1 files changed, 23 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index ce2213c78..cfbd4cfa5 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.133 2016/06/16 06:10:45 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.134 2017/04/29 04:12:25 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 16 2016 $
+.Dd $Mdocdate: April 29 2017 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -474,9 +474,29 @@ The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
+.It Ic extension Ns : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate extension.
+.It Ic critical Ns : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate critical option.
 .El
 .Pp
-At present, no options are valid for host keys.
+At present, no standard options are valid for host keys.
+.Pp
+For non-standard certificate extension or options included using
+.Ic extension
+or
+.Ic option ,
+the specified
+.Ar name
+should include a domain suffix, e.g.
+.Dq name@example.com .
+If a
+.Ar contents
+is specified then it is included as the contents of the extension/option
+encoded as a string, otherwise the extension/option is created with no
+contents (usually indicating a flag).
+Extensions may be ignored by a client or server that does not recognise them,
+whereas unknown critical options will cause the certificate to be refused.
 .It Fl o
 Causes
 .Nm

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ce2213c78..cfbd4cfa5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.133 2016/06/16 06:10:45 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.134 2017/04/29 04:12:25 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: June 16 2016 $	38	.Dd $Mdocdate: April 29 2017 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -474,9 +474,29 @@ The
474	.Ar address_list	474	.Ar address_list
475	is a comma-separated list of one or more address/netmask pairs in CIDR	475	is a comma-separated list of one or more address/netmask pairs in CIDR
476	format.	476	format.
		477	.It Ic extension Ns : Ns Ar name Ns Op Ns = Ns Ar contents
		478	Includes an arbitrary certificate extension.
		479	.It Ic critical Ns : Ns Ar name Ns Op Ns = Ns Ar contents
		480	Includes an arbitrary certificate critical option.
477	.El	481	.El
478	.Pp	482	.Pp
479	At present, no options are valid for host keys.	483	At present, no standard options are valid for host keys.
		484	.Pp
		485	For non-standard certificate extension or options included using
		486	.Ic extension
		487	or
		488	.Ic option ,
		489	the specified
		490	.Ar name
		491	should include a domain suffix, e.g.
		492	.Dq name@example.com .
		493	If a
		494	.Ar contents
		495	is specified then it is included as the contents of the extension/option
		496	encoded as a string, otherwise the extension/option is created with no
		497	contents (usually indicating a flag).
		498	Extensions may be ignored by a client or server that does not recognise them,
		499	whereas unknown critical options will cause the certificate to be refused.
480	.It Fl o	500	.It Fl o
481	Causes	501	Causes
482	.Nm	502	.Nm