diff --git a/doc/tools/pkcs15-init.1.xml b/doc/tools/pkcs15-init.1.xml
index 7b28af66..3a0bd28c 100644
--- a/doc/tools/pkcs15-init.1.xml
+++ b/doc/tools/pkcs15-init.1.xml
@@ -233,6 +233,22 @@
usually the user certificate that goes with the key, as well as the CA certificate.
+
+
+ Secret Key Upload
+
+ You can use a secret key generated by other means and upload it to the card.
+ For instance, to upload an AES-secret key generated by the system random generator
+ you would use
+
+
+ pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes/256 --auth-id 01
+
+
+ By default a random ID is generated for the secret key. You may specify an ID
+ with the if needed.
+
+
@@ -380,6 +396,19 @@
+
+
+ keyspec,
+
+
+
+ keyspec describes the algorithm and length of the
+ key to be created or downloaded, such as aes/256.
+ This will create a 256 bit AES key.
+
+
+
+
filename,
@@ -439,6 +468,24 @@
+
+
+ filename,
+
+
+
+ Tells pkcs15-init to download the specified
+ secret key to the card. The file is assumed to contain the raw key.
+ They key type should be specified with
+ option.
+ You may additionally specify the key ID along with this command,
+ using the option, otherwise a random ID is generated.
+ For the multi-application cards the target PKCS#15 application can be
+ specified by the hexadecimal AID value of the option.
+
+
+
+
filename,