certtool: improved documentation on --provable option

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

1 files changed, 8 insertions, 1 deletions

diff --git a/src/certtool-args.def b/src/certtool-args.def
index fcb895e829..bc1bf5f5da 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -224,7 +224,14 @@ flag = {
 flag = {
     name      = provable;
     descrip   = "Generate a private key or parameters from a seed using a provable method";
-    doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation. When specified the private keys or parameters will be generated from a seed, and can be proven to be correctly generated from the seed. You may specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with --generate-privkey or --generate-dh-params.";
+    doc = "This will use the FIPS-186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
+When specified the private keys or parameters will be generated from a seed, and can be
+later validated with --verify-provable-privkey to be correctly generated from the seed. You may
+specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
+--generate-privkey or --generate-dh-params.
+
+That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
+are generated using the seed, and on RSA the two primes.";
 };
 
 flag = {