diff --git a/src/management/controller.hpp b/src/management/controller.hpp
index 8ae508e..5c32b3b 100644
--- a/src/management/controller.hpp
+++ b/src/management/controller.hpp
@@ -22,6 +22,7 @@
 
 class Name;
 class Face;
+class IdentityCertificate;
 
 class Controller
 {
@@ -40,9 +41,33 @@
                      const FailCallback&    onFail) = 0;
 
   virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const IdentityCertificate& certificate) = 0;
+
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const Name& identity) = 0;
+
+  virtual void
   selfDeregisterPrefix(const Name& prefixToRegister,
                        const SuccessCallback& onSuccess,
                        const FailCallback&    onFail) = 0;
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const IdentityCertificate& certificate) = 0;
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const Name& identity) = 0;
 };
 
 } // namespace ndn
diff --git a/src/management/ndnd-controller.cpp b/src/management/ndnd-controller.cpp
index c8e97f0..6e917b0 100644
--- a/src/management/ndnd-controller.cpp
+++ b/src/management/ndnd-controller.cpp
@@ -14,6 +14,7 @@
 #include "ndnd-controller.hpp"
 
 #include "../face.hpp"
+#include "../security/identity-certificate.hpp"
 #include "../security/signature-sha256-with-rsa.hpp"
 #include "../util/random.hpp"
 
@@ -51,7 +52,6 @@
                       onFail);
 }
 
-
 void
 Controller::selfDeregisterPrefix(const Name& prefixToRegister,
                                  const SuccessCallback& onSuccess,
diff --git a/src/management/ndnd-controller.hpp b/src/management/ndnd-controller.hpp
index 5d57886..f6de05f 100644
--- a/src/management/ndnd-controller.hpp
+++ b/src/management/ndnd-controller.hpp
@@ -43,10 +43,46 @@
                      const FailCallback&    onFail);
 
   virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const IdentityCertificate& certificate)
+  {
+    selfRegisterPrefix(prefixToRegister, onSuccess, onFail);
+  }
+
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const Name& identity)
+  {
+    selfRegisterPrefix(prefixToRegister, onSuccess, onFail);
+  }
+
+  virtual void
   selfDeregisterPrefix(const Name& prefixToRegister,
                        const SuccessCallback& onSuccess,
                        const FailCallback&    onFail);
 
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const IdentityCertificate& certificate)
+  {
+    selfDeregisterPrefix(prefixToRegister, onSuccess, onFail);
+  }
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const Name& identity)
+  {
+    selfDeregisterPrefix(prefixToRegister, onSuccess, onFail);
+  }
+
 protected:
   void
   startFaceAction(const FaceInstance& entry,
diff --git a/src/management/nfd-control-command.hpp b/src/management/nfd-control-command.hpp
index a78179d..bde5725 100644
--- a/src/management/nfd-control-command.hpp
+++ b/src/management/nfd-control-command.hpp
@@ -25,6 +25,10 @@
 class ControlCommand : noncopyable
 {
 public:
+  /** \brief a callback on signing command interest
+   */
+  typedef function<void(Interest&)> Sign;
+
   /** \brief represents an error in ControlParameters
    */
   class ArgumentError : public std::invalid_argument
@@ -49,14 +53,14 @@
    */
   Interest
   makeCommandInterest(const ControlParameters& parameters,
-                      CommandInterestGenerator& commandInterestGenerator) const
+                      const Sign& sign) const
   {
     this->validateRequest(parameters);
 
     Name name = m_prefix;
     name.append(parameters.wireEncode());
     Interest commandInterest(name);
-    commandInterestGenerator.generate(commandInterest);
+    sign(commandInterest);
     return commandInterest;
   }
 
diff --git a/src/management/nfd-controller.cpp b/src/management/nfd-controller.cpp
index c0c7729..661b08a 100644
--- a/src/management/nfd-controller.cpp
+++ b/src/management/nfd-controller.cpp
@@ -12,6 +12,7 @@
 
 #include "nfd-controller.hpp"
 #include "nfd-control-response.hpp"
+#include "../security/identity-certificate.hpp"
 
 namespace ndn {
 namespace nfd {
@@ -75,7 +76,8 @@
 void
 Controller::selfRegisterPrefix(const Name& prefixToRegister,
                                const SuccessCallback& onSuccess,
-                               const FailCallback& onFail)
+                               const FailCallback& onFail,
+                               const Sign& sign)
 {
   const uint32_t selfFaceId = 0;
 
@@ -85,13 +87,15 @@
 
   this->start<FibAddNextHopCommand>(parameters,
                                     bind(onSuccess),
-                                    bind(onFail, _2));
+                                    bind(onFail, _2),
+                                    sign);
 }
 
 void
 Controller::selfDeregisterPrefix(const Name& prefixToDeRegister,
                                  const SuccessCallback& onSuccess,
-                                 const FailCallback& onFail)
+                                 const FailCallback& onFail,
+                                 const Sign& sign)
 {
   const uint32_t selfFaceId = 0;
 
@@ -101,7 +105,8 @@
 
   this->start<FibRemoveNextHopCommand>(parameters,
                                        bind(onSuccess),
-                                       bind(onFail, _2));
+                                       bind(onFail, _2),
+                                       sign);
 }
 
 } // namespace nfd
diff --git a/src/management/nfd-controller.hpp b/src/management/nfd-controller.hpp
index f9ca999..583be71 100644
--- a/src/management/nfd-controller.hpp
+++ b/src/management/nfd-controller.hpp
@@ -17,6 +17,7 @@
 #include "nfd-control-command.hpp"
 #include "../face.hpp"
 
+
 namespace ndn {
 namespace nfd {
 
@@ -33,6 +34,10 @@
    */
   typedef function<void(uint32_t/*code*/,const std::string&/*reason*/)> CommandFailCallback;
 
+  /** \brief a callback on signing command interest
+   */
+  typedef function<void(Interest&)> Sign;
+
   explicit
   Controller(Face& face);
 
@@ -43,18 +48,136 @@
   start(const ControlParameters& parameters,
         const CommandSucceedCallback& onSuccess,
         const CommandFailCallback& onFailure,
-        time::milliseconds timeout = getDefaultCommandTimeout());
+        const time::milliseconds& timeout = getDefaultCommandTimeout())
+  {
+    start<Command>(parameters, onSuccess, onFailure,
+                   bind(&CommandInterestGenerator::generate,
+                        &m_commandInterestGenerator, _1,
+                        boost::cref(Name())),
+                   timeout);
+  }
+
+  template<typename Command>
+  void
+  start(const ControlParameters& parameters,
+        const CommandSucceedCallback& onSuccess,
+        const CommandFailCallback& onFailure,
+        const IdentityCertificate& certificate,
+        const time::milliseconds& timeout = getDefaultCommandTimeout())
+  {
+    start<Command>(parameters, onSuccess, onFailure,
+                   bind(&CommandInterestGenerator::generate,
+                        &m_commandInterestGenerator, _1,
+                        boost::cref(certificate.getName())),
+                   timeout);
+  }
+
+  template<typename Command>
+  void
+  start(const ControlParameters& parameters,
+        const CommandSucceedCallback& onSuccess,
+        const CommandFailCallback& onFailure,
+        const Name& identity,
+        const time::milliseconds& timeout = getDefaultCommandTimeout())
+  {
+    start<Command>(parameters, onSuccess, onFailure,
+                   bind(&CommandInterestGenerator::generateWithIdentity,
+                        &m_commandInterestGenerator, _1,
+                        boost::cref(identity)),
+                   timeout);
+  }
 
 public: // selfreg using FIB Management commands
   virtual void
   selfRegisterPrefix(const Name& prefixToRegister,
                      const SuccessCallback& onSuccess,
-                     const FailCallback&    onFail);
+                     const FailCallback&    onFail)
+  {
+    this->selfRegisterPrefix(prefixToRegister, onSuccess, onFail,
+                             bind(&CommandInterestGenerator::generate,
+                                  &m_commandInterestGenerator, _1,
+                                  boost::cref(Name())));
+  }
+
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const IdentityCertificate& certificate)
+  {
+    this->selfRegisterPrefix(prefixToRegister, onSuccess, onFail,
+                             bind(&CommandInterestGenerator::generate,
+                                  &m_commandInterestGenerator, _1,
+                                  boost::cref(certificate.getName())));
+  }
+
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const Name& identity)
+  {
+    this->selfRegisterPrefix(prefixToRegister, onSuccess, onFail,
+                             bind(&CommandInterestGenerator::generateWithIdentity,
+                                  &m_commandInterestGenerator, _1,
+                                  boost::cref(identity)));
+  }
 
   virtual void
   selfDeregisterPrefix(const Name& prefixToDeRegister,
                        const SuccessCallback& onSuccess,
-                       const FailCallback&    onFail);
+                       const FailCallback&    onFail)
+  {
+    this->selfDeregisterPrefix(prefixToDeRegister, onSuccess, onFail,
+                               bind(&CommandInterestGenerator::generate,
+                                    &m_commandInterestGenerator, _1,
+                                    boost::cref(Name())));
+  }
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToDeRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const IdentityCertificate& certificate)
+  {
+    this->selfDeregisterPrefix(prefixToDeRegister, onSuccess, onFail,
+                               bind(&CommandInterestGenerator::generate,
+                                    &m_commandInterestGenerator, _1,
+                                    boost::cref(certificate.getName())));
+  }
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToDeRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const Name& identity)
+  {
+    this->selfDeregisterPrefix(prefixToDeRegister, onSuccess, onFail,
+                               bind(&CommandInterestGenerator::generateWithIdentity,
+                                    &m_commandInterestGenerator, _1,
+                                    boost::cref(identity)));
+  }
+
+protected:
+  template<typename Command>
+  void
+  start(const ControlParameters& parameters,
+        const CommandSucceedCallback& onSuccess,
+        const CommandFailCallback& onFailure,
+        const Sign& sign,
+        const time::milliseconds& timeout = getDefaultCommandTimeout());
+
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const Sign& sign);
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToDeRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const Sign& sign);
 
 private:
   void
@@ -81,13 +204,15 @@
 Controller::start(const ControlParameters& parameters,
                   const CommandSucceedCallback& onSuccess,
                   const CommandFailCallback&    onFailure,
-                  time::milliseconds timeout)
+                  const Sign& sign,
+                  const time::milliseconds& timeout)
 {
   BOOST_ASSERT(timeout > time::milliseconds::zero());
 
   shared_ptr<ControlCommand> command = make_shared<Command>();
 
-  Interest commandInterest = command->makeCommandInterest(parameters, m_commandInterestGenerator);
+  Interest commandInterest = command->makeCommandInterest(parameters, sign);
+
   commandInterest.setInterestLifetime(timeout);
 
   // http://msdn.microsoft.com/en-us/library/windows/desktop/ms740668.aspx
diff --git a/src/management/nrd-controller.cpp b/src/management/nrd-controller.cpp
index 558f056..b023277 100644
--- a/src/management/nrd-controller.cpp
+++ b/src/management/nrd-controller.cpp
@@ -13,6 +13,8 @@
 #include "nrd-controller.hpp"
 #include "nrd-prefix-reg-options.hpp"
 #include "nfd-control-response.hpp" // used in deprecated function only
+#include "../security/identity-certificate.hpp"
+
 
 namespace ndn {
 namespace nrd {
@@ -29,27 +31,31 @@
 void
 Controller::selfRegisterPrefix(const Name& prefixToRegister,
                                const SuccessCallback& onSuccess,
-                               const FailCallback&    onFail)
+                               const FailCallback&    onFail,
+                               const Sign& sign)
 {
   ControlParameters parameters;
   parameters.setName(prefixToRegister);
 
   this->start<RibRegisterCommand>(parameters,
                                   bind(onSuccess),
-                                  bind(onFail, _2));
+                                  bind(onFail, _2),
+                                  sign);
 }
 
 void
 Controller::selfDeregisterPrefix(const Name& prefixToRegister,
                                  const SuccessCallback& onSuccess,
-                                 const FailCallback&    onFail)
+                                 const FailCallback&    onFail,
+                                 const Sign& sign)
 {
   ControlParameters parameters;
   parameters.setName(prefixToRegister);
 
   this->start<RibUnregisterCommand>(parameters,
                                     bind(onSuccess),
-                                    bind(onFail, _2));
+                                    bind(onFail, _2),
+                                    sign);
 }
 
 void
diff --git a/src/management/nrd-controller.hpp b/src/management/nrd-controller.hpp
index 2e94de6..1aba57f 100644
--- a/src/management/nrd-controller.hpp
+++ b/src/management/nrd-controller.hpp
@@ -24,23 +24,16 @@
 class Controller : public nfd::Controller
 {
 public:
+  /** \brief a callback on signing command interest
+   */
+  typedef function<void(Interest&)> Sign;
+
   /// \deprecated
   typedef function<void(const PrefixRegOptions&)> CommandSucceedCallback;
 
   explicit
   Controller(Face& face);
 
-public: // selfreg using RIB Management commands
-  virtual void
-  selfRegisterPrefix(const Name& prefixToRegister,
-                     const SuccessCallback& onSuccess,
-                     const FailCallback&    onFail);
-
-  virtual void
-  selfDeregisterPrefix(const Name& prefixToRegister,
-                       const SuccessCallback& onSuccess,
-                       const FailCallback&    onFail);
-
 public:
   /// \deprecated .start<RibRegisterCommand>
   void
@@ -74,6 +67,19 @@
                const CommandSucceedCallback& onSuccess,
                const FailCallback& onFailure);
 
+  // selfreg using RIB Management commands
+  virtual void
+  selfRegisterPrefix(const Name& prefixToRegister,
+                     const SuccessCallback& onSuccess,
+                     const FailCallback&    onFail,
+                     const Sign& sign);
+
+  virtual void
+  selfDeregisterPrefix(const Name& prefixToDeRegister,
+                       const SuccessCallback& onSuccess,
+                       const FailCallback&    onFail,
+                       const Sign& sign);
+
 private:
   /// \deprecated
   void