+is a low-level utility for transforming raw, PEM-encoded RSA secret
+keys into OpenPGP-formatted certificates. The generated certificates
+include the secret key material, so they should be handled carefully.
+.Pp
+It works as an element within a pipeline: feed it the raw key on
+stdin, supply the desired User ID as a command line argument. Note
+that you may need to quote the string to ensure that it is entirely in
+a single argument.
+.Pp
+Other choices about how to generate the new OpenPGP certificate are
+governed by environment variables.
+.Sh ENVIRONMENT
+The following environment variables influence the behavior of
+.Nm :
+.Pp
+.ti 3
+\fBPEM2OPENPGP_TIMESTAMP\fP controls the timestamp (measured in
+seconds since the UNIX epoch) indicated as the creation time (a.k.a
+"not valid before") of the generated certificate (self-signature) and
+the key itself. By default,
+.Nm
+uses the current time.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_KEY_TIMESTAMP\fP controls the timestamp (measured in
+seconds since the UNIX epoch) indicated as the creation time of just
+the key itself (not the self-signature). By default,
+.Nm
+uses the value from PEM2OPENPGP_TIMESTAMP.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_USAGE_FLAGS\fP should contain a comma-separated list of
+valid OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what
+these mean). The available choices are: certify, sign, encrypt_comms,
+encrypt_storage, encrypt (this means both encrypt_comms and
+encrypt_storage), authenticate, split, shared. By default,
+.Nm
+only sets the certify flag.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_EXPIRATION\fP sets an expiration (measured in seconds
+after the creation time of the key) in each self-signature packet. By
+default, no expiration subpacket is included.
+.Pp
+.ti 3
+\fBPEM2OPENPGP_NEWKEY\fP indicates that
+.Nm
+should ignore stdin, and instead generate a new key internally and
+build the certificate based on this new key. Set this variable to the
+number of bits for the new key (e.g. 2048). By default (when this is
+unset),
+.Nm
+will read the key from stdin.