Blob Blame Raw
From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 14 May 2020 14:15:17 -0400
Subject: [PATCH 42/43] Add long command-line options to man pages

The man pages almost universally only documented the short
options even though the long options were all defined in
the popt configuration.

Also do a bit of minor bit of reformatting and added a lint
option. I'm not going to require mandoc as a requirement as
the linting is pretty minor at the moment but it's better than
nothing.

https://bugzilla.redhat.com/show_bug.cgi?id=1782838
---
 src/Makefile.am                               |   6 +
 src/certmaster-getcert.1.in                   |  72 ++---
 src/certmonger-certmaster-submit.8.in         |  59 ++--
 ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++-------
 src/certmonger-dogtag-submit.8.in             | 252 ++++++++-------
 src/certmonger-ipa-submit.8.in                | 115 ++++---
 src/certmonger-local-submit.8.in              |  62 ++--
 src/certmonger-scep-submit.8.in               | 124 ++++----
 src/certmonger.8.in                           |  86 +++---
 src/certmonger.conf.5.in                      |  20 +-
 src/getcert-add-ca.1.in                       |  48 +--
 src/getcert-add-scep-ca.1.in                  |  80 ++---
 src/getcert-list-cas.1.in                     |  44 +--
 src/getcert-list.1.in                         |  84 ++---
 src/getcert-modify-ca.1.in                    |  46 +--
 src/getcert-refresh-ca.1.in                   |  50 +--
 src/getcert-refresh.1.in                      |  52 ++--
 src/getcert-rekey.1.in                        | 107 ++++---
 src/getcert-remove-ca.1.in                    |  44 +--
 src/getcert-request.1.in                      | 157 ++++++----
 src/getcert-resubmit.1.in                     | 112 ++++---
 src/getcert-start-tracking.1.in               | 134 ++++----
 src/getcert-status.1.in                       |  54 ++--
 src/getcert-stop-tracking.1.in                |  65 ++--
 src/getcert.1.in                              |  54 ++--
 src/ipa-getcert.1.in                          |  74 ++---
 src/local-getcert.1.in                        |  76 ++---
 src/selfsign-getcert.1.in                     |  74 ++---
 28 files changed, 1321 insertions(+), 1118 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index fe3b235..5343dbc 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -266,3 +266,9 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN
 submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h
 submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \
 		 $(POPT_LIBS)
+
+.PHONY: manlint
+manlint: $(man_MANS)
+	for page in $(MANS); do \
+		mandoc -T lint $${page}; \
+	done
diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in
index ef1c14a..7a038f9 100644
--- a/src/certmaster-getcert.1.in
+++ b/src/certmaster-getcert.1.in
@@ -1,20 +1,20 @@
-.TH certmonger 1 "23 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual"
 
 .SH NAME
-certmaster-getcert
+certmaster\-getcert
 
 .SH SYNOPSIS
- certmaster-getcert request [options]
- certmaster-getcert resubmit [options]
- certmaster-getcert start-tracking [options]
- certmaster-getcert status [options]
- certmaster-getcert stop-tracking [options]
- certmaster-getcert list [options]
- certmaster-getcert list-cas [options]
- certmaster-getcert refresh-cas [options]
+ certmaster\-getcert request [options]
+ certmaster\-getcert resubmit [options]
+ certmaster\-getcert start\-tracking [options]
+ certmaster\-getcert status [options]
+ certmaster\-getcert stop\-tracking [options]
+ certmaster\-getcert list [options]
+ certmaster\-getcert list\-cas [options]
+ certmaster\-getcert refresh\-cas [options]
 
 .SH DESCRIPTION
-The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@
+The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
 service on behalf of the invoking user.  It can ask the service to begin
 enrollment, optionally generating a key pair to use, it can ask the
 service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
 list the set of certificates that the service is already monitoring, or
 it can list the set of CAs that the service is capable of using.
 
-If no command is given as the first command-line argument,
-\fIcertmaster-getcert\fR will print short usage information for each of
+If no command is given as the first command\-line argument,
+\fIcertmaster\-getcert\fR will print short usage information for each of
 its functions.
 
-The \fIcertmaster-getcert\fR tool behaves identically to the generic
-\fIgetcert\fR tool when it is used with the \fB-c
+The \fIcertmaster\-getcert\fR tool behaves identically to the generic
+\fIgetcert\fR tool when it is used with the \fB\-c
 \fI@CM_CERTMASTER_CA_NAME@\fR option.
 
 There is no standard authenticated method for obtaining the root certificate
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
-information from them.  While the \fB-F\fR and \fB-a\fR options will still
+information from them.  While the \fB\-F\fR and \fB\-a\fR options will still
 be recognized, they will effectively be ignored.
 
 .SH BUGS
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in
index aec8b83..e3e990f 100644
--- a/src/certmonger-certmaster-submit.8.in
+++ b/src/certmonger-certmaster-submit.8.in
@@ -1,17 +1,17 @@
-.TH certmonger 8 "7 June 2010" "certmonger Manual"
+.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual"
 
 .SH NAME
-certmaster-submit
+certmaster\-submit
 
 .SH SYNOPSIS
-certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]
+certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile]
 
 .SH DESCRIPTION
-\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make
-requests to certmaster-based CAs.  It is not normally run interactively,
+\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make
+requests to certmaster\-based CAs.  It is not normally run interactively,
 but it can be for troubleshooting purposes.  The signing request which is
 to be submitted should either be in a file whose name is given as an argument,
-or fed into \fIcertmaster-submit\fR via stdin.
+or fed into \fIcertmaster\-submit\fR via stdin.
 
 There is no standard authenticated method for obtaining the root certificate
 from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
@@ -19,21 +19,24 @@ information from them.
 
 .SH OPTIONS
 .TP
-\fB\-h\fR serverHost
+\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR
 Submit the request to the certmaster instance running on the named host.  The
 default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR
 is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR
 if that file is not found.
 .TP
-\fB\-c\fR cafile
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
 Submit the request over HTTPS instead of HTTP, and only trust the server
 if its certificate was issued by the CA whose certificate is in the named file.
 .TP
-\fB\-C\fR capath
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
 Submit the request over HTTPS instead of HTTP, and only trust the server
 if its certificate was issued by a CA whose certificate is in a file in
 the named directory.
-
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Be verbose about errors.  Normally, the details of an error received from
+the daemon will be suppressed if the client can make a diagnostic suggestion.
 .SH EXIT STATUS
 .TP
 0
@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
index 84c8b0d..33e0648 100644
--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
@@ -1,44 +1,51 @@
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
 
 .SH NAME
-dogtag-ipa-renew-agent-submit
+dogtag\-ipa\-renew\-agent\-submit
 
 .SH SYNOPSIS
-dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
-[-d dbdir]
-[-n nickname]
-[-i cainfo]
-[-C capath]
-[-c certfile]
-[-k keyfile]
-[-p pinfile]
-[-P pin]
-[-s serial (hex)]
-[-D serial (decimal)]
-[-S state]
-[-T profile]
-[-O param=value]
-[-N | -R]
-[-t]
-[-o option=value]
-[-v]
+dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL
+[\-d dbdir]
+[\-n nickname]
+[\-i cainfo]
+[\-C capath]
+[\-c certfile]
+[\-k keyfile]
+[\-p pinfile]
+[\-P pin]
+[\-s serial (hex)]
+[\-D serial (decimal)]
+[\-S state]
+[\-T profile]
+[\-O param=value]
+[\-N | \-R]
+[\-t]
+[\-o option=value]
+[\-a]
+[\-u uid]
+[\-U udn]
+[\-W pwd]
+[\-w pwdfile]
+[\-Y pin]
+[\-y pinfile]
 [csrfile]
 
+
 .SH DESCRIPTION
-\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses
+\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses
 to make certificate renewal requests to Dogtag instances running on IPA
 servers.  It is not normally run interactively, but it can be for
 troubleshooting purposes.
 
-The preferred option is to request a renewal of an already-issued certificate,
-using its serial number, which can be read from a PEM-formatted certificate
+The preferred option is to request a renewal of an already\-issued certificate,
+using its serial number, which can be read from a PEM\-formatted certificate
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
 provided, then the client will attempt to obtain a new certificate by
 submitting a signing request to the CA.
 
 The signing request which is to be submitted should either be in a file whose
-name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR
+name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR
 via stdin.
 
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
@@ -46,8 +53,8 @@ CAs.
 
 .SH OPTIONS
 .TP
-\fB\-E\fR EE-URL
-The top-level URL for the end-entity interface provided by the CA.  In IPA
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
+The top\-level URL for the end\-entity interface provided by the CA.  In IPA
 installations, this is typically
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will
 be set to 8080.  Otherwise it will be 9180.
 .TP
-\fB\-A\fR AGENT-URL
-The top-level URL for the agent interface provided by the CA.  In IPA
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
+The top\-level URL for the agent interface provided by the CA.  In IPA
 installations, this is typically
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
 If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the
 if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will
 be set to 8443.  Otherwise it will be 9443.
 .TP
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
-The location of the key and certificate which the client should use to
-authenticate to the CA's agent interface.  Exactly which values are
-meaningful depend on which cryptography library your copy of libcurl was
-linked with.
-
-If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,
-\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is
-used:
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
- \fB-d\fR \fI/etc/httpd/alias\fR
- \fB-n\fR \fIipaCert\fR
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
-.TP
-\fB\-p\fR pinfile
-The name of a file which contains a PIN/password which will be needed in
-order to make use of the agent credentials.
-
-If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,
-\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set
-of defaults is used:
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
- \fB-d\fR \fI/etc/httpd/alias\fR
- \fB-n\fR \fIipaCert\fR
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
-.TP
-\fB\-i\fR cainfo \fB\-C\fR capath
+\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR
 The location of a file containing a copy of the CA's certificate, against which
-the CA server's certificate will be verified, or a directory containing, among
-other things, such a file.
-
-If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,
-\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set
-of defaults is used:
- \fB-i\fR \fI/etc/ipa/ca.crt\fR
- \fB-d\fR \fI/etc/httpd/alias\fR
- \fB-n\fR \fIipaCert\fR
- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
-.TP
-\fB-s\fR serial
-The serial number of an already-issued certificate for which the client should
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
+the CA server's certificate will be verified. The default is
+\fB/etc/ipa/ca.crt\fR.
+.TP
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
+The location of a directory containing a copy of the CA's certificate,
+against which the CA server's certificate will be verified.
+.TP
+\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
+The serial number of an already\-issued certificate for which the client should
+attempt to obtain a new certificate, in hexidecimal form, if one can not be
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
 .TP
-\fB-D\fR serial
-The serial number of an already-issued certificate for which the client should
+\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB
+The serial number of an already\-issued certificate for which the client should
 attempt to obtain a new certificate, in decimal form, if one can not be
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
 .TP
-\fB-S\fR state
+\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR
 A cookie value provided by a previous instance of this helper, if the helper
-is being asked to continue a multi-step enrollment process.  If the
+is being asked to continue a multi\-step enrollment process.  If the
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
 .TP
-\fB-T\fR profile/template
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 The name of the type of certificate which the client should request from the CA
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
 Otherwise, the default value is \fBcaServerCert\fP.
 .TP
-\fB-O\fR param=value
+\fB\-t\fR, \fB\-\-profile\-list\fR
+Instead of attempting to obtain a new certificate, query the server for a list
+of the enabled enrollment profiles.
+.TP
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR
 An additional parameter to pass to the server when approving the signing
-request using the agent's credentials.  By default, any server-supplied default
+request using the agent's credentials.  By default, any server\-supplied default
 settings are applied.  This option can be used either to override a
-server-supplied default setting, or to supply one which would otherwise have
+server\-supplied default setting, or to supply one which would otherwise have
 not been used.
 .TP
-\fB-N\fR
-Even if an already-issued certificate is available in the
+\fB\-N\fR, \fB\-\-force\-new\fR
+Even if an already\-issued certificate is available in the
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
 provided, don't attempt to renew a certificate using its serial number.
 Instead, attempt to obtain a new certificate using the signing request.
 The default behavior is to request a renewal if possible.
 .TP
-\fB-R\fR
-Negates the effect of the \fB-N\fR flag.
-.TP
-\fB-t\fR
-Instead of attempting to obtain a new certificate, query the server for a list
-of the enabled enrollment profiles.
+\fB\-R\fR, \fB\-\-force\-renew\fR
+Negates the effect of the \fB\-N\fR flag.
 .TP
-\fB-o\fR param=value
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
 When initially submitting a request to the CA, add the specified parameter and
 value along with any request parameters which would otherwise be sent.  This
 option is not typically used.
 .TP
-\fB-v\fR
+\fB\-a\fR, \fB\-\-agent\-submit\fR
+Use agent credentials, specified using some combination of the \fB\-d\fR,
+\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
+initially submitting a request to the CA or retrieving the list of enabled
+enrollment profiles.
+This is typically required when the enrollment profile being used uses
+\fIAgentCertAuth\fR\-based
+authentication,
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
+.TP
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
+When initially submitting a request to the CA, supply the specified value as a user name.
+This is typically required when the enrollment profile being used uses
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
+authentication..TP
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
+When initially submitting a request to the CA, supply the specified value as the DN
+(distinguished name) of the user's entry in a directory server which the CA is
+configured to use for checking the user's password.
+This is typically required when the enrollment profile being used uses
+\fIUdnPwdDirAuth\fR\-based
+authentication.
+.TP
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
+When initially submitting a request to the CA, supply the specified value as the password
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
+specified with the \fB\-U\fR option.
+This is typically only required when the enrollment profile being used uses
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
+authentication.
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+will not be encrypted.
+.TP
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
+When initially submitting a request to the CA, read from the specified file a
+password to supply for the user whose name is specified with the \fB\-u\fR
+option, or whose DN is specified with the \fB\-U\fR option.
+This is typically only required when the enrollment profile being used uses
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
+authentication.
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+will not be encrypted.
+.TP
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
+When initially submitting a request to the CA, supply the specified value as the PIN
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
+specified with the \fB\-U\fR option.
+This is typically only required when the enrollment profile being used uses
+\fIUidPwdPinDirAuth\fR\-based
+authentication.
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+will not be encrypted.
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
+When initially submitting a request to the CA, read from the specified file a
+PIN to supply for the user whose name is specified with the \fB\-u\fR
+option, or whose DN is specified with the \fB\-U\fR option.
+This is typically only required when the enrollment profile being used uses
+\fIUidPwdPinDirAuth\fR\-based
+authentication.  If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+will not be encrypted.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
 Increases the logging level.  Use twice for more logging.  This option is mainly
 useful for troubleshooting.
-
+.SH AGENT KEY AND CERTIFICATE OPTIONS
+Options that provide the location for the private key and public certificate
+which the client should use to authenticate to the CA's agent interface.
+The values to use depend on which cryptography library your copy of libcurl
+was linked with.
+.TP
+If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
+ \fB\-i\fR \fI/etc/ipa/ca.crt\fR
+ \fB\-d\fR \fI/etc/httpd/alias\fR
+ \fB\-n\fR \fIipaCert\fR
+ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
+.TP
+\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
+Use an NSS database in the specified directory for this certificate
+and key. Only valid with \-n.
+.TP
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
+Use the NSS key with this nickname. Only valid with \-d.
+.TP
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+The PEM file that contains the public certificate. Only valid with \-k.
+.TP
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
+The PEM file that contains the private certificate. Only valid with \-c.
+.TP
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
+The name of a file which contains a PIN/password which will be needed in
+order to make use of the agent credentials.
+.TP
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
+The name of a file which contains a PIN/password which will be needed in
+order to make use of the agent credentials.
 .SH EXIT STATUS
 .TP
 0
@@ -189,7 +259,7 @@ pair.
 .TP
 .I /etc/ipa/default.conf
 is the IPA client configuration file.  This file is consulted to determine
-the URL for the Dogtag server's end-entity and agent interfaces if they are
+the URL for the Dogtag server's end\-entity and agent interfaces if they are
 not supplied as arguments.
 
 .SH BUGS
@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in
index 19ecab7..e92de67 100644
--- a/src/certmonger-dogtag-submit.8.in
+++ b/src/certmonger-dogtag-submit.8.in
@@ -1,196 +1,214 @@
-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
 
 .SH NAME
-dogtag-submit
+dogtag\-submit
 
 .SH SYNOPSIS
-dogtag-submit -E EE-URL -A AGENT-URL
-[-d dbdir]
-[-n nickname]
-[-i cainfo]
-[-C capath]
-[-c certfile]
-[-k keyfile]
-[-p pinfile]
-[-P pin]
-[-s serial (hex)]
-[-D serial (decimal)]
-[-S state]
-[-T profile]
-[-O param=value]
-[-N | -R]
-[-t]
-[-o option=value]
-[-a ]
-[-u username]
-[-U userdn]
-[-W userpassword]
-[-w userpasswordfile]
-[-Y userpin]
-[-y userpinfile]
-[-v]
+dogtag\-submit \-E EE\-URL \-A AGENT\-URL
+[\-d DIR]
+[\-n NAME]
+[\-i FILE]
+[\-C DIR]
+[\-c FILE]
+[\-k FILE]
+[\-p FILE]
+[\-P PIN]
+[\-s serial (hex)]
+[\-D serial (decimal)]
+[\-S state]
+[\-T profile]
+[\-O param=value]
+[\-N | \-R]
+[\-t]
+[\-o option=value]
+[\-a]
+[\-u username]
+[\-U userdn]
+[\-W PASSWORD]
+[\-w FILE]
+[\-Y PIN]
+[\-y FILE]
+[\-v]
 [csrfile]
 
 .SH DESCRIPTION
-\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make
+\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make
 certificate enrollment and renewal requests to Dogtag servers.  It is not
 normally run interactively, but it can be for troubleshooting purposes.
 
-The preferred option is to request a renewal of an already-issued certificate,
-using its serial number, which can be read from a PEM-formatted certificate
+The preferred option is to request a renewal of an already\-issued certificate,
+using its serial number, which can be read from a PEM\-formatted certificate
 provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
-\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
 provided, then the client will attempt to obtain a new certificate by
 submitting a signing request to the CA.
 
 The signing request which is to be submitted should either be in a file whose
-name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.
+name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.
 
 \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
 CAs.
 
 .SH OPTIONS
 .TP
-\fB\-E\fR EE-URL
-The top-level URL for the end-entity interface provided by the CA, through
+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
+The top\-level URL for the end\-entity interface provided by the CA, through
 which the initial enrollment request will be submitted.  This is typically
 \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
 .TP
-\fB\-A\fR AGENT-URL
-The top-level URL for the agent interface provided by the CA, through which the
+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
+The top\-level URL for the agent interface provided by the CA, through which the
 request can be approved using agent credentials.  This is typically
 \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
 .TP
-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
-The location of the key and certificate which the client should use to
-authenticate to the CA's agent interface.  Exactly which values are
-meaningful depend on which cryptography library your copy of libcurl was
-linked with.
-.TP
-\fB\-p\fR pinfile
-The name of a file which contains a PIN/password which will be needed in
-order to make use of the agent credentials.
-.TP
-\fB\-i\fR cainfo \fB\-C\fR capath
+\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
 The location of a file containing a copy of the CA's certificate, against which
-the CA server's certificate will be verified, or a directory containing, among
-other things, such a file.
+the CA server's certificate will be verified.
 .TP
-\fB-s\fR serial
-The serial number of an already-issued certificate for which the client should
-attempt to obtain a new certificate, in hexadecimal form, if one can not be
-read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
+The location of a directory containing a copy of the CA's certificate(s),
+against which the CA server's certificate will be verified.
 .TP
-\fB-D\fR serial
-The serial number of an already-issued certificate for which the client should
+\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR
+The serial number of an already\-issued certificate for which the client should
 attempt to obtain a new certificate, in decimal form, if one can not be
 read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
 .TP
-\fB-S\fR state
+\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR
+The serial number of an already\-issued certificate for which the client should
+attempt to obtain a new certificate, in hexadecimal form, if one can not be
+read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
+.TP
+\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR
 A cookie value provided by a previous instance of this helper, if the helper
-is being asked to continue a multi-step enrollment process.  If the
+is being asked to continue a multi\-step enrollment process.  If the
 \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
 .TP
-\fB-T\fR profile/template
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 The name of the type of certificate which the client should request from the CA
-if it is not renewing a certificate (per the \fB-s\fR option above).  If the
+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
 \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
 Otherwise, the default value is \fBcaServerCert\fP.
 .TP
-\fB-O\fR param=value
+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR
 An additional parameter to pass to the server when approving the signing
-request using agent credentials.  By default, any server-supplied default
+request using agent credentials.  By default, any server\-supplied default
 settings are applied.  This option can be used either to override a
-server-supplied default setting, or to supply one which would otherwise have
-not been used.  Requires the \fB-A\fR option.
+server\-supplied default setting, or to supply one which would otherwise have
+not been used.  Requires the \fB\-A\fR option.
 .TP
-\fB-N\fR
-Even if an already-issued certificate is available in the
+\fB\-N\fR, \fB\-\-force\-new\fR
+Even if an already\-issued certificate is available in the
 \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
 provided, don't attempt to renew a certificate using its serial number.
 Instead, attempt to obtain a new certificate using the signing request.
 The default behavior is to request a renewal if possible.
 .TP
-\fB-R\fR
-Negates the effect of the \fB-N\fR flag.
+\fB\-R\fR, \fB\-\-force\-renew\fR
+Negates the effect of the \fB\-N\fR flag.
 .TP
-\fB-t\fR
+\fB\-t\fR, \fB\-\-profile\-list\fR
 Instead of attempting to obtain a new certificate, query the server for a list
 of the enabled enrollment profiles.
 .TP
-\fB-o\fR param=value
+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
 When initially submitting a request to the CA, add the specified parameter and
 value along with any request parameters which would otherwise be sent.
 .TP
-\fB-a\fR
+\fB\-a\fR, \fB\-\-agent\-submit\fR
 Use agent credentials, specified using some combination of the \fB\-d\fR,
 \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
 initially submitting a request to the CA or retrieving the list of enabled
 enrollment profiles.
 This is typically required when the enrollment profile being used uses
-\fIAgentCertAuth\fR-based
+\fIAgentCertAuth\fR\-based
 authentication,
-and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,
-or when the URL specified using the \fB-E\fR flag is an HTTPS URL.
+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
 .TP
-\fB-u username\fR
+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
 When initially submitting a request to the CA, supply the specified value as a user name.
 This is typically required when the enrollment profile being used uses
-\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based
+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
 authentication.
 .TP
-\fB-U userdn\fR
+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
 When initially submitting a request to the CA, supply the specified value as the DN
 (distinguished name) of the user's entry in a directory server which the CA is
 configured to use for checking the user's password.
 This is typically required when the enrollment profile being used uses
-\fIUdnPwdDirAuth\fR-based
+\fIUdnPwdDirAuth\fR\-based
 authentication.
 .TP
-\fB-W userpassword\fR
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
 When initially submitting a request to the CA, supply the specified value as the password
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
-specified with the \fB-U\fR option.
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
+specified with the \fB\-U\fR option.
 This is typically only required when the enrollment profile being used uses
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
 authentication.
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
 will not be encrypted.
 .TP
-\fB-w userpasswordfile\fR
+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
 When initially submitting a request to the CA, read from the specified file a
-password to supply for the user whose name is specified with the \fB-u\fR
-option, or whose DN is specified with the \fB-U\fR option.
+password to supply for the user whose name is specified with the \fB\-u\fR
+option, or whose DN is specified with the \fB\-U\fR option.
 This is typically only required when the enrollment profile being used uses
-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
 authentication.
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
 will not be encrypted.
 .TP
-\fB-Y userpin\fR
+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
 When initially submitting a request to the CA, supply the specified value as the PIN
-for the user whose name is specified with the \fB-u\fR option, or whose DN is
-specified with the \fB-U\fR option.
+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
+specified with the \fB\-U\fR option.
 This is typically only required when the enrollment profile being used uses
-\fIUidPwdPinDirAuth\fR-based
+\fIUidPwdPinDirAuth\fR\-based
 authentication.
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
 will not be encrypted.
 .TP
-\fB-y userpinfile\fR
+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
 When initially submitting a request to the CA, read from the specified file a
-PIN to supply for the user whose name is specified with the \fB-u\fR
-option, or whose DN is specified with the \fB-U\fR option.
+PIN to supply for the user whose name is specified with the \fB\-u\fR
+option, or whose DN is specified with the \fB\-U\fR option.
 This is typically only required when the enrollment profile being used uses
-\fIUidPwdPinDirAuth\fR-based
+\fIUidPwdPinDirAuth\fR\-based
 authentication.
-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
 will not be encrypted.
 .TP
-\fB-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Increases the logging level.  Use twice for more logging.  This option is mainly
 useful for troubleshooting.
-
+.SH AGENT KEY AND CERTIFICATE OPTIONS
+Options that provide the location for the private key and public certificate
+which the client should use to authenticate to the CA's agent interface.
+The values to use depend on which cryptography library your copy of libcurl
+was linked with.
+.TP
+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
+Use an NSS database in the specified directory for this certificate
+and key. Only valid with \-n.
+.TP
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
+Use the NSS key with this nickname. Only valid with \-d.
+.TP
+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+The PEM file that contains the public certificate. Only valid with \-k.
+.TP
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
+The PEM file that contains the private certificate. Only valid with \-c.
+.TP
+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
+The name of a file which contains a PIN/password which will be needed in
+order to make use of the agent credentials.
+.TP
+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
+The name of a file which contains a PIN/password which will be needed in
+order to make use of the agent credentials.
 .SH EXIT STATUS
 .TP
 0
@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
index 7915142..0e1c90f 100644
--- a/src/certmonger-ipa-submit.8.in
+++ b/src/certmonger-ipa-submit.8.in
@@ -1,21 +1,23 @@
-.TH certmonger 8 "16 April 2015" "certmonger Manual"
+.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"
 
 .SH NAME
-ipa-submit
+ipa\-submit
 
 .SH SYNOPSIS
-ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
-[[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]
+ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]
+[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]
+[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]
+[\-X issuer] [csrfile]
 
 .SH DESCRIPTION
-\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make
-requests to IPA-based CAs.  It is not normally run interactively,
+\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make
+requests to IPA\-based CAs.  It is not normally run interactively,
 but it can be for troubleshooting purposes.  The signing request which is
 to be submitted should either be in a file whose name is given as an argument,
-or fed into \fIipa-submit\fR via stdin.
+or fed into \fIipa\-submit\fR via stdin.
 
 \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
 specifying where those certificates should be stored on the local system.
 Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of
 entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the
 
 .SH OPTIONS
 .TP
-\fB\-P\fR csrPrincipal
+\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR
 Identifies the principal name of the service for which the certificate is being
 issued.  This setting is required by IPA and must always be specified.
 .TP
-\fB\-X\fR issuer
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR
 Requests that the certificate be processed by the specified certificate issuer.
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
 variable is set in the environment, then the value of the environment variable
 will be used.  This setting is optional, and if a server returns error 3005,
 indicating that it does not understand multiple profiles, the request will be
-re-submitted without specifying an issuer name.
+re\-submitted without specifying an issuer name.
 .TP
-\fB\-T\fR profile
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 Requests that the certificate be processed using the specified certificate profile.
 By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
 variable is set in the environment, then the value of the environment variable
 will be used.  This setting is optional, and if a server returns error 3005,
 indicating that it does not understand multiple profiles, the request will be
-re-submitted without specifying a profile.
+re\-submitted without specifying a profile.
 .TP
-\fB\-h\fR serverHost
+\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR
 Submit the request to the IPA server running on the named host.  The default is
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
 If no server is configured, or the configured server cannot be reached, the
@@ -53,7 +55,7 @@ domain.  If servers are found, they will be searched for entries pointing to
 IPA masters running the "CA" service, and the client will attempt to contact
 each of those in turn.
 .TP
-\fB\-H\fR serverURL
+\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR
 Submit the request to the IPA server at the specified location.  The default is
 to read the location of the host from \fB/etc/ipa/default.conf\fR.
 If no server is configured, or the configured server cannot be reached, the
@@ -62,49 +64,64 @@ domain.  If servers are found, they will be searched for entries pointing to
 IPA masters running the "CA" service, and the client will attempt to contact
 each of those in turn.
 .TP
-\fB\-c\fR cafile
+\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR
+Provide the IPA LDAP service location rather than using DNS discovery.
+The default is to read the location of the host from
+\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of
+_ldap._tcp.DOMAIN values and pick one for use.
+.TP
+\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
+Use this domain when doing DNS discovery to locate LDAP servers for the IPA
+installation. The default is to read the location of the host from
+\fB/etc/ipa/default.conf\fR.
+.TP
+\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR
+Use this basedn to search for an IPA installation in LDAP. The default is to
+read the location of the host from \fB/etc/ipa/default.conf\fR.
+.TP
+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
 The server's certificate was issued by the CA whose certificate is in the named
 file.  The default value is \fI/etc/ipa/ca.crt\fR.
 .TP
-\fB\-C\fR capath
+\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR
 Trust the server if its certificate was issued by a CA whose certificate is in
 a file in the named directory.  There is no default for this option, and it
 is not expected to be necessary.
 .TP
-\fB\-t\fR keytab
+\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR
 Authenticate to the IPA server using Kerberos with credentials derived from
 keys stored in the named keytab.  The default value can vary, but it is usually
 \fI/etc/krb5.keytab\fR.
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
 options.
 .TP
-\fB\-k\fR authPrincipal
+\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR
 Authenticate to the IPA server using Kerberos with credentials derived from
 keys stored in the named keytab for this principal name.  The default value is
 the \fBhost\fR service for the local host in the local realm.
-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
 options.
 .TP
-\fB\-K\fR
+\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR
 Authenticate to the IPA server using Kerberos with credentials derived from the
 default credential cache rather than a keytab.
-This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
+This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
 options.
 .TP
-\fB\-u\fR uid
+\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR
 Authenticate to the IPA server using a user name and password, using the
 specified value as the user name.
-This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.
 .TP
-\fB\-W\fR pwd
+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR
 Authenticate to the IPA server using a user name and password, using the
 specified value as the password.
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.
 .TP
-\fB\-w\fR pwdfile
+\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR
 Authenticate to the IPA server using a user name and password, reading the
 password from the specified file.
-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.
+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.
 
 .SH EXIT STATUS
 .TP
@@ -131,7 +148,7 @@ pair.
 .TP
 .I /etc/ipa/default.conf
 is the IPA client configuration file.  This file is consulted to determine
-the URL for the IPA server's XML-RPC interface.
+the URL for the IPA server's XML\-RPC interface.
 
 .SH BUGS
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in
index 59ed245..b68ffc3 100644
--- a/src/certmonger-local-submit.8.in
+++ b/src/certmonger-local-submit.8.in
@@ -1,35 +1,35 @@
-.TH certmonger 8 "7 June 2014" "certmonger Manual"
+.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"
 
 .SH NAME
-local-submit
+local\-submit
 
 .SH SYNOPSIS
-local-submit [-d state-directory] [-v] [csrfile]
+local\-submit [\-d state\-directory] [\-v] [csrfile]
 
 .SH DESCRIPTION
-\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement
+\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement
 its local signer.  It is not normally run interactively, but it can be for
 troubleshooting purposes.  The signing request which is to be submitted
 should either be in a file whose name is given as an argument, or fed into
-\fIlocal-submit\fR via stdin.
+\fIlocal\-submit\fR via stdin.
 
-The local signer is currently hard-coded to generate and use a
-@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based
+The local signer is currently hard\-coded to generate and use a
+@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based
 on a UUID, replacing that key and certificate at roughly the midpoint of their
 useful lifetime.
 
-\fBcertmonger\fR supports retrieving the list of current and previously-used
-local CA certificates.  See \fBgetcert-request\fR(1) and
-\fBgetcert-resubmit\fR(1) for information about specifying where those
+\fBcertmonger\fR supports retrieving the list of current and previously\-used
+local CA certificates.  See \fBgetcert\-request\fR(1) and
+\fBgetcert\-resubmit\fR(1) for information about specifying where those
 certificates should be stored.
 
 .SH OPTIONS
 .TP
-\fB\-d\fR state-directory
+\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR
 Identifies the directory which contains the local signer's private key,
 certificates, and other data used by the local signer.
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Increases the verbosity of the tool's diagnostic logging.
 
 .SH EXIT STATUS
@@ -47,7 +47,7 @@ if critical configuration information is missing.  An error message may be print
 .TP
 .I creds
 is currently a PKCS#12 bundle containing the local signer's current signing key
-and current and previously-used signer certificates.  It should not be modified
+and current and previously\-used signer certificates.  It should not be modified
 except by the local signer.  A new key is currently generated when ever a new
 signer certificate is needed.
 .TP
@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
index 42ffcd6..5b8b917 100644
--- a/src/certmonger-scep-submit.8.in
+++ b/src/certmonger-scep-submit.8.in
@@ -1,98 +1,98 @@
-.TH certmonger 8 "20 June 2015" "certmonger Manual"
+.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual"
 
 .SH NAME
-scep-submit
+scep\-submit
 
 .SH SYNOPSIS
-scep-submit -u SERVER-URL
-[-r ra-cert-file]
-[-R ca-cert-file]
-[-I other-certs-file]
-[-N ca-cert-file]
-[-i ca-identifier]
-[-v]
-[-n]
-[-c|-C|-g|-p]
-[pkimessage-filename]
+scep\-submit \-u SERVER\-URL
+[\-r ra\-cert\-file]
+[\-R ca\-cert\-file]
+[\-I other\-certs\-file]
+[\-N ca\-cert\-file]
+[\-i ca\-identifier]
+[\-v]
+[\-n]
+[\-c|\-C|\-g|\-p]
+[pkimessage\-filename]
 
 .SH DESCRIPTION
-\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to
+\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to
 transmit certificate enrollment and renewal requests to servers using
 SCEP.  It is not normally run interactively, but it can be for
 troubleshooting purposes.
 
-The request which is to be submitted should be a PEM-encoded SCEP
+The request which is to be submitted should be a PEM\-encoded SCEP
 pkiMessage either in a file whose name is given as an argument, or fed
-into \fIscep-submit\fR via stdin.
+into \fIscep\-submit\fR via stdin.
 
 .SH MODES
 .TP
-\fB\-c\fR
+\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR
 \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and
 print the results.
 .TP
-\fB\-C\fR
-\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR
-requests to the server, parse the responses, and then print, in order,
+\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR
+\fIscep-submit\fR will issue a \fIGetCACert\fR
+request to the server, parse the response, and then print, in order,
 the RA certificate, the CA certificate, and any additional certificates.
 .TP
-\fB\-p\fR
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
-using the passed-in message as the message content.  It will parse the
+\fB\-p\fR, \fB\-\-pki\-message\fR
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
+using the passed\-in message as the message content.  It will parse the
 server's response, verify the signature, and if the response includes an
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
 format.  If the response indicates an error, it will print the error.
 .TP
-\fB\-g\fR
-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
-using the passed-in message as the message content.  It will parse the
+\fB\-g\fR, \fB\-\-get\-initial\-cert\fR
+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
+using the passed\-in message as the message content.  It will parse the
 server's response, verify the signature, and if the response includes an
 issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
 format.  If the response indicates an error, it will print the error.
 .SH OPTIONS
 .TP
-\fB\-u\fR SERVER-URL
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
 The location of the SCEP interface provided by the CA.  This is
-typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
+typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or
 \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR.  This option is
 always required.
 .TP
-\fB\-R\fR CA-certificate-file
+\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR
 The location of the CA certificate which was used to issue the SCEP web
 server's certificate in PEM form. If the URL specified with the
-\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
+\fB\-u\fR option is an \fIhttps\fR URL, then this option is required.
 .TP
-\fB\-N\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
 A discovered value is normally supplied by the certmonger daemon, but one can
 be specified for troubleshooting purposes.
 .TP
-\fB\-r\fR RA-certificate-file
+\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR
 The location of the SCEP server's RA certificate, which is expected to
 be used for signing responses sent by the SCEP server back to the
-client.  This option is required when either the \fB-g\fR flag or the
-\fB-p\fR flag is specified.
+client.  This option is required when either the \fB\-g\fR flag or the
+\fB\-p\fR flag is specified.
 .TP
-\fB\-I\fR other-certificates-file
-The location of a file containing other PEM-formatted certificates which
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
+The location of a file containing other PEM\-formatted certificates which
 may be needed in order to properly verify signed responses sent by the
 SCEP server back to the client.  This option may be necessary when
-either the \fB-g\fR flag or the \fB-p\fR flag is specified.
+either the \fB\-g\fR flag or the \fB\-p\fR flag is specified.
 .TP
-\fB\-i\fR ca-identifier
-When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
+\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR
+When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to
 specify the CA identifier which is passed to the server as part of the client's
 request.  The default is "0".
 .TP
-\fB\-n\fR
-The SCEP Renewal feature allows a client with a previously-issued certificate
+\fB\-n\fR, \fB\-\-non\-renewal\fR
+The SCEP Renewal feature allows a client with a previously\-issued certificate
 to use that certificate and the associated private key to request a new
 certificate for a different key pair, and can be used to support
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
-it.  This option forces the \fIscep-submit\fR helper to prefer to issue
+it.  This option forces the \fIscep\-submit\fR helper to prefer to issue
 requests which do not make use of this feature.
 .TP
-\fB-v\fR
+\fB-v\fR, \fB\-\-verbose\fR
 Increases the logging level.  Use twice for more logging.  This option
 is mainly useful for troubleshooting.
 
@@ -100,7 +100,7 @@ is mainly useful for troubleshooting.
 .TP
 0
 if the certificate was issued. The pkcsPKIEnvelope will be printed in
-PEM-encoded form.
+PEM\-encoded form.
 .TP
 1
 if the CA is still thinking.  A cookie (state) value will be printed.
@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger.8.in b/src/certmonger.8.in
index 8c00d5a..a726e3b 100644
--- a/src/certmonger.8.in
+++ b/src/certmonger.8.in
@@ -1,14 +1,14 @@
-.TH certmonger 8 "14 June 2015" "certmonger Manual"
+.TH CERTMONGER 8 "June 14, 2015" "certmonger Manual"
 
 .SH NAME
 certmonger
 
 .SH SYNOPSIS
-certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v]
+certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v]
 
 .SH DESCRIPTION
 The \fIcertmonger\fR daemon monitors certificates for impending
-expiration, and can optionally refresh soon-to-be-expired certificates
+expiration, and can optionally refresh soon\-to\-be\-expired certificates
 with the help of a CA.  If told to, it can drive the entire enrollment
 process from key generation through enrollment and refresh.
 
@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact.
 
 .SH OPTIONS
 .TP
--s
+\fB\-s\fR, \fB\-\-session\fR
 Listen on the session bus rather than the system bus.
 .TP
--S
+\fB\-S\fR, \fB\-\-system\fR
 Listen on the system bus rather than the session bus.  This is the default.
 .TP
--l
+\fB\-l\fR, \fB\-\-listening\-socket\fR
 Also listen on a private socket for connections from clients running under the
 same UID.
 .TP
--L
+\fB\-L\fR, \fB\-\-only\-listening\-socket\fR
 Listen only on a private socket for connections from clients running under the
 same UID, and skip connecting to a bus.
 .TP
--P
+\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR
 Specify a location for the private listening socket.  If the location beings
 with a '/' character, it will be prefixed with 'unix:path=', otherwise it will
 be prefixed with 'unix:'.  If this option is not specified, the listening
 socket, if one is created, will be placed in the abstract namespace.
 .TP
--b TIMEOUT
-Behave as a bus-activated service: if there are no certificates to be monitored
+\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR
+Behave as a bus\-activated service: if there are no certificates to be monitored
 or obtained, and no requests are received within TIMEOUT seconds, exit.  Not
-compatible with the -c option.
+compatible with the \-c option.
 .TP
--B
-Don't behave as a bus-activated service.  This is the default.
+\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR
+Don't behave as a bus\-activated service.  This is the default.
 .TP
--n
+\fB\-n\fR, \fB\-\-nofork\fR
 Don't fork, and log messages to stderr rather than syslog.
 .TP
--f
+\fB\-f\fR, \fB\-\-fork\fR
 Do fork, and log messages to syslog rather than stderr.  This is the default.
 .TP
--d LEVEL
-Set debugging level.  Higher values produce more debugging output.  Implies -n.
+\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR
+Set debugging level.  Higher values produce more debugging output.  Implies \-n.
 .TP
--p FILE
+\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR
 Store the daemon's process ID in the named file.
 .TP
--F
+\fB\-F\fR, \fB\-\-fips\fR
 Force NSS to be initialized in FIPS mode.  The default behavior is to heed
 the setting stored in \fI/proc/sys/crypto/fips_enabled\fR.
 .TP
--c cmd
+\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
 After the service has initialized, run the specified command, then shut down
-the service after the command exits.  If the -l or -L option was also
+the service after the command exits.  If the \-l or \-L option was also
 specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR
 environment variable set to the listening socket's location.  Not compatible
-with the -b option.
+with the \-b option.
 .TP
--v
+\fB\-v\fR, \fB\-\-version\fR
 Print version information and exit.
 
 .SH FILES
@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 
 .SH SEE ALSO
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 241f48b..80de748 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -1,18 +1,18 @@
-.TH certmonger.conf 5 "12 May 2015" "certmonger Manual"
+.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"
 
 .SH NAME
-certmonger.conf - configuration file for certmonger
+certmonger.conf \- configuration file for certmonger
 
 .SH DESCRIPTION
 The \fIcertmonger.conf\fR file contains default settings used by certmonger.
-Its format is more or less that of a typical INI-style file.  The only sections
+Its format is more or less that of a typical INI\-style file.  The only sections
 currently of note are named \fIdefaults\fR and \fIselfsign\fR.
 
 .SH DEFAULTS
 Within the \fIdefaults\fR section, these variables and values are recognized:
 
 .IP notify_ttls
-This is the list of times, given in seconds, before a certificate's not-after
+This is the list of times, given in seconds, before a certificate's not\-after
 validity date
 (often referred to as its expiration time) when \fIcertmonger\fR should warn
 that the certificate will soon no longer be valid.
@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value
 of the \fIttls\fR setting.  The default list of values is "@CM_DEFAULT_TTL_LIST@".
 
 .IP enroll_ttls
-This is the list of times, given in seconds, before a certificate's not-after
+This is the list of times, given in seconds, before a certificate's not\-after
 validity date
 (often referred to as its expiration time) when \fIcertmonger\fR should attempt
 to automatically renew the certificate, if it is configured to do so.
@@ -43,7 +43,7 @@ an email address, or it can be a command to run.  The default value is
 
 .IP key_type
 This is the type of key pair which will be generated, used in certificate
-signing requests, and used when self-signing certificates.
+signing requests, and used when self\-signing certificates.
 @NO_MAN_DSA@\fIRSA\fR is supported.
 @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported.
 @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported.
@@ -58,7 +58,7 @@ software.
 
 .IP digest
 This is the digest algorithm which will be used when signing certificate
-signing requests and self-signed certificates.  Recognized values include
+signing requests and self\-signed certificates.  Recognized values include
 \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP.  The default is
 \fIsha256\fP.  It is not recommended that this value be changed except in cases
 where the default is incompatible with other software.
@@ -95,14 +95,14 @@ There is effectively no default for this setting.
 Within the \fIselfsign\fR section, these variables and values are recognized:
 
 .IP validity_period
-This is the validity period given to self-signed certificates.
+This is the validity period given to self\-signed certificates.
 The value is specified as a combination of years (y), months (M), weeks (w),
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
 specified, seconds are assumed.
 The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
 
 .IP populate_unique_id
-This controls whether or not self-signed certificates will have their
+This controls whether or not self\-signed certificates will have their
 subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits
 their use, they may be needed and/or used by older applications.  The default
 value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
 Within the \fIlocal\fR section, these variables and values are recognized:
 
 .IP validity_period
-This is the validity period given to the locally-signed CA's certificate when it
+This is the validity period given to the locally\-signed CA's certificate when it
 is generated.
 The value is specified as a combination of years (y), months (M), weeks (w),
 days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in
index 31b3b93..54f55f5 100644
--- a/src/getcert-add-ca.1.in
+++ b/src/getcert-add-ca.1.in
@@ -1,10 +1,10 @@
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert add-ca [options]
+getcert add\-ca [options]
 
 .SH DESCRIPTION
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be
@@ -12,17 +12,17 @@ used to enroll certificates.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 The nickname to give to this CA configuration.  This same value can later be
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
 .TP
-\fB\-e\fR COMMAND
+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
 The helper command to run for communicating with the CA.  The helper will be
 used to pass signing requests to the CA, relay the CA's responses back to the
 \fIcertmonger\fR service, and to read information about the CA.
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
 
@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index bf07306..c2751ed 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -1,64 +1,64 @@
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert add-scep-ca [options]
+getcert add\-scep\-ca [options]
 
 .SH DESCRIPTION
 Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to
-enroll certificates.  The configuration will use the bundled \fIscep-submit\fR
-helper.  The \fIadd-scep-ca\fR command is more or less a wrapper for the
-\fIadd-ca\fR command.
+enroll certificates.  The configuration will use the bundled \fIscep\-submit\fR
+helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
+\fIadd\-ca\fR command.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 The nickname to give to this CA configuration.  This same value can later be
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
-\fIstart-tracking\fR commands using the \fB-c\fR flag.
+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
 .TP
-\fB\-u\fR URL
+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
 The location of the SCEP server's enrollment interface.  This option must be
 specified.
 .TP
-\fB\-R\fR ca-certificate-file
-The location of a PEM-formatted copy of the CA's certificate used to verify
+\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR
+The location of a PEM\-formatted copy of the CA's certificate used to verify
 the TLS connection the SCEP server.
 
 This option must be specified if the URL is an \fIhttps\fR location.
 .TP
-\fB\-N\fR ca-certificate-file
-The location of a PEM-formatted copy of the SCEP server's CA certificate.
+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
 A discovered value is normally supplied by the certmonger daemon, but one can
 be specified for troubleshooting purposes.
 .TP
-\fB\-r\fR ra-certificate-file
-The location of a PEM-formatted copy of the SCEP server's RA's certificate.
+\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR
+The location of a PEM\-formatted copy of the SCEP server's RA's certificate.
 A discovered value is normally supplied by the certmonger daemon, but one can
 be specified for troubleshooting purposes.
 .TP
-\fB\-I\fR other-certificates-file
-The location of a file containing other PEM-formatted certificates which may be
+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
+The location of a file containing other PEM\-formatted certificates which may be
 needed in order to properly verify signed responses sent by the SCEP server
 back to the client.  A discovered set is normally supplied by the certmonger
 daemon, but can be specified for troubleshooting purposes.
 .TP
-\fB\-i\fR identifier
+\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR
 A CA identifier value which will passed to the server when the
-\fIscep-submit\fR helper is used to retrieve copies of the server's
+\fIscep\-submit\fR helper is used to retrieve copies of the server's
 certificates.
 .TP
-\fB\-n\fR
-The SCEP Renewal feature allows a client with a previously-issued certificate
+\fB\-n\fR, \fB\-\-non\-renewal\fR
+The SCEP Renewal feature allows a client with a previously\-issued certificate
 to use that certificate and the associated private key to request a new
 certificate for a different key pair, and can be used to support
 \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
-it.  This option forces the \fIscep-submit\fR helper to issue requests without
+it.  This option forces the \fIscep\-submit\fR helper to issue requests without
 making use of this feature.
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
 
@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in
index 7f250e5..ff4e14f 100644
--- a/src/getcert-list-cas.1.in
+++ b/src/getcert-list-cas.1.in
@@ -1,17 +1,17 @@
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert list-cas [options]
+getcert list\-cas [options]
 
 .SH DESCRIPTION
 Queries \fIcertmonger\fR for a list of known CAs.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 List only information about the CA which has the specified nickname.
 
 .SH BUGS
@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-list.1.in b/src/getcert-list.1.in
index eded28a..9bf4826 100644
--- a/src/getcert-list.1.in
+++ b/src/getcert-list.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "28 June 2016" "certmonger Manual"
+.TH CERTMONGER 1 "June 28, 2016" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -12,35 +12,35 @@ monitoring or attempting to obtain.
 
 .SH ENROLLMENT OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 List only entries which use the specified CA.  The name of the CA should
-correspond to one listed by \fIgetcert list-cas\fR.
+correspond to one listed by \fIgetcert list\-cas\fR.
 
 .SH LISTING OPTIONS
 .TP
-\fB\-r\fR
+\fB\-r\fR, \fB\-\-requests\-only\fR
 List only entries which are either currently being enrolled or refreshed.
 .TP
-\fB\-t\fR
+\fB\-t\fR, \fB\-\-tracking\-only\fR
 List only entries which are not currently being enrolled or refreshed.
 .TP
-\fB\-u\fR|\fB--utc\fR
+\fB\-u\fR, \fB\-\-utc\fR
 Display timestamps in UTC instead of local time.
 
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
 List only entries which use an NSS database in the specified directory
 for storing the certificate.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
 List only tracking requests which use an NSS database and the specified
 nickname for storing the certificate.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 List only tracking requests which specify that the certificate should be
 stored in the specified file.
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 List only tracking requests which use this request nickname.
 
 .SH STATES
@@ -53,11 +53,11 @@ The service is currently generating a new key pair.
 .TP
 NEED_KEY_GEN_PERMS
 The service encountered a filesystem permission error while attempting
-to save the newly-generated key pair.
+to save the newly\-generated key pair.
 .TP
 NEED_KEY_GEN_PIN
 The service is missing the PIN which is required to access an NSS
-database in order to save the newly-generated key pair, or it has an
+database in order to save the newly\-generated key pair, or it has an
 incorrect PIN for a database.
 .TP
 NEED_KEY_GEN_TOKEN
@@ -75,7 +75,7 @@ The service is currently reading information about the key pair.
 .TP
 NEED_KEYINFO_READ_PIN
 The service is missing the PIN which is required to access an NSS
-database in order to read information about the newly-generated key pair, or
+database in order to read information about the newly\-generated key pair, or
 it has an incorrect PIN for a database, or has an incorrect password for
 accessing a key stored in encrypted PEM format.
 .TP
@@ -161,8 +161,8 @@ The CA approved the signing request, and the service is about to save the
 issued certificate to the location where it has been told to save it.
 .TP
 PRE_SAVE_CERT
-The service is running a configured pre-saving command before saving the
-newly-issued certificate to the location where it has been told to save
+The service is running a configured pre\-saving command before saving the
+newly\-issued certificate to the location where it has been told to save
 it.
 .TP
 START_SAVING_CERT
@@ -175,16 +175,16 @@ where it has been told to save it.
 .TP
 NEED_CERTSAVE_PERMS
 The service encountered a filesystem permission error while attempting
-to save the newly-issued certificate to the location where it has been
+to save the newly\-issued certificate to the location where it has been
 told to save it.
 .TP
 NEED_CERTSAVE_TOKEN
-The service is unable to find the token in which the newly-issued
+The service is unable to find the token in which the newly\-issued
 certificate is to be stored.
 .TP
 NEED_CERTSAVE_PIN
 The service is missing the PIN which is required to access an NSS
-database in order to save the newly-issued certificate to the location
+database in order to save the newly\-issued certificate to the location
 where it has been told to save it.
 .TP
 NEED_TO_SAVE_CA_CERTS
@@ -231,22 +231,22 @@ issuer's certificate to the locations where it has been told to save
 them.
 .TP
 POST_SAVED_CERT
-The service is running a configured post-saving command after saving the
-newly-issued certificate to the location where it has been told to save
+The service is running a configured post\-saving command after saving the
+newly\-issued certificate to the location where it has been told to save
 them.
 .TP
 MONITORING
 The service is monitoring the certificate and waiting for its
-not-valid-after date to approach.  This is expected to be the status
+not\-valid\-after date to approach.  This is expected to be the status
 most often seen.
 .TP
 NEED_TO_NOTIFY_VALIDITY
 The service is about to notify the system administrator that the
-certificate's not-valid-after date is approaching.
+certificate's not\-valid\-after date is approaching.
 .TP
 NOTIFYING_VALIDITY
 The service is notifying the system administrator that the certificate's
-not-valid-after date is approaching.
+not\-valid\-after date is approaching.
 .TP
 NEED_TO_NOTIFY_REJECTION
 The service is about to notify the system administrator that the
@@ -350,23 +350,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-modify-ca.1.in b/src/getcert-modify-ca.1.in
index 36677c5..90bc621 100644
--- a/src/getcert-modify-ca.1.in
+++ b/src/getcert-modify-ca.1.in
@@ -1,23 +1,23 @@
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert modify-ca [options]
+getcert modify\-ca [options]
 
 .SH DESCRIPTION
 Modifies the helper command in a \fIcertmonger\fR CA configuration.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 The nickname of the CA configuration to modify.
 .TP
-\fB\-e\fR COMMAND
+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
 The new helper command to run for communicating with the CA.
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
 
@@ -27,22 +27,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-refresh-ca.1.in b/src/getcert-refresh-ca.1.in
index 2662adc..86318e7 100644
--- a/src/getcert-refresh-ca.1.in
+++ b/src/getcert-refresh-ca.1.in
@@ -1,21 +1,21 @@
-.TH certmonger 1 "29 May 2014" "certmonger Manual"
+.TH CERTMONGER 1 "May 29, 2014" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert refresh-ca [options]
+getcert refresh\-ca [options]
 
 .SH DESCRIPTION
 Forces \fIcertmonger\fR to refresh information specific to a CA, such as
-locally-stored copies of its certificates.
+locally\-stored copies of its certificates.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 Refresh information about the CA which has the specified nickname.
 .TP
-\fB\-a\fR
+\fB\-a\fR, \fB\-\-all\fR
 Refresh information about all known CAs.
 
 .SH BUGS
@@ -24,24 +24,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-refresh.1.in b/src/getcert-refresh.1.in
index 660c2ec..79028c1 100644
--- a/src/getcert-refresh.1.in
+++ b/src/getcert-refresh.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "21 July 2014" "certmonger Manual"
+.TH CERTMONGER 1 "July 24, 2014" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -13,7 +13,7 @@ waiting for the CA.
 
 .SH SPECIFYING REQUESTS BY NICKNAME
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Check on the status of the signing request which has this nickname.
 If this option is not specified, and a tracking entry which matches the
 certificate storage options which are specified already exists, that entry
@@ -23,24 +23,24 @@ with the \fB\-f\fR option.
 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
 The certificate is in the NSS database in the specified directory.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
 The certificate in the NSS database named with \fB\-d\fR has the specified
 nickname.  Only valid with \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, the certificate
 is stored in this token.  This argument only rarely needs to be specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 The certificate is stored in the named file.
 
 .SH OPTIONS
 .TP
-\fB\-a\fR
+\fB\-a\fR, \fB\-\-all\fR
 Refresh information about all requests for which the service will need to
 attempt to contact the CA again.
 
@@ -50,23 +50,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in
index 39ba761..fd848e7 100644
--- a/src/getcert-rekey.1.in
+++ b/src/getcert-rekey.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "31 July 2015" "certmonger Manual"
+.TH CERTMONGER 1 "July 31, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -13,7 +13,7 @@ order to replace both a certificate and its private key.
 
 .SH SPECIFYING REQUESTS BY NICKNAME
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 The new key pair will be generated and the new certificate will be obtained for
 the tracking request which has this nickname.  If this option is not specified,
 and a tracking entry which matches the key and certificate storage options
@@ -23,62 +23,61 @@ of the \fB\-d\fR and \fB\-n\fR options, or with the \fB\-f\fR option.
 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
 The certificate is in the NSS database in the specified directory.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
 The certificate in the NSS database named with \fB\-d\fR has the specified
 nickname.  Only valid with \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, the certificate
 is stored in this token.  This argument only rarely needs to be specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 The certificate is stored in the named file.
 
 .SH KEY GENERATION OPTIONS
 .TP
-\fB\-G\fR TYPE
+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
 In case a new key pair needs to be generated, this option specifies the
 type of the keys to be generated.  If not specified, the current key type
 will be used.
 .TP
-\fB\-g\fR BITS
+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
 This option specifies the size of the new key to be generated.  If not
 specified, a key of the same size as the existing key will be generated.
 
-\fB\-c\fR NAME
 .SH ENROLLMENT OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 Submit the new signing request to the specified CA rather than the one which
 was previously associated with this certificate.  The name of
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
 .TP
-\fB\-T\fR NAME
+\fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR
 Request a certificate using the named profile, template, or certtype,
 from the specified CA.
 .TP
-\fB\-\-ms-template-spec\fR SPEC
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
 Include a V2 Certificate Template extension in the signing request.
 This datum includes an Object Identifier, a major version number
 (positive integer) and an optional minor version number.  The format
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
 .TP
-\fB\-X\fR NAME
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
 Request a certificate using the named issuer from the specified CA.
 .TP
-\fB\-I\fR NAME
+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
 Assign the specified nickname to this task, replacing the previous nickname.
 
 .SH SIGNING REQUEST OPTIONS
 .TP
-\fB\-N\fR NAME
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
 Change the subject name to include in the signing request.
 .TP
-\fB\-u\fR keyUsage
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
 Add an extensionRequest for the specified keyUsage to the
 signing request.  The keyUsage value is expected to be one of these names:
 
@@ -100,62 +99,74 @@ encipherOnly
 
 decipherOnly
 .TP
-\fB\-U\fR EKU
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
 Change the extendedKeyUsage value specified in an extendedKeyUsage
 extension part of the extensionRequest attribute in the signing
 request.  The EKU value is expected to be an object identifier (OID).
 .TP
-\fB\-K\fR NAME
+\fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR
 Change the Kerberos principal name specified as part of a subjectAltName
 extension part of the extensionRequest attribute in the signing request.
 .TP
-\fB\-E\fR EMAIL
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
 Change the email address specified as part of a subjectAltName
 extension part of the extensionRequest attribute in the signing request.
 .TP
-\fB\-D\fR DNSNAME
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
 Change the DNS name specified as part of a subjectAltName extension part of the
 extensionRequest attribute in the signing request.
 .TP
-\fB\-A\fR ADDRESS
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
 Change the IP address specified as part of a subjectAltName extension part of
 the extensionRequest attribute in the signing request.
 .TP
-\fB\-l\fR FILE
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR
 Add an optional ChallengePassword value, read from the file, to the signing
 request.  A ChallengePassword is often required when the CA is accessed using
 SCEP.
 .TP
-\fB\-L\fR PIN
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
 Add the argument value to the signing request as a ChallengePassword attribute.
 A ChallengePassword is often required when the CA is accessed using SCEP.
 
 .SH OTHER OPTIONS
 .TP
-\fB\-B\fR COMMAND
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user before
 saving the certificates.
 .TP
-\fB\-C\fR COMMAND
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user after
 saving the certificates.
 .TP
-\fB\-a\fR DIR
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, save them to the specified NSS database.
 .TP
-\fB\-F\fR FILE
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, and when the local copies of the
 CA's root certificates are updated, save them to the specified file.
 .TP
-\fB\-w\fR
+\fB\-\-for\-ca\fR
+Request a CA certificate.
+.TP
+\fB\-\-not\-for\-ca\fR
+Request a non\-CA certificate (the default).
+.TP
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
+Path length for CA certificate. Only valid with \-\-for\-ca.
+.TP
+\fB\-w\fR, \fB\-\-wait\fR
 Wait for the new certificate to be issued and saved, or for the attempt to obtain
 one using the new key to fail.
 .TP
-\fB\-v\fR
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
+Maximum time to wait for the certificate to be issued.
+.TP
+\fB\-v\fR \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
 
@@ -165,22 +176,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-remove-ca.1.in b/src/getcert-remove-ca.1.in
index 4b29db7..1839f84 100644
--- a/src/getcert-remove-ca.1.in
+++ b/src/getcert-remove-ca.1.in
@@ -1,10 +1,10 @@
-.TH certmonger 1 "24 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert remove-ca [options]
+getcert remove\-ca [options]
 
 .SH DESCRIPTION
 Remove a CA configuration from \fIcertmonger\fR.  Enrollment requests which
@@ -12,10 +12,10 @@ reference the CA will behave as though they have no assigned CA.
 
 .SH OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 The nickname of the CA configuration to remove.
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
 
@@ -25,22 +25,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
index ba43016..89bc080 100644
--- a/src/getcert-request.1.in
+++ b/src/getcert-request.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -14,87 +14,87 @@ CA.
 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
 Use an NSS database in the specified directory for storing this
 certificate and key.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
 Use the key with this nickname to generate the signing request.  If no
 such key is found, generate one.  Give the enrolled certificate this
 nickname, too.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, use the token
 with this name for storing and accessing the certificate and key.  This
 argument only rarely needs to be specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 Store the issued certificate in this file.  For safety's sake, do not
 use the same file specified with the \fB\-k\fR option.
 .TP
-\fB\-k\fR FILE
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
 Use the key stored in this file to generate the signing request.  If no
 such file is found, generate a new key pair and store them in the file.
 Only valid with \fB\-f\fR.
 
 .SH KEY ENCRYPTION OPTIONS
 .TP
-\fB\-p\fR FILE
+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
 Encrypt private key files or databases using the PIN stored in the named
 file as the passphrase.
 .TP
-\fB\-P\fR PIN
+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
 Encrypt private key files or databases using the specified PIN as the
-passphrase.  Because command-line arguments to running processes are
+passphrase.  Because command\-line arguments to running processes are
 trivially discoverable, use of this option is not recommended except
 for testing.
 
 .SH KEY GENERATION OPTIONS
 .TP
-\fB\-G\fR TYPE
+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
 In case a new key pair needs to be generated, this option specifies the
 type of the keys to be generated.  If not specified, a reasonable default
 (currently \fIRSA\fR) will be used.
 .TP
-\fB\-g\fR BITS
+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
 In case a new key pair needs to be generated, this option specifies the
 size of the key.  If not specified, a reasonable default (currently
 @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used.
 
 .SH TRACKING OPTIONS
 .TP
-\fB\-r\fR
+\fB\-r\fR, \fB\-\-renew\fR
 Attempt to obtain a new certificate from the CA when the expiration date of a
 certificate nears.  This is the default setting.
 .TP
-\fB\-R\fR
+\fB\-R\fR, \fB\-\-no\-renew\fR
 Don't attempt to obtain a new certificate from the CA when the expiration date
 of a certificate nears.  If this option is specified, an expired certificate
 will simply stay expired.
 .TP
-\fB\-I\fR NAME
+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Assign the specified nickname to this task.  If this option is not specified,
 a name will be assigned automatically.
 
 .SH ENROLLMENT OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 Enroll with the specified CA rather than a possible default.  The name of
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
 .TP
-\fB\-T\fR NAME
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 Request a certificate using the named profile, template, or certtype,
 from the specified CA.
 .TP
-\fB\-\-ms-template-spec\fR SPEC
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
 Include a V2 Certificate Template extension in the signing request.
 This datum includes an Object Identifier, a major version number
 (positive integer) and an optional minor version number.  The format
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
 .TP
-\fB\-X\fR NAME
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
 Request a certificate using the named issuer from the specified CA.
 
 .SH SIGNING REQUEST OPTIONS
@@ -108,11 +108,11 @@ The options \fB\-K\fR, \fB\-E\fR, \fB\-D\fR and \fB\-A\fR may be provided
 multiple times to set multiple subjectAltName of the same type.
 
 .TP
-\fB\-N\fR NAME
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
 Set the subject name to include in the signing request.  The default
 used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname.
 .TP
-\fB\-u\fR keyUsage
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
 Add an extensionRequest for the specified keyUsage to the
 signing request.  The keyUsage value is expected to be one of these names:
 
@@ -134,84 +134,113 @@ encipherOnly
 
 decipherOnly
 .TP
-\fB\-U\fR EKU
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
 Add an extensionRequest for the specified extendedKeyUsage to the
 signing request.  The EKU value is expected to be an object identifier
 (OID), but some specific names are also recognized.  These are some
 names and their associated OID values:
 
-id-kp-serverAuth 1.3.6.1.5.5.7.3.1
+id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1
 
-id-kp-clientAuth 1.3.6.1.5.5.7.3.2
+id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2
 
-id-kp-codeSigning 1.3.6.1.5.5.7.3.3
+id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3
 
-id-kp-emailProtection 1.3.6.1.5.5.7.3.4
+id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4
 
-id-kp-timeStamping 1.3.6.1.5.5.7.3.8
+id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8
 
-id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
+id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9
 
-id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
+id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4
 
-id-pkinit-KPKdc 1.3.6.1.5.2.3.5
+id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5
 
-id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
+id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2
 .TP
-\fB\-K\fR NAME
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
 Add an extensionRequest for a subjectAltName, with the specified Kerberos
 principal name as its value, to the signing request.
 .TP
-\fB\-E\fR EMAIL
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
 Add an extensionRequest for a subjectAltName, with the specified email
 address as its value, to the signing request.
 .TP
-\fB\-D\fR DNSNAME
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
 Add an extensionRequest for a subjectAltName, with the specified DNS name
 as its value, to the signing request.
 .TP
-\fB\-A\fR ADDRESS
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
 Add an extensionRequest for a subjectAltName, with the specified IP address
 as its value, to the signing request.
 .TP
-\fB\-l\fR FILE
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
 Add an optional ChallengePassword value, read from the file, to the signing
 request.  A ChallengePassword is often required when the CA is accessed using
 SCEP.
 .TP
-\fB\-L\fR PIN
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
 Add the argument value to the signing request as a ChallengePassword attribute.
 A ChallengePassword is often required when the CA is accessed using SCEP.
 
 .SH OTHER OPTIONS
 .TP
-\fB\-B\fR COMMAND
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user before
 saving the certificates.
 .TP
-\fB\-C\fR COMMAND
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user after
 saving the certificates.
 .TP
-\fB\-a\fR DIR
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, save them to the specified NSS database.
 .TP
-\fB\-F\fR FILE
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, and when the local copies of the
 CA's root certificates are updated, save them to the specified file.
 .TP
-\fB\-w\fR
+\fB\-\-for\-ca\fR
+Request a CA certificate.
+.TP
+\fB\-\-not\-for\-ca\fR
+Request a non\-CA certificate (the default).
+.TP
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
+Path length for CA certificate. Only valid with \-\-for\-ca.
+.TP
+\fB\-w\fR, \fB\-\-wait\fR
 Wait for the certificate to be issued and saved, or for the attempt to obtain
 one to fail.
 .TP
-\fB\-v\fR
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
+Maximum time to wait for the certificate to be issued.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
-
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
+After generation set the owner on the private key file or database to OWNER.
+.TP
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the private key file or database to MODE.
+.TP
+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
+After generation set the owner on the certificate file or database to OWNER.
+.TP
+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the certificate file or database to MODE.
+.SH BUS OPTIONS
+\fB\-s\fR, \fB\-\-session\fR
+Connect to certmonger on the session bus rather than the system bus.
+.TP
+\fB\-S\fR, \fB\-\-system\fR
+Connect to certmonger on the system bus rather than the session bus.  This
+is the default.
 .SH NOTES
 Locations specified for key and certificate storage need to be
 accessible to the \fIcertmonger\fR daemon process.  When run as a system
@@ -219,7 +248,7 @@ daemon on a system which uses a mandatory access control mechanism such
 as SELinux, the system policy must ensure that the daemon is allowed to
 access the locations where certificates and keys that it will manage
 will be stored (these locations are typically labeled as \fIcert_t\fR or
-an equivalent).  More SELinux-specific information can be found in the
+an equivalent).  More SELinux\-specific information can be found in the
 \fIselinux.txt\fR documentation file for this package.
 
 .SH BUGS
@@ -228,23 +257,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in
index f9e6bb1..aefea51 100644
--- a/src/getcert-resubmit.1.in
+++ b/src/getcert-resubmit.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -12,7 +12,7 @@ submit (or resubmit) the signing request to a CA for signing.
 
 .SH SPECIFYING REQUESTS BY NICKNAME
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Resubmit a signing request for the tracking request which has this nickname.
 If this option is not specified, and a tracking entry which matches the key
 and certificate storage options which are specified already exists, that entry
@@ -22,50 +22,50 @@ with the \fB\-f\fR option.
 
 .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
 The certificate is in the NSS database in the specified directory.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
 The certificate in the NSS database named with \fB\-d\fR has the specified
 nickname.  Only valid with \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, the certificate
 is stored in this token.  This argument only rarely needs to be specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 The certificate is stored in the named file.
 
 .SH ENROLLMENT OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 Submit the new signing request to the specified CA rather than the one which
 was previously associated with this certificate.  The name of
-the CA should correspond to one listed by \fIgetcert list-cas\fR.
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
 .TP
-\fB\-T\fR NAME
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 Request a certificate using the named profile, template, or certtype,
 from the specified CA.
 .TP
-\fB\-\-ms-template-spec\fR SPEC
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
 Include a V2 Certificate Template extension in the signing request.
 This datum includes an Object Identifier, a major version number
 (positive integer) and an optional minor version number.  The format
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
 .TP
-\fB\-X\fR NAME
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
 Request a certificate using the named issuer from the specified CA.
 .TP
-\fB\-I\fR NAME
+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Assign the specified nickname to this task, replacing the previous nickname.
 
 .SH SIGNING REQUEST OPTIONS
 .TP
-\fB\-N\fR NAME
+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
 Change the subject name to include in the signing request.
 .TP
-\fB\-u\fR keyUsage
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
 Add an extensionRequest for the specified keyUsage to the
 signing request.  The keyUsage value is expected to be one of these names:
 
@@ -87,64 +87,84 @@ encipherOnly
 
 decipherOnly
 .TP
-\fB\-U\fR EKU
++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
 Change the extendedKeyUsage value specified in an extendedKeyUsage
 extension part of the extensionRequest attribute in the signing
 request.  The EKU value is expected to be an object identifier (OID).
 .TP
-\fB\-K\fR NAME
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
 Change the Kerberos principal name specified as part of a subjectAltName
 extension part of the extensionRequest attribute in the signing request.
 .TP
-\fB\-E\fR EMAIL
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
 Change the email address specified as part of a subjectAltName
 extension part of the extensionRequest attribute in the signing request.
 .TP
-\fB\-D\fR DNSNAME
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
 Change the DNS name specified as part of a subjectAltName extension part of the
 extensionRequest attribute in the signing request.
 .TP
-\fB\-A\fR ADDRESS
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
 Change the IP address specified as part of a subjectAltName extension part of
 the extensionRequest attribute in the signing request.
 .TP
-\fB\-l\fR FILE
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
 Add an optional ChallengePassword value, read from the file, to the signing
 request.  A ChallengePassword is often required when the CA is accessed using
 SCEP.
 .TP
-\fB\-L\fR PIN
+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
 Add the argument value to the signing request as a ChallengePassword attribute.
 A ChallengePassword is often required when the CA is accessed using SCEP.
 
 .SH OTHER OPTIONS
 .TP
-\fB\-B\fR COMMAND
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user before
 saving the certificates.
 .TP
-\fB\-C\fR COMMAND
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user after
 saving the certificates.
 .TP
-\fB\-a\fR DIR
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, save them to the specified NSS database.
 .TP
-\fB\-F\fR FILE
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, and when the local copies of the
 CA's root certificates are updated, save them to the specified file.
 .TP
-\fB\-w\fR
+\fB\-\-for\-ca\fR
+Request a CA certificate.
+.TP
+\fB\-\-not\-for\-ca\fR
+Request a non\-CA certificate (the default).
+.TP
+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
+Path length for CA certificate. Only valid with \-\-for\-ca.
+.TP
+\fB\-w\fR, \fB\-\-wait\fR
 Wait for the certificate to be reissued and saved, or for the attempt to obtain
 one to fail.
 .TP
-\fB\-v\fR
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
+Maximum time to wait for the certificate to be issued.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
+After generation set the owner on the private key file or database to OWNER.
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the private key file or database to MODE.
+\fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR
+After generation set the owner on the certificate file or database to OWNER.
+\fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the certificate file or database to MODE.
 
 .SH BUGS
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
@@ -152,23 +172,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in
index f60e4a7..fff16f5 100644
--- a/src/getcert-start-tracking.1.in
+++ b/src/getcert-start-tracking.1.in
@@ -1,13 +1,13 @@
-.TH certmonger 1 "9 February 2015" "certmonger Manual"
+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert start-tracking [options]
+getcert start\-tracking [options]
 
 .SH DESCRIPTION
-Tells \fIcertmonger\fR to monitor an already-issued certificate.
+Tells \fIcertmonger\fR to monitor an already\-issued certificate.
 Optionally, when the certificate nears expiration, use an existing key
 pair (or to generate one if one is not already found in the specified
 location), to generate a signing request using the key pair and to
@@ -15,7 +15,7 @@ submit them for signing to a CA.
 
 .SH SPECIFYING EXISTING REQUESTS
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Modify the request which has this nickname.  If this option is not specified,
 and a tracking entry which matches the key and certificate storage options
 which are specified already exists, that entry will be modified.  Otherwise, a
@@ -23,27 +23,27 @@ new tracking entry will be added.
 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
 Use an NSS database in the specified directory for reading this
 certificate and, if possible, the corresponding key.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
 Use the certificate with this nickname, and if a private key with the
 same nickname or which corresponds to the certificate is available, to
 use it, too.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, use the token
 with this name for accessing the certificate and key.  This argument
 only rarely needs to be specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 Read the certificate from this file.  For safety's sake, do not use the
 same file specified with the \fB\-k\fR option.
 .TP
-\fB\-k\fR FILE
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
 Use the key stored in this file to generate a signing request for
 refreshing the certificate.  If no such file is found when needed,
 generate a new key pair and store them in the file.
@@ -51,58 +51,58 @@ Only valid with \fB\-f\fR.
 
 .SH KEY ENCRYPTION OPTIONS
 .TP
-\fB\-p\fR FILE
+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
 The private key files or databases are encrypted using the PIN stored in the
 named file as the passphrase.
 .TP
-\fB\-P\fR PIN
+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
 The private key files or databases are encrypted using the specified PIN as the
-passphrase.  Because command-line arguments to running processes are trivially
+passphrase.  Because command\-line arguments to running processes are trivially
 discoverable, use of this option is not recommended except for testing.
 
 .SH TRACKING OPTIONS
 .TP
-\fB\-I\fR NAME
+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
 Assign the specified nickname to this task.  If this option is not specified,
 a name will be assigned automatically.
 .TP
-\fB\-r\fR
+\fB\-r\fR, \fB\-\-renew\fR
 Attempt to obtain a new certificate from the CA when the expiration date of a
 certificate nears.  This is the default setting.
 .TP
-\fB\-R\fR
+\fB\-R\fR, \fB\-\-no\-renew\fR
 Don't attempt to obtain a new certificate from the CA when the expiration date
 of a certificate nears.  If this option is specified, an expired certificate
 will simply stay expired.
 
 .SH ENROLLMENT OPTIONS
 .TP
-\fB\-c\fR NAME
+\fB\-c\fR  \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 Enroll with the specified CA rather than a possible default.  The name of
-the CA should correspond to one listed by \fIgetcert list-cas\fR.  Only
+the CA should correspond to one listed by \fIgetcert list\-cas\fR.  Only
 useful in combination with \fB\-r\fR.
 .TP
-\fB\-T\fR NAME
+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
 Request a certificate using the named profile, template, or certtype,
 from the specified CA.
 .TP
-\fB\-\-ms-template-spec\fR SPEC
+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
 Include a V2 Certificate Template extension in the signing request.
 This datum includes an Object Identifier, a major version number
 (positive integer) and an optional minor version number.  The format
 is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
 .TP
-\fB\-X\fR NAME
+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
 Request a certificate using the named issuer from the specified CA.
 
 .SH SIGNING REQUEST OPTIONS
 If and when \fIcertmonger\fR attempts to obtain a new certificate to replace
 the one being monitored, the values to be added to the signing request will be
 taken from the current certificate, unless preferred values are set using one
-or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
+or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
 
 .TP
-\fB\-u\fR keyUsage
+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
 Add an extensionRequest for the specified keyUsage to the
 signing request.  The keyUsage value is expected to be one of these names:
 
@@ -124,64 +124,86 @@ encipherOnly
 
 decipherOnly
 .TP
-\fB\-U\fR EKU
+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
 Add an extensionRequest for the specified extendedKeyUsage to the
 signing request.  The EKU value is expected to be an object identifier
 (OID).
 .TP
-\fB\-K\fR NAME
+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
 Add an extensionRequest for a subjectAltName, with the specified Kerberos
 principal name as its value, to the signing request.
 .TP
-\fB\-E\fR EMAIL
+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
 Add an extensionRequest for a subjectAltName, with the specified email
 address as its value, to the signing request.
 .TP
-\fB\-D\fR DNSNAME
+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
 Add an extensionRequest for a subjectAltName, with the specified DNS name
 as its value, to the signing request.
-\fB\-A\fR ADDRESS
+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
 Add an extensionRequest for a subjectAltName, with the specified IP address
 as its value, to the signing request.
 .TP
-\fB\-l\fR FILE
+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
 Add an optional ChallengePassword value, read from the file, to the signing
 request.  A ChallengePassword is often required when the CA is accessed using
 SCEP.
 .TP
-\fB\-L\fR PIN
+\fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR
 Add the argument value to the signing request as a ChallengePassword attribute.
 A ChallengePassword is often required when the CA is accessed using SCEP.
 
 .SH OTHER OPTIONS
 .TP
-\fB\-B\fR COMMAND
+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user before
 saving the certificates.
 .TP
-\fB\-C\fR COMMAND
+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
 When ever the certificate or the CA's certificates are saved to the
 specified locations, run the specified command as the client user after
 saving the certificates.
 .TP
-\fB\-a\fR DIR
+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, save them to the specified NSS database.
 .TP
-\fB\-F\fR FILE
+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
 When ever the certificate is saved to the specified location, if root
 certificates for the CA are available, and when the local copies of the
 CA's root certificates are updated, save them to the specified file.
 .TP
-\fB\-w\fR
+\fB\-w\fR, \fB\-\-wait\fR
 Wait for the certificate to become valid or to be reissued and saved, or for
 the attempt to obtain a new one to fail.
 .TP
-\fB\-v\fR
+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
+Maximum time to wait for the certificate to be issued.
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
-
+.TP
+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
+After generation set the owner on the private key file or database to OWNER.
+.TP
+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the private key file or database to MODE.
+.TP
+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
+After generation set the owner on the certificate file or database to OWNER.
+.TP
+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
+After generation set the file permissions on the certificate file or database to MODE.
+.SH BUS OPTIONS
+.TP
+\fB\-s\fR, \fB\-\-session\fR
+Connect to certmonger on the session bus rather than the system bus.
+.TP
+\fB\-S\fR, \fB\-\-system\fR
+Connect to certmonger on the system bus rather than the session bus.  This
+is the default.
 .SH NOTES
 Locations specified for key and certificate storage need to be
 accessible to the \fIcertmonger\fR daemon process.  When run as a system
@@ -189,7 +211,7 @@ daemon on a system which uses a mandatory access control mechanism such
 as SELinux, the system policy must ensure that the daemon is allowed to
 access the locations where certificates and keys that it will manage
 will be stored (these locations are typically labeled as \fIcert_t\fR or
-an equivalent).  More SELinux-specific information can be found in the
+an equivalent).  More SELinux\-specific information can be found in the
 \fIselinux.txt\fR documentation file for this package.
 
 .SH BUGS
@@ -198,23 +220,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-status.1.in b/src/getcert-status.1.in
index 071d393..da2fbc6 100644
--- a/src/getcert-status.1.in
+++ b/src/getcert-status.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "13 June 2014" "certmonger Manual"
+.TH CERTMONGER 1 "June 13, 2014" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -12,18 +12,18 @@ request and sets an exit status to reflect that status.
 
 .SH SELECTION OPTIONS
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
 Check that status of a certificate in the named NSS database.  Must be
-specified with the \fB-n\fR option.
+specified with the \fB\-n\fR option.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
 Check that status of a certificate in with the specified nickname.  Must be
-specified with the \fB-d\fR option.
+specified with the \fB\-d\fR option.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 Check that status of a certificate stored in the specified PEM file.
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 Check that status of a certificate with the specified request nickname.
 
 .SH EXIT STATUS
@@ -53,24 +53,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert-stop-tracking.1.in b/src/getcert-stop-tracking.1.in
index a8657f3..96345d1 100644
--- a/src/getcert-stop-tracking.1.in
+++ b/src/getcert-stop-tracking.1.in
@@ -1,10 +1,10 @@
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
 
 .SH NAME
 getcert
 
 .SH SYNOPSIS
-getcert stop-tracking [options]
+getcert stop\-tracking [options]
 
 .SH DESCRIPTION
 Tells \fIcertmonger\fR to stop monitoring or attempting to obtain or
@@ -12,7 +12,7 @@ refresh a certificate.
 
 .SH TRACKING OPTIONS
 .TP
-\fB\-i\fR NAME
+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
 The certificate was tracked using the request with the specified nickname.
 If this option is not specified, some combination of \fB\-d\fR and
 \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should
@@ -20,55 +20,62 @@ henceforth be forgotten.
 
 .SH KEY AND CERTIFICATE STORAGE OPTIONS
 .TP
-\fB\-d\fR DIR
+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
 The certificate is the one stored in the specified NSS database.
 .TP
-\fB\-n\fR NAME
+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
 The certificate is the one which has this nickname.  Only valid with
 \fB\-d\fR.
 .TP
-\fB\-t\fR TOKEN
+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
 If the NSS database has more than one token available, the certificate
 is stored in this token.  This argument only rarely needs to be
 specified.
 Only valid with \fB\-d\fR.
 .TP
-\fB\-f\fR FILE
+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
 The certificate is or was to be stored in this file.
 .TP
-\fB\-k\fR FILE
+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
 The private key is or was to be stored in this file.
 Only valid with \fB\-f\fR.
 
 .SH OTHER OPTIONS
 .TP
-\fB\-v\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Be verbose about errors.  Normally, the details of an error received from
 the daemon will be suppressed if the client can make a diagnostic suggestion.
-
+.SH BUS OPTIONS
+.TP
+\fB\-s\fR, \fB\-\-session\fR
+Connect to certmonger on the session bus rather than the system bus.
+.TP
+\fB\-S\fR, \fB\-\-system\fR
+Connect to certmonger on the system bus rather than the session bus.  This
+is the default.
 .SH BUGS
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
 
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/getcert.1.in b/src/getcert.1.in
index 7380f49..8669c76 100644
--- a/src/getcert.1.in
+++ b/src/getcert.1.in
@@ -1,4 +1,4 @@
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
 
 .SH NAME
 getcert
@@ -6,12 +6,12 @@ getcert
 .SH SYNOPSIS
  getcert request [options]
  getcert resubmit [options]
- getcert start-tracking [options]
+ getcert start\-tracking [options]
  getcert status [options]
- getcert stop-tracking [options]
+ getcert stop\-tracking [options]
  getcert list [options]
- getcert list-cas [options]
- getcert refresh-cas [options]
+ getcert list\-cas [options]
+ getcert refresh\-cas [options]
 
 .SH DESCRIPTION
 The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on
@@ -22,7 +22,7 @@ expiration, and optionally to refresh it when expiration nears, it can
 list the set of certificates that the service is already monitoring, or
 it can list the set of CAs that the service is capable of using.
 
-If no command is given as the first command-line argument, \fIgetcert\fR
+If no command is given as the first command\-line argument, \fIgetcert\fR
 will print short usage information for each of its functions.
 
 If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus
@@ -32,7 +32,7 @@ available, \fIgetcert\fR will attempt to launch a temporary copy of the
 .SH COMMON ARGUMENTS
 If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR
 contacts the service directly at the specified location.
-All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct
+All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct
 \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system
 bus, if no value is set.  By default, \fIgetcert\fR consults the @CM_DBUS_NAME@
 service attached to the system bus.
@@ -42,24 +42,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 
 .SH SEE ALSO
 \fBcertmonger\fR(8)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/ipa-getcert.1.in b/src/ipa-getcert.1.in
index a1d36d5..f1b3682 100644
--- a/src/ipa-getcert.1.in
+++ b/src/ipa-getcert.1.in
@@ -1,20 +1,20 @@
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
 
 .SH NAME
-ipa-getcert
+ipa\-getcert
 
 .SH SYNOPSIS
- ipa-getcert request [options]
- ipa-getcert resubmit [options]
- ipa-getcert start-tracking [options]
- ipa-getcert status [options]
- ipa-getcert stop-tracking [options]
- ipa-getcert list [options]
- ipa-getcert list-cas [options]
- ipa-getcert refresh-cas [options]
+ ipa\-getcert request [options]
+ ipa\-getcert resubmit [options]
+ ipa\-getcert start\-tracking [options]
+ ipa\-getcert status [options]
+ ipa\-getcert stop\-tracking [options]
+ ipa\-getcert list [options]
+ ipa\-getcert list\-cas [options]
+ ipa\-getcert refresh\-cas [options]
 
 .SH DESCRIPTION
-The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@
+The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
 service on behalf of the invoking user.  It can ask the service to begin
 enrollment, optionally generating a key pair to use, it can ask the
 service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
 list the set of certificates that the service is already monitoring, or
 it can list the set of CAs that the service is capable of using.
 
-If no command is given as the first command-line argument,
-\fIipa-getcert\fR will print short usage information for each of
+If no command is given as the first command\-line argument,
+\fIipa\-getcert\fR will print short usage information for each of
 its functions.
 
-The \fIipa-getcert\fR tool behaves identically to the generic
-\fIgetcert\fR tool when it is used with the \fB-c
+The \fIipa\-getcert\fR tool behaves identically to the generic
+\fIgetcert\fR tool when it is used with the \fB\-c
 \fI@CM_IPA_CA_NAME@\fR option.
 
 \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
-using the \fB-F\fR and \fB-a\fR options to specify where those certificates
+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
+using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates
 should be stored.
 
 .SH BUGS
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/local-getcert.1.in b/src/local-getcert.1.in
index 526e31f..48a265b 100644
--- a/src/local-getcert.1.in
+++ b/src/local-getcert.1.in
@@ -1,20 +1,20 @@
-.TH certmonger 1 "7 June 2014" "certmonger Manual"
+.TH CERTMONGER 1 "June 7, 2014" "certmonger Manual"
 
 .SH NAME
-local-getcert
+local\-getcert
 
 .SH SYNOPSIS
- local-getcert request [options]
- local-getcert resubmit [options]
- local-getcert start-tracking [options]
- local-getcert status [options]
- local-getcert stop-tracking [options]
- local-getcert list [options]
- local-getcert list-cas [options]
- local-getcert refresh-cas [options]
+ local\-getcert request [options]
+ local\-getcert resubmit [options]
+ local\-getcert start\-tracking [options]
+ local\-getcert status [options]
+ local\-getcert stop\-tracking [options]
+ local\-getcert list [options]
+ local\-getcert list\-cas [options]
+ local\-getcert refresh\-cas [options]
 
 .SH DESCRIPTION
-The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@
+The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
 service on behalf of the invoking user.  It can ask the service to begin
 enrollment, optionally generating a key pair to use, it can ask the
 service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
 list the set of certificates that the service is already monitoring, or
 it can list the set of CAs that the service is capable of using.
 
-If no command is given as the first command-line argument,
-\fIlocal-getcert\fR will print short usage information for each of
+If no command is given as the first command\-line argument,
+\fIlocal\-getcert\fR will print short usage information for each of
 its functions.
 
-The \fIlocal-getcert\fR tool behaves identically to the generic
-\fIgetcert\fR tool when it is used with the \fB-c
+The \fIlocal\-getcert\fR tool behaves identically to the generic
+\fIgetcert\fR tool when it is used with the \fB\-c
 \fIlocal\fR option.
 
-\fBcertmonger\fR supports retrieving the list of current and previously-used
-local CA certificates.  See \fBgetcert-request\fR(1) and
-\fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR
+\fBcertmonger\fR supports retrieving the list of current and previously\-used
+local CA certificates.  See \fBgetcert\-request\fR(1) and
+\fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR
 options to specify where those certificates should be stored.
 
 .SH BUGS
@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
diff --git a/src/selfsign-getcert.1.in b/src/selfsign-getcert.1.in
index 88389e8..d15c398 100644
--- a/src/selfsign-getcert.1.in
+++ b/src/selfsign-getcert.1.in
@@ -1,20 +1,20 @@
-.TH certmonger 1 "3 November 2009" "certmonger Manual"
+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
 
 .SH NAME
-selfsign-getcert
+selfsign\-getcert
 
 .SH SYNOPSIS
- selfsign-getcert request [options]
- selfsign-getcert resubmit [options]
- selfsign-getcert start-tracking [options]
- selfsign-getcert status [options]
- selfsign-getcert stop-tracking [options]
- selfsign-getcert list [options]
- selfsign-getcert list-cas [options]
- selfsign-getcert refresh-cas [options]
+ selfsign\-getcert request [options]
+ selfsign\-getcert resubmit [options]
+ selfsign\-getcert start\-tracking [options]
+ selfsign\-getcert status [options]
+ selfsign\-getcert stop\-tracking [options]
+ selfsign\-getcert list [options]
+ selfsign\-getcert list\-cas [options]
+ selfsign\-getcert refresh\-cas [options]
 
 .SH DESCRIPTION
-The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@
+The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
 service on behalf of the invoking user.  It can ask the service to begin
 enrollment, optionally generating a key pair to use, it can ask the
 service to begin monitoring a certificate in a specified location for
@@ -22,16 +22,16 @@ expiration, and optionally to refresh it when expiration nears, it can
 list the set of certificates that the service is already monitoring, or
 it can list the set of CAs that the service is capable of using.
 
-If no command is given as the first command-line argument,
-\fIselfsign-getcert\fR will print short usage information for each of
+If no command is given as the first command\-line argument,
+\fIselfsign\-getcert\fR will print short usage information for each of
 its functions.
 
-The \fIselfsign-getcert\fR tool behaves identically to the generic
-\fIgetcert\fR tool when it is used with the \fB-c
+The \fIselfsign\-getcert\fR tool behaves identically to the generic
+\fIgetcert\fR tool when it is used with the \fB\-c
 \fI@CM_SELF_SIGN_CA_NAME@\fR option.
 
-\fBcertmonger\fR's self-signer doesn't use root certificates.  While the
-\fB-F\fR and \fB-a\fR options will still be recognized, they will effectively
+\fBcertmonger\fR's self\-signer doesn't use root certificates.  While the
+\fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively
 be ignored.
 
 .SH BUGS
@@ -40,24 +40,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
 .SH SEE ALSO
 \fBcertmonger\fR(8)
 \fBgetcert\fR(1)
-\fBgetcert-add-ca\fR(1)
-\fBgetcert-add-scep-ca\fR(1)
-\fBgetcert-list-cas\fR(1)
-\fBgetcert-list\fR(1)
-\fBgetcert-modify-ca\fR(1)
-\fBgetcert-refresh-ca\fR(1)
-\fBgetcert-refresh\fR(1)
-\fBgetcert-rekey\fR(1)
-\fBgetcert-remove-ca\fR(1)
-\fBgetcert-request\fR(1)
-\fBgetcert-resubmit\fR(1)
-\fBgetcert-start-tracking\fR(1)
-\fBgetcert-status\fR(1)
-\fBgetcert-stop-tracking\fR(1)
-\fBcertmonger-certmaster-submit\fR(8)
-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
-\fBcertmonger-dogtag-submit\fR(8)
-\fBcertmonger-ipa-submit\fR(8)
-\fBcertmonger-local-submit\fR(8)
-\fBcertmonger-scep-submit\fR(8)
+\fBgetcert\-add\-ca\fR(1)
+\fBgetcert\-add\-scep\-ca\fR(1)
+\fBgetcert\-list\-cas\fR(1)
+\fBgetcert\-list\fR(1)
+\fBgetcert\-modify\-ca\fR(1)
+\fBgetcert\-refresh\-ca\fR(1)
+\fBgetcert\-refresh\fR(1)
+\fBgetcert\-rekey\fR(1)
+\fBgetcert\-remove\-ca\fR(1)
+\fBgetcert\-request\fR(1)
+\fBgetcert\-resubmit\fR(1)
+\fBgetcert\-start\-tracking\fR(1)
+\fBgetcert\-status\fR(1)
+\fBgetcert\-stop\-tracking\fR(1)
+\fBcertmonger\-certmaster\-submit\fR(8)
+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
+\fBcertmonger\-dogtag\-submit\fR(8)
+\fBcertmonger\-ipa\-submit\fR(8)
+\fBcertmonger\-local\-submit\fR(8)
+\fBcertmonger\-scep\-submit\fR(8)
 \fBcertmonger_selinux\fR(8)
-- 
2.21.1