updated autogen'ed files.

11 files changed, 1195 insertions, 1298 deletions

diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index ceb314fafd..5797b15753 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,25 +6,32 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-certtool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:05:07 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:54 PM by AutoGen 5.16
 # From the definitions    ../src/certtool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Tool to parse and generate X.509 certificates, requests and private keys.
 It can be used interactively or non interactively by
 specifying the template command line option.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{certtool usage}
-@subsubheading certtool usage help (-?)
+@subsubheading certtool help/usage (-h)
+@cindex certtool help
 
-This is the automatically generated usage text for certtool:
+This is the automatically generated usage text for certtool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -121,141 +128,146 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{certtool bits}
-@subsubheading bits option
+@anchor{certtool debug}
+@subsubheading debug option (-d)
 
-This is the ``specify the number of bits for key generate'' option.
+This is the ``enable debugging.'' option.
+This option takes an argument number.
+Specifies the debug level.
+@anchor{certtool generate-request}
+@subsubheading generate-request option (-q)
 
+This is the ``generate a pkcs #10 certificate request'' option.
 
-@anchor{certtool certificate-info}
-@subsubheading certificate-info option (-i)
+@noindent
+This option has some usage constraints.  It:
+@itemize @bullet
+@item
+must not appear in combination with any of the following options:
+infile.
+@end itemize
 
-This is the ``print information on the given certificate'' option.
+Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
+@anchor{certtool verify-chain}
+@subsubheading verify-chain option (-e)
 
+This is the ``verify a pem encoded certificate chain.'' option.
+The last certificate in the chain must be a self signed one.
+@anchor{certtool verify}
+@subsubheading verify option
 
-@anchor{certtool certificate-pubkey}
-@subsubheading certificate-pubkey option
+This is the ``verify a pem encoded certificate chain using a trusted list.'' option.
 
-This is the ``print certificate's public key'' option.
+@noindent
+This option has some usage constraints.  It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-ca-certificate.
+@end itemize
 
+The trusted certificate list must be loaded with --load-ca-certificate.
+@anchor{certtool verify-crl}
+@subsubheading verify-crl option
 
-@anchor{certtool crl-info}
-@subsubheading crl-info option (-l)
+This is the ``verify a crl using a trusted list.'' option.
 
-This is the ``print information on the given crl structure'' option.
+@noindent
+This option has some usage constraints.  It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-ca-certificate.
+@end itemize
 
+The trusted certificate list must be loaded with --load-ca-certificate.
+@anchor{certtool get-dh-params}
+@subsubheading get-dh-params option
 
-@anchor{certtool crq-info}
-@subsubheading crq-info option
+This is the ``get the included pkcs #3 encoded diffie-hellman parameters.'' option.
+Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
+are more efficient since GnuTLS 3.0.9.
+@anchor{certtool load-privkey}
+@subsubheading load-privkey option
 
-This is the ``print information on the given certificate request'' option.
+This is the ``loads a private key file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{certtool load-pubkey}
+@subsubheading load-pubkey option
 
+This is the ``loads a public key file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{certtool load-certificate}
+@subsubheading load-certificate option
 
-@anchor{certtool debug}
-@subsubheading debug option (-d)
+This is the ``loads a certificate file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{certtool load-ca-privkey}
+@subsubheading load-ca-privkey option
 
-This is the ``enable debugging.'' option.
-Specifies the debug level.
+This is the ``loads the certificate authority's private key file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{certtool load-ca-certificate}
+@subsubheading load-ca-certificate option
 
-@anchor{certtool dh-info}
-@subsubheading dh-info option
+This is the ``loads the certificate authority's certificate file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{certtool null-password}
+@subsubheading null-password option
 
-This is the ``print information pkcs #3 encoded diffie-hellman parameters'' option.
+This is the ``enforce a null password'' option.
+This option enforces a NULL password. This may be different than the empty password in some schemas.
+@anchor{certtool pubkey-info}
+@subsubheading pubkey-info option
 
+This is the ``print information on a public key'' option.
+The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
+@anchor{certtool to-p12}
+@subsubheading to-p12 option
 
-@anchor{certtool disable-quick-random}
-@subsubheading disable-quick-random option
+This is the ``generate a pkcs #12 structure'' option.
 
-This is the ``no effect'' option.
+@noindent
+This option has some usage constraints.  It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-certificate.
+@end itemize
 
+It requires a certificate, a private key and possibly a CA certificate to be specified.
+@anchor{certtool rsa}
+@subsubheading rsa option
 
+This is the ``generate rsa key'' option.
+When combined with --generate-privkey generates an RSA private key.
 @anchor{certtool dsa}
 @subsubheading dsa option
 
 This is the ``generate dsa key'' option.
 When combined with --generate-privkey generates a DSA private key.
-
 @anchor{certtool ecc}
 @subsubheading ecc option
 
 This is the ``generate ecc (ecdsa) key'' option.
 When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
-
 @anchor{certtool ecdsa}
 @subsubheading ecdsa option
 
-This is the ``'' option.
-This option has no @samp{doc} documentation.
-
-@anchor{certtool generate-certificate}
-@subsubheading generate-certificate option (-c)
-
-This is the ``generate a signed certificate'' option.
-
-
-@anchor{certtool generate-crl}
-@subsubheading generate-crl option
-
-This is the ``generate a crl'' option.
-
-
-@anchor{certtool generate-dh-params}
-@subsubheading generate-dh-params option
-
-This is the ``generate pkcs #3 encoded diffie-hellman parameters.'' option.
-
-
-@anchor{certtool generate-privkey}
-@subsubheading generate-privkey option (-p)
-
-This is the ``generate a private key'' option.
-
-
-@anchor{certtool generate-proxy}
-@subsubheading generate-proxy option
-
-This is the ``generates a proxy certificate'' option.
-
-
-@anchor{certtool generate-request}
-@subsubheading generate-request option (-q)
-
-This is the ``generate a pkcs #10 certificate request'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-infile.
-@end itemize
-
-Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
-
-@anchor{certtool generate-self-signed}
-@subsubheading generate-self-signed option (-s)
-
-This is the ``generate a self-signed certificate'' option.
-
-
-@anchor{certtool get-dh-params}
-@subsubheading get-dh-params option
-
-This is the ``get the included pkcs #3 encoded diffie-hellman parameters.'' option.
-Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
-are more efficient since GnuTLS 3.0.9.
+This is an alias for the ecc option,
+@pxref{certtool ecc, the ecc option documentation}.
 
 @anchor{certtool hash}
 @subsubheading hash option
 
 This is the ``hash algorithm to use for signing.'' option.
+This option takes an argument string.
 Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-
-@anchor{certtool hex-numbers}
-@subsubheading hex-numbers option
-
-This is the ``print big number in an easier format to parse'' option.
-
-
 @anchor{certtool inder}
 @subsubheading inder option
 
@@ -263,268 +275,338 @@ This is the ``use der format for input certificates and private keys.'' option.
 The input files will be assumed to be in DER or RAW format. 
 Unlike options that in PEM input would allow multiple input data (e.g. multiple 
 certificates), when reading in DER format a single data structure is read.
-
-@anchor{certtool infile}
-@subsubheading infile option
-
-This is the ``input file'' option.
-
-
 @anchor{certtool inraw}
 @subsubheading inraw option
 
-This is the ``'' option.
-This option has no @samp{doc} documentation.
-
-@anchor{certtool key-info}
-@subsubheading key-info option (-k)
-
-This is the ``print information on a private key'' option.
-
-
-@anchor{certtool load-ca-certificate}
-@subsubheading load-ca-certificate option
-
-This is the ``loads the certificate authority's certificate file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{certtool load-ca-privkey}
-@subsubheading load-ca-privkey option
-
-This is the ``loads the certificate authority's private key file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{certtool load-certificate}
-@subsubheading load-certificate option
-
-This is the ``loads a certificate file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{certtool load-privkey}
-@subsubheading load-privkey option
-
-This is the ``loads a private key file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{certtool load-pubkey}
-@subsubheading load-pubkey option
-
-This is the ``loads a public key file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{certtool load-request}
-@subsubheading load-request option
-
-This is the ``loads a certificate request file'' option.
-
-
-@anchor{certtool no-crq-extensions}
-@subsubheading no-crq-extensions option
-
-This is the ``do not use extensions in certificate requests'' option.
-
-
-@anchor{certtool null-password}
-@subsubheading null-password option
-
-This is the ``enforce a null password'' option.
-This option enforces a NULL password. This may be different than the empty password in some schemas.
+This is an alias for the inder option,
+@pxref{certtool inder, the inder option documentation}.
 
 @anchor{certtool outder}
 @subsubheading outder option
 
 This is the ``use der format for output certificates and private keys'' option.
 The output will be in DER or RAW format.
+@anchor{certtool outraw}
+@subsubheading outraw option
 
-@anchor{certtool outfile}
-@subsubheading outfile option
+This is an alias for the outder option,
+@pxref{certtool outder, the outder option documentation}.
 
-This is the ``output file'' option.
+@anchor{certtool sec-param}
+@subsubheading sec-param option
 
+This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
+This option takes an argument string @file{Security parameter}.
+This is alternative to the bits option.
+@anchor{certtool pkcs-cipher}
+@subsubheading pkcs-cipher option
 
-@anchor{certtool outraw}
-@subsubheading outraw option
+This is the ``cipher to use for pkcs #8 and #12 operations'' option.
+This option takes an argument string @file{Cipher}.
+Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
+@anchor{certtool exit status}
+@subsubheading certtool exit status
 
-This is the ``'' option.
-This option has no @samp{doc} documentation.
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+@anchor{certtool See Also}
+@subsubheading certtool See Also
+    p11tool (1)
 
-@anchor{certtool p12-info}
-@subsubheading p12-info option
+@anchor{certtool Examples}
+@subsubheading certtool Examples
+@subsubheading Generating private keys
+To create an RSA private key, run:
+@example
+$ certtool --generate-privkey --outfile key.pem --rsa
+@end example
 
-This is the ``print information on a pkcs #12 structure'' option.
+To create a DSA or elliptic curves (ECDSA) private key use the
+above command combined with 'dsa' or 'ecc' options.
 
+@subsubheading Generating certificate requests
+To create a certificate request (needed when the certificate is  issued  by
+another party), run:
+@example
+certtool --generate-request --load-privkey key.pem \
+   --outfile request.pem
+@end example
 
-@anchor{certtool p7-info}
-@subsubheading p7-info option
+If the private key is stored in a smart card you can generate
+a request by specifying the private key object URL.
+@example
+$ ./certtool --generate-request --load-privkey "pkcs11:..." \
+  --load-pubkey "pkcs11:..." --outfile request.pem
+@end example
 
-This is the ``print information on a pkcs #7 structure'' option.
 
+@subsubheading Generating a self-signed certificate
+To create a self signed certificate, use the command:
+@example
+$ certtool --generate-privkey --outfile ca-key.pem
+$ certtool --generate-self-signed --load-privkey ca-key.pem \
+   --outfile ca-cert.pem
+@end example
 
-@anchor{certtool password}
-@subsubheading password option
+Note that a self-signed certificate usually belongs to a certificate
+authority, that signs other certificates.
 
-This is the ``password to use'' option.
+@subsubheading Generating a certificate
+To generate a certificate using the previous request, use the command:
+@example
+$ certtool --generate-certificate --load-request request.pem \
+   --outfile cert.pem --load-ca-certificate ca-cert.pem \
+   --load-ca-privkey ca-key.pem
+@end example
 
+To generate a certificate using the private key only, use the command:
+@example
+$ certtool --generate-certificate --load-privkey key.pem \
+   --outfile cert.pem --load-ca-certificate ca-cert.pem \
+   --load-ca-privkey ca-key.pem
+@end example
 
-@anchor{certtool pgp-certificate-info}
-@subsubheading pgp-certificate-info option
+@subsubheading Certificate information
+To view the certificate information, use:
+@example
+$ certtool --certificate-info --infile cert.pem
+@end example
 
-This is the ``print information on the given openpgp certificate'' option.
+@subsubheading PKCS #12 structure generation
+To generate a PKCS #12 structure using the previous key and certificate,
+use the command:
+@example
+$ certtool --load-certificate cert.pem --load-privkey key.pem \
+   --to-p12 --outder --outfile key.p12
+@end example
 
+Some tools (reportedly web browsers) have problems with that file
+because it does not contain the CA certificate for the certificate.
+To work around that problem in the tool, you can use the
+--load-ca-certificate parameter as follows:
 
-@anchor{certtool pgp-key-info}
-@subsubheading pgp-key-info option
+@example
+$ certtool --load-ca-certificate ca.pem \
+  --load-certificate cert.pem --load-privkey key.pem \
+  --to-p12 --outder --outfile key.p12
+@end example
 
-This is the ``print information on an openpgp private key'' option.
+@subsubheading Diffie-Hellman parameter generation
+To generate parameters for Diffie-Hellman key exchange, use the command:
+@example
+$ certtool --generate-dh-params --outfile dh.pem --sec-param normal
+@end example
 
+@subsubheading Proxy certificate generation
+Proxy certificate can be used to delegate your credential to a
+temporary, typically short-lived, certificate.  To create one from the
+previously created certificate, first create a temporary key and then
+generate a proxy certificate for it, using the commands:
+
+@example
+$ certtool --generate-privkey > proxy-key.pem
+$ certtool --generate-proxy --load-ca-privkey key.pem \
+  --load-privkey proxy-key.pem --load-certificate cert.pem \
+  --outfile proxy-cert.pem
+@end example
+
+@subsubheading Certificate revocation list generation
+To create an empty Certificate Revocation List (CRL) do:
+
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
+           --load-ca-certificate x509-ca.pem
+@end example
 
-@anchor{certtool pgp-ring-info}
-@subsubheading pgp-ring-info option
+To create a CRL that contains some revoked certificates, place the
+certificates in a file and use @code{--load-certificate} as follows:
 
-This is the ``print information on the given openpgp keyring structure'' option.
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
+  --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
+@end example
 
+To verify a Certificate Revocation List (CRL) do:
 
-@anchor{certtool pkcs8}
-@subsubheading pkcs8 option (-8)
+@example
+$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
+@end example
 
-This is the ``use pkcs #8 format for private keys'' option.
+@anchor{certtool Files}
+@subsubheading certtool Files
+@subsubheading Certtool's template file format
+A template file can be used to avoid the interactive questions of
+certtool. Initially create a file named 'cert.cfg' that contains the information
+about the certificate. The template can be used as below:
 
+@example
+$ certtool --generate-certificate cert.pem --load-privkey key.pem  \
+   --template cert.cfg \
+   --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+@end example
 
-@anchor{certtool pkcs-cipher}
-@subsubheading pkcs-cipher option
+An example certtool template file that can be used to generate a certificate
+request or a self signed certificate follows.
 
-This is the ``cipher to use for pkcs #8 and #12 operations'' option.
-Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
+@example
+# X.509 Certificate options
+#
+# DN options
 
-@anchor{certtool pubkey-info}
-@subsubheading pubkey-info option
+# The organization of the subject.
+organization = "Koko inc."
 
-This is the ``print information on a public key'' option.
-The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
+# The organizational unit of the subject.
+unit = "sleeping dept."
 
-@anchor{certtool rsa}
-@subsubheading rsa option
+# The locality of the subject.
+# locality =
 
-This is the ``generate rsa key'' option.
-When combined with --generate-privkey generates an RSA private key.
+# The state of the certificate owner.
+state = "Attiki"
 
-@anchor{certtool sec-param}
-@subsubheading sec-param option
+# The country of the subject. Two letter code.
+country = GR
 
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
-This is alternative to the bits option.
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
 
-@anchor{certtool smime-to-p7}
-@subsubheading smime-to-p7 option
+# A user id of the certificate owner.
+#uid = "clauper"
 
-This is the ``convert s/mime to pkcs #7 structure'' option.
+# Set domain components
+#dc = "name"
+#dc = "domain"
 
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = 2.5.4.12 Dr. 
+#dn_oid = 2.5.4.65 jackal
 
-@anchor{certtool template}
-@subsubheading template option
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@@none.org"
 
-This is the ``template file to use for non-interactive operation'' option.
+# The serial number of the certificate
+serial = 007
 
+# In how many days, counting from today, this certificate will expire.
+expiration_days = 700
 
-@anchor{certtool to-p12}
-@subsubheading to-p12 option
+# X.509 v3 extensions
 
-This is the ``generate a pkcs #12 structure'' option.
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-certificate.
-@end itemize
+# A subject alternative name URI
+#uri = "http://www.example.com"
 
-It requires a certificate, a private key and possibly a CA certificate to be specified.
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
 
-@anchor{certtool to-p8}
-@subsubheading to-p8 option
+# An email in case of a person
+email = "none@@none.org"
 
-This is the ``generate a pkcs #8 structure'' option.
+# Challenge password used in certificate requests
+challenge_password = 123456
 
+# Password when encrypting a private key
+#password = secret
 
-@anchor{certtool update-certificate}
-@subsubheading update-certificate option (-u)
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "http://www.getcrl.crl/getcrl/"
 
-This is the ``update a signed certificate'' option.
+# Whether this is a CA certificate or not
+#ca
 
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
 
-@anchor{certtool v1}
-@subsubheading v1 option
+### Other predefined key purpose OIDs
 
-This is the ``generate an x.509 version 1 certificate (with no extensions)'' option.
+# Whether this certificate will be used for a TLS client
+#tls_www_client
 
+# Whether this certificate will be used for a TLS server
+#tls_www_server
 
-@anchor{certtool verbose}
-@subsubheading verbose option (-V)
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
 
-This is the ``more verbose output'' option.
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
+# Whether this key will be used to sign other certificates.
+#cert_signing_key
 
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
 
+# Whether this key will be used to sign code.
+#code_signing_key
 
-@anchor{certtool verify}
-@subsubheading verify option
+# Whether this key will be used to sign OCSP data.
+#ocsp_signing_key
 
-This is the ``verify a pem encoded certificate chain using a trusted list.'' option.
+# Whether this key will be used for time stamping.
+#time_stamping_key
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-ca-certificate.
-@end itemize
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
 
-The trusted certificate list must be loaded with --load-ca-certificate.
+### end of key purpose OIDs
 
-@anchor{certtool verify-chain}
-@subsubheading verify-chain option (-e)
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+#honor_crq_extensions
 
-This is the ``verify a pem encoded certificate chain.'' option.
-The last certificate in the chain must be a self signed one.
+# Path length contraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
 
-@anchor{certtool verify-crl}
-@subsubheading verify-crl option
+# OCSP URI
+# ocsp_uri = http://my.ocsp.server/ocsp
 
-This is the ``verify a crl using a trusted list.'' option.
+# CA issuers URI
+# ca_issuers_uri = http://my.ca.issuer
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-ca-certificate.
-@end itemize
+# Certificate policies
+# policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+# policy1_txt = "This is a long policy to summarize"
+# policy1_url = http://www.example.com/a-policy-to-read
 
-The trusted certificate list must be loaded with --load-ca-certificate.
+# policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+# policy2_txt = "This is a short policy"
+# policy2_url = http://www.example.com/another-policy-to-read
 
-@anchor{certtool exit status}
-@subsubheading certtool exit status
 
-One of the following exit values will be returned:
-@table @samp
-@item 0
-Successful program execution.
-@item 1
-The operation failed or the command syntax was not valid.
-@end table
+# Options for proxy certificates
+# proxy_policy_language = 1.3.6.1.5.5.7.21.1
 
 
-@anchor{certtool See Also}
-@subsubheading certtool See Also
+# Options for generating a CRL
 
+# next CRL update will be in 43 days (wow)
+#crl_next_update = 43
 
-@anchor{certtool Examples}
-@subsubheading certtool Examples
+# this is the 5th CRL by this CA
+#crl_number = 5
 
+@end example
 
-@anchor{certtool Files}
-@subsubheading certtool Files
 
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index b7c19b6754..57df08a258 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -6,23 +6,30 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-danetool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:05:12 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:08:02 PM by AutoGen 5.16
 # From the definitions    ../src/danetool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Tool to generate DNS resource records for the DANE protocol.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{danetool usage}
-@subsubheading danetool usage help (-?)
+@subsubheading danetool help/usage (-h)
+@cindex danetool help
 
-This is the automatically generated usage text for danetool:
+This is the automatically generated usage text for danetool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -71,36 +78,42 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{danetool ca}
-@subsubheading ca option
-
-This is the ``whether the provided certificate or public key is a certificate authority.'' option.
-Marks the DANE RR as a CA certificate if specified.
-
-@anchor{danetool check}
-@subsubheading check option
-
-This is the ``check a host's dane tlsa entry.'' option.
-Obtains the DANE TLSA entry from the given hostname and prints information.
-
 @anchor{danetool debug}
 @subsubheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
+@anchor{danetool load-pubkey}
+@subsubheading load-pubkey option
 
+This is the ``loads a public key file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
+@anchor{danetool load-certificate}
+@subsubheading load-certificate option
+
+This is the ``loads a certificate file'' option.
+This option takes an argument string.
+This can be either a file or a PKCS #11 URL
 @anchor{danetool hash}
 @subsubheading hash option
 
 This is the ``hash algorithm to use for signing.'' option.
+This option takes an argument string.
 Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
+@anchor{danetool check}
+@subsubheading check option
 
-@anchor{danetool host}
-@subsubheading host option
-
-This is the ``specify the hostname to be used in the dane rr'' option.
-This command sets the hostname for the DANE RR.
+This is the ``check a host's dane tlsa entry.'' option.
+This option takes an argument string.
+Obtains the DANE TLSA entry from the given hostname and prints information.
+@anchor{danetool local-dns}
+@subsubheading local-dns option
 
+This is the ``use the local dns server for dnssec resolving.'' option.
+This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.
 @anchor{danetool inder}
 @subsubheading inder option
 
@@ -108,67 +121,18 @@ This is the ``use der format for input certificates and private keys.'' option.
 The input files will be assumed to be in DER or RAW format. 
 Unlike options that in PEM input would allow multiple input data (e.g. multiple 
 certificates), when reading in DER format a single data structure is read.
-
-@anchor{danetool infile}
-@subsubheading infile option
-
-This is the ``input file'' option.
-
-
 @anchor{danetool inraw}
 @subsubheading inraw option
 
-This is the ``'' option.
-This option has no @samp{doc} documentation.
-
-@anchor{danetool load-certificate}
-@subsubheading load-certificate option
-
-This is the ``loads a certificate file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{danetool load-pubkey}
-@subsubheading load-pubkey option
-
-This is the ``loads a public key file'' option.
-This can be either a file or a PKCS #11 URL
-
-@anchor{danetool local}
-@subsubheading local option
-
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
-
-@anchor{danetool local-dns}
-@subsubheading local-dns option
-
-This is the ``use the local dns server for dnssec resolving.'' option.
-This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.
-
-@anchor{danetool outfile}
-@subsubheading outfile option
-
-This is the ``output file'' option.
-
-
-@anchor{danetool port}
-@subsubheading port option
-
-This is the ``specify the port number for the dane data.'' option.
-
-
-@anchor{danetool proto}
-@subsubheading proto option
-
-This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
-This command specifies the protocol for the service set in the DANE data.
+This is an alias for the inder option,
+@pxref{danetool inder, the inder option documentation}.
 
 @anchor{danetool tlsa-rr}
 @subsubheading tlsa-rr option
 
 This is the ``print the dane rr data on a certificate or public key'' option.
 
+@noindent
 This option has some usage constraints.  It:
 @itemize @bullet
 @item
@@ -177,42 +141,80 @@ host.
 @end itemize
 
 This command prints the DANE RR data needed to enable DANE on a DNS server.
+@anchor{danetool host}
+@subsubheading host option
 
-@anchor{danetool verbose}
-@subsubheading verbose option (-V)
-
-This is the ``more verbose output'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
-
+This is the ``specify the hostname to be used in the dane rr'' option.
+This option takes an argument string @file{Hostname}.
+This command sets the hostname for the DANE RR.
+@anchor{danetool proto}
+@subsubheading proto option
 
+This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
+This option takes an argument string @file{Protocol}.
+This command specifies the protocol for the service set in the DANE data.
+@anchor{danetool ca}
+@subsubheading ca option
 
+This is the ``whether the provided certificate or public key is a certificate authority.'' option.
+Marks the DANE RR as a CA certificate if specified.
 @anchor{danetool x509}
 @subsubheading x509 option
 
 This is the ``use the hash of the x.509 certificate, rather than the public key.'' option.
 This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
+@anchor{danetool local}
+@subsubheading local option
 
+This is the ``the provided certificate or public key is a local entity.'' option.
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
 @anchor{danetool exit status}
 @subsubheading danetool exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{danetool See Also}
 @subsubheading danetool See Also
-
+    certtool (1)
 
 @anchor{danetool Examples}
 @subsubheading danetool Examples
+@subsubheading DANE TLSA RR generation
+
+To create a DANE TLSA resource record for a CA signed certificate use the following commands.
+
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
+@end example
+
+For a self signed certificate use:
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+  --local
+@end example
+
+The latter is useful to add in your DNS entry even if your certificate is signed 
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
+In order to create a record for the signer of your certificate use:
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+  --ca
+@end example
+
+To read a server's DANE TLSA entry, use:
+@example
+$ danetool --check www.example.com --proto tcp --port 443
+@end example
+
+To verify a server's DANE TLSA entry, use:
+@example
+$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
+@end example
 
diff --git a/doc/invoke-gnutls-cli-debug.texi b/doc/invoke-gnutls-cli-debug.texi
index 791866f4a7..f930641df6 100644
--- a/doc/invoke-gnutls-cli-debug.texi
+++ b/doc/invoke-gnutls-cli-debug.texi
@@ -6,11 +6,12 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-cli-debug.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:00:36 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:52 PM by AutoGen 5.16
 # From the definitions    ../src/cli-debug-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 TLS debug client. It sets up multiple TLS connections to 
 a server and queries its capabilities. It was created to assist in debugging 
 GnuTLS, but it might be useful to extract a TLS server's capabilities.
@@ -20,14 +21,20 @@ Can be used to check for servers with special needs or bugs.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli-debug} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{gnutls-cli-debug usage}
-@subheading gnutls-cli-debug usage help (-?)
+@subheading gnutls-cli-debug help/usage (-h)
+@cindex gnutls-cli-debug help
 
-This is the automatically generated usage text for gnutls-cli-debug:
+This is the automatically generated usage text for gnutls-cli-debug.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -67,41 +74,69 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @subheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
-
-@anchor{gnutls-cli-debug port}
-@subheading port option (-p)
-
-This is the ``the port to connect to'' option.
-
-
-@anchor{gnutls-cli-debug verbose}
-@subheading verbose option (-V)
-
-This is the ``more verbose output'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
-
 @anchor{gnutls-cli-debug exit status}
 @subheading gnutls-cli-debug exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{gnutls-cli-debug See Also}
 @subheading gnutls-cli-debug See Also
-
+gnutls-cli(1), gnutls-serv(1)
 
 @anchor{gnutls-cli-debug Examples}
 @subheading gnutls-cli-debug Examples
+@example
+$ ../src/gnutls-cli-debug localhost
+Resolving 'localhost'...
+Connecting to '127.0.0.1:443'...
+Checking for SSL 3.0 support... yes
+Checking whether %COMPAT is required... no
+Checking for TLS 1.0 support... yes
+Checking for TLS 1.1 support... no
+Checking fallback from TLS 1.1 to... TLS 1.0
+Checking for TLS 1.2 support... no
+Checking whether we need to disable TLS 1.0... N/A
+Checking for Safe renegotiation support... yes
+Checking for Safe renegotiation support (SCSV)... yes
+Checking for HTTPS server name... not checked
+Checking for version rollback bug in RSA PMS... no
+Checking for version rollback bug in Client Hello... no
+Checking whether the server ignores the RSA PMS version... no
+Checking whether the server can accept Hello Extensions... yes
+Checking whether the server can accept small records (512 bytes)... yes
+Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
+Checking whether the server can accept a bogus TLS record version in the client hello... yes
+Checking for certificate information... N/A
+Checking for trusted CAs... N/A
+Checking whether the server understands TLS closure alerts... partially
+Checking whether the server supports session resumption... yes
+Checking for export-grade ciphersuite support... no
+Checking RSA-export ciphersuite info... N/A
+Checking for anonymous authentication support... no
+Checking anonymous Diffie-Hellman group info... N/A
+Checking for ephemeral Diffie-Hellman support... no
+Checking ephemeral Diffie-Hellman group info... N/A
+Checking for ephemeral EC Diffie-Hellman support... yes
+Checking ephemeral EC Diffie-Hellman group info...
+ Curve SECP256R1 
+Checking for AES-GCM cipher support... no
+Checking for AES-CBC cipher support... yes
+Checking for CAMELLIA cipher support... no
+Checking for 3DES-CBC cipher support... yes
+Checking for ARCFOUR 128 cipher support... yes
+Checking for ARCFOUR 40 cipher support... no
+Checking for MD5 MAC support... yes
+Checking for SHA1 MAC support... yes
+Checking for SHA256 MAC support... no
+Checking for ZLIB compression support... no
+Checking for max record size... no
+Checking for OpenPGP authentication support... no
+@end example
 
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index 950c2d91dd..f268c7690e 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -6,24 +6,31 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-cli.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:00:35 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:50 PM by AutoGen 5.16
 # From the definitions    ../src/cli-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Simple client program to set up a TLS connection to some other computer. 
 It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{gnutls-cli usage}
-@subheading gnutls-cli usage help (-?)
+@subheading gnutls-cli help/usage (-h)
+@cindex gnutls-cli help
 
-This is the automatically generated usage text for gnutls-cli:
+This is the automatically generated usage text for gnutls-cli.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -107,49 +114,17 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{gnutls-cli benchmark-ciphers}
-@subheading benchmark-ciphers option
-
-This is the ``benchmark individual ciphers'' option.
-
-
-@anchor{gnutls-cli benchmark-soft-ciphers}
-@subheading benchmark-soft-ciphers option
-
-This is the ``benchmark individual software ciphers (no hw acceleration)'' option.
-
-
-@anchor{gnutls-cli benchmark-tls-ciphers}
-@subheading benchmark-tls-ciphers option
-
-This is the ``benchmark tls ciphers'' option.
-
-
-@anchor{gnutls-cli benchmark-tls-kx}
-@subheading benchmark-tls-kx option
-
-This is the ``benchmark tls key exchange methods'' option.
-
-
-@anchor{gnutls-cli ca-verification}
-@subheading ca-verification option
-
-This is the ``disable ca certificate verification'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-is enabled by default.
-@end itemize
-
-This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.
-
-@anchor{gnutls-cli crlf}
-@subheading crlf option
-
-This is the ``send cr lf instead of lf'' option.
+@anchor{gnutls-cli debug}
+@subheading debug option (-d)
 
+This is the ``enable debugging.'' option.
+This option takes an argument number.
+Specifies the debug level.
+@anchor{gnutls-cli tofu}
+@subheading tofu option
 
+This is the ``enable trust on first use authentication'' option.
+This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.
 @anchor{gnutls-cli dane}
 @subheading dane option
 
@@ -157,245 +132,124 @@ This is the ``enable dane certificate verification (dnssec)'' option.
 This option will, in addition to certificate authentication using 
 the trusted CAs, verify the server certificates using on the DANE information
 available via DNSSEC.
-
-@anchor{gnutls-cli debug}
-@subheading debug option (-d)
-
-This is the ``enable debugging.'' option.
-Specifies the debug level.
-
-@anchor{gnutls-cli dh-bits}
-@subheading dh-bits option
-
-This is the ``the minimum number of bits allowed for dh'' option.
-This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.
-
-@anchor{gnutls-cli disable-extensions}
-@subheading disable-extensions option
-
-This is the ``disable all the tls extensions'' option.
-This option disables all TLS extensions. Deprecated option. Use the priority string.
-
-@anchor{gnutls-cli fingerprint}
-@subheading fingerprint option (-f)
-
-This is the ``send the openpgp fingerprint, instead of the key'' option.
-
-
-@anchor{gnutls-cli heartbeat}
-@subheading heartbeat option (-b)
-
-This is the ``activate heartbeat support'' option.
-
-
-@anchor{gnutls-cli insecure}
-@subheading insecure option
-
-This is the ``don't abort program if server certificate can't be validated'' option.
-
-
-@anchor{gnutls-cli list}
-@subheading list option (-l)
-
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
-
 @anchor{gnutls-cli local-dns}
 @subheading local-dns option
 
 This is the ``use the local dns server for dnssec resolving.'' option.
 This option will use the local DNS server for DNSSEC.
 This is disabled by default due to many servers not allowing DNSSEC.
+@anchor{gnutls-cli ca-verification}
+@subheading ca-verification option
 
-@anchor{gnutls-cli mtu}
-@subheading mtu option
-
-This is the ``set mtu for datagram tls'' option.
-
-
-@anchor{gnutls-cli noticket}
-@subheading noticket option
-
-This is the ``don't accept session tickets'' option.
+This is the ``disable ca certificate verification'' option.
 
+@noindent
+This option has some usage constraints.  It:
+@itemize @bullet
+@item
+is enabled by default.
+@end itemize
 
+This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.
 @anchor{gnutls-cli ocsp}
 @subheading ocsp option
 
 This is the ``enable ocsp certificate verification'' option.
 This option will enable verification of the peer's certificate using ocsp
-
-@anchor{gnutls-cli pgpcertfile}
-@subheading pgpcertfile option
-
-This is the ``pgp public key (certificate) file to use'' option.
-
-
-@anchor{gnutls-cli pgpkeyfile}
-@subheading pgpkeyfile option
-
-This is the ``pgp key file to use'' option.
-
-
-@anchor{gnutls-cli pgpkeyring}
-@subheading pgpkeyring option
-
-This is the ``pgp key ring file to use'' option.
-
-
-@anchor{gnutls-cli pgpsubkey}
-@subheading pgpsubkey option
-
-This is the ``pgp subkey to use (hex or auto)'' option.
-
-
-@anchor{gnutls-cli port}
-@subheading port option (-p)
-
-This is the ``the port or service to connect to'' option.
-
-
-@anchor{gnutls-cli print-cert}
-@subheading print-cert option
-
-This is the ``print peer's certificate in pem format'' option.
-
-
-@anchor{gnutls-cli priority}
-@subheading priority option
-
-This is the ``priorities string'' option.
-TLS algorithms and protocols to enable. You can
-use predefined sets of ciphersuites such as PERFORMANCE,
-NORMAL, SECURE128, SECURE256.
-
-Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
-information on allowed keywords
-
-@anchor{gnutls-cli pskkey}
-@subheading pskkey option
-
-This is the ``psk key (in hex) to use'' option.
-
-
-@anchor{gnutls-cli pskusername}
-@subheading pskusername option
-
-This is the ``psk username to use'' option.
-
-
-@anchor{gnutls-cli recordsize}
-@subheading recordsize option
-
-This is the ``the maximum record size to advertize'' option.
-
-
-@anchor{gnutls-cli rehandshake}
-@subheading rehandshake option (-e)
-
-This is the ``establish a session and rehandshake'' option.
-Connect, establish a session and rehandshake immediately.
-
 @anchor{gnutls-cli resume}
 @subheading resume option (-r)
 
 This is the ``establish a session and resume'' option.
 Connect, establish a session, reconnect and resume.
+@anchor{gnutls-cli rehandshake}
+@subheading rehandshake option (-e)
 
-@anchor{gnutls-cli srppasswd}
-@subheading srppasswd option
-
-This is the ``srp password to use'' option.
-
-
-@anchor{gnutls-cli srpusername}
-@subheading srpusername option
-
-This is the ``srp username to use'' option.
-
-
-@anchor{gnutls-cli srtp-profiles}
-@subheading srtp-profiles option
-
-This is the ``offer srtp profiles'' option.
-
-
+This is the ``establish a session and rehandshake'' option.
+Connect, establish a session and rehandshake immediately.
 @anchor{gnutls-cli starttls}
 @subheading starttls option (-s)
 
 This is the ``connect, establish a plain session and start tls.'' option.
 The TLS session will be initiated when EOF or a SIGALRM is received.
+@anchor{gnutls-cli disable-extensions}
+@subheading disable-extensions option
 
-@anchor{gnutls-cli tofu}
-@subheading tofu option
-
-This is the ``enable trust on first use authentication'' option.
-This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.
-
-@anchor{gnutls-cli udp}
-@subheading udp option (-u)
-
-This is the ``use dtls (datagram tls) over udp'' option.
-
-
-@anchor{gnutls-cli verbose}
-@subheading verbose option (-V)
-
-This is the ``more verbose output'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
-
-
-
-@anchor{gnutls-cli x509cafile}
-@subheading x509cafile option
-
-This is the ``certificate file or pkcs #11 url to use'' option.
-
-
-@anchor{gnutls-cli x509certfile}
-@subheading x509certfile option
-
-This is the ``x.509 certificate file or pkcs #11 url to use'' option.
-
-
-@anchor{gnutls-cli x509crlfile}
-@subheading x509crlfile option
-
-This is the ``crl file to use'' option.
-
-
-@anchor{gnutls-cli x509fmtder}
-@subheading x509fmtder option
-
-This is the ``use der format for certificates to read from'' option.
+This is the ``disable all the tls extensions'' option.
+This option disables all TLS extensions. Deprecated option. Use the priority string.
+@anchor{gnutls-cli dh-bits}
+@subheading dh-bits option
 
+This is the ``the minimum number of bits allowed for dh'' option.
+This option takes an argument number.
+This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.
+@anchor{gnutls-cli priority}
+@subheading priority option
 
-@anchor{gnutls-cli x509keyfile}
-@subheading x509keyfile option
+This is the ``priorities string'' option.
+This option takes an argument string.
+TLS algorithms and protocols to enable. You can
+use predefined sets of ciphersuites such as PERFORMANCE,
+NORMAL, SECURE128, SECURE256.
 
-This is the ``x.509 key file or pkcs #11 url to use'' option.
+Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
+information on allowed keywords
+@anchor{gnutls-cli list}
+@subheading list option (-l)
 
+This is the ``print a list of the supported algorithms and modes'' option.
+Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
 @anchor{gnutls-cli exit status}
 @subheading gnutls-cli exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{gnutls-cli See Also}
 @subheading gnutls-cli See Also
-
+gnutls-cli-debug(1), gnutls-serv(1)
 
 @anchor{gnutls-cli Examples}
 @subheading gnutls-cli Examples
+@subheading Connecting using PSK authentication
+To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below. 
+@example
+$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
+    --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
+    --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+- PSK authentication.
+- Version: TLS1.1
+- Key Exchange: PSK
+- Cipher: AES-128-CBC
+- MAC: SHA1
+- Compression: NULL
+- Handshake was completed
+    
+- Simple Client Mode:
+@end example
+By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake. 
+
+@subheading Listing ciphersuites in a priority string
+To list the ciphersuites in a priority string:
+@example
+$ ./gnutls-cli --priority SECURE192 -l
+Cipher suites for SECURE192
+TLS_ECDHE_ECDSA_AES_256_CBC_SHA384         0xc0, 0x24	TLS1.2
+TLS_ECDHE_ECDSA_AES_256_GCM_SHA384         0xc0, 0x2e	TLS1.2
+TLS_ECDHE_RSA_AES_256_GCM_SHA384           0xc0, 0x30	TLS1.2
+TLS_DHE_RSA_AES_256_CBC_SHA256             0x00, 0x6b	TLS1.2
+TLS_DHE_DSS_AES_256_CBC_SHA256             0x00, 0x6a	TLS1.2
+TLS_RSA_AES_256_CBC_SHA256                 0x00, 0x3d	TLS1.2
+
+Certificate types: CTYPE-X.509
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
+Compression: COMP-NULL
+Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
+PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
+@end example
 
diff --git a/doc/invoke-gnutls-serv.texi b/doc/invoke-gnutls-serv.texi
index c4c2807fbc..cb51df4aad 100644
--- a/doc/invoke-gnutls-serv.texi
+++ b/doc/invoke-gnutls-serv.texi
@@ -6,23 +6,30 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-gnutls-serv.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:00:38 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:53 PM by AutoGen 5.16
 # From the definitions    ../src/serv-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Server program that listens to incoming TLS connections.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{gnutls-serv usage}
-@subheading gnutls-serv usage help (-?)
+@subheading gnutls-serv help/usage (-h)
+@cindex gnutls-serv help
 
-This is the automatically generated usage text for gnutls-serv:
+This is the automatically generated usage text for gnutls-serv.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -96,232 +103,213 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @subheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
-
-@anchor{gnutls-serv dhparams}
-@subheading dhparams option
-
-This is the ``dh params file to use'' option.
-
-
-@anchor{gnutls-serv disable-client-cert}
-@subheading disable-client-cert option (-a)
-
-This is the ``do not request a client certificate'' option.
-
-
-@anchor{gnutls-serv echo}
-@subheading echo option
-
-This is the ``act as an echo server'' option.
-
-
-@anchor{gnutls-serv generate}
-@subheading generate option (-g)
-
-This is the ``generate diffie-hellman and rsa-export parameters'' option.
-
-
 @anchor{gnutls-serv heartbeat}
 @subheading heartbeat option (-b)
 
 This is the ``activate heartbeat support'' option.
 Regularly ping client via heartbeat extension messages
-
-@anchor{gnutls-serv http}
-@subheading http option
-
-This is the ``act as an http server'' option.
-
-
-@anchor{gnutls-serv list}
-@subheading list option (-l)
-
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
-
-@anchor{gnutls-serv mtu}
-@subheading mtu option
-
-This is the ``set mtu for datagram tls'' option.
-
-
-@anchor{gnutls-serv nodb}
-@subheading nodb option
-
-This is the ``do not use a resumption database'' option.
-
-
-@anchor{gnutls-serv noticket}
-@subheading noticket option
-
-This is the ``don't accept session tickets'' option.
-
-
-@anchor{gnutls-serv ocsp-response}
-@subheading ocsp-response option
-
-This is the ``the ocsp response to send to client'' option.
-If the client requested an OCSP response, return data from this file to the client.
-
-@anchor{gnutls-serv pgpcertfile}
-@subheading pgpcertfile option
-
-This is the ``pgp public key (certificate) file to use'' option.
-
-
-@anchor{gnutls-serv pgpkeyfile}
-@subheading pgpkeyfile option
-
-This is the ``pgp key file to use'' option.
-
-
-@anchor{gnutls-serv pgpkeyring}
-@subheading pgpkeyring option
-
-This is the ``pgp key ring file to use'' option.
-
-
-@anchor{gnutls-serv pgpsubkey}
-@subheading pgpsubkey option
-
-This is the ``pgp subkey to use (hex or auto)'' option.
-
-
-@anchor{gnutls-serv port}
-@subheading port option (-p)
-
-This is the ``the port to connect to'' option.
-
-
 @anchor{gnutls-serv priority}
 @subheading priority option
 
 This is the ``priorities string'' option.
+This option takes an argument string.
 TLS algorithms and protocols to enable. You can
 use predefined sets of ciphersuites such as PERFORMANCE,
 NORMAL, SECURE128, SECURE256.
 
 Check  the  GnuTLS  manual  on  section  ``Priority strings'' for more
 information on allowed keywords
+@anchor{gnutls-serv ocsp-response}
+@subheading ocsp-response option
 
-@anchor{gnutls-serv pskhint}
-@subheading pskhint option
-
-This is the ``psk identity hint to use'' option.
-
-
-@anchor{gnutls-serv pskpasswd}
-@subheading pskpasswd option
-
-This is the ``psk password file to use'' option.
-
-
-@anchor{gnutls-serv quiet}
-@subheading quiet option (-q)
-
-This is the ``suppress some messages'' option.
-
-
-@anchor{gnutls-serv require-client-cert}
-@subheading require-client-cert option (-r)
-
-This is the ``require a client certificate'' option.
-
-
-@anchor{gnutls-serv srppasswd}
-@subheading srppasswd option
-
-This is the ``srp password file to use'' option.
-
-
-@anchor{gnutls-serv srppasswdconf}
-@subheading srppasswdconf option
-
-This is the ``srp password configuration file to use'' option.
-
-
-@anchor{gnutls-serv srtp-profiles}
-@subheading srtp-profiles option
-
-This is the ``offer srtp profiles'' option.
-
-
-@anchor{gnutls-serv udp}
-@subheading udp option (-u)
-
-This is the ``use dtls (datagram tls) over udp'' option.
+This is the ``the ocsp response to send to client'' option.
+This option takes an argument file.
+If the client requested an OCSP response, return data from this file to the client.
+@anchor{gnutls-serv list}
+@subheading list option (-l)
 
+This is the ``print a list of the supported algorithms and modes'' option.
+Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
+@anchor{gnutls-serv exit status}
+@subheading gnutls-serv exit status
 
-@anchor{gnutls-serv x509cafile}
-@subheading x509cafile option
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+@anchor{gnutls-serv See Also}
+@subheading gnutls-serv See Also
+gnutls-cli-debug(1), gnutls-cli(1)
 
-This is the ``certificate file or pkcs #11 url to use'' option.
+@anchor{gnutls-serv Examples}
+@subheading gnutls-serv Examples
+Running your own TLS server based on GnuTLS can be useful when
+debugging clients and/or GnuTLS itself.  This section describes how to
+use @code{gnutls-serv} as a simple HTTPS server.
 
+The most basic server can be started as:
 
-@anchor{gnutls-serv x509certfile}
-@subheading x509certfile option
+@example
+gnutls-serv --http
+@end example
 
-This is the ``x.509 certificate file or pkcs #11 url to use'' option.
+It will only support anonymous ciphersuites, which many TLS clients
+refuse to use.
 
+The next step is to add support for X.509.  First we generate a CA:
 
-@anchor{gnutls-serv x509crlfile}
-@subheading x509crlfile option
+@example
+$ certtool --generate-privkey > x509-ca-key.pem
+$ echo 'cn = GnuTLS test CA' > ca.tmpl
+$ echo 'ca' >> ca.tmpl
+$ echo 'cert_signing_key' >> ca.tmpl
+$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
+  --template ca.tmpl --outfile x509-ca.pem
+...
+@end example
 
-This is the ``crl file to use'' option.
+Then generate a server certificate.  Remember to change the dns_name
+value to the name of your server host, or skip that command to avoid
+the field.
 
+@example
+$ certtool --generate-privkey > x509-server-key.pem
+$ echo 'organization = GnuTLS test server' > server.tmpl
+$ echo 'cn = test.gnutls.org' >> server.tmpl
+$ echo 'tls_www_server' >> server.tmpl
+$ echo 'encryption_key' >> server.tmpl
+$ echo 'signing_key' >> server.tmpl
+$ echo 'dns_name = test.gnutls.org' >> server.tmpl
+$ certtool --generate-certificate --load-privkey x509-server-key.pem \
+  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+  --template server.tmpl --outfile x509-server.pem
+...
+@end example
 
-@anchor{gnutls-serv x509dsacertfile}
-@subheading x509dsacertfile option
+For use in the client, you may want to generate a client certificate
+as well.
 
-This is the ``alternative x.509 certificate file or pkcs #11 url to use'' option.
+@example
+$ certtool --generate-privkey > x509-client-key.pem
+$ echo 'cn = GnuTLS test client' > client.tmpl
+$ echo 'tls_www_client' >> client.tmpl
+$ echo 'encryption_key' >> client.tmpl
+$ echo 'signing_key' >> client.tmpl
+$ certtool --generate-certificate --load-privkey x509-client-key.pem \
+  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+  --template client.tmpl --outfile x509-client.pem
+...
+@end example
 
+To be able to import the client key/certificate into some
+applications, you will need to convert them into a PKCS#12 structure.
+This also encrypts the security sensitive key with a password.
 
-@anchor{gnutls-serv x509dsakeyfile}
-@subheading x509dsakeyfile option
+@example
+$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
+  --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
+  --outder --outfile x509-client.p12
+@end example
 
-This is the ``alternative x.509 key file or pkcs #11 url to use'' option.
+For icing, we'll create a proxy certificate for the client too.
 
+@example
+$ certtool --generate-privkey > x509-proxy-key.pem
+$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
+$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
+  --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
+  --load-certificate x509-client.pem --template proxy.tmpl \
+  --outfile x509-proxy.pem
+...
+@end example
 
-@anchor{gnutls-serv x509ecccertfile}
-@subheading x509ecccertfile option
+Then start the server again:
 
-This is the ``alternative x.509 certificate file or pkcs #11 url to use'' option.
+@example
+$ gnutls-serv --http \
+            --x509cafile x509-ca.pem \
+            --x509keyfile x509-server-key.pem \
+            --x509certfile x509-server.pem
+@end example
 
+Try connecting to the server using your web browser.  Note that the
+server listens to port 5556 by default.
 
-@anchor{gnutls-serv x509ecckeyfile}
-@subheading x509ecckeyfile option
+While you are at it, to allow connections using DSA, you can also
+create a DSA key and certificate for the server.  These credentials
+will be used in the final example below.
 
-This is the ``alternative x.509 key file or pkcs #11 url to use'' option.
+@example
+$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
+$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
+  --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+  --template server.tmpl --outfile x509-server-dsa.pem
+...
+@end example
 
+The next step is to create OpenPGP credentials for the server.
 
-@anchor{gnutls-serv x509fmtder}
-@subheading x509fmtder option
+@example
+gpg --gen-key
+...enter whatever details you want, use 'test.gnutls.org' as name...
+@end example
 
-This is the ``use der format for certificates to read from'' option.
+Make a note of the OpenPGP key identifier of the newly generated key,
+here it was @code{5D1D14D8}.  You will need to export the key for
+GnuTLS to be able to use it.
 
+@example
+gpg -a --export 5D1D14D8 > openpgp-server.txt
+gpg --export 5D1D14D8 > openpgp-server.bin
+gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
+gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
+@end example
 
-@anchor{gnutls-serv x509keyfile}
-@subheading x509keyfile option
+Let's start the server with support for OpenPGP credentials:
 
-This is the ``x.509 key file or pkcs #11 url to use'' option.
+@example
+gnutls-serv --http \
+            --pgpkeyfile openpgp-server-key.txt \
+            --pgpcertfile openpgp-server.txt
+@end example
 
-@anchor{gnutls-serv exit status}
-@subheading gnutls-serv exit status
+The next step is to add support for SRP authentication. This requires
+an SRP password file created with @code{srptool}.
+To start the server with SRP support:
 
-One of the following exit values will be returned:
-@table @samp
-@item 0
-Successful program execution.
-@item 1
-The operation failed or the command syntax was not valid.
-@end table
+@example
+gnutls-serv --http \
+            --srppasswdconf srp-tpasswd.conf \
+            --srppasswd srp-passwd.txt
+@end example
 
+Let's also start a server with support for PSK. This would require
+a password file created with @code{psktool}.
 
-@anchor{gnutls-serv See Also}
-@subheading gnutls-serv See Also
+@example
+gnutls-serv --http \
+            --pskpasswd psk-passwd.txt
+@end example
 
+Finally, we start the server with all the earlier parameters and you
+get this command:
 
-@anchor{gnutls-serv Examples}
-@subheading gnutls-serv Examples
+@example
+gnutls-serv --http \
+            --x509cafile x509-ca.pem \
+            --x509keyfile x509-server-key.pem \
+            --x509certfile x509-server.pem \
+            --x509dsakeyfile x509-server-key-dsa.pem \
+            --x509dsacertfile x509-server-dsa.pem \
+            --pgpkeyfile openpgp-server-key.txt \
+            --pgpcertfile openpgp-server.txt \
+            --srppasswdconf srp-tpasswd.conf \
+            --srppasswd srp-passwd.txt \
+            --pskpasswd psk-passwd.txt
+@end example
 
diff --git a/doc/invoke-ocsptool.texi b/doc/invoke-ocsptool.texi
index a4f9b95ba5..c2f87d277c 100644
--- a/doc/invoke-ocsptool.texi
+++ b/doc/invoke-ocsptool.texi
@@ -6,25 +6,32 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-ocsptool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:05:09 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:57 PM by AutoGen 5.16
 # From the definitions    ../src/ocsptool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Ocsptool is a program that can parse and print information about
 OCSP requests/responses, generate requests and verify responses.
 
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{ocsptool usage}
-@subsubheading ocsptool usage help (-?)
+@subsubheading ocsptool help/usage (-h)
+@cindex ocsptool help
 
-This is the automatically generated usage text for ocsptool:
+This is the automatically generated usage text for ocsptool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -83,11 +90,19 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
+@anchor{ocsptool debug}
+@subsubheading debug option (-d)
+
+This is the ``enable debugging.'' option.
+This option takes an argument number.
+Specifies the debug level.
 @anchor{ocsptool ask}
 @subsubheading ask option
 
 This is the ``ask an ocsp/http server on a certificate validity'' option.
+This option takes an optional argument string @file{server name|url}.
 
+@noindent
 This option has some usage constraints.  It:
 @itemize @bullet
 @item
@@ -96,141 +111,149 @@ load-cert, load-issuer.
 @end itemize
 
 Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
+@anchor{ocsptool exit status}
+@subsubheading ocsptool exit status
 
-@anchor{ocsptool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging.'' option.
-Specifies the debug level.
-
-@anchor{ocsptool generate-request}
-@subsubheading generate-request option (-q)
-
-This is the ``generate an ocsp request'' option.
-
-
-@anchor{ocsptool inder}
-@subsubheading inder option
-
-This is the ``use der format for input certificates and private keys'' option.
-
-
-@anchor{ocsptool infile}
-@subsubheading infile option
-
-This is the ``input file'' option.
-
-
-@anchor{ocsptool load-cert}
-@subsubheading load-cert option
-
-This is the ``read certificate to check from file'' option.
-
-
-@anchor{ocsptool load-issuer}
-@subsubheading load-issuer option
-
-This is the ``read issuer certificate from file'' option.
-
-
-@anchor{ocsptool load-request}
-@subsubheading load-request option (-Q)
-
-This is the ``read der encoded ocsp request from file'' option.
-
-
-@anchor{ocsptool load-response}
-@subsubheading load-response option (-S)
-
-This is the ``read der encoded ocsp response from file'' option.
-
-
-@anchor{ocsptool load-signer}
-@subsubheading load-signer option
-
-This is the ``read ocsp response signer from file'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-load-trust.
-@end itemize
-
-
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+@anchor{ocsptool See Also}
+@subsubheading ocsptool See Also
+    certtool (1)
 
-@anchor{ocsptool load-trust}
-@subsubheading load-trust option
+@anchor{ocsptool Examples}
+@subsubheading ocsptool Examples
+@subsubheading Print information about an OCSP request
 
-This is the ``read ocsp trust anchors from file'' option.
+To parse an OCSP request and print information about the content, the
+@code{-i} or @code{--request-info} parameter may be used as follows.
+The @code{-Q} parameter specify the name of the file containing the
+OCSP request, and it should contain the OCSP request in binary DER
+format.
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-load-signer.
-@end itemize
+@example
+$ ocsptool -i -Q ocsp-request.der
+@end example
 
+The input file may also be sent to standard input like this:
 
+@example
+$ cat ocsp-request.der | ocsptool --request-info
+@end example
 
-@anchor{ocsptool nonce}
-@subsubheading nonce option
+@subsubheading Print information about an OCSP response
 
-This is the ``don't add nonce to ocsp request'' option.
+Similar to parsing OCSP requests, OCSP responses can be parsed using
+the @code{-j} or @code{--response-info} as follows.
 
+@example
+$ ocsptool -j -Q ocsp-response.der
+$ cat ocsp-response.der | ocsptool --response-info
+@end example
 
-@anchor{ocsptool outfile}
-@subsubheading outfile option
+@subsubheading Generate an OCSP request
 
-This is the ``output file'' option.
+The @code{-q} or @code{--generate-request} parameters are used to
+generate an OCSP request.  By default the OCSP request is written to
+standard output in binary DER format, but can be stored in a file
+using @code{--outfile}.  To generate an OCSP request the issuer of the
+certificate to check needs to be specified with @code{--load-issuer}
+and the certificate to check with @code{--load-cert}.  By default PEM
+format is used for these files, although @code{--inder} can be used to
+specify that the input files are in DER format.
 
+@example
+$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
+           --outfile ocsp-request.der
+@end example
 
-@anchor{ocsptool request-info}
-@subsubheading request-info option (-i)
+When generating OCSP requests, the tool will add an OCSP extension
+containing a nonce.  This behaviour can be disabled by specifying
+@code{--no-nonce}.
 
-This is the ``print information on a ocsp request'' option.
+@subsubheading Verify signature in OCSP response
 
+To verify the signature in an OCSP response the @code{-e} or
+@code{--verify-response} parameter is used.  The tool will read an
+OCSP response in DER format from standard input, or from the file
+specified by @code{--load-response}.  The OCSP response is verified
+against a set of trust anchors, which are specified using
+@code{--load-trust}.  The trust anchors are concatenated certificates
+in PEM format.  The certificate that signed the OCSP response needs to
+be in the set of trust anchors, or the issuer of the signer
+certificate needs to be in the set of trust anchors and the OCSP
+Extended Key Usage bit has to be asserted in the signer certificate.
 
-@anchor{ocsptool response-info}
-@subsubheading response-info option (-j)
+@example
+$ ocsptool -e --load-trust issuer.pem \
+           --load-response ocsp-response.der
+@end example
 
-This is the ``print information on a ocsp response'' option.
+The tool will print status of verification.
 
+@subsubheading Verify signature in OCSP response against given certificate
 
-@anchor{ocsptool verbose}
-@subsubheading verbose option (-V)
+It is possible to override the normal trust logic if you know that a
+certain certificate is supposed to have signed the OCSP response, and
+you want to use it to check the signature.  This is achieved using
+@code{--load-signer} instead of @code{--load-trust}.  This will load
+one certificate and it will be used to verify the signature in the
+OCSP response.  It will not check the Extended Key Usage bit.
 
-This is the ``more verbose output'' option.
+@example
+$ ocsptool -e --load-signer ocsp-signer.pem \
+           --load-response ocsp-response.der
+@end example
 
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
+This approach is normally only relevant in two situations.  The first
+is when the OCSP response does not contain a copy of the signer
+certificate, so the @code{--load-trust} code would fail.  The second
+is if you want to avoid the indirect mode where the OCSP response
+signer certificate is signed by a trust anchor.
 
+@subsubheading Real-world example
 
+Here is an example of how to generate an OCSP request for a
+certificate and to verify the response.  For illustration we'll use
+the @code{blog.josefsson.org} host, which (as of writing) uses a
+certificate from CACert.  First we'll use @code{gnutls-cli} to get a
+copy of the server certificate chain.  The server is not required to
+send this information, but this particular one is configured to do so.
 
-@anchor{ocsptool verify-response}
-@subsubheading verify-response option (-e)
+@example
+$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
+@end example
 
-This is the ``verify response'' option.
+Use a text editor on @code{chain.pem} to create three files for each
+separate certificates, called @code{cert.pem} for the first
+certificate for the domain itself, secondly @code{issuer.pem} for the
+intermediate certificate and @code{root.pem} for the final root
+certificate.
 
-@anchor{ocsptool exit status}
-@subsubheading ocsptool exit status
+The domain certificate normally contains a pointer to where the OCSP
+responder is located, in the Authority Information Access Information
+extension.  For example, from @code{certtool -i < cert.pem} there is
+this information:
 
-One of the following exit values will be returned:
-@table @samp
-@item 0
-Successful program execution.
-@item 1
-The operation failed or the command syntax was not valid.
-@end table
+@example
+Authority Information Access Information (not critical):
+Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
+Access Location URI: http://ocsp.CAcert.org/
+@end example
 
+This means the CA support OCSP queries over HTTP.  We are now ready to
+create a OCSP request for the certificate.
 
-@anchor{ocsptool See Also}
-@subsubheading ocsptool See Also
+@example
+$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \
+           --load-cert cert.pem --outfile ocsp-response.der
+@end example
 
+The request is sent via HTTP to the OCSP server address specified. If the
+address is ommited ocsptool will use the address stored in the certificate.
 
-@anchor{ocsptool Examples}
-@subsubheading ocsptool Examples
 
diff --git a/doc/invoke-p11tool.texi b/doc/invoke-p11tool.texi
index 688461a46b..278e1aa302 100644
--- a/doc/invoke-p11tool.texi
+++ b/doc/invoke-p11tool.texi
@@ -6,11 +6,12 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-p11tool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:00:45 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:59 PM by AutoGen 5.16
 # From the definitions    ../src/p11tool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Program that allows handling data from PKCS #11 smart cards
 and security modules. 
 
@@ -20,176 +21,122 @@ To use PKCS #11 tokens with gnutls the configuration file
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{p11tool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{p11tool usage}
-@subsubheading p11tool usage help (-?)
+@subsubheading p11tool help/usage (-h)
+@cindex p11tool help
 
-This is the automatically generated usage text for p11tool:
+This is the automatically generated usage text for p11tool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
-p11tool is unavailable - no --help
+p11tool - GnuTLS PKCS #11 tool - Ver. @@VERSION@@
+USAGE:  p11tool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [url]
+
+   -d, --debug=num            Enable debugging.
+                                - It must be in the range:
+                                  0 to 9999
+       --outfile=str          Output file
+       --list-tokens          List all available tokens
+       --export               Export the object specified by the URL
+       --list-mechanisms      List all available mechanisms in a token
+       --list-all             List all available objects in a token
+       --list-all-certs       List all available certificates in a token
+       --list-certs           List all certificates that have an associated private key
+       --list-all-privkeys    List all available private keys in a token
+       --list-all-trusted     List all available certificates marked as trusted
+       --initialize           Initializes a PKCS #11 token
+       --write                Writes the loaded objects to a PKCS #11 token
+       --delete               Deletes the objects matching the PKCS #11 URL
+       --generate-rsa         Generate an RSA private-public key pair
+       --generate-dsa         Generate an RSA private-public key pair
+       --generate-ecc         Generate an RSA private-public key pair
+       --label=str            Sets a label for the write operation
+       --trusted              Marks the object to be written as trusted
+                                - disabled as --no-trusted
+       --private              Marks the object to be written as private
+                                - disabled as --no-private
+                                - enabled by default
+       --login                Force login to token
+                                - disabled as --no-login
+       --detailed-url         Print detailed URLs
+                                - disabled as --no-detailed-url
+       --secret-key=str       Provide a hex encoded secret key
+       --load-privkey=file    Private key file to use
+                                - file must pre-exist
+       --load-pubkey=file     Public key file to use
+                                - file must pre-exist
+       --load-certificate=file Certificate file to use
+                                - file must pre-exist
+   -8, --pkcs8                Use PKCS #8 format for private keys
+       --bits=num             Specify the number of bits for key generate
+       --sec-param=str        Specify the security level
+       --inder                Use DER/RAW format for input
+                                - disabled as --no-inder
+       --inraw                This is an alias for 'inder'
+       --provider=file        Specify the PKCS #11 provider library
+                                - file must pre-exist
+   -v, --version[=arg]        Output version information and exit
+   -h, --help                 Display extended usage information and exit
+   -!, --more-help            Extended usage information passed thru pager
+
+Options are specified by doubled hyphens and their name or by a single
+hyphen and the flag character.
+Operands and options may be intermixed.  They will be reordered.
+
+
+
+Program that allows handling data from PKCS #11 smart cards and security
+modules.
+
+To use PKCS #11 tokens with gnutls the configuration file
+/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the
+form 'load=/usr/lib/opensc-pkcs11.so'.
+
+please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{p11tool bits}
-@subsubheading bits option
-
-This is the ``specify the number of bits for key generate'' option.
-
-
 @anchor{p11tool debug}
 @subsubheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
+@anchor{p11tool write}
+@subsubheading write option
 
-@anchor{p11tool delete}
-@subsubheading delete option
-
-This is the ``deletes the objects matching the pkcs #11 url'' option.
-
-
-@anchor{p11tool detailed-url}
-@subsubheading detailed-url option
-
-This is the ``print detailed urls'' option.
-
-
-@anchor{p11tool export}
-@subsubheading export option
-
-This is the ``export the object specified by the url'' option.
-
+This is the ``writes the loaded objects to a pkcs #11 token'' option.
+It can be used to write private keys, certificates or secret keys to a token.
+@anchor{p11tool generate-rsa}
+@subsubheading generate-rsa option
 
+This is the ``generate an rsa private-public key pair'' option.
+Generates an RSA private-public key pair on the specified token.
 @anchor{p11tool generate-dsa}
 @subsubheading generate-dsa option
 
 This is the ``generate an rsa private-public key pair'' option.
 Generates an RSA private-public key pair on the specified token.
-
 @anchor{p11tool generate-ecc}
 @subsubheading generate-ecc option
 
 This is the ``generate an rsa private-public key pair'' option.
 Generates an RSA private-public key pair on the specified token.
-
-@anchor{p11tool generate-rsa}
-@subsubheading generate-rsa option
-
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
-
-@anchor{p11tool inder}
-@subsubheading inder option
-
-This is the ``use der/raw format for input'' option.
-Use DER/RAW format for input certificates and private keys.
-
-@anchor{p11tool initialize}
-@subsubheading initialize option
-
-This is the ``initializes a pkcs #11 token'' option.
-
-
-@anchor{p11tool inraw}
-@subsubheading inraw option
-
-This is the ``'' option.
-This option has no @samp{doc} documentation.
-
-@anchor{p11tool label}
-@subsubheading label option
-
-This is the ``sets a label for the write operation'' option.
-
-
-@anchor{p11tool list-all}
-@subsubheading list-all option
-
-This is the ``list all available objects in a token'' option.
-
-
-@anchor{p11tool list-all-certs}
-@subsubheading list-all-certs option
-
-This is the ``list all available certificates in a token'' option.
-
-
-@anchor{p11tool list-all-privkeys}
-@subsubheading list-all-privkeys option
-
-This is the ``list all available private keys in a token'' option.
-
-
-@anchor{p11tool list-all-trusted}
-@subsubheading list-all-trusted option
-
-This is the ``list all available certificates marked as trusted'' option.
-
-
-@anchor{p11tool list-certs}
-@subsubheading list-certs option
-
-This is the ``list all certificates that have an associated private key'' option.
-
-
-@anchor{p11tool list-mechanisms}
-@subsubheading list-mechanisms option
-
-This is the ``list all available mechanisms in a token'' option.
-
-
-@anchor{p11tool list-tokens}
-@subsubheading list-tokens option
-
-This is the ``list all available tokens'' option.
-
-
-@anchor{p11tool load-certificate}
-@subsubheading load-certificate option
-
-This is the ``certificate file to use'' option.
-
-
-@anchor{p11tool load-privkey}
-@subsubheading load-privkey option
-
-This is the ``private key file to use'' option.
-
-
-@anchor{p11tool load-pubkey}
-@subsubheading load-pubkey option
-
-This is the ``public key file to use'' option.
-
-
-@anchor{p11tool login}
-@subsubheading login option
-
-This is the ``force login to token'' option.
-
-
-@anchor{p11tool outfile}
-@subsubheading outfile option
-
-This is the ``output file'' option.
-
-
-@anchor{p11tool pkcs8}
-@subsubheading pkcs8 option (-8)
-
-This is the ``use pkcs #8 format for private keys'' option.
-
-
 @anchor{p11tool private}
 @subsubheading private option
 
 This is the ``marks the object to be written as private'' option.
 
+@noindent
 This option has some usage constraints.  It:
 @itemize @bullet
 @item
@@ -197,53 +144,77 @@ is enabled by default.
 @end itemize
 
 The written object will require a PIN to be used.
-
-@anchor{p11tool provider}
-@subsubheading provider option
-
-This is the ``specify the pkcs #11 provider library'' option.
-This will override the default options in /etc/gnutls/pkcs11.conf
-
 @anchor{p11tool sec-param}
 @subsubheading sec-param option
 
 This is the ``specify the security level'' option.
+This option takes an argument string @file{Security parameter}.
 This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra].
+@anchor{p11tool inder}
+@subsubheading inder option
 
-@anchor{p11tool secret-key}
-@subsubheading secret-key option
-
-This is the ``provide a hex encoded secret key'' option.
-
-
-@anchor{p11tool trusted}
-@subsubheading trusted option
-
-This is the ``marks the object to be written as trusted'' option.
-
+This is the ``use der/raw format for input'' option.
+Use DER/RAW format for input certificates and private keys.
+@anchor{p11tool inraw}
+@subsubheading inraw option
 
-@anchor{p11tool write}
-@subsubheading write option
+This is an alias for the inder option,
+@pxref{p11tool inder, the inder option documentation}.
 
-This is the ``writes the loaded objects to a pkcs #11 token'' option.
-It can be used to write private keys, certificates or secret keys to a token.
+@anchor{p11tool provider}
+@subsubheading provider option
 
+This is the ``specify the pkcs #11 provider library'' option.
+This option takes an argument file.
+This will override the default options in /etc/gnutls/pkcs11.conf
 @anchor{p11tool exit status}
 @subsubheading p11tool exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{p11tool See Also}
 @subsubheading p11tool See Also
-
+    certtool (1)
 
 @anchor{p11tool Examples}
 @subsubheading p11tool Examples
+To view all tokens in your system use:
+@example
+$ p11tool --list-tokens
+@end example
+
+To view all objects in a token use:
+@example
+$ p11tool --login --list-all "pkcs11:TOKEN-URL"
+@end example
+
+To store a private key and a certificate in a token run:
+@example
+$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
+          --label "Mykey"
+$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
+          --label "Mykey"
+@end example
+Note that some tokens require the same label to be used for the certificate
+and its corresponding private key.
+
+To generate an RSA private key inside the token use:
+@example
+$ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \
+          --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
+@end example
+The bits parameter in the above example is explicitly set because some
+tokens only support a limited number of bits. The output file is the
+corresponding public key. This key can be used to general a certificate
+request with certtool.
+@example
+certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
+   --load-pubkey MyNewKey.pub --outfile request.pem
+@end example
+
 
diff --git a/doc/invoke-psktool.texi b/doc/invoke-psktool.texi
index 77d5c8f198..0f3c26819c 100644
--- a/doc/invoke-psktool.texi
+++ b/doc/invoke-psktool.texi
@@ -6,24 +6,31 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-psktool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:07:10 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:58 PM by AutoGen 5.16
 # From the definitions    ../src/psk-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Program  that generates random keys for use with TLS-PSK. The
 keys are stored in hexadecimal format in a key file.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{psktool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{psktool usage}
-@subsubheading psktool usage help (-?)
+@subsubheading psktool help/usage (-h)
+@cindex psktool help
 
-This is the automatically generated usage text for psktool:
+This is the automatically generated usage text for psktool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -58,41 +65,34 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @subsubheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
-
-@anchor{psktool keysize}
-@subsubheading keysize option (-s)
-
-This is the ``specify the key size in bytes'' option.
-
-
-@anchor{psktool passwd}
-@subsubheading passwd option (-p)
-
-This is the ``specify a password file.'' option.
-
-
-@anchor{psktool username}
-@subsubheading username option (-u)
-
-This is the ``specify a username'' option.
-
 @anchor{psktool exit status}
 @subsubheading psktool exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{psktool See Also}
 @subsubheading psktool See Also
-
+    gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1)
 
 @anchor{psktool Examples}
 @subsubheading psktool Examples
+To add a user 'psk_identity' in @file{passwd.psk} for use with GnuTLS run:
+@example
+$ ./psktool -u psk_identity -p passwd.psk
+Generating a random key for user 'psk_identity'
+Key stored to passwd.psk
+$ cat psks.txt
+psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
+$
+@end example
+
+This command will create @file{passwd.psk} if it does not exist
+and will add user 'psk_identity' (you will also be prompted for a password). 
 
diff --git a/doc/invoke-srptool.texi b/doc/invoke-srptool.texi
index b555a6a211..dd4a8de914 100644
--- a/doc/invoke-srptool.texi
+++ b/doc/invoke-srptool.texi
@@ -6,11 +6,12 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-srptool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:07:08 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:07:56 PM by AutoGen 5.16
 # From the definitions    ../src/srptool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Simple program that emulates the programs in the Stanford SRP (Secure
 Remote Password) libraries using GnuTLS.  It is intended for use in  places
 where you don't expect SRP authentication to be the used for system users.
@@ -21,14 +22,20 @@ configuration file to hold the group parameters (called tpasswd.conf).
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{srptool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{srptool usage}
-@subsubheading srptool usage help (-?)
+@subsubheading srptool help/usage (-h)
+@cindex srptool help
 
-This is the automatically generated usage text for srptool:
+This is the automatically generated usage text for srptool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -66,71 +73,63 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{srptool create-conf}
-@subsubheading create-conf option
-
-This is the ``generate a password configuration file.'' option.
-This generates a password configuration file (tpasswd.conf)
-containing the required for TLS parameters.
-
 @anchor{srptool debug}
 @subsubheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
+@anchor{srptool verify}
+@subsubheading verify option
 
-@anchor{srptool index}
-@subsubheading index option (-i)
-
-This is the ``specify the index of the group parameters in tpasswd.conf to use.'' option.
-
-
-@anchor{srptool passwd}
-@subsubheading passwd option (-p)
-
-This is the ``specify a password file.'' option.
-
-
+This is the ``just verify the password.'' option.
+Verifies the password provided against the password file.
 @anchor{srptool passwd-conf}
 @subsubheading passwd-conf option (-v)
 
 This is the ``specify a password conf file.'' option.
+This option takes an argument string.
 Specify a filename or a PKCS #11 URL to read the CAs from.
+@anchor{srptool create-conf}
+@subsubheading create-conf option
 
-@anchor{srptool salt}
-@subsubheading salt option (-s)
-
-This is the ``specify salt size.'' option.
-
-
-@anchor{srptool username}
-@subsubheading username option (-u)
-
-This is the ``specify a username'' option.
-
-
-@anchor{srptool verify}
-@subsubheading verify option
-
-This is the ``just verify the password.'' option.
-Verifies the password provided against the password file.
-
+This is the ``generate a password configuration file.'' option.
+This option takes an argument string.
+This generates a password configuration file (tpasswd.conf)
+containing the required for TLS parameters.
 @anchor{srptool exit status}
 @subsubheading srptool exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{srptool See Also}
 @subsubheading srptool See Also
-
+    gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
 
 @anchor{srptool Examples}
 @subsubheading srptool Examples
+To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
+(generator and a large prime), run:
+@example
+$ srptool --create-conf /etc/tpasswd.conf
+@end example
+
+This command will create @file{/etc/tpasswd} and will add user 'test' (you
+will also be prompted for a password). Verifiers are stored by default
+in the way libsrp expects.
+@example
+$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
+@end example
+
+
+This command will check against a password. If the password matches
+the one in @file{/etc/tpasswd} you will get an ok.
+@example
+$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
+@end example
 
diff --git a/doc/invoke-tpmtool.texi b/doc/invoke-tpmtool.texi
index 98c267de1b..d510346e55 100644
--- a/doc/invoke-tpmtool.texi
+++ b/doc/invoke-tpmtool.texi
@@ -6,23 +6,30 @@
 # 
 # DO NOT EDIT THIS FILE   (invoke-tpmtool.texi)
 # 
-# It has been AutoGen-ed  December 29, 2012 at 01:00:46 PM by AutoGen 5.12
+# It has been AutoGen-ed  January  1, 2013 at 09:08:01 PM by AutoGen 5.16
 # From the definitions    ../src/tpmtool-args.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
 
+
 Program that allows handling cryptographic data from the TPM chip.
 
 This section was generated by @strong{AutoGen},
 using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
 
 
 @anchor{tpmtool usage}
-@subsubheading tpmtool usage help (-?)
+@subsubheading tpmtool help/usage (-h)
+@cindex tpmtool help
 
-This is the automatically generated usage text for tpmtool:
+This is the automatically generated usage text for tpmtool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!).  @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function.  The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}.  Both will exit
+with a status code of 0.
 
 @exampleindent 0
 @example
@@ -83,24 +90,12 @@ please send bug reports to:  bug-gnutls@@gnu.org
 @end example
 @exampleindent 4
 
-@anchor{tpmtool bits}
-@subsubheading bits option
-
-This is the ``specify the number of bits for key generate'' option.
-
-
 @anchor{tpmtool debug}
 @subsubheading debug option (-d)
 
 This is the ``enable debugging.'' option.
+This option takes an argument number.
 Specifies the debug level.
-
-@anchor{tpmtool delete}
-@subsubheading delete option
-
-This is the ``delete the key identified by the given url (uuid).'' option.
-
-
 @anchor{tpmtool generate-rsa}
 @subsubheading generate-rsa option
 
@@ -108,105 +103,29 @@ This is the ``generate an rsa private-public key pair'' option.
 Generates an RSA private-public key pair in the TPM chip. 
 The key may be stored in filesystem and protected by a PIN, or stored (registered)
 in the TPM chip flash.
+@anchor{tpmtool user}
+@subsubheading user option
 
-@anchor{tpmtool inder}
-@subsubheading inder option
-
-This is the ``use the der format for keys.'' option.
-The input files will be assumed to be in the portable
-DER format of TPM. The default format is a custom format used by various
-TPM tools
-
-@anchor{tpmtool infile}
-@subsubheading infile option
-
-This is the ``input file'' option.
-
-
-@anchor{tpmtool legacy}
-@subsubheading legacy option
-
-This is the ``any generated key will be a legacy key'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-generate-rsa.
-@item
-must not appear in combination with any of the following options:
-signing.
-@end itemize
-
-
-
-@anchor{tpmtool list}
-@subsubheading list option
-
-This is the ``lists all stored keys in the tpm'' option.
-
-
-@anchor{tpmtool outder}
-@subsubheading outder option
-
-This is the ``use der format for output keys'' option.
-The output will be in the TPM portable DER format.
-
-@anchor{tpmtool outfile}
-@subsubheading outfile option
-
-This is the ``output file'' option.
-
-
-@anchor{tpmtool pubkey}
-@subsubheading pubkey option
-
-This is the ``prints the public key of the provided key'' option.
-
-
-@anchor{tpmtool register}
-@subsubheading register option
-
-This is the ``any generated key will be registered in the tpm'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-generate-rsa.
-@end itemize
-
-
-
-@anchor{tpmtool sec-param}
-@subsubheading sec-param option
-
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
-This is alternative to the bits option. Note however that the
-values allowed by the TPM chip are quantized and given values may be rounded up.
-
-@anchor{tpmtool signing}
-@subsubheading signing option
-
-This is the ``any generated key will be a signing key'' option.
+This is the ``any registered key will be a user key'' option.
 
+@noindent
 This option has some usage constraints.  It:
 @itemize @bullet
 @item
 must appear in combination with the following options:
-generate-rsa.
+register.
 @item
 must not appear in combination with any of the following options:
-legacy.
+system.
 @end itemize
 
-
-
+The generated key will be stored in a user specific persistent storage.
 @anchor{tpmtool system}
 @subsubheading system option
 
 This is the ``any registred key will be a system key'' option.
 
+@noindent
 This option has some usage constraints.  It:
 @itemize @bullet
 @item
@@ -218,40 +137,64 @@ user.
 @end itemize
 
 The generated key will be stored in system persistent storage.
+@anchor{tpmtool sec-param}
+@subsubheading sec-param option
 
-@anchor{tpmtool user}
-@subsubheading user option
-
-This is the ``any registered key will be a user key'' option.
-
-This option has some usage constraints.  It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-register.
-@item
-must not appear in combination with any of the following options:
-system.
-@end itemize
+This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
+This option takes an argument string @file{Security parameter}.
+This is alternative to the bits option. Note however that the
+values allowed by the TPM chip are quantized and given values may be rounded up.
+@anchor{tpmtool inder}
+@subsubheading inder option
 
-The generated key will be stored in a user specific persistent storage.
+This is the ``use the der format for keys.'' option.
+The input files will be assumed to be in the portable
+DER format of TPM. The default format is a custom format used by various
+TPM tools
+@anchor{tpmtool outder}
+@subsubheading outder option
 
+This is the ``use der format for output keys'' option.
+The output will be in the TPM portable DER format.
 @anchor{tpmtool exit status}
 @subsubheading tpmtool exit status
 
 One of the following exit values will be returned:
 @table @samp
-@item 0
+@item 0 (EXIT_SUCCESS)
 Successful program execution.
-@item 1
+@item 1 (EXIT_FAILURE)
 The operation failed or the command syntax was not valid.
 @end table
-
-
 @anchor{tpmtool See Also}
 @subsubheading tpmtool See Also
-
+    p11tool (1), certtool (1)
 
 @anchor{tpmtool Examples}
 @subsubheading tpmtool Examples
+To generate a key that is to be stored in filesystem use:
+@example
+$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
+@end example
+
+To generate a key that is to be stored in TPM's flash use:
+@example
+$ tpmtool --generate-rsa --bits 2048 --register --user
+@end example
+
+To get the public key of a TPM key use:
+@example
+$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
+          --outfile pubkey.pem
+@end example
+
+or if the key is stored in the filesystem:
+@example
+$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
+@end example
+
+To list all keys stored in TPM use:
+@example
+$ tpmtool --list
+@end example
 
diff --git a/doc/manpages/tpmtool.1 b/doc/manpages/tpmtool.1
index 4ff4b2b7d9..7b1dff167c 100644
--- a/doc/manpages/tpmtool.1
+++ b/doc/manpages/tpmtool.1
@@ -1,8 +1,8 @@
-.TH tpmtool 1 "12 Dec 2012" "@VERSION@" "User Commands"
+.TH tpmtool 1 "01 Jan 2013" "@VERSION@" "User Commands"
 .\"
 .\"  DO NOT EDIT THIS FILE   (tpmtool-args.man)
 .\"  
-.\"  It has been AutoGen-ed  December 12, 2012 at 07:04:47 PM by AutoGen 5.16
+.\"  It has been AutoGen-ed  January  1, 2013 at 09:07:45 PM by AutoGen 5.16
 .\"  From the definitions    ../../src/tpmtool-args.def.tmp
 .\"  and the template file   agman-cmd.tpl
 .\"