docs: Extending documentation and manpages

Refs: #1462

Change-Id: If33a0f3c623daf3502ed301bcdc63892779463e3
diff --git a/docs/conf.py b/docs/conf.py
index 20cd786..c8f55dc 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -230,10 +230,26 @@
 # (source start file, name, description, authors, manual section).
 man_pages = [
     ('manpages/ndnsec', 'ndnsec', u'NDN security tools', None, 1),
+    ('manpages/ndnsec-cert-dump',    'ndnsec-cert-dump',   'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-cert-gen',     'ndnsec-cert-gen',    'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-cert-install', 'ndnsec-cert-instal', 'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-delete',       'ndnsec-delete',      'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-export',       'ndnsec-export',      'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-get-default',  'ndnsec-get-default', 'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-import',       'ndnsec-import',      'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-key-gen',      'ndnsec-key-gen',     'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-list',         'ndnsec-list',        'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-op-tool',      'ndnsec-op-tool',     'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-set-acl',      'ndnsec-set-acl',     'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-set-default',  'ndnsec-set-default', 'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-sig-verify',   'ndnsec-sig-verify',  'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-sign-req',     'ndnsec-sign-req',    'part of NDN security tools', None, 1),
+    ('manpages/ndnsec-unlock-tpm',   'ndnsec-unlock-tpm',  'part of NDN security tools', None, 1),
     ('tutorials/security-validator-config', 'ndnsec-validator.conf',
      'NDN trust validator configuration file', None, 5),
+    ('manpages/tlvdump', 'tlvdump',  'Decode structure of TLV encoded buffer', None, 1),
 ]
 
 
 # If true, show URL addresses after external links.
-#man_show_urls = False
+man_show_urls = True
diff --git a/docs/examples.rst b/docs/examples.rst
new file mode 100644
index 0000000..3e76704
--- /dev/null
+++ b/docs/examples.rst
@@ -0,0 +1,52 @@
+Basic examples
+==============
+
+Trivial consumer
+----------------
+
+In the following trivial example, a consumer creates a Face with default transport (UnixSocket transport) and sends an Interest for ``/localhost/testApp/randomData``.
+While expressing Interest, the app specifies two callbacks to be called when Data is retrieved or Interest times out.
+
+``ndn::bind`` is an alias for either `boost::bind <http://www.boost.org/doc/libs/1_55_0/libs/bind/bind.html>`_ or `std::bind <http://en.cppreference.com/w/cpp/utility/functional/bind>`_ when the library is compiled in C++11 mode.
+
+.. literalinclude:: ../examples/consumer.cpp
+   :language: c++
+   :linenos:
+   :emphasize-lines: 17-19,25-27,41-44,47
+
+
+Trivial producer
+----------------
+
+The following example demonstrates how to write a simple producer application.
+
+First, application sets interset filter for ``/localhost/testApp`` to receive all Interests that have this prefix.
+``setInterestFilter`` call accepts two callbacks, one which will be called when an Interest is received, and the other if prefix registration (i.e., configuring proper FIB entry in NFD) fails.
+
+After Interest is received, a producer creates a Data packet with the same name as in the received Interest, adds a silly content, and signs the Data packet with the system-default identity.
+It is possible to specify a particular key to be used during the signing.
+For more information, refer to KeyChain API documentation.
+
+Finally, after Data packet has been created and signed, it is returned to the requester using ``Face::put`` method.
+
+.. literalinclude:: ../examples/producer.cpp
+   :language: c++
+   :linenos:
+   :emphasize-lines: 37-40,43,49,63-65
+
+
+Consumer that uses ndn::Scheduler
+---------------------------------
+
+The following example demonstrates use for ``ndn::Scheduler`` to schedule an arbitrary events for execution at specific points of time.
+
+The library internally uses `boost::asio::io_service <http://www.boost.org/doc/libs/1_48_0/doc/html/boost_asio/reference/io_service.html>`_ to implement fully asynchronous NDN operations (i.e., sending and receiving Interests and Data).
+In addition to network-related operations, ``boost::asio::io_service`` can be used to execute any arbitrary callback within the processing thread (run either explicitly via ``io->run`` or implicitly via ``Face::processEvents`` as in previous examples).
+``ndn::Scheduler`` is just a wrapper on top of ``boost::asio::io_service``, allowing simple interface to schedule tasks at specific times.
+
+The highlighted lines in the example demonstrate all that is needed to express a second interest approximately 2 seconds after the first one.
+
+.. literalinclude:: ../examples/consumer-with-timer.cpp
+   :language: c++
+   :linenos:
+   :emphasize-lines: 10,62,69,72-73,76
diff --git a/docs/index.rst b/docs/index.rst
index 08f7084..db36d09 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -4,6 +4,7 @@
 `API documentation (doxygen) <doxygen/annotated.html>`_
 
 .. toctree::
+   examples
    tutorials/security-library
    tutorials/utils-ndn-regex
    tutorials/security-validator-config
diff --git a/docs/manpages.rst b/docs/manpages.rst
index 8300f89..af5501d 100644
--- a/docs/manpages.rst
+++ b/docs/manpages.rst
@@ -2,5 +2,23 @@
 ========
 
 .. toctree::
-   manpages/ndnsec
-   :maxdepth: 1
+    manpages/ndnsec
+    ndnsec-list         <manpages/ndnsec-list>
+    ndnsec-get-default  <manpages/ndnsec-get-default>
+    ndnsec-set-default  <manpages/ndnsec-set-default>
+    ndnsec-key-gen      <manpages/ndnsec-key-gen>
+    ndnsec-sign-req     <manpages/ndnsec-sign-req>
+    ndnsec-cert-gen     <manpages/ndnsec-cert-gen>
+    ndnsec-cert-install <manpages/ndnsec-cert-install>
+    ndnsec-cert-dump    <manpages/ndnsec-cert-dump>
+    ndnsec-delete       <manpages/ndnsec-delete>
+    ndnsec-export       <manpages/ndnsec-export>
+    ndnsec-import       <manpages/ndnsec-import>
+    ndnsec-unlock-tpm   <manpages/ndnsec-unlock-tpm>
+    manpages/tlvdump
+    :maxdepth: 1
+
+..
+   manpages/ndnsec-op-tool
+   manpages/ndnsec-set-acl
+   manpages/ndnsec-sig-verify
diff --git a/docs/manpages/ndnsec-cert-dump.rst b/docs/manpages/ndnsec-cert-dump.rst
new file mode 100644
index 0000000..9daf52c
--- /dev/null
+++ b/docs/manpages/ndnsec-cert-dump.rst
@@ -0,0 +1,67 @@
+ndnsec-cert-dump
+================
+
+``ndnsec-cert-dump`` is a tool to dump a certificate from **Public Info Base** or file and output
+it to standard output.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-cert-dump [-h] [-p] [-ikf] name
+
+Description
+-----------
+
+``ndnsec-cert-dump`` can read a certificate from **Public Info Base (PIB)** or a file and output
+the certificate to standard output.
+
+By default, ``name`` is interpreted as a certificate name.
+
+Options
+-------
+
+``-i``
+  Interpret ``name`` as an identity name. If specified, the certificate to dump is the default
+  certificate of the identity.
+
+``-k``
+  Interpret ``name`` as a key name. If specified, the certificate to dump is the default certificate
+  of the key.
+
+``-f``
+  Interpret ``name`` as a path to a file containing the certificate. If ``name`` is ``-``,
+  certificate will be read from standard input.
+
+``-p``
+  Print out the certificate to a human-readable format.
+
+Examples
+--------
+
+Dump a certificate from PIB to standard output:
+::
+
+    $ ndnsec-cert-dump /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+
+Dump a certificate to a human-readable format:
+::
+
+    $ ndnsec-cert-dump -p /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+    Certificate name:
+      /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+    Validity:
+      NotBefore: 20140401T000000
+      NotAfter: 20150331T235959
+    Subject Description:
+      2.5.4.41: David
+      2.5.4.10: Some Organization
+    Public key bits:
+    MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAtLq50tpynJ15zExEh9l6
+    jvh/HOmwhOppr/hTEPYUn2VTh21+JJIg5pHAAH/DQr8Bq5BGrdDUCIShxSxbaHwu
+    a1y4XgKP1MYBQP/WzcIhIzB/3PBDdmE0jM3Qg6yuk8BOwett3C07GtwW9dfgacwt
+    aC29xIHnYKfryH/gBSIDUIb38M7ILIDgQeIiQcHGHoFO8CbDtKY2OvVkFNgxowAR
+    Xn+gtkIfMdE77Z8p0S21pYfdvPuIpVVLy7lnFdwGzyCi3nmbtd/r9NSTepBczWQz
+    zBbThT7yfeNyHWLu0PZPdz84UpNPsBad3Bx9tT31noIVnt8yyBEfEU1jyEIVkm8U
+    VQIB
diff --git a/docs/manpages/ndnsec-cert-gen.rst b/docs/manpages/ndnsec-cert-gen.rst
new file mode 100644
index 0000000..3c2eff8
--- /dev/null
+++ b/docs/manpages/ndnsec-cert-gen.rst
@@ -0,0 +1,70 @@
+ndnsec-cert-gen
+===============
+
+``ndnsec-cert-gen`` is a tool to issue an identity certificate.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-cert-gen [-h] [-S timestamp] [-E timestamp] [-N name] [-I info] [-s sign-id] request
+
+Description
+-----------
+
+``ndnsec-cert-gen`` takes signing request as input and issues an identity certificate for the key in
+the signing request. The signing request can be created during ``ndnsec-keygen`` and can be
+re-generated with ``ndnsec-sign-req``.
+
+By default, the default key/certificate will be used to sign the issued certificate.
+
+``request`` could be a path to a file that contains the signing request. If ``request`` is ``-``,
+then signing request will be read from standard input.
+
+The generated certificate will be written to standard output in base64 encoding.
+
+
+Options
+-------
+
+``-S timestamp``
+  Timestamp when the certificate becomes valid. The default value is now.
+
+``-E timestamp``
+  Timestamp when the certificate expires. The default value is one year from now.
+
+``-N name``
+  Name of the certificate owner.
+
+``-I info``
+  Other information about the certificate owner. ``subject-info`` is a list of pairs of OID and
+  corresponding value. For example, "2.5.4.10 'Some Organization' 2.5.4.3 'http://home.page/'".
+
+``-s sign-id``
+  Signing identity. The default key/certificate of ``sign-id`` will be used to sign the requested
+  certificate. If this option is not specified, the system default identity will be used.
+
+Examples
+--------
+
+::
+
+    $ ndnsec-cert-gen -S 20140401000000 -E 20150331235959 -N "David"
+    -I "2.5.4.10 'Some Organization'" -s /ndn/test sign_request.cert
+    Bv0C9wc9CANuZG4IBHRlc3QIA0tFWQgFZGF2aWQIEWtzay0xMzk2OTEzMDU4MTk2
+    CAdJRC1DRVJUCAgAAAFFPp2g3hQDGAECFf0BdjCCAXIwIhgPMjAxNDA0MDEwMDAw
+    MDBaGA8yMDE1MDMzMTIzNTk1OVowKDAMBgNVBCkTBURhdmlkMBgGA1UEChMRU29t
+    ZSBPcmdhbml6YXRpb24wggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC0
+    urnS2nKcnXnMTESH2XqO+H8c6bCE6mmv+FMQ9hSfZVOHbX4kkiDmkcAAf8NCvwGr
+    kEat0NQIhKHFLFtofC5rXLheAo/UxgFA/9bNwiEjMH/c8EN2YTSMzdCDrK6TwE7B
+    623cLTsa3Bb11+BpzC1oLb3Egedgp+vIf+AFIgNQhvfwzsgsgOBB4iJBwcYegU7w
+    JsO0pjY69WQU2DGjABFef6C2Qh8x0TvtnynRLbWlh928+4ilVUvLuWcV3AbPIKLe
+    eZu13+v01JN6kFzNZDPMFtOFPvJ943IdYu7Q9k93PzhSk0+wFp3cHH21PfWeghWe
+    3zLIER8RTWPIQhWSbxRVAgERFjMbAQEcLgcsCANuZG4IA0tFWQgEdGVzdAgRa3Nr
+    LTEzOTQxMjk2OTQ3ODgIB0lELUNFUlQX/QEABUGcl7U+F8cwMHKckerv+1H2Nvsd
+    OfeqX0+4RzWU+wRx2emMGMZZdHSx8M/i45hb0P5hbNEF99L35/SrSTSzhTZdOriD
+    t/LQOcKBoNXY+iw3EUFM0gvRGU0kaEVBKAHtbYhtoHc48QLEyrsVaMqmrjCmpeF/
+    JOcClhzJfFW3cZ/SlhcTEayF0ntogYLR2cMzIwQhhSj5L/Kl7I7uxNxZhK1DS98n
+    q8oGAxHufEAluPrRpDQfI+jeQ4h/YYKcXPW3Vn7VQAGOqIi6gTlUxrmEbyCDF70E
+    xj5t3wfSUmDa1N+hLRMdEAI+IjRRHDSx2Lhj/QcoPIZPWwKjBz9CBL92og==
diff --git a/docs/manpages/ndnsec-cert-install.rst b/docs/manpages/ndnsec-cert-install.rst
new file mode 100644
index 0000000..1ca1ddb
--- /dev/null
+++ b/docs/manpages/ndnsec-cert-install.rst
@@ -0,0 +1,56 @@
+ndnsec-cert-install
+===================
+
+``ndnsec-cert-install`` is a tool to install a certificate into **Public Information Base (PIB)**.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-cert-install [-h] [-IKN] cert-source
+
+Description
+-----------
+
+``ndnsec-cert-install`` can insert a certificate into PIB. By default, the installed certificate
+will be set as the default certificate of its corresponding identity and the identity is set as
+the system default identity.
+
+``cert-source`` could be a filesystem path or an HTTP URL of a file containing to certificate to
+install or . If ``cert-file`` is ``-``, the certificate will be read from standard input.
+
+Options
+-------
+
+``-I``
+  Set the certificate as the default certificate of its corresponding identity, but do not change
+  the system default identity.
+
+``-K``
+  Set the certificate as the default certificate of its corresponding key, but do not change the
+  corresponding identity's default key and the system default identity.
+
+``-N``
+  Install the certificate but do not change any default settings.
+
+Examples
+--------
+
+Install a certificate and set it as the system default certificate:
+
+::
+
+    $ ndnsec-cert-install cert_file.cert
+
+Install a certificate with HTTP URL and set it as the system default certificate:
+
+::
+
+    $ ndnsec-install-cert "http://ndncert.domain.com/cert/get/my-certificate.ndncert"
+
+Install a certificate but do not change any default settings:
+
+::
+
+    $ ndnsec-cert-install -N cert_file.cert
diff --git a/docs/manpages/ndnsec-delete.rst b/docs/manpages/ndnsec-delete.rst
new file mode 100644
index 0000000..e501592
--- /dev/null
+++ b/docs/manpages/ndnsec-delete.rst
@@ -0,0 +1,37 @@
+ndnsec-delete
+=============
+
+``ndnsec-delete`` is a tool to delete security data from both **Public Info Base** and
+**Trusted Platform Module**.
+
+Usage
+-----
+
+::
+
+    ndnsec-delete [-h] [-kc] name
+
+Description
+-----------
+
+By default, ``ndnsec-delete`` interpret ``name`` as an identity name. If an identity is deleted,
+all the keys and certificates belonging to the identity will be deleted as well. If a key is
+deleted,  all the certificate belonging to the key will be deleted as well.
+
+Options
+-------
+
+``-k``
+  Interpret ``name`` as a key name and delete the key and its related data.
+
+``-c``
+  Interpret ``name`` as a certificate name and delete the certificate.
+
+Examples
+--------
+
+Delete all data related to an identity:
+
+::
+
+    $ ndnsec-delete /ndn/test/david
diff --git a/docs/manpages/ndnsec-export.rst b/docs/manpages/ndnsec-export.rst
new file mode 100644
index 0000000..839e381
--- /dev/null
+++ b/docs/manpages/ndnsec-export.rst
@@ -0,0 +1,44 @@
+ndnsec-export
+=============
+
+``ndnsec-export`` is a tool to export an identity's security data
+
+Usage
+-----
+
+::
+
+    $ ndnsec-export [-h] [-o output] [-p] identity
+
+Description
+-----------
+
+``ndnsec-export`` can export public data of the ``identity`` including default key/certificate.
+``ndnsec-export`` can also export sensitive data (such as private key), but the sensitive data will
+be encrypted. The exported identity can be imported again using ``ndnsec-import``.
+
+By default, the command will write exported data to standard output.
+
+Options
+-------
+
+``-o output``
+  Output the exported data to a file pointed by ``output``.
+
+``-p``
+  Export private key of the identity. A password will be asked for data encryption.
+
+Examples
+--------
+
+Export an identity's security data including private key and store the security data in a file:
+
+::
+
+    $ ndnsec-export -o id.info -p /ndn/test/alice
+
+Export an identity's security data without private key and write it to standard output:
+
+::
+
+    $ ndnsec-export /ndn/test/alice
diff --git a/docs/manpages/ndnsec-get-default.rst b/docs/manpages/ndnsec-get-default.rst
new file mode 100644
index 0000000..48889c8
--- /dev/null
+++ b/docs/manpages/ndnsec-get-default.rst
@@ -0,0 +1,61 @@
+ndnsec-get-default
+==================
+
+``ndnsec-get-default`` is a tool to display the default setting of a particular entity.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-get-default [-h] [-kc] [-i identity|-K key] [-q]
+
+Description
+-----------
+
+Given a particular entity, ``ndnsec-get-default`` can display its default setting as specified in
+options. If ``identity`` is specified, the given entity becomes the identity. If ``key`` is
+specified, the given identity becomes the key. If no entity is specified, the command will take the
+system default identity as the given entity.
+
+Options
+-------
+
+``-k``
+  Display the given entity's default key name.
+
+``-c``
+  Display the given entity's default certificate name.
+
+``-i identity``
+  Display default setting of the ``identity``
+
+``-K key``
+  Display default setting of the ``key``.
+
+``-q``
+  Disable trailling new line character.
+
+Examples
+--------
+
+Display an identity's default key name.
+
+::
+
+    $ ndnsec-get-default -k -i /ndn/test/alice
+    /ndn/test/alice/ksk-1394129695025
+
+Display an identity's default certificate name.
+
+::
+
+    $ ndnsec-get-default -c -i /ndn/test/alice
+    /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
+
+Display a key's default certificate name.
+
+::
+
+    $ ndnsec-get-default -c -K /ndn/test/alice/ksk-1394129695025
+    /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
diff --git a/docs/manpages/ndnsec-import.rst b/docs/manpages/ndnsec-import.rst
new file mode 100644
index 0000000..5b61f59
--- /dev/null
+++ b/docs/manpages/ndnsec-import.rst
@@ -0,0 +1,33 @@
+ndnsec-import
+=============
+
+``ndnsec-import`` is a tool to import an identity's security data that is prepared by
+``ndnsec-export``.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-import [-h] [-p] input
+
+Description
+-----------
+
+``ndnsec-import`` read data from ``input``. It will ask for password if the input contains private
+key. If ``input`` is ``-``, security data will be read from standard input.
+
+Options
+-------
+
+``-p``
+  Indicates the imported data containing private key. A password will be asked for data encryption.
+
+Examples
+--------
+
+Import an identity's security data including private key:
+
+::
+
+    $ ndnsec-import -p input_file
diff --git a/docs/manpages/ndnsec-key-gen.rst b/docs/manpages/ndnsec-key-gen.rst
new file mode 100644
index 0000000..fe70233
--- /dev/null
+++ b/docs/manpages/ndnsec-key-gen.rst
@@ -0,0 +1,50 @@
+ndnsec-key-gen
+==============
+
+``ndnsec-key-gen`` is tool to generate a pair of RSA key.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-key-gen [-h] [-n] identity
+
+Description
+-----------
+
+``ndnsec-key-gen`` creates a RSA key pair for the specified ``identity`` and sets the key as the
+identity's default key. ``ndnsec-key-gen`` will also create a signing request for the generated key.
+The signing request will be written to standard output in base64 encoding.
+
+By default, it will also set the identity as the system default identity.
+
+Options
+-------
+
+``-n``
+  Do not set the identity as the system default identity.
+
+Examples
+--------
+
+::
+
+    $ ndnsec-key-gen /ndn/test/david
+    Bv0DAAc9CANuZG4IBHRlc3QIBWRhdmlkCANLRVkIEWtzay0xMzk2OTEzMDU4MTk2
+    CAdJRC1DRVJUCAgAAAFFPoG0ohQDGAECFf0BeDCCAXQwIhgPMjAxNDA0MDcyMzI0
+    MThaGA8yMDM0MDQwMjIzMjQxOFowKjAoBgNVBCkTIS9uZG4vdGVzdC9kYXZpZC9r
+    c2stMTM5NjkxMzA1ODE5NjCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
+    ALS6udLacpydecxMRIfZeo74fxzpsITqaa/4UxD2FJ9lU4dtfiSSIOaRwAB/w0K/
+    AauQRq3Q1AiEocUsW2h8LmtcuF4Cj9TGAUD/1s3CISMwf9zwQ3ZhNIzN0IOsrpPA
+    TsHrbdwtOxrcFvXX4GnMLWgtvcSB52Cn68h/4AUiA1CG9/DOyCyA4EHiIkHBxh6B
+    TvAmw7SmNjr1ZBTYMaMAEV5/oLZCHzHRO+2fKdEttaWH3bz7iKVVS8u5ZxXcBs8g
+    ot55m7Xf6/TUk3qQXM1kM8wW04U+8n3jch1i7tD2T3c/OFKTT7AWndwcfbU99Z6C
+    FZ7fMsgRHxFNY8hCFZJvFFUCAREWOhsBARw1BzMIA25kbggEdGVzdAgFZGF2aWQI
+    A0tFWQgRa3NrLTEzOTY5MTMwNTgxOTYIB0lELUNFUlQX/QEAW2yfF8JTgu5okR+n
+    dRlXc3UR/b1REegrpQb3xVzs7fYiiHwFYzQE9RzOuGh/9GSMvQcfejsPw021tJnj
+    oxNx6spGTOK5Bc0QZGeC6YyNoVSaJr9Obc5Uh8eRqxw76r0pCUHP+l38UgUGeBg/
+    aHurtcu5zK0zFYX++SAfUGLUZlG4CqKBUNZC+6w9OGUXlcW411zMzfqQ7V9Gxg+p
+    1IMNJQ6trTFdIwT/4YWHsxR+16r2TRWCNHtJey2GEG84YoqRh8y37jnu7oPhAtTN
+    TgG9O7O39dZLiFg+UP3LpW1LY64fJXsNfZQmnZWcNo5lX6MXfeiPxWFjOQqnno82
+    1hgqgA==
diff --git a/docs/manpages/ndnsec-list.rst b/docs/manpages/ndnsec-list.rst
new file mode 100644
index 0000000..bc4a316
--- /dev/null
+++ b/docs/manpages/ndnsec-list.rst
@@ -0,0 +1,83 @@
+ndnsec-list
+===========
+
+``ndnsec-list`` is a tool to display entities stored in **Public Information Base (PIB)**, such as
+identities, keys, and certificates.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-list [-h] [-KkCc]
+
+Description
+-----------
+
+``ndnsec-list`` lists names of all the entities according to the granularity specified in options
+(The default granularity is identity). The default entities will be marked with ``*`` in front of
+their names. For example:
+
+::
+
+    $ ndnsec list
+    * /ndn/edu/ucla/cs/yingdi
+      /ndn/test/cathy
+      /ndn/test/bob
+      /ndn/test/alice
+
+
+Options
+-------
+
+``-K, -k``
+  Display key names for each identity. The key name with ``*`` in front is the default key name of
+  the corresponding identity.
+
+``-C, -c``
+  Display certificate names for each key. The certificate name with ``*`` in front is the default
+  certificate name of the corresponding key.
+
+Examples
+--------
+
+Display all the key names in PIB.
+
+::
+
+    $ ndnsec-list -k
+    * /ndn/edu/ucla/cs/yingdi
+      +->* /ndn/edu/ucla/cs/yingdi/ksk-1397247318867
+      +->  /ndn/edu/ucla/cs/yingdi/ksk-1393811874052
+
+      /ndn/test/cathy
+      +->* /ndn/test/cathy/ksk-1394129695418
+
+      /ndn/test/bob
+      +->* /ndn/test/bob/ksk-1394129695308
+
+      /ndn/test/alice
+      +->* /ndn/test/alice/ksk-1394129695025
+
+Display all the certificate names in PIB.
+
+::
+
+    $ ndnsec-list -c
+    * /ndn/edu/ucla/cs/yingdi
+      +->* /ndn/edu/ucla/cs/yingdi/ksk-1397247318867
+           +->* /ndn/edu/ucla/cs/yingdi/KEY/ksk-1397247318867/ID-CERT/%00%00%01ERn%1B%BE
+      +->  /ndn/edu/ucla/cs/yingdi/ksk-1393811874052
+           +->* /ndn/edu/ucla/cs/yingdi/KEY/ksk-1393811874052/ID-CERT/%FD%01D%85%A9a%DD
+
+      /ndn/test/cathy
+      +->* /ndn/test/cathy/ksk-1394129695418
+           +->* /ndn/test/KEY/cathy/ksk-1394129695418/ID-CERT/%FD%01D%98%9A%F3J
+
+      /ndn/test/bob
+      +->* /ndn/test/bob/ksk-1394129695308
+           +->* /ndn/test/KEY/bob/ksk-1394129695308/ID-CERT/%FD%01D%98%9A%F2%AE
+
+      /ndn/test/alice
+      +->* /ndn/test/alice/ksk-1394129695025
+           +->* /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
diff --git a/docs/manpages/ndnsec-op-tool.rst b/docs/manpages/ndnsec-op-tool.rst
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/manpages/ndnsec-op-tool.rst
diff --git a/docs/manpages/ndnsec-set-acl.rst b/docs/manpages/ndnsec-set-acl.rst
new file mode 100644
index 0000000..23eb1a3
--- /dev/null
+++ b/docs/manpages/ndnsec-set-acl.rst
@@ -0,0 +1,26 @@
+ndnsec-set-acl
+==============
+
+``ndnsec-set-acl`` is a tool to add an application into access control list of an private key.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-set-acl [-h] keyName appPath
+
+Description
+-----------
+
+``ndnsec-set-acl`` will add the application pointed by ``appPath`` into the ACL of a key with name
+``keyName``.
+
+Examples
+--------
+
+Add an application into a key's ACL:
+
+::
+
+    $ ndnsec-set-acl /ndn/test/alice/ksk-1394129695025 /test/app/path
diff --git a/docs/manpages/ndnsec-set-default.rst b/docs/manpages/ndnsec-set-default.rst
new file mode 100644
index 0000000..da0c5b5
--- /dev/null
+++ b/docs/manpages/ndnsec-set-default.rst
@@ -0,0 +1,49 @@
+ndnsec-set-default
+==================
+
+``ndnsec-set-default`` is a tool to change the default security settings.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-set-default [-h] [-k|c] name
+
+Description
+-----------
+
+By default, ``ndnsec-set-default`` takes ``name`` as an identity name and sets the identity as the
+system default identity.
+
+Options
+-------
+
+``-k``
+  Set default key. ``name`` should be a key name, ``ndnsec-set-default`` can infer the corresponding
+  identity and set the key as the identity's default key.
+
+``-c``
+  Set default certificate. ``name`` should be a certificate name, ``ndnsec-set-default`` can
+  infer the corresponding key name and set the certificate as the key's default certificate.
+
+Examples
+--------
+
+Set a key's default certificate:
+
+::
+
+    $ ndnsec-set-default -c /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
+
+Set an identity's default key:
+
+::
+
+    $ ndnsec-set-default -k /ndn/test/alice/ksk-1394129695025
+
+Set system default identity:
+
+::
+
+    $ ndnsec-set-default /ndn/test/alice
diff --git a/docs/manpages/ndnsec-sig-verify.rst b/docs/manpages/ndnsec-sig-verify.rst
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/docs/manpages/ndnsec-sig-verify.rst
diff --git a/docs/manpages/ndnsec-sign-req.rst b/docs/manpages/ndnsec-sign-req.rst
new file mode 100644
index 0000000..67d11f4
--- /dev/null
+++ b/docs/manpages/ndnsec-sign-req.rst
@@ -0,0 +1,77 @@
+ndnsec-sign-req
+===============
+
+``ndnsec-sign-req`` is a tool to generate a signing request for a particular key.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-sign-req [-h] [-k] name
+
+Description
+-----------
+
+The signing request of a key is actually a self-signed certificate. Given key's information,
+``ndnsec-sign-req`` looks up the key in PIB. If such a key exists, a self-signed certificate of the
+key, or its signing request, will be outputed to **stdout** with base64 encoding.
+
+By default, ``name`` is interpreted as an identity name. ``ndnsec-sign-req`` will generate a
+signing request for the identity's default key.
+
+Options
+-------
+
+``-k``
+  Interpret ``name`` as a key name.
+
+Examples
+--------
+
+Create a signing request for an identity's default key.
+
+::
+
+    $ ndnsec-sign-req /ndn/test/david
+    Bv0DAAc9CANuZG4IBHRlc3QIBWRhdmlkCANLRVkIEWtzay0xMzk2OTk4Mzg5MjU3
+    CAdJRC1DRVJUCAgAAAFFZ+ibohQDGAECFf0BeDCCAXQwIhgPMjAxNDA0MTYwMDIx
+    MDhaGA8yMDM0MDQxMTAwMjEwOFowKjAoBgNVBCkTIS9uZG4vdGVzdC9kYXZpZC9r
+    c2stMTM5Njk5ODM4OTI1NzCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
+    AKOhGgpUZXiUkaqgfcIvBKSw4wFcSMhBdXr45Tzh8hi8dv1plXKAV4YQLkjHhJqi
+    VTj8qGWkvaP0Kv/mkynaa2rPzUQ77wE1ydRIBUik62bXQa8SanJsV9ux99t9LBKq
+    MY4mtWgal48wFqwqRPNH4xq0yFACh28eaMCMpNvZd2Fh4gmDvQ5xU7sJTyRLt/Mc
+    mfYppDFGfzUP2nP8eQW5I9+L0DXMAAb4z8w1nXHs21xyPv0SSaJXgBH0ZdBwB++D
+    Eo5RLmcDdhFqN0f9Rlz06LVq+gLUC2M+N54jD5qUhPEdW5erY6pyYhq4Zv2B4lbK
+    Zgf2FWIB2iw0of4snf2SxDcCAREWOhsBARw1BzMIA25kbggEdGVzdAgFZGF2aWQI
+    A0tFWQgRa3NrLTEzOTY5OTgzODkyNTcIB0lELUNFUlQX/QEABe8tCY99uFTPyiNX
+    u/hUY96FGnfQx4usA2rCd+M4bkvsAwKQVlbBx1sDXsakvoHhLaCi+MTwHw17o+oG
+    mtPqklLjM8XS+gF+Lh+OyivJQixb8KR8tAtlGeLDoLU/kpgYv/xVhp8Q5ma0/T47
+    faI4Sn6bQP7YoWj+BdO3oZYthtq3MZPw2hl7wuTRMHNm5i3efnZyZdoPNMR2K43x
+    gH6ew1JbEQG7G6l5Q/jjnfT/oTtUeQzqWf2SSylAX+9xFZ9KG4+S6K7mYieBoqiA
+    0wHjvDS1cuIH2j6XveoUYapRjZXaEZqB/YoBwRqEYq2KVn/ol5knLM6FIISXXjxn
+    cIh62A==
+
+
+Create a signing request for a particular key.
+
+::
+
+    $ ndnsec-sign-req -k /ndn/test/david/ksk-1396913058196
+    Bv0DAAc9CANuZG4IBHRlc3QIBWRhdmlkCANLRVkIEWtzay0xMzk2OTEzMDU4MTk2
+    CAdJRC1DRVJUCAgAAAFFZ+mbhRQDGAECFf0BeDCCAXQwIhgPMjAxNDA0MTYwMDIy
+    MTRaGA8yMDM0MDQxMTAwMjIxNFowKjAoBgNVBCkTIS9uZG4vdGVzdC9kYXZpZC9r
+    c2stMTM5NjkxMzA1ODE5NjCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
+    ALS6udLacpydecxMRIfZeo74fxzpsITqaa/4UxD2FJ9lU4dtfiSSIOaRwAB/w0K/
+    AauQRq3Q1AiEocUsW2h8LmtcuF4Cj9TGAUD/1s3CISMwf9zwQ3ZhNIzN0IOsrpPA
+    TsHrbdwtOxrcFvXX4GnMLWgtvcSB52Cn68h/4AUiA1CG9/DOyCyA4EHiIkHBxh6B
+    TvAmw7SmNjr1ZBTYMaMAEV5/oLZCHzHRO+2fKdEttaWH3bz7iKVVS8u5ZxXcBs8g
+    ot55m7Xf6/TUk3qQXM1kM8wW04U+8n3jch1i7tD2T3c/OFKTT7AWndwcfbU99Z6C
+    FZ7fMsgRHxFNY8hCFZJvFFUCAREWOhsBARw1BzMIA25kbggEdGVzdAgFZGF2aWQI
+    A0tFWQgRa3NrLTEzOTY5MTMwNTgxOTYIB0lELUNFUlQX/QEAkA2DjqDq8pcAD579
+    PaGz3sybCMo2zyjAJvLCRRDPrjQfkublIvN3wGykfsYRKTPW/aDlZcgOtqn8+Qdo
+    tpL9PixqB7hPAZzelADB7Rrqw41p5VNJTzBuIzC6bCssMa8xb2VTGkw1oEtWb1vl
+    Dn+WWvmTNE/yTnSTjNXnTdLinBSA1HH4edkjvH9hTn5+DVyZlpZrTX2qRYcNZqdC
+    kgESIroeoFnp95NVmO+jtL/pKaJ53jh7pvpv7y8wOu28Qk6HuhwDUR186Y/TNNt4
+    hIc0NNDfvvyGgbDEGCMJ7/qOSt0qpJ2BxvPCb9S/bQD1odjGfP2F4ZA2S/JN2SYm
+    5gldDQ==
diff --git a/docs/manpages/ndnsec-unlock-tpm.rst b/docs/manpages/ndnsec-unlock-tpm.rst
new file mode 100644
index 0000000..7672f00
--- /dev/null
+++ b/docs/manpages/ndnsec-unlock-tpm.rst
@@ -0,0 +1,17 @@
+ndnsec-unlock-tpm
+=================
+
+``ndnsec-unlock-tpm`` is a tool to (temporarily) unlock the **Trusted Platform Module (TPM)** that
+manages private keys.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-unlock-tpm [-h]
+
+Description
+-----------
+
+``ndnsec-unlock-tpm`` will ask for password to unlock the TPM.
diff --git a/docs/manpages/ndnsec.rst b/docs/manpages/ndnsec.rst
index 8004f80..1efc2e1 100644
--- a/docs/manpages/ndnsec.rst
+++ b/docs/manpages/ndnsec.rst
@@ -1,352 +1,85 @@
-ndnsec: NDN security tool
-=========================
+ndnsec
+======
 
-``ndnsec`` is a command-line tools to perform various NDN security management
-operation:
+``ndnsec`` is a command-line toolkit to perform various NDN security management
+operation.
+
+Usage
+-----
 
 ::
 
-    $ ndnsec <command> <args>
+    $ ndnsec <command> [<args>]
 
-One can check the command list by
+or alternatively
 
 ::
 
-    $ ndnsec help
+    $ ndnsec-command [<args>]
 
-Here is a list of commands supported so far:
+Description
+-----------
 
-::
+The NDN security data are stored and managed in two places: **Public Information Base** and
+**Trusted Platform Module**. ``ndnsec`` toolkit provides a command-line interface of managing and
+using the NDN security data.
 
-    $ ndnsec help
-      help         Show all commands.
-      list         Display information in PublicInfo.
-      get-default  Get default setting info.
-      set-default  Configure default setting.
-      key-gen      Generate a Key-Signing-Key for an identity.
-      sign-req     Generate a certificate signing request.
-      cert-gen     Generate an identity certificate.
-      cert-dump    Dump a certificate from PublicInfo.
-      cert-install Install a certificate into PublicInfo.
-      delete       Delete identity/key/certificate.
-      export       Export an identity package.
-      import       Import an identity package.
-      set-acl      Configure ACL of a private key.
-      unlock-tpm   Unlock Tpm.
-      op-tool      Operator tool.
+ndnsec commands
+---------------
 
-Next, we will introduce these commands one-by-one:
+ndnsec-list_
+  Display information in PublicInfo.
 
-list
-----
+ndnsec-get-default_
+  Get default setting info.
 
-``list`` command can display the information of identities, keys, and
-certificates. By default, it only display all the identities created in
-the system. For example:
+ndnsec-set-default_
+  Configure default setting.
 
-::
+ndnsec-key-gen_
+  Generate a Key-Signing-Key for an identity.
 
-    $ ndnsec list
-    * /ndn/edu/ucla/cs/yingdi
-      /ndn/test/cathy
-      /ndn/test/bob
-      /ndn/test/alice
+ndnsec-sign-req_
+  Generate a certificate signing request.
 
-The identity with ``*`` in front is the default identity of the system.
+ndnsec-cert-gen_
+  Generate an identity certificate.
 
-If option ``-K`` or ``-k`` is specified, the output of the command will
-display key names for each identity. The key name with ``*`` in front is
-the key name of the corresponding identity. For example:
+ndnsec-cert-dump_
+  Dump a certificate from PublicInfo.
 
-::
+ndnsec-cert-install_
+  Install a certificate into PublicInfo.
 
-    $ ndnsec list -k
-    * /ndn/edu/ucla/cs/yingdi
-      +->* /ndn/edu/ucla/cs/yingdi/ksk-1393811874052
+ndnsec-delete_
+  Delete identity/key/certificate.
 
-      /ndn/test/cathy
-      +->* /ndn/test/cathy/ksk-1394129695418
+ndnsec-export_
+  Export an identity package.
 
-      /ndn/test/bob
-      +->* /ndn/test/bob/ksk-1394129695308
+ndnsec-import_
+  Import an identity package.
 
-      /ndn/test/alice
-      +->* /ndn/test/alice/ksk-1394129695025
+ndnsec-set-acl_
+  Configure ACL of a private key.
 
-If option ``-C`` or ``-c`` is specified, the output of the command will
-display certificate names for each key. The certificate name with ``*``
-in front is the certificate name of the corresponding key. For example:
+ndnsec-unlock-tpm_
+  Unlock Tpm.
 
-::
+ndnsec-op-tool_
+  Operator tool.
 
-    $ ndnsec list -c
-    * /ndn/edu/ucla/cs/yingdi
-      +->* /ndn/edu/ucla/cs/yingdi/ksk-1393811874052
-           +->* /ndn/edu/ucla/cs/yingdi/KEY/ksk-1393811874052/ID-CERT/%FD%01D%85%A9a%DD
-
-      /ndn/test/cathy
-      +->* /ndn/test/cathy/ksk-1394129695418
-           +->* /ndn/test/KEY/cathy/ksk-1394129695418/ID-CERT/%FD%01D%98%9A%F3J
-
-      /ndn/test/bob
-      +->* /ndn/test/bob/ksk-1394129695308
-           +->* /ndn/test/KEY/bob/ksk-1394129695308/ID-CERT/%FD%01D%98%9A%F2%AE
-
-      /ndn/test/alice
-      +->* /ndn/test/alice/ksk-1394129695025
-           +->* /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
-
-get-default/set-default
------------------------
-
-If you are only curious about the default setting of a particular
-identity or key. You can use ``get-default`` command.
-
-If you want to check the default setting of a particular identity, you
-can specify the identity name with option ``-i``. For example, a
-command:
-
-::
-
-    $ ndnsec get-default -k -i /ndn/test/alice
-    /ndn/test/alice/ksk-1394129695025
-
-returns the default key name of ``/ndn/test/alice``. And a command:
-
-::
-
-    $ ndnsec get-default -c -i /ndn/test/alice
-    /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
-
-returns the default certificate name of ``/ndn/test/alice``. If option
-``-i`` is missing, the system default identity will be used.
-
-If you want to check default settings of a particular key, you can
-specify the key name with option ``-K``.
-
-::
-
-    $ ndnsec get-default -c -K /ndn/test/alice/ksk-1394129695025
-    /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
-
-In order to change the default setting, you can change it using command
-``set-default``. If you want to change the default system identity, you
-can use command:
-
-::
-
-    $ ndnsec set-default /ndn/test/alice
-
-If you want to set a key as the default key of its corresponding
-identity, you can specify the key name with option ``-k``:
-
-::
-
-    $ ndnsec set-default -k /ndn/test/alice/ksk-1394129695025
-
-If you want to set a certificate as the default certificate of its
-corresponding key, you can specify the certificate name with option
-``-c``:
-
-::
-
-    $ ndnsec set-default -c /ndn/test/KEY/alice/ksk-1394129695025/ID-CERT/%FD%01D%98%9A%F2%3F
-
-key-gen
--------
-
-Command ``key-gen`` allows you to generate keys for a specified
-identity.
-
-::
-
-    $ ndnsec key-gen /ndn/test/david
-    Bv0DAAc9CANuZG4IBHRlc3QIBWRhdmlkCANLRVkIEWtzay0xMzk2OTEzMDU4MTk2
-    CAdJRC1DRVJUCAgAAAFFPoG0ohQDGAECFf0BeDCCAXQwIhgPMjAxNDA0MDcyMzI0
-    MThaGA8yMDM0MDQwMjIzMjQxOFowKjAoBgNVBCkTIS9uZG4vdGVzdC9kYXZpZC9r
-    c2stMTM5NjkxMzA1ODE5NjCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
-    ALS6udLacpydecxMRIfZeo74fxzpsITqaa/4UxD2FJ9lU4dtfiSSIOaRwAB/w0K/
-    AauQRq3Q1AiEocUsW2h8LmtcuF4Cj9TGAUD/1s3CISMwf9zwQ3ZhNIzN0IOsrpPA
-    TsHrbdwtOxrcFvXX4GnMLWgtvcSB52Cn68h/4AUiA1CG9/DOyCyA4EHiIkHBxh6B
-    TvAmw7SmNjr1ZBTYMaMAEV5/oLZCHzHRO+2fKdEttaWH3bz7iKVVS8u5ZxXcBs8g
-    ot55m7Xf6/TUk3qQXM1kM8wW04U+8n3jch1i7tD2T3c/OFKTT7AWndwcfbU99Z6C
-    FZ7fMsgRHxFNY8hCFZJvFFUCAREWOhsBARw1BzMIA25kbggEdGVzdAgFZGF2aWQI
-    A0tFWQgRa3NrLTEzOTY5MTMwNTgxOTYIB0lELUNFUlQX/QEAW2yfF8JTgu5okR+n
-    dRlXc3UR/b1REegrpQb3xVzs7fYiiHwFYzQE9RzOuGh/9GSMvQcfejsPw021tJnj
-    oxNx6spGTOK5Bc0QZGeC6YyNoVSaJr9Obc5Uh8eRqxw76r0pCUHP+l38UgUGeBg/
-    aHurtcu5zK0zFYX++SAfUGLUZlG4CqKBUNZC+6w9OGUXlcW411zMzfqQ7V9Gxg+p
-    1IMNJQ6trTFdIwT/4YWHsxR+16r2TRWCNHtJey2GEG84YoqRh8y37jnu7oPhAtTN
-    TgG9O7O39dZLiFg+UP3LpW1LY64fJXsNfZQmnZWcNo5lX6MXfeiPxWFjOQqnno82
-    1hgqgA==
-
-And the generated key will be automatically set to be the default key of
-the identity. The output of these command is a base64 encoded
-self-signed certificate of the generated key. By default, the specified
-identity will become the system default identity. If this is not your
-intention, you can specify option ``-n`` to disable that.
-
-sign-req
---------
-
-If you want to ask somebody else to issue you a certificate, you need to
-create a signing request. Such a signing request is a self-signed
-certificate of the your default key. You can generate this request using
-command ``sign-req``, for example:
-
-::
-
-    $ ndnsec sign-req /ndn/test/david
-
-The request will be output to stdout. If you want to create a signing
-request for a particular key. You can specify the key name with option
-``-k``, for example:
-
-::
-
-    $ ndnsec sign-req -k /ndn/test/david/ksk-1396913058196
-
-cert-gen
---------
-
-In order to issue others certificates, you can use command ``cert-gen``.
-Such a command requires a signing request (a self-signed certificate).
-
-::
-
-    $ ndnsec cert-gen sign_request.cert
-
-You can specify the starting timestamp of the certificate's validity via
-option ``-S`` and the ending timestamp of the certificate's validity via
-option ``-E``. You can specify the name of the certificate owner via
-option ``-N`` and other information about the certificate owner via
-option ``-I``. At last, you may also specify the signing identity of the
-certificate via option ``-s``, the default key and certificate of the
-signing identity will be used to generate the requested certificate. If
-``-s`` is missing, the system default identity will be used. A complete
-example of ``cert-gen`` command could be:
-
-::
-
-    $ ndnsec cert-gen -S 20140401000000 -E 20150331235959 -N "David" -I "2.5.4.10 'Some Organization'" -s /ndn/test sign_request.cert
-    Bv0C9wc9CANuZG4IBHRlc3QIA0tFWQgFZGF2aWQIEWtzay0xMzk2OTEzMDU4MTk2
-    CAdJRC1DRVJUCAgAAAFFPp2g3hQDGAECFf0BdjCCAXIwIhgPMjAxNDA0MDEwMDAw
-    MDBaGA8yMDE1MDMzMTIzNTk1OVowKDAMBgNVBCkTBURhdmlkMBgGA1UEChMRU29t
-    ZSBPcmdhbml6YXRpb24wggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQC0
-    urnS2nKcnXnMTESH2XqO+H8c6bCE6mmv+FMQ9hSfZVOHbX4kkiDmkcAAf8NCvwGr
-    kEat0NQIhKHFLFtofC5rXLheAo/UxgFA/9bNwiEjMH/c8EN2YTSMzdCDrK6TwE7B
-    623cLTsa3Bb11+BpzC1oLb3Egedgp+vIf+AFIgNQhvfwzsgsgOBB4iJBwcYegU7w
-    JsO0pjY69WQU2DGjABFef6C2Qh8x0TvtnynRLbWlh928+4ilVUvLuWcV3AbPIKLe
-    eZu13+v01JN6kFzNZDPMFtOFPvJ943IdYu7Q9k93PzhSk0+wFp3cHH21PfWeghWe
-    3zLIER8RTWPIQhWSbxRVAgERFjMbAQEcLgcsCANuZG4IA0tFWQgEdGVzdAgRa3Nr
-    LTEzOTQxMjk2OTQ3ODgIB0lELUNFUlQX/QEABUGcl7U+F8cwMHKckerv+1H2Nvsd
-    OfeqX0+4RzWU+wRx2emMGMZZdHSx8M/i45hb0P5hbNEF99L35/SrSTSzhTZdOriD
-    t/LQOcKBoNXY+iw3EUFM0gvRGU0kaEVBKAHtbYhtoHc48QLEyrsVaMqmrjCmpeF/
-    JOcClhzJfFW3cZ/SlhcTEayF0ntogYLR2cMzIwQhhSj5L/Kl7I7uxNxZhK1DS98n
-    q8oGAxHufEAluPrRpDQfI+jeQ4h/YYKcXPW3Vn7VQAGOqIi6gTlUxrmEbyCDF70E
-    xj5t3wfSUmDa1N+hLRMdEAI+IjRRHDSx2Lhj/QcoPIZPWwKjBz9CBL92og==
-
-The output of ``cert-gen`` is the generated certificate with base64
-encoding.
-
-cert-install
-------------
-
-On receiving the requested certificate, you can install the certificate
-in your system via command ``cert-install``.
-
-::
-
-    $ ndnsec cert-install cert_file.cert
-
-By default, the installed certificate will be set to be the default
-certificate of its corresponding identity. And this identity will become
-the system default identity. If this is not your intention, you can
-specify option ``-N`` to install the certificate without changing any
-default setting; or you can specify option ``-K`` to set the installed
-certificate to be the default certificate of its corresponding key; or
-option ``-I`` to set the installed certificate to be the default
-certificate of its corresponding identity.
-
-cert-dump
----------
-
-If you want to display a certificate in stdout, you can use command
-``cert-dump``.
-
-::
-
-    $ ndnsec cert-dump /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
-
-By default, a base64 encoded certificate is displayed. You can specify
-option ``-p`` to display a decoded certificate:
-
-::
-
-    $ ndnsec cert-dump -p /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
-    Certificate name:
-      /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
-    Validity:
-      NotBefore: 20140401T000000
-      NotAfter: 20150331T235959
-    Subject Description:
-      2.5.4.41: David
-      2.5.4.10: Some Organization
-    Public key bits:
-    MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAtLq50tpynJ15zExEh9l6
-    jvh/HOmwhOppr/hTEPYUn2VTh21+JJIg5pHAAH/DQr8Bq5BGrdDUCIShxSxbaHwu
-    a1y4XgKP1MYBQP/WzcIhIzB/3PBDdmE0jM3Qg6yuk8BOwett3C07GtwW9dfgacwt
-    aC29xIHnYKfryH/gBSIDUIb38M7ILIDgQeIiQcHGHoFO8CbDtKY2OvVkFNgxowAR
-    Xn+gtkIfMdE77Z8p0S21pYfdvPuIpVVLy7lnFdwGzyCi3nmbtd/r9NSTepBczWQz
-    zBbThT7yfeNyHWLu0PZPdz84UpNPsBad3Bx9tT31noIVnt8yyBEfEU1jyEIVkm8U
-    VQIB
-
-delete
-------
-
-If you want to delete identities, keys, or certificates, you can use
-command ``delete``. You need to supply a name to this command. By
-default the name should be the identity to delete. For example:
-
-::
-
-    $ ndnsec delete /ndn/test/david
-
-If option ``-K`` or ``-k`` is specified, the name should be the name of
-the key to delete. If option ``-C`` or ``-c`` is specified, the name
-should be the name of the certificate to delete.
-
-export/import
--------------
-
-You can export or import security data of a specified identity. The
-security data may even include private key (which is protected by
-encryption).
-
-In order to export security data of an identity, you can use command:
-
-::
-
-    $ ndnsec export /ndn/test/alice
-
-This will output all the public security data of the specified identity
-to ``stdout``. If you want to export private keys, you need to specify
-option ``-p``. If you want to export security data into a file, you can
-specify the file name with option ``-o``.
-
-If you can also import security data of a particular identity from a
-file, you can use command:
-
-::
-
-    $ ndnsec import input_file
-
-If input\_file is ``-``, the command will import security data from
-``stdin``. If the security to import contains private key, you need to
-specify option ``-p``.
-
-unlock-tpm
-----------
-
-Depending on the internal implementation, the Trusted Platform Module
-(TPM) which manages private keys may be locked. If you want to
-explicitly unlock the TPM, you can use ``unlock-tpm`` command.
+.. _ndnsec-list: ndnsec-list.html
+.. _ndnsec-get-default: ndnsec-get-default.html
+.. _ndnsec-set-default: ndnsec-set-default.html
+.. _ndnsec-key-gen: ndnsec-key-gen.html
+.. _ndnsec-sign-req: ndnsec-sign-req.html
+.. _ndnsec-cert-gen: ndnsec-cert-gen.html
+.. _ndnsec-cert-dump: ndnsec-cert-dump.html
+.. _ndnsec-cert-install: ndnsec-cert-install.html
+.. _ndnsec-delete: ndnsec-delete.html
+.. _ndnsec-export: ndnsec-export.html
+.. _ndnsec-import: ndnsec-import.html
+.. _ndnsec-set-acl: ndnsec-set-acl.html
+.. _ndnsec-unlock-tpm: ndnsec-unlock-tpm.html
+.. _ndnsec-op-tool: ndnsec-op-tool.html
diff --git a/docs/manpages/tlvdump.rst b/docs/manpages/tlvdump.rst
new file mode 100644
index 0000000..eb50961
--- /dev/null
+++ b/docs/manpages/tlvdump.rst
@@ -0,0 +1,46 @@
+tlvdump
+=======
+
+``tlvdump`` is a simple application allowing to decode structure of TLV-encoded packet.
+
+Usage
+-----
+
+::
+
+    tlvdump [filename]
+
+Description
+-----------
+
+If filename is specified, ``tlvdump`` will attempt to read and decode content of the file,
+otherwise data will be read from standard input.
+
+Example
+-------
+
+::
+
+    $ tlvdump interest.tlv
+    5 (Interest) (size: 89)
+      7 (Name) (size: 20)
+        8 (NameComponent) (size: 5) [[local]]
+        8 (NameComponent) (size: 3) [[ndn]]
+        8 (NameComponent) (size: 6) [[prefix]]
+      9 (Selectors) (size: 55)
+        13 (MinSuffixComponents) (size: 1) [[%01]]
+        14 (MaxSuffixComponents) (size: 1) [[%01]]
+        28 (KeyLocatorDigest) (size: 22)
+          7 (Name) (size: 20)
+            8 (NameComponent) (size: 4) [[test]]
+            8 (NameComponent) (size: 3) [[key]]
+            8 (NameComponent) (size: 7) [[locator]]
+        16 (Exclude) (size: 20)
+          8 (NameComponent) (size: 4) [[alex]]
+          8 (NameComponent) (size: 4) [[xxxx]]
+          19 (Any) (size: 0) [[...]]
+          8 (NameComponent) (size: 4) [[yyyy]]
+        17 (ChildSelector) (size: 1) [[%01]]
+      10 (Nonce) (size: 1) [[%01]]
+      11 (Scope) (size: 1) [[%01]]
+      12 (InterestLifetime) (size: 2) [[%03%E8]]
diff --git a/docs/named_data_theme/static/base.css_t b/docs/named_data_theme/static/base.css_t
index 0f0b763..ea6938e 100644
--- a/docs/named_data_theme/static/base.css_t
+++ b/docs/named_data_theme/static/base.css_t
@@ -453,3 +453,11 @@
     border-top: 1px solid #ac9;
     border-bottom: 1px solid #ac9;
 }
+
+td.linenos pre {
+    padding: 5px 0px;
+    border: 0;
+    background-color: transparent;
+    color: #aaa;
+    margin-top: -10pt;
+}
\ No newline at end of file
diff --git a/docs/named_data_theme/static/named_data_style.css_t b/docs/named_data_theme/static/named_data_style.css_t
index 0d00020..f37be7f 100644
--- a/docs/named_data_theme/static/named_data_style.css_t
+++ b/docs/named_data_theme/static/named_data_style.css_t
@@ -10,7 +10,7 @@
     padding: 10px;
     background-color: #fafafa;
     color: #222;
-    line-height: 1.0em;
+    /* line-height: 1.0em; */
     border: 2px solid #C6C9CB;
     font-size: 0.9em;
     /* margin: 1.5em 0 1.5em 0; */