=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.133 retrieving revision 1.134 diff -u -r1.133 -r1.134 --- src/usr.bin/ssh/ssh-keygen.1 2016/06/16 06:10:45 1.133 +++ src/usr.bin/ssh/ssh-keygen.1 2017/04/29 04:12:25 1.134 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.133 2016/06/16 06:10:45 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.134 2017/04/29 04:12:25 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 16 2016 $ +.Dd $Mdocdate: April 29 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -474,9 +474,29 @@ .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR format. +.It Ic extension Ns : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate extension. +.It Ic critical Ns : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option. .El .Pp -At present, no options are valid for host keys. +At present, no standard options are valid for host keys. +.Pp +For non-standard certificate extension or options included using +.Ic extension +or +.Ic option , +the specified +.Ar name +should include a domain suffix, e.g. +.Dq name@example.com . +If a +.Ar contents +is specified then it is included as the contents of the extension/option +encoded as a string, otherwise the extension/option is created with no +contents (usually indicating a flag). +Extensions may be ignored by a client or server that does not recognise them, +whereas unknown critical options will cause the certificate to be refused. .It Fl o Causes .Nm
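Review bot: In the @@ -474,9 +474,29 @@ hunk, the new paragraph says non-standard entries are "included using .Ic extension or .Ic option", but the two list items this hunk adds are `extension` and `critical`, so the second keyword named in the prose does not match anything added here. Suggest changing `.Ic option ,` to `.Ic critical ,` so the paragraph points at the `.It Ic critical Ns : Ns Ar name ...` entry. In the same sentence, "For non-standard certificate extension or options" mixes singular and plural and should read "extensions or options". The closing sentence, that unknown critical options cause the certificate to be refused while unknown extensions may be ignored, is the behaviour an operator most needs when choosing between the two keywords. Consider repeating it briefly in the `critical` list item itself, which currently says only "Includes an arbitrary certificate critical option."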