diff --git a/lib/puppet/application/cert.rb b/lib/puppet/application/cert.rb
index 467b0c859..0db968e9e 100644
--- a/lib/puppet/application/cert.rb
+++ b/lib/puppet/application/cert.rb
@@ -1,85 +1,196 @@
 require 'puppet/application'
 
 class Puppet::Application::Cert < Puppet::Application
 
   should_parse_config
   run_mode :master
 
   attr_accessor :cert_mode, :all, :ca, :digest, :signed
 
   def find_mode(opt)
     require 'puppet/ssl/certificate_authority'
     modes = Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS
     tmp = opt.sub("--", '').to_sym
     @cert_mode = modes.include?(tmp) ? tmp : nil
   end
 
   option("--clean", "-c") do
     @cert_mode = :destroy
   end
 
   option("--all", "-a") do
     @all = true
   end
 
   option("--digest DIGEST") do |arg|
     @digest = arg
   end
 
   option("--signed", "-s") do
     @signed = true
   end
 
   option("--debug", "-d") do |arg|
     Puppet::Util::Log.level = :debug
   end
 
   require 'puppet/ssl/certificate_authority/interface'
   Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.reject {|m| m == :destroy }.each do |method|
     option("--#{method}", "-#{method.to_s[0,1]}") do
       find_mode("--#{method}")
     end
   end
 
   option("--verbose", "-v") do
     Puppet::Util::Log.level = :info
   end
 
+  def help
+    <<-HELP
+
+SYNOPSIS
+========
+Stand-alone certificate authority. Capable of generating certificates
+but mostly meant for signing certificate requests from puppet clients.
+
+
+USAGE
+=====
+  puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
+              [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
+              [-p|--print] [-c|--clean] [--verify] [--digest DIGEST]
+              [--fingerprint] [host]
+
+
+DESCRIPTION
+===========
+Because the puppetmasterd daemon defaults to not signing client
+certificate requests, this script is available for signing outstanding
+requests. It can be used to list outstanding requests and then either
+sign them individually or sign all of them.
+
+
+OPTIONS
+=======
+Note that any configuration parameter that's valid in the configuration
+file is also a valid long argument. For example, 'ssldir' is a valid
+configuration parameter, so you can specify '--ssldir <directory>' as an
+argument.
+
+See the configuration file documentation at
+http://docs.puppetlabs.com/references/stable/configuration.html for the
+full list of acceptable parameters. A commented list of all
+configuration options can also be generated by running puppet cert with
+'--genconfig'.
+
+all:         Operate on all items. Currently only makes sense with
+             '--sign', '--clean', or '--list'.
+
+digest:      Set the digest for fingerprinting (defaults to md5). Valid
+             values depends on your openssl and openssl ruby extension
+             version, but should contain at least md5, sha1, md2,
+             sha256.
+
+clean:       Remove all files related to a host from puppet cert's
+             storage. This is useful when rebuilding hosts, since new
+             certificate signing requests will only be honored if puppet
+             cert does not have a copy of a signed certificate for that
+             host. The certificate of the host is also revoked. If
+             '--all' is specified then all host certificates, both
+             signed and unsigned, will be removed.
+
+debug:       Enable full debugging.
+
+generate:    Generate a certificate for a named client. A
+             certificate/keypair will be generated for each client named
+             on the command line.
+
+help:        Print this help message
+
+list:        List outstanding certificate requests. If '--all' is
+             specified, signed certificates are also listed, prefixed by
+             '+', and revoked or invalid certificates are prefixed by
+             '-' (the verification outcome is printed in parenthesis).
+
+print:       Print the full-text version of a host's certificate.
+
+fingerprint: Print the DIGEST (defaults to md5) fingerprint of a host's
+             certificate.
+
+revoke:      Revoke the certificate of a client. The certificate can be
+             specified either by its serial number, given as a decimal
+             number or a hexadecimal number prefixed by '0x', or by its
+             hostname. The certificate is revoked by adding it to the
+             Certificate Revocation List given by the 'cacrl' config
+             parameter. Note that the puppetmasterd needs to be
+             restarted after revoking certificates.
+
+sign:        Sign an outstanding certificate request. Unless '--all' is
+             specified, hosts must be listed after all flags.
+
+verbose:     Enable verbosity.
+
+version:     Print the puppet version number and exit.
+
+verify:      Verify the named certificate against the local CA
+             certificate.
+
+
+EXAMPLE
+=======
+  $ puppet cert -l
+  culain.madstop.com
+  $ puppet cert -s culain.madstop.com
+
+
+AUTHOR
+======
+Luke Kanies
+
+
+COPYRIGHT
+=========
+Copyright (c) 2005 Puppet Labs, LLC Licensed under the GNU Public
+License
+
+    HELP
+  end
+
   def main
     if @all
       hosts = :all
     elsif @signed
       hosts = :signed
     else
       hosts = command_line.args.collect { |h| h.downcase }
     end
     begin
       @ca.apply(:revoke, :to => hosts) if @cert_mode == :destroy
       @ca.apply(@cert_mode, :to => hosts, :digest => @digest)
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       puts detail.to_s
       exit(24)
     end
   end
 
   def setup
     exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
 
     Puppet::Util::Log.newdestination :console
 
     if [:generate, :destroy].include? @cert_mode
       Puppet::SSL::Host.ca_location = :local
     else
       Puppet::SSL::Host.ca_location = :only
     end
 
     begin
       @ca = Puppet::SSL::CertificateAuthority.new
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       puts detail.to_s
       exit(23)
     end
   end
 end
diff --git a/lib/puppet/util/command_line/puppetca b/lib/puppet/util/command_line/puppetca
deleted file mode 100755
index 317d99881..000000000
--- a/lib/puppet/util/command_line/puppetca
+++ /dev/null
@@ -1,110 +0,0 @@
-#!/usr/bin/env ruby
-
-#
-# = Synopsis
-#
-# Stand-alone certificate authority.  Capable of generating certificates
-# but mostly meant for signing certificate requests from puppet clients.
-#
-# = Usage
-#
-#   puppet cert [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
-#               [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
-#               [-p|--print] [-c|--clean] [--verify] [--digest DIGEST]
-#               [--fingerprint] [host]
-#
-# = Description
-#
-# Because the puppetmasterd daemon defaults to not signing client certificate
-# requests, this script is available for signing outstanding requests.  It
-# can be used to list outstanding requests and then either sign them individually
-# or sign all of them.
-#
-# = Options
-#
-# Note that any configuration parameter that's valid in the configuration file
-# is also a valid long argument.  For example, 'ssldir' is a valid configuration
-# parameter, so you can specify '--ssldir <directory>' as an argument.
-#
-# See the configuration file documentation at
-# http://docs.puppetlabs.com/references/stable/configuration.html for
-# the full list of acceptable parameters. A commented list of all
-# configuration options can also be generated by running puppet cert with
-# '--genconfig'.
-#
-# all::
-#   Operate on all items.  Currently only makes sense with '--sign',
-#   '--clean', or '--list'.
-#
-# digest::
-#   Set the digest for fingerprinting (defaults to md5). Valid values depends
-#   on your openssl and openssl ruby extension version, but should contain at
-#   least md5, sha1, md2, sha256.
-#
-# clean::
-#    Remove all files related to a host from puppet cert's storage. This is
-#    useful when rebuilding hosts, since new certificate signing requests
-#    will only be honored if puppet cert does not have a copy of a signed
-#    certificate for that host. The certificate of the host is also revoked.
-#    If '--all' is specified then all host certificates, both signed and
-#    unsigned, will be removed.
-#
-# debug::
-#   Enable full debugging.
-#
-# generate::
-#   Generate a certificate for a named client.  A certificate/keypair will be
-#   generated for each client named on the command line.
-#
-# help::
-#   Print this help message
-#
-# list::
-#   List outstanding certificate requests.  If '--all' is specified,
-#   signed certificates are also listed, prefixed by '+', and revoked
-#   or invalid certificates are prefixed by '-' (the verification outcome
-#   is printed in parenthesis).
-#
-# print::
-#   Print the full-text version of a host's certificate.
-#
-# fingerprint::
-#   Print the DIGEST (defaults to md5) fingerprint of a host's certificate.
-#
-# revoke::
-#   Revoke the certificate of a client. The certificate can be specified
-#   either by its serial number, given as a decimal number or a hexadecimal
-#   number prefixed by '0x', or by its hostname. The certificate is revoked
-#   by adding it to the Certificate Revocation List given by the 'cacrl'
-#   config parameter. Note that the puppetmasterd needs to be restarted
-#   after revoking certificates.
-#
-# sign::
-#   Sign an outstanding certificate request.  Unless '--all' is specified,
-#   hosts must be listed after all flags.
-#
-# verbose::
-#   Enable verbosity.
-#
-# version::
-#   Print the puppet version number and exit.
-#
-# verify::
-#   Verify the named certificate against the local CA certificate.
-#
-# = Example
-#
-#   $ puppet cert -l
-#   culain.madstop.com
-#   $ puppet cert -s culain.madstop.com
-#
-# = Author
-#
-# Luke Kanies
-#
-# = Copyright
-#
-# Copyright (c) 2005 Puppet Labs, LLC
-# Licensed under the GNU Public License
-
-#Puppet::Application[:cert].run