diff --git a/configure.ac b/configure.ac
index 545f1fb58..a7ee63dd6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1868,17 +1868,18 @@ AC_CONFIG_FILES([
  man/ipsec.secrets.5
  src/charon-cmd/charon-cmd.8
  src/pki/man/pki.1
+ src/pki/man/pki---acert.1
+ src/pki/man/pki---dn.1
  src/pki/man/pki---gen.1
  src/pki/man/pki---issue.1
  src/pki/man/pki---keyid.1
- src/pki/man/pki---pkcs7.1
  src/pki/man/pki---pkcs12.1
+ src/pki/man/pki---pkcs7.1
  src/pki/man/pki---print.1
  src/pki/man/pki---pub.1
  src/pki/man/pki---req.1
  src/pki/man/pki---self.1
  src/pki/man/pki---signcrl.1
- src/pki/man/pki---acert.1
  src/pki/man/pki---verify.1
  src/swanctl/swanctl.8
  src/swanctl/swanctl.conf.5.head
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 25456700b..a793800b7 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -5,7 +5,7 @@ AM_CPPFLAGS = \
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
  thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
- dnssec malloc_speed aes-test settings-test timeattack extract-dn
+ dnssec malloc_speed aes-test settings-test timeattack
 if USE_TLS
 noinst_PROGRAMS += tls_test
@@ -30,7 +30,6 @@ fetch_SOURCES = fetch.c
 dnssec_SOURCES = dnssec.c
 timeattack_SOURCES = timeattack.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-extract_dn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index ab407e021..a3da0ab04 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
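Review bot: The second scripts/Makefile.am hunk drops only `extract_dn_LDADD`, while the first hunk removes `extract-dn` from `noinst_PROGRAMS`; if the file also carries an `extract_dn_SOURCES = extract-dn.c` line (it is not within either hunk, so this is an inference), it becomes an orphaned variable that automake warns about and it should be removed in the same commit. Worth a quick grep before merging, since the source file itself is renamed to src/pki/commands/dn.c by this commit and would no longer exist under scripts/.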
@@ -3,17 +3,18 @@ SUBDIRS = man
 bin_PROGRAMS = pki
 pki_SOURCES = pki.c pki.h command.c command.h \
+ commands/acert.c \
+ commands/dn.c \
  commands/gen.c \
  commands/issue.c \
  commands/keyid.c \
+ commands/pkcs12.c \
+ commands/pkcs7.c \
+ commands/print.c \
  commands/pub.c \
  commands/req.c \
  commands/self.c \
- commands/print.c \
  commands/signcrl.c \
- commands/acert.c \
- commands/pkcs7.c \
- commands/pkcs12.c \
  commands/verify.c
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/command.h b/src/pki/command.h
index d49adda09..e55c579e4 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,7 +24,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 13
+#define MAX_COMMANDS 14
 /**
  * Maximum number of options in a command (+3)
diff --git a/scripts/extract-dn.c b/src/pki/commands/dn.c
similarity index 51%
rename from scripts/extract-dn.c
rename to src/pki/commands/dn.c
index 01261422e..75585fc16 100644
--- a/scripts/extract-dn.c
+++ b/src/pki/commands/dn.c
@@ -12,31 +12,17 @@
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
  */
-#include
-#include
-#include
-#include
-#include
+
+#include "pki.h"
+
+#include
+
 #include
-#include
-
-#include
-
-static void usage(FILE *out, char *name)
-{
- fprintf(out, "Extract the ASN.1 subject DN from a certificate\n\n");
- fprintf(out, "%s [OPTIONS]\n\n", name);
- fprintf(out, "Options:\n");
- fprintf(out, " -h, --help print this help.\n");
- fprintf(out, " -i, --in=FILE certificate file (default STDIN).\n");
- fprintf(out, " -f, --format=FORMAT output format (config, hex, base64, binary).\n");
- fprintf(out, "\n");
-}
 /**
- * Extract the binary ASN.1 subject DN from a certificate
+ * Extract subject DN
  */
-int main(int argc, char *argv[])
+static int dn()
 {
  identification_t *id;
  certificate_t *cert;
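Review bot: The new header comment `Extract subject DN` says less than the one it replaces, and since dn() is now the entry point of a registered pki sub-command a reader gets no hint of its contract; suggest `Extract the ASN.1-encoded subject DN of an X.509 certificate (read from --in or stdin) and print it in the format chosen by --format.` The declarator `static int dn()` is the unprototyped form; `static int dn(void)` is the C11 prototype, unless the other entry points in src/pki/commands deliberately use empty parentheses, in which case matching them is the better choice. The body of dn() continues past the end of this hunk.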
@@ -47,76 +33,64 @@ int main(int argc, char *argv[])
  FORMAT_BASE64,
  FORMAT_BINARY,
  } format = FORMAT_CONFIG;
- int fd = 0;
- char *fmt;
+ char *arg, *file = NULL, *fmt;
- library_init(NULL, "extract-dn");
- atexit(library_deinit);
-
- while (true)
+ while (TRUE)
  {
- struct option long_opts[] = {
- {"help", no_argument, NULL, 'h' },
- {"in", required_argument, NULL, 'i' },
- {"format", required_argument, NULL, 'f' },
- {0,0,0,0 },
- };
- switch (getopt_long(argc, argv, "hi:f:", long_opts, NULL))
+ switch (command_getopt(&arg))
  {
- case EOF:
- break;
  case 'h':
- usage(stdout, argv[0]);
- return 0;
- case 'i':
- fd = open(optarg, O_RDONLY);
- if (fd == -1)
- {
- fprintf(stderr, "failed to open '%s': %s\n", optarg,
- strerror(errno));
- usage(stderr, argv[0]);
- return 1;
- }
- continue;
+ return command_usage(NULL);
  case 'f':
- if (streq(optarg, "hex"))
+ if (streq(arg, "hex"))
  {
  format = FORMAT_HEX;
  }
- else if (streq(optarg, "base64"))
+ else if (streq(arg, "base64"))
  {
  format = FORMAT_BASE64;
  }
- else if (streq(optarg, "bin"))
+ else if (streq(arg, "bin"))
  {
  format = FORMAT_BINARY;
  }
+ else if (!streq(arg, "config"))
+ {
+ return command_usage( "invalid output format");
+ }
  continue;
+ case 'i':
+ file = arg;
+ continue;
+ case EOF:
+ break;
  default:
- usage(stderr, argv[0]);
- return 1;
+ return command_usage("invalid --print option");
  }
  break;
  }
- /* TODO: maybe make plugins configurable */
- lib->plugins->load(lib->plugins, PLUGINS);
-
- if (!chunk_from_fd(fd, &chunk))
+ if (file)
  {
- fprintf(stderr, "reading input failed: %s\n", strerror(errno));
- return 1;
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
  }
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB, chunk, BUILD_END);
- chunk_free(&chunk);
- if (fd != 0)
+ else
  {
- close(fd);
- }
+ chunk_t chunk;
+ set_file_mode(stdin, CERT_ASN1_DER);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading input failed: 
%s\n", strerror(errno));
+ return 1;
+ }
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB, chunk, BUILD_END);
+ free(chunk.ptr);
+ }
  if (!cert)
  {
- fprintf(stderr, "failed to read certificate\n");
+ fprintf(stderr, "parsing input failed\n");
  return 1;
  }
  id = cert->get_subject(cert);
@@ -153,3 +127,20 @@ int main(int argc, char *argv[])
  cert->destroy(cert);
  return 0;
 }
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t)
+ { dn, 'd', "dn",
+ "extract the subject DN of an X.509 certificate",
+ {"[--in file] [--format config|hex|base64|bin]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"in", 'i', 1, "input file, default: stdin"},
+ {"format", 'f', 1, "output format, default: config"},
+ }
+ });
+}
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
index 4c901ae3c..fc9440031 100644
--- a/src/pki/man/Makefile.am
+++ b/src/pki/man/Makefile.am
@@ -1,15 +1,16 @@
 man1_MANS = \
  pki.1 \
- pki---gen.1 \
- pki---self.1 \
- pki---issue.1 \
- pki---signcrl.1 \
  pki---acert.1 \
- pki---req.1 \
- pki---pkcs7.1 \
+ pki---dn.1 \
+ pki---gen.1 \
+ pki---issue.1 \
  pki---keyid.1 \
+ pki---pkcs7.1 \
  pki---print.1 \
  pki---pub.1 \
+ pki---req.1 \
+ pki---self.1 \
+ pki---signcrl.1 \
  pki---verify.1
 CLEANFILES = $(man1_MANS)
diff --git a/src/pki/man/pki---dn.1.in b/src/pki/man/pki---dn.1.in
new file mode 100644
index 000000000..ce1210fdb
--- /dev/null
+++ b/src/pki/man/pki---dn.1.in
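Review bot: The `default:` arm of the option switch returns `command_usage("invalid --print option")`, a message evidently carried over from the print command; for this command it should be `return command_usage("invalid --dn option");`. Separately, the new stdin branch declares a block-local `chunk_t chunk;`, whereas the removed code used a `chunk` that must have been declared in the function prologue (the lines between this hunk and the previous one, which the diff leaves untouched) — if that declaration is still there it is now unused and shadowed by the inner one, and `-Wshadow`/`-Wunused-variable` will flag it, so it should be dropped. Minor: the removed line used `chunk_free(&chunk)`, which the rest of libstrongswan prefers over a bare `free(chunk.ptr)` because it also resets the chunk. dn() begins and ends outside this hunk.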
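Review bot: The option table registered here binds `--format` to the short option `'f'`, and the switch in the previous hunk handles `case 'f':`, but the new man page src/pki/man/pki---dn.1.in added by this same commit documents it as `-t, --format`; the man page entry should read `.BI "\-f, \-\-format " format` so users are not steered to an option the parser rejects. The help text values `config|hex|base64|bin` do match the strings the switch accepts, so only the short-option letter is inconsistent.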
@@ -0,0 +1,56 @@
+.TH "PKI \-\-DN" 1 "2015-08-06" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-dn \- Extract the subject DN of an X.509 certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-dn
+.OP \-\-in file
+.OP \-\-format format
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-dn
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-dn"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+extracts the ASN.1-encoded subject DistinguishedName (DN) of an X.509
+certificate and exports it in different formats. This may be useful when
+strongSwan's identity parser is unable to produce the correct binary encoding
+from a string.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Input file. If not given the input is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-format " format
+Output format. One of \fIconfig\fR (strongSwan configuration compatible),
+\fIhex\fR (hexadecimal encoding, no prefix), \fIbase64\fR (Base64 encoding,
+no prefix), \fIbin\fR (raw binary data), defaults to \fIconfig\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
index f347031b4..f1a2ae2c0 100644
--- a/src/pki/man/pki.1.in
+++ b/src/pki/man/pki.1.in
@@ -1,4 +1,4 @@
-.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH PKI 1 "2015-08-06" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -64,6 +64,9 @@ Calculate key identifiers of a key or certificate.
 .B "\-a, \-\-print"
 Print a credential (key, certificate etc.) in human readable form.
 .TP
+.B "\-d, \-\-dn"
+Extract the subject DN of an X.509 certificate.
+.TP
 .B "\-p, \-\-pub"
 Extract a public key from a private key or certificate.
 .TP
@@ -156,5 +159,6 @@ certificates with the \-\-crl option.
 .BR pki\ \-\-pkcs7 (1),
 .BR pki\ \-\-keyid (1),
 .BR pki\ \-\-print (1),
+.BR pki\ \-\-dn (1),
 .BR pki\ \-\-pub (1),
 .BR pki\ \-\-verify (1)