implemented suggestion by weijun to distinguish between the flags that are documented as commands vs. options

src/java.base/share/man/keytool.md

@@ -211,7 +211,7 @@ perform.
 
 ## Commands for Creating or Adding Data to the Keystore
 
-[`-gencert`]{#option-gencert}
+[`-gencert`]{#command-gencert}
 :   The following are the available options for the `-gencert` command:
 
     -   {`-rfc`}: Output in RFC (Request For Comment) style
@@ -478,7 +478,7 @@ perform.
     specified by `-startdate`, or the current date when `-startdate` isn't
     specified) for which the certificate should be considered valid.
 
-[`-genseckey`]{#option-genseckey}
+[`-genseckey`]{#command-genseckey}
 :   The following are the available options for the `-genseckey` command:
 
     -   {`-alias` *alias*}: Alias name of the entry to process
@@ -521,7 +521,7 @@ perform.
     the same password that is used for the `-keystore`. The `-keypass` value
     must contain at least six characters.
 
-[`-importcert`]{#option-importcert}
+[`-importcert`]{#command-importcert}
 :   The following are the available options for the `-importcert` command:
 
     -   {`-noprompt`}: Do not prompt
@@ -586,7 +586,7 @@ perform.
     entry, then the `keytool` command assumes that you're importing a
     certificate reply.
 
-[`-importpass`]{#option-importpass}
+[`-importpass`]{#command-importpass}
 :   The following are the available options for the `-importpass` command:
 
     -   {`-alias` *alias*}: Alias name of the entry to process
@@ -629,7 +629,7 @@ perform.
 
 ## Commands for Importing Contents from Another Keystore
 
-[`-importkeystore`]{#option-importkeystore}
+[`-importkeystore`]{#command-importkeystore}
 :   The following are the available options for the `-importkeystore` command:
 
     -   `-srckeystore` *keystore*: Source keystore name
@@ -724,7 +724,7 @@ perform.
 
 ## Commands for Generating a Certificate Request
 
-[`-certreq`]{#option-certreq}
+[`-certreq`]{#command-certreq}
 :   The following are the available options for the `-certreq` command:
 
     -   {`-alias` *alias*}: Alias name of the entry to process
@@ -786,7 +786,7 @@ perform.
 
 ## Commands for Exporting Data
 
-[`-exportcert`]{#option-exportcert}
+[`-exportcert`]{#command-exportcert}
 :   The following are the available options for the `-exportcert` command:
 
     -   {`-rfc`}: Output in RFC style
@@ -834,7 +834,7 @@ perform.
 
 ## Commands for Displaying Data
 
-[`-list`]{#option-list}
+[`-list`]{#command-list}
 :   The following are the available options for the `-list` command:
 
     -   {`-rfc`}: Output in RFC style
@@ -881,7 +881,7 @@ perform.
     You can't specify both `-v` and `-rfc` in the same command. Otherwise, an
     error is reported.
 
-[`-printcert`]{#option-printcert}
+[`-printcert`]{#command-printcert}
 :   The following are the available options for the `-printcert` command:
 
     -   {`-rfc`}: Output in RFC style
@@ -946,7 +946,7 @@ perform.
     trusted certificate in the user keystore (specified by `-keystore`) or in
     the `cacerts` keystore (if `-trustcacerts` is specified).
 
-[`-printcertreq`]{#option-printcertreq}
+[`-printcertreq`]{#command-printcertreq}
 :   The following are the available options for the `-printcertreq` command:
 
     -   {`-file` *file*}: Input file name
@@ -958,7 +958,7 @@ perform.
     command. The command reads the request from file. If there is no file, then
     the request is read from the standard input.
 
-[`-printcrl`]{#option-printcrl}
+[`-printcrl`]{#command-printcrl}
 :   The following are the available options for the `-printcrl` command:
 
     -   {`-file crl`}: Input file name
@@ -999,7 +999,7 @@ perform.
 
 ## Commands for Managing the Keystore
 
-[`-storepasswd`]{#option-storepasswd}
+[`-storepasswd`]{#command-storepasswd}
 :   The following are the available options for the `-storepasswd` command:
 
     -   \[`-new` *arg*\]: New password
@@ -1029,7 +1029,7 @@ perform.
     integrity of the keystore contents. The new password is set by `-new` *arg*
     and must contain at least six characters.
 
-[`-keypasswd`]{#option-keypasswd}
+[`-keypasswd`]{#command-keypasswd}
 :   The following are the available options for the `-keypasswd` command:
 
     -   {`-alias` *alias*}: Alias name of the entry to process
@@ -1069,7 +1069,7 @@ perform.
     If the `-new` option isn't provided at the command line, then the user is
     prompted for it.
 
-[`-delete`]{#option-delete}
+[`-delete`]{#command-delete}
 :   The following are the available options for the `-delete` command:
 
     -   \[`-alias` *alias*\]: Alias name of the entry to process
@@ -1101,7 +1101,7 @@ perform.
     keystore. When not provided at the command line, the user is prompted for
     the `alias`.
 
-[`-changealias`]{#option-changealias}
+[`-changealias`]{#command-changealias}
 :   The following are the available options for the `-changealias` command:
 
     -   {`-alias` *alias*}: Alias name of the entry to process
@@ -1143,7 +1143,7 @@ perform.
 
 ## Commands for Displaying Security-related Information
 
-[`-showinfo`]{#option-showinfo}
+[`-showinfo`]{#command-showinfo}
 :   The following are the available options for the `-showinfo` command:
 
     -   {`-tls`}: Displays TLS configuration information

src/java.security.jgss/windows/man/kinit.md

@@ -79,34 +79,34 @@ will compromise your password.
 You can specify one of the following commands. After the command, specify the
 options for it.
 
-[`-A`]{#option-A}
+[`-A`]{#command-A}
 :   Doesn't include addresses.
 
-[`-f`]{#option-f}
+[`-f`]{#command-f}
 :   Issues a forwardable ticket.
 
-[`-p`]{#option-p}
+[`-p`]{#command-p}
 :   Issues a proxiable ticket.
 
 [`-c`]{#option-c} *cache\_name*
 :   The cache name (for example, `FILE:D:\temp\mykrb5cc`).
 
-[`-l`]{#option-l} *lifetime*
+[`-l`]{#command-l} *lifetime*
 :   Sets the lifetime of a ticket. The value can be one of "h:m[:s]",
     "NdNhNmNs", and "N". See the [MIT krb5 Time Duration definition](
     http://web.mit.edu/kerberos/krb5-1.17/doc/basic/date_format.html#duration)
     for more information.
 
-[`-r`]{#option-r} *renewable\_time*
+[`-r`]{#command-r} *renewable\_time*
 :   Sets the total lifetime that a ticket can be renewed.
 
-[`-R`]{#option-R}
+[`-R`]{#command-R}
 :   Renews a ticket.
 
 [`-k`]{#option-k}
 :   Uses keytab
 
-[`-t`]{#option-t} *keytab\_filename*
+[`-t`]{#command-t} *keytab\_filename*
 :   The keytab name (for example, `D:\winnt\profiles\duke\krb5.keytab`).
 
 *principal*

src/java.security.jgss/windows/man/klist.md

@@ -45,7 +45,7 @@ the contents of the credentials cache or keytab using the `klist` tool. The
 
 ## Commands
 
-[`-c`]{#option-c}
+[`-c`]{#command-c}
 :   Specifies that the credential cache is to be listed.
 
     The following are the options for credential cache entries:
@@ -62,7 +62,7 @@ the contents of the credentials cache or keytab using the `klist` tool. The
     `-n`
     :   If the `-a` option is specified, don't reverse resolve addresses.
 
-[`-k`]{#option-k}
+[`-k`]{#command-k}
 :   Specifies that key tab is to be listed.
 
     List the keytab entries. The following are the options for keytab entries:
@@ -82,7 +82,7 @@ the contents of the credentials cache or keytab using the `klist` tool. The
     uses default values for the cache name and keytab. The `kinit`
     documentation lists these default values.
 
-[`-help`]{#option-help}
+`-help`
 :   Displays instructions.
 
 ## Examples

src/java.security.jgss/windows/man/ktab.md

@@ -72,12 +72,12 @@ send a keytab file over a network in the clear.
 
 ## Commands and Options
 
-[`-l`]{#option-l} \[`-e`\] \[`-t`\]
+[`-l`]{#command-l} \[`-e`\] \[`-t`\]
 :   Lists the keytab name and entries. When `-e` is specified, the encryption
     type for each entry is displayed. When `-t` is specified, the timestamp for
     each entry is displayed.
 
-[`-a`]{#option-a} *principal\_name* \[*password*\] \[`-n` *kvno*\] \[`-s` *salt* \| `-f`\] \[`-append`\]
+[`-a`]{#command-a} *principal\_name* \[*password*\] \[`-n` *kvno*\] \[`-s` *salt* \| `-f`\] \[`-append`\]
 :   Adds new key entries to the keytab for the given principal name with an
     optional *password*. If a *kvno* is specified, new keys' Key Version
     Numbers equal to the value, otherwise, automatically incrementing the Key
@@ -90,7 +90,7 @@ send a keytab file over a network in the clear.
     on the command line or in a script.** This tool will prompt for a password
     if it isn't specified.
 
-[`-d`]{#option-d} *principal\_name* \[`-f`\] \[`-e` *etype*\] \[*kvno* \| `all`\| `old`\]
+[`-d`]{#command-d} *principal\_name* \[`-f`\] \[`-e` *etype*\] \[*kvno* \| `all`\| `old`\]
 :   Deletes key entries from the keytab for the specified principal. No changes
     are made to the Kerberos database.
 
@@ -108,7 +108,7 @@ send a keytab file over a network in the clear.
     When *etype* is provided, only the entry matching this encryption type is
     deleted. Otherwise, all entries are deleted.
 
-[`-help`]{#option-help}
+`-help`
 :   Displays instructions.
 
 ## Common Options