diff --git a/README.md b/README.md
index ac39e6d..04fda32 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ Contents:
         ski         Display the SKI for PEM-encoded TLS material.
         stealchain/ Dump the verified chain from a TLS
                     connection.
+        subjhash/   Print or match subject info from a certificate.
         tlskeypair/ Check whether a TLS certificate and key file match.
         utc/        Convert times to UTC.
         yamll/      A small YAML linter.
diff --git a/cmd/fragment/fragment.go b/cmd/fragment/fragment.go
index c73d0d3..773dd59 100644
--- a/cmd/fragment/fragment.go
+++ b/cmd/fragment/fragment.go
@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"flag"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -11,9 +12,13 @@ import (
 	"github.com/kisom/goutils/die"
 )
 
-func usage() {
+func init() {
+	flag.Usage = func() { usage(os.Stdout); os.Exit(1) }
+}
+
+func usage(w io.Writer) {
 	progname := filepath.Base(os.Args[0])
-	fmt.Printf(`Usage: %s [-nl] file start [end]
+	fmt.Fprintf(w, `Usage: %s [-nl] file start [end]
 
 	Print a fragment of a file starting a line 'start' and ending
 	at line 'end', or EOF if no end is specified.
@@ -27,7 +32,7 @@ func main() {
 	flag.Parse()
 
 	if flag.NArg() < 2 || flag.NArg() > 3 {
-		usage()
+		usage(os.Stderr)
 		os.Exit(1)
 	}
 
diff --git a/cmd/subjhash/README b/cmd/subjhash/README
new file mode 100644
index 0000000..21cdd9f
--- /dev/null
+++ b/cmd/subjhash/README
@@ -0,0 +1,20 @@
+subjhash
+
+This tool prints the SHA-256 hash of an X.509 certificate's subject
+info or issuer fields. It can also verify that the hashes of the
+subject are the same between two certificates.
+
+Usage: subjhash [-im] certs...
+
+Flags:
+	-i	Print hash of issuer field.
+	-m	Matching mode. This expects arguments to be in the form of
+		pairs of certificates (e.g. previous, new) whose subjects
+		will be compared. For example,
+
+			subjhash -m ca1.pem ca1-renewed.pem	\
+				ca2.pem ca2-renewed.pem
+
+		will exit with a non-zero status if the subject in the
+		ca1-renewed.pem certificate doesn't match the subject in the
+		ca.pem certificate; similarly for ca2.
diff --git a/cmd/subjhash/main.go b/cmd/subjhash/main.go
index 17d2700..fb4bb96 100644
--- a/cmd/subjhash/main.go
+++ b/cmd/subjhash/main.go
@@ -13,6 +13,10 @@ import (
 	"github.com/kisom/goutils/lib"
 )
 
+func init() {
+	flag.Usage = func() { usage(os.Stdout); os.Exit(1) }
+}
+
 func usage(w io.Writer) {
 	fmt.Fprintf(w, `Print hash of subject or issuer fields in certificates.