flag.StringVar(&c.KMS,"kms",kmsuri,"PKCS #11 URI with the module-path and token to connect to the module.")
flag.StringVar(&c.Pin,"pin","","PKCS #11 PIN")
flag.StringVar(&c.RootObject,"root-cert","pkcs11:id=7330;object=root-cert","PKCS #11 URI with object id and label to store the root certificate.")
flag.StringVar(&c.RootPath,"root-cert-path","root_ca.crt","Location to write the root certificate.")
flag.StringVar(&c.RootKeyObject,"root-key","pkcs11:id=7330;object=root-key","PKCS #11 URI with object id and label to store the root key.")
// Option 1: Generate new root
flag.BoolVar(&c.GenerateRoot,"root-gen",true,"Enable the generation of a root key.")
flag.StringVar(&c.RootSubject,"root-name","PKCS #11 Smallstep Root","Subject and Issuer of the root certificate.")
flag.StringVar(&c.CrtObject,"crt-cert","pkcs11:id=7331;object=intermediate-cert","PKCS #11 URI with object id and label to store the intermediate certificate.")
flag.StringVar(&c.CrtPath,"crt-cert-path","intermediate_ca.crt","Location to write the intermediate certificate.")
flag.StringVar(&c.CrtKeyObject,"crt-key","pkcs11:id=7331;object=intermediate-key","PKCS #11 URI with object id and label to store the intermediate certificate.")
flag.StringVar(&c.RootObject,"root-cert-obj","pkcs11:id=7330;object=root-cert","PKCS #11 URI with object id and label to store the root certificate.")
flag.StringVar(&c.RootKeyObject,"root-key-obj","pkcs11:id=7330;object=root-key","PKCS #11 URI with object id and label to store the root key.")
// Option 2: Read root from disk and sign intermediate
flag.StringVar(&c.RootFile,"root-cert-file","","Path to the root certificate to use.")
flag.StringVar(&c.KeyFile,"root-key-file","","Path to the root key to use.")
// Option 3: Generate certificate signing request
flag.StringVar(&c.CrtSubject,"crt-name","PKCS #11 Smallstep Intermediate","Subject of the intermediate certificate.")
flag.StringVar(&c.CrtKeyPath,"crt-key-path","intermediate_ca_key","Location to write the intermediate private key.")
flag.StringVar(&c.CrtObject,"crt-cert-obj","pkcs11:id=7331;object=intermediate-cert","PKCS #11 URI with object id and label to store the intermediate certificate.")
flag.StringVar(&c.CrtKeyObject,"crt-key-obj","pkcs11:id=7331;object=intermediate-key","PKCS #11 URI with object id and label to store the intermediate certificate.")
// SSH certificates
flag.BoolVar(&c.EnableSSH,"ssh",false,"Enable the creation of ssh keys.")
flag.StringVar(&c.SSHHostKeyObject,"ssh-host-key","pkcs11:id=7332;object=ssh-host-key","PKCS #11 URI with object id and label to store the key used to sign SSH host certificates.")
flag.StringVar(&c.SSHUserKeyObject,"ssh-user-key","pkcs11:id=7333;object=ssh-user-key","PKCS #11 URI with object id and label to store the key used to sign SSH user certificates.")
flag.BoolVar(&c.RootOnly,"root-only",false,"Store only only the root certificate and sign and intermediate.")
flag.StringVar(&c.RootFile,"root","","Path to the root certificate to use.")
flag.StringVar(&c.KeyFile,"key","","Path to the root key to use.")
flag.BoolVar(&c.EnableSSH,"ssh",false,"Enable the creation of ssh keys.")
// Output files
flag.StringVar(&c.RootPath,"root-cert-path","root_ca.crt","Location to write the root certificate.")
flag.StringVar(&c.CrtPath,"crt-cert-path","intermediate_ca.crt","Location to write the intermediate certificate.")
flag.StringVar(&c.CrtKeyPath,"crt-key-path","","Location to write the intermediate private key.")
// Others
flag.BoolVar(&c.NoCerts,"no-certs",false,"Do not store certificates in the module.")
flag.BoolVar(&c.Force,"force",false,"Force the delete of previous keys.")
flag.BoolVar(&c.Extractable,"extractable",false,"Allow export of private keys under wrap.")
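Review bot: `-pin` takes the PKCS #11 PIN as a plain command-line argument, so whenever it is used the PIN of the token holding the CA keys ends up in shell history and the process list, and its usage string `"PKCS #11 PIN"` gives no hint of that. Whether an empty value falls back to a prompt is not visible here (the enclosing function starts and ends outside this section); if it does, the help text should say so, for example `"PKCS #11 PIN; leave empty to be prompted, a value passed here is visible in the process list."`. The usage string of `-crt-key-obj` (and of the `-crt-key` spelling) is copied from the certificate flag and says the URI stores "the intermediate certificate"; it should read `"PKCS #11 URI with object id and label to store the intermediate key."`. `-crt-key-path` appears with two defaults, `"intermediate_ca_key"` and `""`, and the +/- markers are lost on this page; the empty default is the safer one, since a non-empty default would presumably write the intermediate private key to disk on every run.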