-rw-r--r--configure.ac24
-rw-r--r--man/.gitignore4
-rw-r--r--man/Makefile.am17
-rw-r--r--man/ipsec.conf.5.in2
-rw-r--r--man/ipsec.secrets.5.in2
-rw-r--r--man/strongswan.conf.5.in24
-rw-r--r--src/charon-cmd/Makefile.am11
-rw-r--r--src/charon-cmd/charon-cmd.8.in2
-rw-r--r--src/ipsec/Android.mk1
-rw-r--r--src/ipsec/Makefile.am1
-rw-r--r--src/ipsec/_ipsec.in9
-rw-r--r--src/pki/Makefile.am4
-rw-r--r--src/pki/command.c2
-rw-r--r--src/pki/commands/gen.c4
-rw-r--r--src/pki/commands/issue.c12
-rw-r--r--src/pki/commands/pkcs7.c8
-rw-r--r--src/pki/commands/pub.c4
-rw-r--r--src/pki/commands/req.c5
-rw-r--r--src/pki/commands/self.c4
-rw-r--r--src/pki/commands/signcrl.c12
-rw-r--r--src/pki/commands/verify.c3
-rw-r--r--src/pki/man/.gitignore1
-rw-r--r--src/pki/man/Makefile.am14
-rw-r--r--src/pki/man/pki---gen.1.in112
-rw-r--r--src/pki/man/pki---issue.1.in179
-rw-r--r--src/pki/man/pki---keyid.1.in72
-rw-r--r--src/pki/man/pki---pkcs7.1.in79
-rw-r--r--src/pki/man/pki---print.1.in53
-rw-r--r--src/pki/man/pki---pub.1.in75
-rw-r--r--src/pki/man/pki---req.1.in91
-rw-r--r--src/pki/man/pki---self.1.in148
-rw-r--r--src/pki/man/pki---signcrl.1.in124
-rw-r--r--src/pki/man/pki---verify.1.in56
-rw-r--r--src/pki/man/pki.1.in156
34 files changed, 1245 insertions, 70 deletions
diff --git a/configure.ac b/configure.ac
index 9469ddbb7..2d1762c77 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1471,6 +1471,7 @@ AC_CONFIG_FILES([
src/openac/Makefile
src/scepclient/Makefile
src/pki/Makefile
+ src/pki/man/Makefile
src/dumm/Makefile
src/dumm/ext/extconf.rb
src/libfast/Makefile
@@ -1482,6 +1483,29 @@ AC_CONFIG_FILES([
scripts/Makefile
testing/Makefile
])
+
+# =================
+# build man pages
+# =================
+
+AC_CONFIG_FILES([
+ man/ipsec.conf.5
+ man/ipsec.secrets.5
+ man/strongswan.conf.5
+ src/charon-cmd/charon-cmd.8
+ src/pki/man/pki.1
+ src/pki/man/pki---gen.1
+ src/pki/man/pki---issue.1
+ src/pki/man/pki---keyid.1
+ src/pki/man/pki---pkcs7.1
+ src/pki/man/pki---print.1
+ src/pki/man/pki---pub.1
+ src/pki/man/pki---req.1
+ src/pki/man/pki---self.1
+ src/pki/man/pki---signcrl.1
+ src/pki/man/pki---verify.1
+])
+
AC_OUTPUT
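Review bot: The new AC_CONFIG_FILES list moves man-page substitution from the old sed rules to config.status, and the templates changed in this same commit now read `@piddir@`, `@random_device@`, `@urandom_device@` and `@prefix@`; config.status inserts each variable's value verbatim and does not expand nested `${...}` references, so if `piddir` is defined in terms of another directory variable the rendered strongswan.conf(5) page will show that reference unexpanded (the old sed rule had the same limitation, and the definition is not visible here, so confirm). The per-subcommand list must also be kept in step with `man1_MANS` in src/pki/man/Makefile.am, which is easy to miss when a subcommand is added; a comment on the block would help: `# generated man pages; keep the pki entries in sync with man1_MANS in src/pki/man/Makefile.am`.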
# ========================
diff --git a/man/.gitignore b/man/.gitignore
index 2767ce80f..5d06cd466 100644
--- a/man/.gitignore
+++ b/man/.gitignore
@@ -1,3 +1 @@
-ipsec.conf.5
-ipsec.secrets.5
-strongswan.conf.5
+*.5
diff --git a/man/Makefile.am b/man/Makefile.am
index 0becd24c7..266ef7d3a 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,13 +1,6 @@
-dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
-EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
-CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+man_MANS = \
+ ipsec.conf.5 \
+ ipsec.secrets.5 \
+ strongswan.conf.5
-SUFFIXES = .in
-
-.in:
- $(AM_V_GEN) \
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- -e "s:@DEV_URANDOM@:$(urandom_device):" \
- -e "s:@DEV_RANDOM@:$(random_device):" \
- $(srcdir)/$@.in > $@
+CLEANFILES = $(man_MANS)
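Review bot: The `.in` templates dropped from `EXTRA_DIST` here are now inputs of AC_CONFIG_FILES, which automake distributes automatically, but nothing in the file says so, and a later maintainer is likely to re-add `EXTRA_DIST` or wonder why `make dist` still works; a one-line comment would settle it: `# *.in templates are AC_CONFIG_FILES inputs (see configure.ac) and are distributed automatically`. The same applies to the `man8_MANS` rewrite in src/charon-cmd/Makefile.am. Listing config.status outputs in `CLEANFILES` is harmless but means a `make clean` forces regeneration through config.status on the next build, which is worth stating in the same comment.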
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index b85172923..a62d68aae 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index ee20c9670..15e36faff 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 3ccc43867..9ee82f594 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -386,7 +386,7 @@ DHCP server unicast or broadcast IP address
.BR charon.plugins.duplicheck.enable " [yes]"
Enable duplicheck plugin (if loaded)
.TP
-.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+.BR charon.plugins.duplicheck.socket " [unix://@piddir@/charon.dck]"
Socket provided by the duplicheck plugin
.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
@@ -571,7 +571,7 @@ Start phase2 EAP TNC protocol after successful client authentication
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
-.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
Socket provided by the error-notify plugin
.TP
.BR charon.plugins.ha.autobalance " [0]"
@@ -632,7 +632,7 @@ Time in ms to wait until virtual IP addresses appear/disappear before failing.
.BR charon.plugins.load-tester
Section to configure the load-tester plugin, see LOAD TESTS
.TP
-.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
Socket provided by the lookip plugin
.TP
.BR charon.plugins.radattr.dir
@@ -673,7 +673,7 @@ certificates even if they don't contain a CA basic constraint.
.BR charon.plugins.stroke.max_concurrent " [4]"
Maximum number of stroke messages handled concurrently
.TP
-.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+.BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]"
Socket provided by the stroke plugin
.TP
.BR charon.plugins.stroke.timeout " [0]"
@@ -744,7 +744,7 @@ plugins, like resolve)
.BR charon.plugins.whitelist.enable " [yes]"
Enable loaded whitelist plugin
.TP
-.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+.BR charon.plugins.whitelist.socket " [unix://@piddir@/charon.wlst]"
Socket provided by the whitelist plugin
.TP
.BR charon.plugins.xauth-eap.backend " [radius]"
@@ -852,11 +852,11 @@ keys not stored on tokens
.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
Whether the PKCS#11 modules should be used as RNG
.TP
-.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
-File to read random bytes from, instead of @DEV_RANDOM@
+.BR libstrongswan.plugins.random.random " [@random_device@]"
+File to read random bytes from, instead of @random_device@
.TP
-.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
-File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
+File to read pseudo random bytes from, instead of @urandom_device@
.TP
.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
File to read DNS resolver configuration from
@@ -970,7 +970,7 @@ Send open listening ports without being prompted
.BR libimcv.plugins.imv-scanner.remediation_uri
URI pointing to scanner remediation instructions
.TP
-.BR libimcv.plugins.imc-swid.swid_directory "[$(prefix)/share]"
+.BR libimcv.plugins.imc-swid.swid_directory " [@prefix@/share]"
Directory where SWID tags are located
.TP
.BR libimcv.plugins.imc-test.additional_ids " [0]"
@@ -1511,7 +1511,7 @@ Request an INTERNAL_IPV4_ADDR from the server
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
.TP
-.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]"
Socket provided by the load-tester plugin
.TP
.BR charon.plugins.load-tester.version " [0]"
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
index 9ed82be5e..73df45072 100644
--- a/src/charon-cmd/Makefile.am
+++ b/src/charon-cmd/Makefile.am
@@ -1,7 +1,6 @@
sbin_PROGRAMS = charon-cmd
-CLEANFILES = charon-cmd.8
-dist_man8_MANS = charon-cmd.8
-EXTRA_DIST = charon-cmd.8.in
+man8_MANS = charon-cmd.8
+CLEANFILES = $(man8_MANS)
charon_cmd_SOURCES = \
cmd/cmd_options.h cmd/cmd_options.c \
@@ -24,9 +23,3 @@ charon_cmd_LDADD = \
$(top_builddir)/src/libhydra/libhydra.la \
$(top_builddir)/src/libcharon/libcharon.la \
-lm $(PTHREADLIB) $(DLLIB)
-
-charon-cmd.8 : charon-cmd.8.in
- $(AM_V_GEN) \
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- $(srcdir)/$@.in > $@
diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in
index c9d52c92f..25d706995 100644
--- a/src/charon-cmd/charon-cmd.8.in
+++ b/src/charon-cmd/charon-cmd.8.in
@@ -1,4 +1,4 @@
-.TH CHARON\-CMD 8 "2013-06-21" "@IPSEC_VERSION@" "strongSwan"
+.TH CHARON\-CMD 8 "2013-06-21" "@PACKAGE_VERSION@" "strongSwan"
.SH "NAME"
charon\-cmd \- Simple IKE client (IPsec VPN client)
.SH SYNOPSIS
diff --git a/src/ipsec/Android.mk b/src/ipsec/Android.mk
index c25be3ebc..3936f7af9 100644
--- a/src/ipsec/Android.mk
+++ b/src/ipsec/Android.mk
@@ -19,6 +19,7 @@ $(GEN) : PRIVATE_CUSTOM_TOOL = sed \
-e "s:@IPSEC_DISTRO@::" \
-e "s:@IPSEC_DIR@:$(strongswan_DIR):" \
-e "s:@IPSEC_SCRIPT@:ipsec:" \
+ -e "s:@IPSEC_BINDIR@:$(strongswan_DIR):" \
-e "s:@IPSEC_SBINDIR@:$(strongswan_SBINDIR):" \
-e "s:@IPSEC_CONFDIR@:$(strongswan_CONFDIR):" \
-e "s:@IPSEC_PIDDIR@:$(strongswan_PIDDIR):" \
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index 73427c0fa..71f2d150b 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -20,6 +20,7 @@ _ipsec : _ipsec.in
-e "s:@IPSEC_DISTRO@::" \
-e "s:@IPSEC_DIR@:$(ipsecdir):" \
-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
+ -e "s:@IPSEC_BINDIR@:$(bindir):" \
-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
-e "s:@IPSEC_PIDDIR@:$(piddir):" \
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 03ddb744d..3c1f99825 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -15,7 +15,7 @@
# for more details.
# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@:@IPSEC_BINDIR@"
export PATH
# set daemon name
@@ -28,6 +28,7 @@ IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
# where the private directory and the config files are
IPSEC_DIR="@IPSEC_DIR@"
+IPSEC_BINDIR="@IPSEC_BINDIR@"
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
IPSEC_CONFDIR="@IPSEC_CONFDIR@"
IPSEC_PIDDIR="@IPSEC_PIDDIR@"
@@ -39,7 +40,7 @@ IPSEC_CHARON_PID="${IPSEC_PIDDIR}/${DAEMON_NAME}.pid"
IPSEC_STROKE="${IPSEC_DIR}/stroke"
IPSEC_STARTER="${IPSEC_DIR}/starter"
-export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
+export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
@@ -313,6 +314,10 @@ update)
exit 7
fi
;;
+pki)
+ shift
+ exec $IPSEC_BINDIR/pki "$@"
+ ;;
version|--version)
printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
printf "$IPSEC_DISTRO\n"
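Review bot: `exec $IPSEC_BINDIR/pki "$@"` leaves the binary path unquoted, unlike the other path assignments in this script such as `IPSEC_STROKE="${IPSEC_DIR}/stroke"`, so a bindir containing whitespace or glob characters would be word-split before exec; write it as `exec "$IPSEC_BINDIR/pki" "$@"`. The enclosing `case` statement starts outside the hunk.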
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index e07938284..efbed9b2b 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -1,4 +1,6 @@
-ipsec_PROGRAMS = pki
+SUBDIRS = man
+
+bin_PROGRAMS = pki
pki_SOURCES = pki.c pki.h command.c command.h \
commands/gen.c \
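Review bot: Switching from `ipsec_PROGRAMS` to `bin_PROGRAMS` changes where `pki` is installed, from the private `$(ipsecdir)` to `$(bindir)`, and the only hint of that is the matching `IPSEC_BINDIR` plumbing in src/ipsec/_ipsec.in; packaging and scripts that expected the old location will not find it. A comment at the top of the file would make the intent explicit: `# pki is a user-facing tool installed to bindir (was ipsecdir); the ipsec script dispatches to it via IPSEC_BINDIR`.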
diff --git a/src/pki/command.c b/src/pki/command.c
index a5e5b8528..984da59b4 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -258,6 +258,6 @@ int command_dispatch(int c, char *v[])
return cmds[i].call();
}
}
- return command_usage("invalid operation");
+ return command_usage(c > 1 ? "invalid operation" : NULL);
}
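Review bot: `command_usage(c > 1 ? "invalid operation" : NULL)` encodes "no operation argument was given at all" as a bare comparison on argc, which is not obvious at the call site; a comment would help, e.g. `/* no operation at all: plain usage, no error banner */`. This also assumes command_usage() accepts a NULL error string, which is not visible in this hunk; confirm it does not pass the pointer straight to a printf-style call.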
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index e3602f0c3..b74be7d98 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -151,7 +151,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
gen, 'g', "gen", "generate a new private key",
{" [--type rsa|ecdsa] [--size bits] [--safe-primes]",
- "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
+ "[--shares n] [--threshold l] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"type", 't', 1, "type of key, default: rsa"},
@@ -159,7 +159,7 @@ static void __attribute__ ((constructor))reg()
{"safe-primes", 'p', 0, "generate rsa safe primes"},
{"shares", 'n', 1, "number of private rsa key shares"},
{"threshold", 'l', 1, "minimum number of participating rsa key shares"},
- {"outform", 'f', 1, "encoding of generated private key"},
+ {"outform", 'f', 1, "encoding of generated private key, default: der"},
}
});
}
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 5f098ba41..9d669dfdd 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -514,14 +514,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
issue, 'i', "issue",
"issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
+ {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex",
" --cacert file [--dn subject-dn] [--san subjectAltName]+",
- "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+",
- "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
- "[--nc-permitted name] [--nc-excluded name]",
- "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
- "[--policy-map issuer-oid:subject-oid]",
+ "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
+ "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
+ "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
+ "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
+ "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
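Review bot: The usage text now advertises `--policy-mapping` while the equivalent line in src/pki/commands/self.c (kept unchanged in that hunk) still reads `--policy-map`, and the new man page pki---issue.1.in also uses `--policy-mapping`; the option table that getopt actually matches lies below this hunk and is not shown, so one of the two usage strings no longer reflects the registered long option. Confirm the table entry and make both usage strings and the man pages agree with it. The reg() function continues outside the hunk.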
diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c
index 790656c62..6c75693ab 100644
--- a/src/pki/commands/pkcs7.c
+++ b/src/pki/commands/pkcs7.c
@@ -445,8 +445,8 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions",
- {"--sign | --verify | --encrypt | --decrypt",
- "--certificate+ [--key]"},
+ {"--sign|--verify|--encrypt|--decrypt|--show",
+ "[--in file] [--cert file]+ [--key file]"},
{
{"help", 'h', 0, "show usage information"},
{"sign", 's', 0, "create PKCS#7 signed-data"},
@@ -455,8 +455,8 @@ static void __attribute__ ((constructor))reg()
{"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},
{"show", 'p', 0, "show info about PKCS#7, print certificates"},
{"in", 'i', 1, "input file, default: stdin"},
- {"key", 'k', 1, "path to private key for sign/decryp"},
- {"cert", 'c', 1, "path to certificate for sign/verify/encryp"},
+ {"key", 'k', 1, "path to private key for sign/decrypt"},
+ {"cert", 'c', 1, "path to certificate for sign/verify/encrypt"},
}
});
}
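Review bot: The option table here registers `decrypt` with the short option `'d'` (context line above the rewritten `key`/`cert` entries), but the new man page src/pki/man/pki---pkcs7.1.in documents it as `.BI "\-e, \-\-decrypt"`, duplicating the `-e` already used by `--encrypt`; the man page line should read `.BI "\-d, \-\-decrypt"`. The reg() function starts outside the hunk.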
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 9912061f4..5a658afec 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -158,13 +158,13 @@ static void __attribute__ ((constructor))reg()
pub, 'p', "pub",
"extract the public key from a private key/certificate",
{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
- "[--outform der|pem|pgp|dnskey]"},
+ "[--outform der|pem|dnskey]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
{"keyid", 'x', 1, "keyid on smartcard of private key"},
{"type", 't', 1, "type of credential, default: rsa"},
- {"outform", 'f', 1, "encoding of extracted public key"},
+ {"outform", 'f', 1, "encoding of extracted public key, default: der"},
}
});
}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index d90ddc251..e269f64ea 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -174,9 +174,8 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {"[--in file] [--type rsa|ecdsa]",
- " --dn distinguished-name [--san subjectAltName]+",
- "[--password challengePassword]",
+ {" [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+ "[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 448360821..a1f17c8f9 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -378,14 +378,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {"[--in file | --keyid hex] [--type rsa|ecdsa]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning]+",
"[--nc-permitted name] [--nc-excluded name]",
- "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+",
"[--policy-map issuer-oid:subject-oid]",
"[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
+ "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index f9746cca7..4f9dd291d 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -429,13 +429,13 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
sign_crl, 'c', "signcrl",
"issue a CRL using a CA certificate and key",
- {"--cacert file --cakey file | --cakeyid hex --lifetime days",
- "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+",
- "[ [--reason key-compromise|ca-compromise|affiliation-changed|",
+ {"--cacert file --cakey file|--cakeyid hex [--lifetime days]",
+ " [--lastcrl crl] [--basecrl crl] [--crluri uri]+",
+ " [[--reason key-compromise|ca-compromise|affiliation-changed|",
" superseded|cessation-of-operation|certificate-hold]",
- " [--date timestamp]",
- " --cert file | --serial hex ]*",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+ " [--date timestamp] --cert file|--serial hex]*",
+ " [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+ " [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"cacert", 'c', 1, "CA certificate file"},
diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c
index 3e983d3ec..11c596d78 100644
--- a/src/pki/commands/verify.c
+++ b/src/pki/commands/verify.c
@@ -125,7 +125,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
verify, 'v', "verify",
"verify a certificate using the CA certificate",
- {"[--in file] [--ca file]"},
+ {"[--in file] [--cacert file]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
@@ -133,4 +133,3 @@ static void __attribute__ ((constructor))reg()
}
});
}
-
diff --git a/src/pki/man/.gitignore b/src/pki/man/.gitignore
new file mode 100644
index 000000000..44b27a64b
--- /dev/null
+++ b/src/pki/man/.gitignore
@@ -0,0 +1 @@
+*.8 \ No newline at end of file
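Review bot: The ignore pattern is `*.8`, but every page this directory generates is listed as `pki*.1` in src/pki/man/Makefile.am and in the configure.ac AC_CONFIG_FILES block, so the generated section-1 pages will show up as untracked files while nothing matches `*.8`; change the pattern to `*.1` (the parallel man/.gitignore change in this commit uses the section that directory actually produces).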
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
new file mode 100644
index 000000000..618bd4093
--- /dev/null
+++ b/src/pki/man/Makefile.am
@@ -0,0 +1,14 @@
+man1_MANS = \
+ pki.1 \
+ pki---gen.1 \
+ pki---self.1 \
+ pki---issue.1 \
+ pki---signcrl.1 \
+ pki---req.1 \
+ pki---pkcs7.1 \
+ pki---keyid.1 \
+ pki---print.1 \
+ pki---pub.1 \
+ pki---verify.1
+
+CLEANFILES = $(man1_MANS)
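Review bot: `man1_MANS` installs pki---issue.1 under man section 1, but its template added in this same commit (src/pki/man/pki---issue.1.in) opens with `.TH "PKI \-\-ISSUE" 8 ...` while every sibling page uses section 1; the header should be `.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"` so the rendered page and its install location agree. Since the list here is duplicated in configure.ac, a comment such as `# keep in sync with the AC_CONFIG_FILES man-page block in configure.ac` would reduce the chance of the two drifting.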
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
new file mode 100644
index 000000000..138ab6122
--- /dev/null
+++ b/src/pki/man/pki---gen.1.in
@@ -0,0 +1,112 @@
+.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-gen \- Generate a new RSA or ECDSA private key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-gen
+.OP \-\-type type
+.OP \-\-size bits
+.OP \-\-safe\-primes
+.OP \-\-shares n
+.OP \-\-threshold l
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-gen
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-gen"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to generate a new RSA or ECDSA private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-s, \-\-size " bits
+Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
+For \fIecdsa\fR only three values are currently supported: 256, 384 and 521.
+.TP
+.BI "\-p, \-\-safe\-primes"
+Generate RSA safe primes.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the generated private key. Either \fIder\fR (ASN.1 DER) or \fIpem\fR
+(Base64 PEM), defaults
+to \fIder\fR.
+.PP
+.SS "RSA Threshold Cryptography"
+.TP
+.BI "\-n, \-\-shares " <n>
+Number of private RSA key shares.
+.TP
+.BI "\-l, \-\-threshold " <l>
+Minimum number of participating RSA key shares.
+.
+.SH "PROBLEMS ON HOSTS WITH LOW ENTROPY"
+.
+If the
+.I gmp
+plugin is used to generate RSA private keys the key material is read from
+.I /dev/random
+(via the
+.I random
+plugin). Therefore, the command may block if the system's entropy pool is empty.
+To avoid this, either use a hardware random number generator to feed
+.I /dev/random
+or use OpenSSL (via the
+.I openssl
+plugin or the command line) which is not as strict in regards to the quality of
+the key material (it reads from
+.I /dev/urandom
+if necessary). It is also possible to configure the devices used by the
+.I random
+plugin in
+.BR strongswan.conf (5).
+Setting
+.B libstrongswan.plugins.random.random
+to
+.I /dev/urandom
+forces the plugin to treat bytes read from
+.I /dev/urandom
+as high grade random data, thus avoiding the blocking. Of
+course, this doesn't change the fact that the key material generated this way is
+of lower quality.
+.
+.SH "EXAMPLES"
+.
+.TP
+.B pki \-\-gen \-\-size 3072 > rsa_key.der
+Generates a 3072-bit RSA private key.
+.
+.TP
+.B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
+Generates a 256-bit ECDSA private key.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
new file mode 100644
index 000000000..9effd9b15
--- /dev/null
+++ b/src/pki/man/pki---issue.1.in
@@ -0,0 +1,179 @@
+.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-issue \- Issue a certificate using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-issue
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-dn subject-dn
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-issue
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-issue"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a certificate using a CA certificate and private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Public key or PKCS#10 certificate request file to issue. If not given the
+key/request is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a
+PKCS#10 certificate request, defaults to \fIpub\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-d, \-\-dn " subject-dn
+Subject distinguished name (DN) of the issued certificate.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-u, \-\-crl " uri
+CRL distribution point URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-I, \-\-crlissuer " issuer
+Optional CRL issuer for the CRL at the preceding distribution point.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I pki.opt
+contains the following contents:
+.PP
+.EX
+ --cacert ca_cert.der --cakey ca_key.der --digest sha256
+ --flag serverAuth --lifetime 1460 --type pkcs10
+.EE
+.PP
+Then the following command can be used to issue a certificate based on a
+given PKCS#10 certificate request and the options above:
+.PP
+.EX
+ pki --issue --options pki.opt --in req.der > cert.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
new file mode 100644
index 000000000..490f7afea
--- /dev/null
+++ b/src/pki/man/pki---keyid.1.in
@@ -0,0 +1,72 @@
+.TH "PKI \-\-KEYID" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-keyid \- Calculate key identifiers of a key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-keyid
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-keyid
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-keyid"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+calculates key identifiers of private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
+request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+.
+.SH "EXAMPLES"
+.
+Calculate key identifiers of an RSA private key:
+.PP
+.EX
+ pki --keyid --in key.der
+ subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+ subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+Calculate key identifiers of an X.509 certificate:
+.PP
+.EX
+ pki --keyid --in cert.der --type x509
+ subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
+ subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---pkcs7.1.in b/src/pki/man/pki---pkcs7.1.in
new file mode 100644
index 000000000..38186cf70
--- /dev/null
+++ b/src/pki/man/pki---pkcs7.1.in
@@ -0,0 +1,79 @@
+.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pkcs7 \- Provides PKCS#7 wrap/unwrap functions
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pkcs7
+.BR \-\-sign | \-\-verify | \-\-encrypt | \-\-decrypt | \-\-show
+.OP \-\-in file
+.OP \-\-cert file
+.OP \-\-key file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs7
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pkcs7"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+provides functions to wrap/unwrap PKCS#7 containers.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-s, \-\-sign"
+Create PKCS#7 signed-data.
+.TP
+.BI "\-u, \-\-verify"
+Verify PKCS#7 signed-data.
+.TP
+.BI "\-e, \-\-encrypt"
+Create PKCS#7 enveloped-data.
+.TP
+.BI "\-e, \-\-decrypt"
+Decrypt PKCS#7 enveloped-data.
+.TP
+.BI "\-p, \-\-show"
+Show information about PKCS#7 container, list certificates.
+.TP
+.BI "\-i, \-\-in " file
+PKCS#7 input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-k, \-\-key " file
+Private key used for
+.B \-\-sign
+and
+.BR \-\-decrypt.
+.TP
+.BI "\-c, \-\-cert " file
+Certificate for
+.BR \-\-sign ,
+.B \-\-verify
+and
+.BR \-\-encrypt.
+Can be used multiple times.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
new file mode 100644
index 000000000..8d3345edc
--- /dev/null
+++ b/src/pki/man/pki---print.1.in
@@ -0,0 +1,53 @@
+.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-print \- Print a credential (key, certificate etc.) in human readable form
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-print
+.OP \-\-in file
+.OP \-\-type type
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-print
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-print"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+prints credentials (keys, certificates etc.) in human readable form.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
+private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
+(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
new file mode 100644
index 000000000..d588ae732
--- /dev/null
+++ b/src/pki/man/pki---pub.1.in
@@ -0,0 +1,75 @@
+.TH "PKI \-\-PUB" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pub \- Extract a public key from a private key or certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pub
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type type
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pub
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pub"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+extracts public keys from a private keys and certificates.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
+private key), \fIpkcs10\fR (PKCS#10 certificate request), \fIx509\fR (X.509
+certificate), defaults to \fIrsa\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
+(Base64 PEM), or \fIdnskey\fR (RFC 3110 DNS key), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Extract the public key from an RSA private key:
+.PP
+.EX
+ pki --pub --in key.der > pub.der
+.EE
+.PP
+Extract the public key from an X.509 certificate:
+.PP
+.EX
+ pki --pub --in cert.der --type x509 > pub.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
new file mode 100644
index 000000000..ab144ce2a
--- /dev/null
+++ b/src/pki/man/pki---req.1.in
@@ -0,0 +1,91 @@
+.TH "PKI \-\-REQ" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-req \- Create a PKCS#10 certificate request
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-req
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-password password
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-req
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-req"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a PKCS#10 certificate request.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in request. Can be used multiple times.
+.TP
+.BI "\-p, \-\-password " password
+The challengePassword to include in the certificate request.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+Generate a certificate request for an RSA key, with a subjectAltName extension:
+.PP
+.EX
+ pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+ \-\-san moon@strongswan.org > req.der
+.EE
+.PP
+Generate a certificate request for an ECDSA key and a different digest:
+.PP
+.EX
+ pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
+ \-\-dn "C=CH, O=strongSwan, CN=carol" > req.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
new file mode 100644
index 000000000..ee42cf9a0
--- /dev/null
+++ b/src/pki/man/pki---self.1.in
@@ -0,0 +1,148 @@
+.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-self \- Create a self-signed certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-self
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
+.OP \-\-type t
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-self
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-self"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to create a self-signed certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Private key input file. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-x, \-\-keyid " hex
+Key ID of a private key on a smartcard.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject and issuer distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+Generate a self-signed certificate using the given RSA key:
+.PP
+.EX
+ pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
+ \-\-san moon.strongswan.org > cert.der
+.EE
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
new file mode 100644
index 000000000..6ba96f6bc
--- /dev/null
+++ b/src/pki/man/pki---signcrl.1.in
@@ -0,0 +1,124 @@
+.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
new file mode 100644
index 000000000..de34acad4
--- /dev/null
+++ b/src/pki/man/pki---verify.1.in
@@ -0,0 +1,56 @@
+.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-verify \- Verify a certificate using a CA certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-verify
+.OP \-\-in file
+.OP \-\-cacert file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-verify
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-verify"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+verifies a certificate using an optional CA certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate to use. If not given the certificate is assumed to be
+self-signed.
+.
+.SH "EXIT STATUS"
+The exit status is 0 if the certificate was verified successfully, and 2 if
+the verification failed.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
new file mode 100644
index 000000000..8dfc53af3
--- /dev/null
+++ b/src/pki/man/pki.1.in
@@ -0,0 +1,156 @@
+.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \- Simple public key infrastructure (PKI) management tool
+.
+.SH "SYNOPSIS"
+.
+.SY "pki"
+.I command
+.RI [ option\~ .\|.\|.]
+.YS
+.
+.SY "pki"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B pki
+is a suite of commands that allow you to manage a simple public key
+infrastructure (PKI).
+.P
+Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
+containing subjectAltNames, create X.509 self-signed end-entity and root CA
+certificates, issue end-entity and intermediate CA certificates signed by the
+private key of a CA and containing subjectAltNames, CRL distribution points
+and URIs of OCSP servers. You can also extract raw public keys from private
+keys, certificate requests and certificates and compute two kinds of SHA-1-based
+key IDs.
+.
+.SH "COMMANDS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.B "\-g, \-\-gen"
+Generate a new private key.
+.TP
+.B "\-s, \-\-self"
+Create a self-signed certificate.
+.TP
+.B "\-i, \-\-issue"
+Issue a certificate using a CA certificate and key.
+.TP
+.B "\-c, \-\-signcrl"
+Issue a CRL using a CA certificate and key.
+.TP
+.B "\-r, \-\-req"
+Create a PKCS#10 certificate request.
+.TP
+.B "\-7, \-\-pkcs7"
+Provides PKCS#7 wrap/unwrap functions.
+.TP
+.B "\-k, \-\-keyid"
+Calculate key identifiers of a key or certificate.
+.TP
+.B "\-a, \-\-print"
+Print a credential (key, certificate etc.) in human readable form.
+.TP
+.B "\-p, \-\-pub"
+Extract a public key from a private key or certificate.
+.TP
+.B "\-v, \-\-verify"
+Verify a certificate using a CA certificate.
+.
+.SH "EXAMPLES"
+.
+.SS "Generating a CA Certificate"
+.
+The first step is to generate a private key using the
+.B \-\-gen
+command. By default this generates a 2048-bit RSA key.
+.PP
+.EX
+ pki \-\-gen > ca_key.der
+.EE
+.PP
+This key is used to create the self-signed CA certificate, using the
+.B \-\-self
+command. The distinguished name should be adjusted to your needs.
+.PP
+.EX
+ pki \-\-self \-\-ca \-\-in ca_key.der \\
+ \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
+.EE
+.PP
+.
+.SS "Generating End-Entity Certificates"
+.
+With the root CA certificate and key at hand end-entity certificates for clients
+and servers can be issued. Similarly intermediate CA certificates can be issued,
+which in turn can issue other certificates.
+To generate a certificate for a server, we start by generating a private key.
+.PP
+.EX
+ pki \-\-gen > server_key.der
+.EE
+.PP
+The public key will be included in the certificate so lets extract that from the
+private key.
+.PP
+.EX
+ pki \-\-pub \-\-in server_key.der > server_pub.der
+.EE
+.PP
+The following command will use the CA certificate and private key to issue the
+certificate for this server. Adjust the distinguished name, subjectAltName(s)
+and flags as needed (check
+.BR pki\ \-\-issue (8)
+for more options).
+.PP
+.EX
+ pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
+ \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
+ \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
+.EE
+.PP
+Instead of storing the public key in a separate
+file, the output of
+.B \-\-pub
+may also be piped directly into the above command.
+.
+.SS "Generating Certificate Revocation Lists (CRL)"
+.
+If end-entity certificates have to be revoked, CRLs may be generated using
+the
+.B \-\-signcrl
+command.
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert server_cert.der > crl.der
+.EE
+.PP
+The certificate given with \-\-cacert must be either a CA certificate or a
+certificate with the
+.I crlSign
+extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
+certificates with the \-\-crl option.
+.
+.SH "SEE ALSO"
+.
+.BR pki\ \-\-gen (1),
+.BR pki\ \-\-self (1),
+.BR pki\ \-\-issue (1),
+.BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-req (1),
+.BR pki\ \-\-pkcs7 (1),
+.BR pki\ \-\-keyid (1),
+.BR pki\ \-\-print (1),
+.BR pki\ \-\-pub (1),
+.BR pki\ \-\-verify (1)