pki: Add --label options to --est* command synopsis

Also fixes some formatting in the man pages.

src/pki/commands/est.c

@@ -357,15 +357,16 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		est, 'E', "est",
 		"Enroll an X.509 certificate with an EST server",
-		{"--url url [--in file] [--cacert file]+ [-userpass username:password]",
-		 "[--cert file|--certid hex --key file|--keyid hex] [--interval time]",
+		{"--url url [--label label] [--in file] --cacert file",
+		 "[--cert file|--certid hex --key file|--keyid hex]",
+		 "[--userpass username:password] [--interval time]",
 		 "[--maxpolltime time] [--outform der|pem]"},
 		{
 			{"help",        'h', 0, "show usage information"},
 			{"url",         'u', 1, "URL of the EST server"},
 			{"label",       'l', 1, "label in the EST server path"},
 			{"in",          'i', 1, "PKCS#10 input file, default: stdin"},
-			{"cacert",      'C', 1, "CA certificate"},
+			{"cacert",      'C', 1, "CA certificate(s)"},
 			{"cert",        'c', 1, "old certificate about to be renewed"},
 			{"certid",      'X', 1, "smartcard or TPM certificate object handle" },
 			{"key",         'k', 1, "old private key about to be replaced"},

src/pki/commands/estca.c

@@ -131,13 +131,14 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		estca, 'e', "estca",
-		"get CA certificate[s] from a EST server",
-		{"--url url [--cacert file]+ [--caout file] [--outform der|pem] [--force]"},
+		"get CA certificate[s] from an EST server",
+		{"--url url [--label label] --cacert file [--caout file]",
+		 "[--outform der|pem] [--force]"},
 		{
 			{"help",    'h', 0, "show usage information"},
 			{"url",     'u', 1, "URL of the EST server"},
 			{"label",   'l', 1, "label in the EST server path"},
-			{"cacert",  'C', 1, "TLS CA certificate"},
+			{"cacert",  'C', 1, "TLS CA certificate(s)"},
 			{"caout",   'c', 1, "CA certificate [template]"},
 			{"outform", 'f', 1, "encoding of stored certificates, default: der"},
 			{"force",   'F', 0, "force overwrite of existing files"},

src/pki/man/pki---est.1.in

@@ -7,14 +7,13 @@ pki \-\-est \- Enroll an X.509 certificate with an EST server
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-est
-.BI\-\-\-url\~ url
+.BI \-\-\-url\~ url
 .OP \-\-label label
 .OP \-\-in file
 .BI \-\-cacert\~ file
 .RB [ \-\-cert
 .IR file | \fB\-\-certid\fR
-.IR hex ]
-.RB [ \-\-key
+.IB hex\~ \-\-key
 .IR file | \fB\-\-keyid\fR
 .IR hex ]
 .OP \-\-userpass username:password
@@ -118,8 +117,8 @@ To save some typing work the following command line options are stored in a
 .B NOTE:
 For a successful HTTPS connection, trust must be established into the EST server
 certificate. The TLS trust chain including the root CA certificate and
-optionally intermediate CA certificates must be given using [multiple]
-.B --cacert*
+optionally intermediate CA certificates must be given using multiple
+.B --cacert
 options.
 .P
 The

src/pki/man/pki---estca.1.in

@@ -7,9 +7,9 @@ pki \-\-estca \- Get CA certificate[s] from an EST server
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-estca
-.BI\-\-\-url\~ url
+.BI \-\-url\~ url
 .OP \-\-label label
-.BI\-\-\-cacert\~ file
+.BI \-\-cacert\~ file
 .OP \-\-caout file
 .OP \-\-outform encoding
 .OP \-\-force
@@ -92,7 +92,7 @@ To save some typing work the following command line options are stored in a
 .B NOTE:
 For a successful HTTPS connection, trust must be established into the EST server
 certificate. The TLS trust chain including the root CA certificate and optionally
-intermediate CA certificates must be given using [multiple]
+intermediate CA certificates must be given using multiple
 .B --cacert
 options.
 .P

src/pki/man/pki---scep.1.in

@@ -9,7 +9,7 @@ pki \-\-scep \- Enroll an X.509 certificate with a SCEP server
 .SY pki\ \-\-scep
 .BI\-\-\-url\~ url
 .OP \-\-in file
-.BI \-\-dn\~ distinguished-name
+.OP \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
 .OP \-\-profile profile
 .OP \-\-password password