-.B update-users [USER]...
-Update admin-controlled authorized_keys files at
-/var/cache/monkeysphere/authorized_keys/USER. For each specified
-user, the user ID's listed in the user's authorized_user_ids file are
-processed. For each user ID, gpg will be queried for keys associated
-with that user ID, querying a keyserver if specified. If a key is
-found, it will be converted to an ssh key, and any matching ssh keys
-will be removed from the user's authorized_keys file. If the found
-key is acceptable (see KEY ACCEPTABILITY), then the key will be
-updated and re-added to the authorized_keys file. If no gpg key is
-found for the user ID, then nothing is done. If the
-RAW_AUTHORIZED_KEYS variable is set, then a user-controlled
-authorized_keys file (usually ~USER/.ssh/authorized_keys) is added to
-the authorized_keys file. If no users are specified, then all users
-listed in /etc/passwd are processed. `u' may be used in place of
-`update-users.
-.TP
-.B gen-key
-Generate a OpenPGP key pair for the host. `g' may be used in place of
-`gen-key'.
-.TP
-.B show-fingerprint
-Show the fingerprint for the host's OpenPGP key. `f' may be used in place of
-`show-fingerprint'.
+.B update-users [ACCOUNT]...
+Rebuild the monkeysphere-controlled authorized_keys files. For each
+specified account, the user ID's listed in the account's
+authorized_user_ids file are processed. For each user ID, gpg will be
+queried for keys associated with that user ID, optionally querying a
+keyserver. If an acceptable key is found (see KEY ACCEPTABILITY in
+monkeysphere(7)), the key is added to the account's
+monkeysphere-controlled authorized_keys file. If the
+RAW_AUTHORIZED_KEYS variable is set, then a separate authorized_keys
+file (usually ~USER/.ssh/authorized_keys) is appended to the
+monkeysphere-controlled authorized_keys file. If no accounts are
+specified, then all accounts on the system are processed. `u' may be
+used in place of `update-users'.
+.TP
+.B gen-key [HOSTNAME]
+Generate a OpenPGP key for the host. If HOSTNAME is not specified,
+then the system fully-qualified domain name will be user. An
+alternate key bit length can be specified with the `-l' or `--length'
+option (default 2048). An expiration length can be specified with the
+`-e' or `--expire' option (prompt otherwise). The expiration format
+is the same as that of \fBextend-key\fP, below. A key revoker
+fingerprint can be specified with the `-r' or `--revoker' option. `g'
+may be used in place of `gen-key'.
+.TP
+.B extend-key EXPIRE
+Extend the validity of the OpenPGP key for the host until EXPIRE from
+the present. If EXPIRE is not specified, then the user will be
+prompted for the extension term. Expiration is specified like GnuPG
+does:
+.nf
+ 0 = key does not expire
+ <n> = key expires in n days
+ <n>w = key expires in n weeks
+ <n>m = key expires in n months
+ <n>y = key expires in n years
+.fi
+`e' may be used in place of `extend-key'.
+.TP
+.B add-hostname HOSTNAME
+Add a hostname user ID to the server host key. `n+' may be used in
+place of `add-hostname'.
+.TP
+.B revoke-hostname HOSTNAME
+Revoke a hostname user ID from the server host key. `n-' may be used
+in place of `revoke-hostname'.
+.TP
+.B show-key
+Output gpg information about host's OpenPGP key. `s' may be used in
+place of `show-key'.
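Review bot: In the new update-users paragraph, the RAW_AUTHORIZED_KEYS sentence now says "a separate authorized_keys file" where the removed text said "a user-controlled authorized_keys file", so it no longer tells the administrator who controls the file that gets appended to the monkeysphere-controlled one. Suggest keeping "user-controlled" and stating whether the appended entries are subject to the KEY ACCEPTABILITY check mentioned in the sentence before. In the extend-key entry, the synopsis ".B extend-key EXPIRE" presents EXPIRE as required while the body says "If EXPIRE is not specified, then the user will be prompted"; write it as "[EXPIRE]" to match "gen-key [HOSTNAME]". The gen-key synopsis also omits the `-l', `-e' and `-r' options that its body documents. Two wording fixes in gen-key: "will be user" should read "will be used", and "Generate a OpenPGP key" should be "Generate an OpenPGP key".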