-You should use
-.Ic tincd -K
-to generate public/private keypairs.
-It will generate two keys.
-The private key should be stored in a separate file
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /rsa_key.priv
-\-\- where
-.Ar NETNAME
-stands for the network (see
-.Sx NETWORKS )
-above.
-The public key should be stored in the host configuration file
-.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME
-\-\- where
-.Va NAME
-stands for the name of the local tinc daemon (see
-.Sx NAMES ) .
+The
+.Nm tincctl Li init
+command will have generated both RSA and ECDSA public/private keypairs.
+The private keys should be stored in files named
+.Pa rsa_key.priv
+and
+.Pa ecdsa_key.priv
+in the directory
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /
+The public keys should be stored in the host configuration file
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Ns Va NAME .
+
+The RSA keys are used for backwards compatibility with tinc version 1.0.
+If you are upgrading from version 1.0 to 1.1, you can keep the old configuration files,
+but you will need to create ECDSA keys using the following command:
+.Bd -literal -offset indent
+.Nm tincctl Fl n Ar NETNAME Li generate-ecdsa-keys
+.Ed