authorDeon Lackey <dlackey@redhat.com>2010-08-13 17:39:05 -0400
committerDeon Lackey <dlackey@redhat.com>2010-08-13 17:39:05 -0400
commit945b23961743e5cb4dbf82dae78c4b93cf9a0a13 (patch)
treebc45616312f72956fcbf2603dc5af90b3372b840
parent08ca77b4a0664cd67041f2bccfd9c0075c1daefb (diff)
finishing adding in missing arguments
-rw-r--r--certutil.xml282
1 files changed, 219 insertions, 63 deletions
diff --git a/certutil.xml b/certutil.xml
index 1ebd321..928951c 100644
--- a/certutil.xml
+++ b/certutil.xml
@@ -40,7 +40,7 @@ The key and certificate management process generally begins with creating keys i
<refsection id="options">
<title>Options and Arguments</title>
<para>
- Running <command>certutil</command> always requires one (and only one) option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each option.
+ Running <command>certutil</command> always requires one (and only one) option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each command option.
</para>
<para><command>Options</command></para>
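Review bot: the sentence "Run the command option and <option>-H</option> to see the arguments available for each command option" is still awkward after the edit; it reads as if -H were itself the command option. Suggest "Run <command>certutil</command> with a command option and <option>-H</option> to list the arguments that option accepts", which also makes clear that -H is combined with the option rather than run on its own.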
@@ -75,7 +75,7 @@ The key and certificate management process generally begins with creating keys i
<varlistentry>
<term>-F</term>
<listitem><para>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
-<option>-d</option> argument. Use the -k argument to specify explicitly whether to delete a DSA or an RSA key. If you don't use the <option>-k</option> argument,
+<option>-d</option> argument. Use the <option>-k</option> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <option>-k</option> argument,
the option looks for an RSA key matching the specified nickname.
</para>
<para>
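Review bot: the -F text now says -k selects "a DSA, RSA, or ECC key", but the -k term introduced later in this same patch spells the keyword "ec" (rsa|dsa|ec|all); the description should use the literal keyword a user types, or at least say "ECC (ec)". In the same paragraph "-n argument" is left bare while -d and -k are wrapped in <option>; wrap -n the same way for consistent rendering.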
@@ -93,7 +93,7 @@ When you delete keys, be sure to also remove any certificates associated with th
</varlistentry>
<varlistentry>
- <term>-K prefix</term>
+ <term>-K </term>
<listitem><para>List the keyID of keys in the key database. A keyID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</para></listitem>
</varlistentry>
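Review bot: dropping the spurious "prefix" argument from the -K term is correct, but the description still defines a keyID only for RSA ("the modulus") and DSA ("the publicValue") even though this patch adds ECC keys elsewhere (-F, -k rsa|dsa|ec|all, -q curve-name). Either say what -K prints for an EC key or note that the definition covers RSA and DSA only, so the listing and the new key types stay in step.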
@@ -166,24 +166,23 @@ Use the -a argument to specify ASCII output.</para></listitem>
<variablelist>
<varlistentry>
<term>-a</term>
- <listitem><para>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC #1113.
- For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
+ <listitem><para>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113.
+For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
</varlistentry>
<varlistentry>
<term>-b validity-time</term>
- <listitem><para>Specify a time at which a certificate is required to be valid.
- Use when checking certificate validity with the -V option. The format of the validity-time argument is
- "YYMMDDHHMMSS[+HHMM|-HHMM|Z]". Specifying seconds (SS) is optional. When specifying an explicit time,
- use "YYMMDDHHMMSSZ". When specifying an offset time, use "YYMMDDHHMMSS+HHMM" or "YYMMDDHHMMSS-HHMM".
- If this option is not used, the validity check defaults to the current system time.</para></listitem>
+ <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
+</para>
+<para>
+If this option is not used, the validity check defaults to the current system time.</para></listitem>
</varlistentry>
<varlistentry>
<term>-c issuer</term>
<listitem><para>Identify the certificate of the CA from which a new certificate will derive its authenticity.
- Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string
- with quotation marks if it contains spaces. </para></listitem>
+ Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string
+ with quotation marks if it contains spaces. </para></listitem>
</varlistentry>
<varlistentry>
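Review bot: the rewritten -b description misstates what the +HHMM/-HHMM suffix means. In the format YYMMDDHHMMSS[+HHMM|-HHMM|Z] the suffix is a UTC offset (time zone) for the given time, and Z means the time is UTC; it does not "allow offsets to be set relative to the validity end time", and +HHMM/-HHMM do not "add or subtract time". Suggest: "Append Z to give the time in UTC (YYMMDDHHMMSSZ), or +HHMM/-HHMM to give a local time with its offset from UTC." The old wording in the removed lines was less wrong than the new one; keep the RFC 1113 and -c changes, but redo this paragraph.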
@@ -193,7 +192,7 @@ Use the -a argument to specify ASCII output.</para></listitem>
On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape).
On Windows NT the default is the current directory.
-->
- The cert8.db and key3.db database files must reside in the same directory. </para></listitem>
+ The cert8.db and key3.db database files must reside in the same directory. </para></listitem>
</varlistentry>
<varlistentry>
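Review bot: this hunk changes only leading whitespace on the cert8.db/key3.db line; it carries no content and makes the diff harder to review. Drop it from the patch, or if the reflow is intentional, do all whitespace-only reflows in a separate commit.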
@@ -204,13 +203,13 @@ Use the -a argument to specify ASCII output.</para></listitem>
<varlistentry>
<term>-f password-file</term>
<listitem><para>Specify a file that will automatically supply the password to include in a certificate
- or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
- unauthorized access to this file.</para></listitem>
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
+ unauthorized access to this file.</para></listitem>
</varlistentry>
<varlistentry>
<term>-g keysize</term>
- <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 256 bits and the maximum is 1024 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
+ <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
</varlistentry>
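Review bot: the new -g limits ("minimum is 512 bits and the maximum is 8192 bits", default 1024) are stated without saying which key types they apply to. Since this patch also adds EC key generation via -q curve-name, where the curve fixes the key size, the entry should say the size range applies to RSA and DSA keys and that -g is ignored for EC keys (or explain how the two interact). It would also help the reader to flag that 1024 bits is the historical default rather than a recommended size, so the line is not read as an endorsement. The -f change in the same hunk is whitespace only.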
@@ -220,13 +219,18 @@ Use the -a argument to specify ASCII output.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-i cert|cert-request-file</term>
- <listitem><para>Specify a specific certificate or a certificate request file.</para></listitem>
+ <term>-i input_file</term>
+ <listitem><para>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-k rsa|dsa|all</term>
- <listitem><para>Specify the type of a key. The valid options are RSA, DSA or both. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem>
+ <term>-k rsa|dsa|ec|all</term>
+ <listitem><para>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k key-type-or-id</term>
+ <listitem><para>Specify the type or specific ID of a key. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates).</para></listitem>
</varlistentry>
<varlistentry>
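Review bot: the hunk leaves two separate <varlistentry> blocks for -k with different terms ("-k rsa|dsa|ec|all" and "-k key-type-or-id") and partly contradictory descriptions. A reader looking up -k will not know which applies. Merge them into one entry that explains both forms: a key type (rsa, dsa, ec, or all) selects the algorithm for new key pairs and disambiguates nicknames for -F/-K, while an existing key ID reuses that key pair, which is what certificate renewal requires. Also align the spelling: the term says "ec", the prose says "ECC".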
@@ -252,18 +256,23 @@ Use the -a argument to specify ASCII output.</para></listitem>
<varlistentry>
<term>-P dbPrefix</term>
<listitem><para>Specify the prefix used on the cert8.db and key3.db files
- (for example, my_cert8.db and my_key3.db). This option is provided as a special case.
- Changing the names of the certificate and key databases is not recommended.</para></listitem>
+(for example, my_cert8.db and my_key3.db). This option is provided as a special case.
+Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-p phone</term>
+ <term>-p phone</term>
<listitem><para>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</para></listitem>
</varlistentry>
<varlistentry>
<term>-q pqgfile</term>
- <listitem><para>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, the Key Database Tool generates its own PQG value. PQG files are created with a separate DSA utility.</para></listitem>
+ <listitem><para>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <command>certutil</command> generates its own PQG value. PQG files are created with a separate DSA utility.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q curve-name</term>
+ <listitem><para>Set the elliptic curve name to use when generating ECC key pairs. A complete list of ECC curves is given in the help (<option>-H</option>).</para></listitem>
</varlistentry>
<varlistentry>
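Review bot: same duplicate-entry problem as with -k: there are now two -q <varlistentry> blocks ("-q pqgfile" and "-q curve-name"). Combine them into one entry whose term reads "-q pqgfile|curve-name" and whose text says that the argument is a PQG file when generating DSA keys and a curve name when generating EC keys, with the curve list available from -H. Replacing "the Key Database Tool" with <command>certutil</command> is a good fix and should be applied to the remaining occurrences of "Certificate Database Tool" in this file as well.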
@@ -278,30 +287,29 @@ Use the -a argument to specify ASCII output.</para></listitem>
<varlistentry>
<term>-t trustargs</term>
- <listitem><para>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database.
- There are three available trust categories for each certificate, expressed in the order <emphasis>SSL, email, object signing</emphasis>. In each category position, use none, any, or all
- of the attribute codes:
+ <listitem><para>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <emphasis>SSL, email, object signing</emphasis> for each trust setting. In each category position, use none, any, or all
+of the attribute codes:
</para>
<para>
- <command>p</command> - Valid peer
+ * <command>p</command> - Valid peer
</para>
<para>
- <command>P</command> - Trusted peer (implies p)
+ * <command>P</command> - Trusted peer (implies p)
</para>
<para>
- <command>c</command> - Valid CA
+ * <command>c</command> - Valid CA
</para>
<para>
- <command>T</command> - Trusted CA to issue client certificates (implies c)
+ * <command>T</command> - Trusted CA to issue client certificates (implies c)
</para>
<para>
- <command>C</command> - Trusted CA to issue server certificates (SSL only) (implies c)
+ * <command>C</command> - Trusted CA to issue server certificates (SSL only) (implies c)
</para>
<para>
- <command>u</command> - Certificate can be used for authentication or signing
+ * <command>u</command> - Certificate can be used for authentication or signing
</para>
<para>
- <command>w</command> - Send warning (use with other attributes to include a warning when the certificate is used in that context)
+ * <command>w</command> - Send warning (use with other attributes to include a warning when the certificate is used in that context)
</para>
<para>
The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
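Review bot: the list of trust attribute codes is rendered by prefixing each <para> with a literal "* ". This file is DocBook, which has <itemizedlist> and <listitem> for exactly this; use them so the output is a real list and the asterisks do not end up in the man page. The added phrase "for each trust setting" in the first sentence is redundant with "for each certificate" earlier in the same sentence and can be dropped.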
@@ -314,33 +322,38 @@ Use the -a argument to specify ASCII output.</para></listitem>
<varlistentry>
<term>-u certusage</term>
<listitem><para>Specify a usage context to apply when validating a certificate with the -V option.</para><para>The contexts are the following:</para>
-<para><command>C</command> (as an SSL client)</para>
-<para><command>V</command> (as an SSL server)</para>
-<para><command>S</command> (as an email signer)</para>
-<para><command>R</command> (as an email recipient)</para></listitem>
+<para>* <command>C</command> (as an SSL client)</para>
+<para>* <command>V</command> (as an SSL server)</para>
+<para>* <command>S</command> (as an email signer)</para>
+<para>* <command>R</command> (as an email recipient)</para>
+<para>* <command>O</command> (as an OCSP status responder)</para>
+<para>* <command>J</command> (as an object signer)</para></listitem>
</varlistentry>
<varlistentry>
<term>-v valid-months</term>
- <listitem><para>Set the number of months a new certificate will be valid.
- The validity period begins at the current system time unless an offset is added or
- subtracted with the -w option. If this argument is not used, the default validity
- period is three months. When this argument is used, the default three-month period
- is automatically added to any value given in the valid-month argument. For example,
- using this option to set a value of 3 would cause 3 to be added to the three-month
- default, creating a validity period of six months. You can use negative values to
- reduce the default period. For example, setting a value of -2 would subtract 2 from
- the default and create a validity period of one month.</para></listitem>
+ <listitem><para>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <option>-w</option> option. If this argument is not used, the default validity
+period is three months. When this argument is used, the default three-month period
+is automatically added to any value given in the valid-month argument. For example,
+using this option to set a value of 3 would cause 3 to be added to the three-month
+default, creating a validity period of six months. You can use negative values to
+reduce the default period. For example, setting a value of -2 would subtract 2 from
+the default and create a validity period of one month.</para></listitem>
</varlistentry>
<varlistentry>
<term>-w offset-months</term>
<listitem><para>Set an offset from the current system time, in months,
- for the beginning of a certificate's validity period. Use when creating
- the certificate or adding it to a database. Express the offset in integers,
- using a minus sign (-) to indicate a negative offset. If this argument is
- not used, the validity period begins at the current system time. The length
- of the validity period is set with the -v argument. </para></listitem>
+ for the beginning of a certificate's validity period. Use when creating
+ the certificate or adding it to a database. Express the offset in integers,
+ using a minus sign (-) to indicate a negative offset. If this argument is
+ not used, the validity period begins at the current system time. The length
+ of the validity period is set with the -v argument. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-X </term>
+ <listitem><para>Force the key and certificate database to open in read-write mode. This is used with the <option>-U</option> and <option>-L</option> command options.</para></listitem>
</varlistentry>
<varlistentry>
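Review bot: the new -X entry says it forces the database open read-write and "is used with the -U and -L command options", but it never says why a user would need it. State the default it overrides (those options otherwise open the database read-only) so the reader can tell when -X is required. The -u list in this hunk has the same literal "* " bullets as the -t list above; use <itemizedlist> there too. The -v and -w changes are reflow only.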
@@ -359,43 +372,186 @@ Use the -a argument to specify ASCII output.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-1 </term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <term>-0 SSO_password</term>
+ <listitem><para>Set a site security officer password on a token.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-1 | --keyUsage keyword,keyword</term>
+ <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para>
+ <para>
+ * digital signature
+ </para>
+ <para>
+ * nonRepudiation
+ </para>
+ <para>
+ * keyEncipherment
+ </para>
+ <para>
+ * dataEncipherment
+ </para>
+ <para>
+ * keyAgreement
+ </para>
+ <para>
+ * certSigning
+ </para>
+ <para>
+ * crlSigning
+ </para>
+ <para>
+ * critical
+ </para>
+</listitem>
</varlistentry>
<varlistentry>
<term>-2 </term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <listitem><para>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <command>certutil</command> prompts for the certificate constraint extension to select.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
<varlistentry>
<term>-3 </term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <listitem><para>Add an authority keyID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority keyID extension.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
<varlistentry>
<term>-4 </term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <listitem><para>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <command>certutil</command> prompts for the URL.</para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-5 </term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <term>-5 | --nsCertType keyword,keyword</term>
+ <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
+ <para>
+ * sslClient
+ </para>
+ <para>
+ * sslServer
+ </para>
+ <para>
+ * smime
+ </para>
+ <para>
+ * objectSigning
+ </para>
+ <para>
+ * sslCA
+ </para>
+ <para>
+ * smimeCA
+ </para>
+ <para>
+ * objectSigningCA
+ </para>
+ <para>
+ * critical
+ </para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-6 </term>
- <listitem><para>yyyyyyyy</para></listitem>
+ <term>-6 | --extKeyUsage keyword,keyword</term>
+ <listitem><para>Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available:</para>
+ <para>
+ * serverAuth
+ </para>
+ <para>
+ * clientAuth
+ </para>
+ <para>
+ * codeSigning
+ </para>
+ <para>
+ * emailProtection
+ </para>
+ <para>
+ * timeStamp
+ </para>
+ <para>
+ * ocspResponder
+ </para>
+ <para>
+ * stepUp
+ </para>
+ <para>
+ * critical
+ </para>
+<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
<varlistentry>
<term>-7 emailAddrs</term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <listitem><para>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</para></listitem>
</varlistentry>
<varlistentry>
<term>-8 dns-names</term>
- <listitem><para>yyyyyyyy.</para></listitem>
+ <listitem><para>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extAIA</term>
+ <listitem><para>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extSIA</term>
+ <listitem><para>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extCP</term>
+ <listitem><para>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extPM</term>
+ <listitem><para>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extPC</term>
+ <listitem><para>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extIA</term>
+ <listitem><para>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--extSKID</term>
+ <listitem><para>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--source-dir certdir</term>
+ <listitem><para>Identify the certificate database directory to upgrade.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--source-prefix certdir</term>
+ <listitem><para>Give the prefix of the certificate and key databases to upgrade.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--upgrade-id uniqueID</term>
+ <listitem><para>Give the unique ID of the database to upgrade.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--upgrade-token-name name</term>
+ <listitem><para>Set the name of the token to use while it is being upgraded.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-@ pwfile</term>
+ <listitem><para>Give the name of a password file to use for the database being upgraded.</para></listitem>
</varlistentry>
</variablelist>
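Review bot: the -1 | --keyUsage description is wrong: it says the option sets "a Netscape Certificate Type Extension", but the keywords listed (digitalSignature, nonRepudiation, keyEncipherment, keyAgreement, certSigning, crlSigning) are X.509 Key Usage bits, and the Netscape certificate type extension is what -5 | --nsCertType sets later in this same hunk. Reword to "Add a Key Usage extension to the certificate" and cite RFC 5280 as the other entries do. Further items in this hunk: the first keyword is written "digital signature" with a space while every other keyword is a single camelCase token; it should be "digitalSignature". The -7 and -8 entries cite "Section 4.2.1.7 of RFC 3280" while the rest of the hunk cites RFC 5280; in RFC 5280 the subject alternative name extension is Section 4.2.1.6, so either reference is fine on its own but the two should not be mixed. The --extIA description reads "Inhibit Any Policy Access extension"; the extension is Inhibit Any Policy and "Access" looks copied from the --extAIA/--extSIA lines above it. The -3 entry still says "The Certificate Database Tool will prompt you" where -2 and -4 use <command>certutil</command>. The --source-prefix term shows the argument as "certdir", which is the argument of --source-dir; it should be a prefix placeholder such as "prefix". Finally, for the extension options (-2, -3, -4, --ext*) that prompt interactively, it would help to say what the prompts ask for so that users can script them with -B batch files, which the -i entry in this patch now mentions.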