-\S{pubkey-puttygen-generate} Generate a new key
-
-Before generating a new key you have to choose the strength of the
-encryption, and the type of the key (see \k{pubkey-types}). With
-\q{Parameters} you define the strength of the key. The default of
-1024 should be OK for most users.
-
-Pressing the \q{Generate} button starts the process of generating a
-new key pair. You then have to move the mouse over the blank area in
-order to generate random data for the algorithm. Continue until the
-progress bar is complete.
-
-As soon as enough random data is available the key is generated. This
-may take a little while, especially on slow machines. Once the key is
-generated, its details appear in the \q{Key} part of the PuTTYgen
-window.
-
-Now you can change the \q{Key comment} field to something more
-meaningful than the default (which is based on the current date).
-e.g. add the name of the host you will use it for. When using
-multiple keys a meaningful comment may help you remember which
-passphrase to use! You should always enter a passphrase in the
-\q{Key passphrase} and \q{Confirm passphrase} fields, to protect
-your keys.
-
-(Choosing a good passphrase is difficult. Just as you shouldn't use
-a dictionary word as a password because it's easy for an attacker to
+\cfg{winhelp-topic}{puttygen.fingerprint}
+
+The \q{Key fingerprint} box shows you a fingerprint value for the
+generated key. This is derived cryptographically from the \e{public}
+key value, so it doesn't need to be kept secret.
+
+The fingerprint value is intended to be cryptographically secure, in
+the sense that it is computationally infeasible for someone to
+invent a second key with the same fingerprint, or to find a key with
+a particular fingerprint. So some utilities, such as the Pageant key
+list box (see \k{pageant-mainwin-keylist}) and the Unix \c{ssh-add}
+utility, will list key fingerprints rather than the whole public key.
+
+\S{puttygen-comment} Setting a comment for your key
+
+\cfg{winhelp-topic}{puttygen.comment}
+
+If you have more than one key and use them for different purposes,
+you don't need to memorise the key fingerprints in order to tell
+them apart. PuTTY allows you to enter a \e{comment} for your key,
+which will be displayed whenever PuTTY or Pageant asks you for the
+passphrase.
+
+The default comment format, if you don't specify one, contains the
+key type and the date of generation, such as \c{rsa-key-20011212}.
+Another commonly used approach is to use your name and the name of
+the computer the key will be used on, such as \c{simon@simons-pc}.
+
+To alter the key comment, just type your comment text into the
+\q{Key comment} box before saving the private key. If you want to
+change the comment later, you can load the private key back into
+PuTTYgen, change the comment, and save it again.
+
+\S{puttygen-passphrase} Setting a passphrase for your key
+
+\cfg{winhelp-topic}{puttygen.passphrase}
+
+The \q{Key passphrase} and \q{Confirm passphrase} boxes allow you to
+choose a passphrase for your key. The passphrase will be used to
+encrypt the key on disk, so you will not be able to use the key
+without first entering the passphrase.
+
+When you save the key, PuTTY will check that the \q{Key passphrase}
+and \q{Confirm passphrase} boxes both contain exactly the same
+passphrase, and will refuse to save the key otherwise.
+
+If you leave the passphrase fields blank, the key will be saved
+unencrypted. You should \e{not} do this without good reason; if you
+do, your private key file on disk will be all an attacker needs to
+gain access to any machine configured to accept that key. If you
+want to be able to log in without having to type a passphrase every
+time, you should consider using Pageant (\k{pageant}) so that your
+decrypted key is only held in memory rather than on disk.
+
+Under special circumstances you may genuinely \e{need} to use a key
+with no passphrase; for example, if you need to run an automated
+batch script that needs to make an SSH connection, you can't be
+there to type the passphrase. In this case we recommend you generate
+a special key for each specific batch script (or whatever) that
+needs one, and on the server side you should arrange that each key
+is \e{restricted} so that it can only be used for that specific
+purpose. The documentation for your SSH server should explain how to
+do this (it will probably vary between servers).
+
+Choosing a good passphrase is difficult. Just as you shouldn't use a
+dictionary word as a password because it's easy for an attacker to