1 files changed, 18 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c4464878d..9acd8f8c9 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.97 2010/07/15 21:20:38 schwarze Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 15 2010 $
+.Dd $Mdocdate: August 4 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -215,6 +215,11 @@ the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
 Download the RSA public keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+When used in combination with
+.Fl s ,
+this option indicates that a CA key resides in a PKCS#11 token (see the
+.Sx CERTIFICATES
+section for details).
 .It Fl e
 This option will read a private or public OpenSSH key file and
 print to stdout the key in one of the formats specified by the
@@ -553,7 +558,17 @@ option:
 .Pp
 The host certificate will be output to
 .Pa /path/to/host_key-cert.pub .
-In both cases,
+.Pp
+It is possible to sign using a CA key stored in a PKCS#11 token by
+providing the token library using
+.Fl D
+and identifying the CA key by providing its public half as an argument
+to
+.Fl s :
+.Pp
+.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
+.Pp
+In all cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
 is used for authentication.

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c4464878d..9acd8f8c9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.97 2010/07/15 21:20:38 schwarze Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,7 +37,7 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: July 15 2010 $	40	.Dd $Mdocdate: August 4 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
@@ -215,6 +215,11 @@ the passphrase if the key has one, and for the new comment.
215	.It Fl D Ar pkcs11	215	.It Fl D Ar pkcs11
216	Download the RSA public keys provided by the PKCS#11 shared library	216	Download the RSA public keys provided by the PKCS#11 shared library
217	.Ar pkcs11 .	217	.Ar pkcs11 .
		218	When used in combination with
		219	.Fl s ,
		220	this option indicates that a CA key resides in a PKCS#11 token (see the
		221	.Sx CERTIFICATES
		222	section for details).
218	.It Fl e	223	.It Fl e
219	This option will read a private or public OpenSSH key file and	224	This option will read a private or public OpenSSH key file and
220	print to stdout the key in one of the formats specified by the	225	print to stdout the key in one of the formats specified by the
@@ -553,7 +558,17 @@ option:
553	.Pp	558	.Pp
554	The host certificate will be output to	559	The host certificate will be output to
555	.Pa /path/to/host_key-cert.pub .	560	.Pa /path/to/host_key-cert.pub .
556	In both cases,	561	.Pp
		562	It is possible to sign using a CA key stored in a PKCS#11 token by
		563	providing the token library using
		564	.Fl D
		565	and identifying the CA key by providing its public half as an argument
		566	to
		567	.Fl s :
		568	.Pp
		569	.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
		570	.Pp
		571	In all cases,
557	.Ar key_id	572	.Ar key_id
558	is a "key identifier" that is logged by the server when the certificate	573	is a "key identifier" that is logged by the server when the certificate
559	is used for authentication.	574	is used for authentication.