pki: Document --not-before/after and --dateform options in manpages

4 files changed, 99 insertions, 7 deletions

diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
index 3e23366bc..ec1d8be6e 100644
--- a/src/pki/man/pki---acert.1.in
+++ b/src/pki/man/pki---acert.1.in
@@ -12,6 +12,8 @@ pki \-\-acert \- Issue an attribute certificate
 .BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
 .BI \-\-issuercert\~ file
 .OP \-\-lifetime hours
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-digest digest
 .OP \-\-outform encoding
@@ -69,7 +71,28 @@ is required.
 Issuer certificate file. Required.
 .TP
 .BI "\-l, \-\-lifetime " hours
-Hours the attribute certificate is valid, default: 24.
+Hours the attribute certificate is valid, default: 24. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the AC begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the AC ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3fad1ae8a..375cb2fe4 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -14,6 +14,8 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-dn subject-dn
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -88,7 +90,28 @@ Subject distinguished name (DN) of the issued certificate.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -176,4 +199,4 @@ given PKCS#10 certificate request and the options above:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ee42cf9a0..5e6e78bd0 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -14,6 +14,8 @@ pki \-\-self \- Create a self-signed certificate
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -75,7 +77,28 @@ Subject and issuer distinguished name (DN). Required.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -145,4 +168,4 @@ Generate a self-signed certificate using the given RSA key:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index 6ba96f6bc..bd6cba547 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -10,6 +10,8 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
 .BI \-\-cakey\~ file |\-\-cakeyid\~ hex
 .BI \-\-cacert\~ file
 .OP \-\-lifetime days
+.OP \-\-this-update datetime
+.OP \-\-next-update datetime
 .OP \-\-lastcrl crl
 .OP \-\-basecrl crl
 .OP \-\-crluri uri
@@ -62,7 +64,28 @@ is required.
 CA certificate file. Required.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days until the CRL gets a nextUpdate, default: 15.
+Days until the CRL gets a nextUpdate, default: 15. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-this-update " datetime
+Absolute time when the validity of the CRL begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-next-update " datetime
+Absolute time when the validity of the CRL end. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-this\-update
+and
+.B \-\-next\-update
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-a, \-\-lastcrl " crl
 CRL of lastUpdate to copy revocations from.
@@ -121,4 +144,4 @@ number, but no reason:
 .PP
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)