0b236 
+ selfsign\-getcert request [options]
f0b236 
+ selfsign\-getcert resubmit [options]
f0b236 
+ selfsign\-getcert start\-tracking [options]
f0b236 
+ selfsign\-getcert status [options]
f0b236 
+ selfsign\-getcert stop\-tracking [options]
f0b236 
+ selfsign\-getcert list [options]
f0b236 
+ selfsign\-getcert list\-cas [options]
f0b236 
+ selfsign\-getcert refresh\-cas [options]
f0b236
f0b236 
 .SH DESCRIPTION
f0b236 
-The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
+The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
f0b236 
 service on behalf of the invoking user.  It can ask the service to begin
f0b236 
 enrollment, optionally generating a key pair to use, it can ask the
f0b236 
 service to begin monitoring a certificate in a specified location for
f0b236 
@@ -22,16 +22,16 @@ expiration, and optionally to refresh it when expiration nears, it can
f0b236 
 list the set of certificates that the service is already monitoring, or
f0b236 
 it can list the set of CAs that the service is capable of using.
f0b236
f0b236 
-If no command is given as the first command-line argument,
f0b236 
-\fIselfsign-getcert\fR will print short usage information for each of
f0b236 
+If no command is given as the first command\-line argument,
f0b236 
+\fIselfsign\-getcert\fR will print short usage information for each of
f0b236 
 its functions.
f0b236
f0b236 
-The \fIselfsign-getcert\fR tool behaves identically to the generic
f0b236 
-\fIgetcert\fR tool when it is used with the \fB-c
f0b236 
+The \fIselfsign\-getcert\fR tool behaves identically to the generic
f0b236 
+\fIgetcert\fR tool when it is used with the \fB\-c
f0b236 
 \fI@CM_SELF_SIGN_CA_NAME@\fR option.
f0b236
f0b236 
-\fBcertmonger\fR's self-signer doesn't use root certificates.  While the
f0b236 
-\fB-F\fR and \fB-a\fR options will still be recognized, they will effectively
f0b236 
+\fBcertmonger\fR's self\-signer doesn't use root certificates.  While the
f0b236 
+\fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively
f0b236 
 be ignored.
f0b236
f0b236 
 .SH BUGS
f0b236 
@@ -40,24 +40,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
f0b236 
 .SH SEE ALSO
f0b236 
 \fBcertmonger\fR(8)
f0b236 
 \fBgetcert\fR(1)
f0b236 
-\fBgetcert-add-ca\fR(1)
f0b236 
-\fBgetcert-add-scep-ca\fR(1)
f0b236 
-\fBgetcert-list-cas\fR(1)
f0b236 
-\fBgetcert-list\fR(1)
f0b236 
-\fBgetcert-modify-ca\fR(1)
f0b236 
-\fBgetcert-refresh-ca\fR(1)
f0b236 
-\fBgetcert-refresh\fR(1)
f0b236 
-\fBgetcert-rekey\fR(1)
f0b236 
-\fBgetcert-remove-ca\fR(1)
f0b236 
-\fBgetcert-request\fR(1)
f0b236 
-\fBgetcert-resubmit\fR(1)
f0b236 
-\fBgetcert-start-tracking\fR(1)
f0b236 
-\fBgetcert-status\fR(1)
f0b236 
-\fBgetcert-stop-tracking\fR(1)
f0b236 
-\fBcertmonger-certmaster-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
f0b236 
-\fBcertmonger-dogtag-submit\fR(8)
f0b236 
-\fBcertmonger-ipa-submit\fR(8)
f0b236 
-\fBcertmonger-local-submit\fR(8)
f0b236 
-\fBcertmonger-scep-submit\fR(8)
f0b236 
+\fBgetcert\-add\-ca\fR(1)
f0b236 
+\fBgetcert\-add\-scep\-ca\fR(1)
f0b236 
+\fBgetcert\-list\-cas\fR(1)
f0b236 
+\fBgetcert\-list\fR(1)
f0b236 
+\fBgetcert\-modify\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\-ca\fR(1)
f0b236 
+\fBgetcert\-refresh\fR(1)
f0b236 
+\fBgetcert\-rekey\fR(1)
f0b236 
+\fBgetcert\-remove\-ca\fR(1)
f0b236 
+\fBgetcert\-request\fR(1)
f0b236 
+\fBgetcert\-resubmit\fR(1)
f0b236 
+\fBgetcert\-start\-tracking\fR(1)
f0b236 
+\fBgetcert\-status\fR(1)
f0b236 
+\fBgetcert\-stop\-tracking\fR(1)
f0b236 
+\fBcertmonger\-certmaster\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
f0b236 
+\fBcertmonger\-dogtag\-submit\fR(8)
f0b236 
+\fBcertmonger\-ipa\-submit\fR(8)
f0b236 
+\fBcertmonger\-local\-submit\fR(8)
f0b236 
+\fBcertmonger\-scep\-submit\fR(8)
f0b236 
 \fBcertmonger_selinux\fR(8)
f0b236 
--
f0b236 
2.21.1
f0b236

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation