=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.141 retrieving revision 1.142 diff -u -r1.141 -r1.142 --- src/usr.bin/ssh/ssh-keygen.1 2017/05/05 10:41:58 1.141 +++ src/usr.bin/ssh/ssh-keygen.1 2017/06/28 01:09:22 1.142 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.141 2017/05/05 10:41:58 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.142 2017/06/28 01:09:22 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 5 2017 $ +.Dd $Mdocdate: June 28 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -114,6 +114,8 @@ .Fl s Ar ca_key .Fl I Ar certificate_identity .Op Fl h +.Op Fl U +.Op Fl D Ar pkcs11_provider .Op Fl n Ar principals .Op Fl O Ar option .Op Fl V Ar validity_interval @@ -558,6 +560,14 @@ .Dq ed25519 , or .Dq rsa . +.It Fl U +When used in combination with +.Fl s , +this option indicates that a CA key resides in a +.Xr ssh-agent 1 . +See the +.Sx CERTIFICATES +section for more information. .It Fl u Update a KRL. When specified with @@ -704,6 +714,14 @@ .Fl s : .Pp .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub +.Pp +Similarly, it is possible for the CA key to be hosted in a +.Xr ssh-agent 1 . +This is indicated by the +.Fl U +flag and, again, the CA key must be identified by its public half. +.Pp +.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub .Pp In all cases, .Ar key_id
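Review bot: In the synopsis hunk (@@ -114,6 +114,8 @@), `.Op Fl U` and `.Op Fl D Ar pkcs11_provider` are added as two independent optional flags. The synopsis therefore does not show that they are alternative locations for the CA private key, and nothing else added in this patch says whether they may be given together. Suggest either presenting them as alternatives in the synopsis or adding a sentence to the -U entry stating how -U and -D interact.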
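Review bot: The new `.It Fl U` entry (@@ -558,6 +560,14 @@) leaves out the requirement that, with -U, the argument to -s is the CA public key file. That requirement appears only in the CERTIFICATES text ("the CA key must be identified by its public half"), so a reader who looks up the flag alone will not see it. Suggest repeating it in this entry, and saying how ssh-keygen locates the agent it talks to. Minor wording: "a CA key resides in a ssh-agent(1)" would read better as "the CA key resides in an ssh-agent(1)".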
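Review bot: The CERTIFICATES paragraph added at @@ -704,6 +714,14 @@ says the CA key "must be identified by its public half", but it does not say that the matching private key has to be loaded in the agent before signing, or what the command does when the agent holds no such key. Suggest one sentence covering that case. Also, the example `ssh-keygen -Us ca_key.pub -I key_id user_key.pub` bundles -U with -s; writing it as `-U -s ca_key.pub` would make it obvious that ca_key.pub is the argument of -s and would match the form of the preceding -D example.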