security+tools: Allow user to explicitly specify the cert name prefix before 'KEY' component in ndnsec-certgen
Change-Id: I71e137e89b5ab0cd5db7001b39ff76c22a448bd2
Refs: #1659
diff --git a/docs/manpages/ndnsec-cert-gen.rst b/docs/manpages/ndnsec-cert-gen.rst
index 3c2eff8..923c936 100644
--- a/docs/manpages/ndnsec-cert-gen.rst
+++ b/docs/manpages/ndnsec-cert-gen.rst
@@ -8,7 +8,7 @@
::
- $ ndnsec-cert-gen [-h] [-S timestamp] [-E timestamp] [-N name] [-I info] [-s sign-id] request
+ $ ndnsec-cert-gen [-h] [-S timestamp] [-E timestamp] [-N name] [-I info] [-s sign-id] [-p cert-prefix] request
Description
-----------
@@ -45,6 +45,15 @@
Signing identity. The default key/certificate of ``sign-id`` will be used to sign the requested
certificate. If this option is not specified, the system default identity will be used.
+``-p cert-prefix``
+ The certificate prefix, which is the part of certificate name before ``KEY`` component.
+
+ By default, the certificate prefix will be inferred from the certificate name according
+ to the relation between the signing identity and the subject identity. If the signing
+ identity is a prefix of the subject identity, ``KEY`` will be inserted after the
+ signingIdentity, otherwise ``KEY`` is inserted after subject identity (i.e., before
+ ``ksk-....``).
+
Examples
--------