--- gvpe/doc/gvpectrl.8 2016/03/30 04:02:50 1.8 +++ gvpe/doc/gvpectrl.8 2016/11/02 07:06:38 1.9 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GVPECTRL 8" -.TH GVPECTRL 8 "2015-10-31" "2.25" "GNU Virtual Private Ethernet" +.TH GVPECTRL 8 "2016-11-02" "2.25" "GNU Virtual Private Ethernet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -152,9 +152,34 @@ .IP "\fB\-c\fR, \fB\-\-config=\fR\fI\s-1DIR\s0\fR" 4 .IX Item "-c, --config=DIR" Read configuration options from \fI\s-1DIR\s0\fR. -.IP "\fB\-g\fR, \fB\-\-generate\-keys\fR" 4 -.IX Item "-g, --generate-keys" -Generate public/private \s-1RSA\s0 key-pair and exit. +.IP "\fB\-g\fR, \fB\-\-generate\-key=path\fR" 4 +.IX Item "-g, --generate-key=path" +Generates a single \s-1RSA\s0 key-pair. The public key will be stored in \fI\fIpath\fI\fR +while the private key will be stored in \fI\fIpath\fI .privkey\fR. Neither file must be +non-empty for this to succeed. +.Sp +The public key file \fI\fIpath\fI\fR is normally copied to \fIpubkey/nodename\fR in +the config directory on all nodes, while the private key \fI\fIpath\fI.privkey\fR +should be copied to the file \fIhostkey\fR on the node the key is for. +.Sp +It's recommended to generate the keypair on the node where it will be +used, so that the private key file does not have to travel over the +network. +.IP "\fB\-G\fR, \fB\-\-generate\-keys\fR" 4 +.IX Item "-G, --generate-keys" +Generate public/private \s-1RSA\s0 key-pairs for all nodes not having a key and exit. +.Sp +Note that in normal configurations this will fail, as there cna only be +one private key per host. To make this configuration work you need to +specify separate keyfiles for hostkeys in your config file, e.g.: +.Sp +.Vb 1 +\& private\-key = hostkeys/%s +.Ve +.Sp +Such a configuration makes it easier to distribute a configuration +centrally but requires private keys to be transported securely over the +network. .IP "\fB\-q\fR, \fB\-\-quiet\fR" 4 .IX Item "-q, --quiet" Suppresses messages the author finds nonessential for scripting purposes.
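Review bot: typo in the new \fB\-G\fR paragraph of this hunk: "there cna only be one private key per host" should read "there can only be one private key per host". Two smaller points in the same hunk: the path markup in the \fB\-g\fR description is inconsistent, with `\fI\fIpath\fI .privkey\fR` carrying a stray space before `.privkey` while the next paragraph uses `\fI\fIpath\fI.privkey\fR` (and the nested `\fI` inside `\fI` has no effect; `\fIpath\fR.privkey` would render the same more simply); and "Neither file must be non-empty for this to succeed" is hard to parse, so consider "Both files must be empty or absent for this to succeed". Finally, "Generates a single RSA key-pair" breaks the imperative style ("Generate ...", "Read ...", "Suppresses ...") used by the neighbouring options; "Generate" would match the \fB\-G\fR entry added just below it.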