diff --git a/g10/ChangeLog b/g10/ChangeLog
index f7d7a62ee..b103050ce 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,9 @@
+2009-02-09  Werner Koch  <wk@g10code.com>
+
+	* keylist.c (print_capabilities): Take care of cert-only keys.
+	Fixes bug#998.
+	* keyedit.c (show_key_with_all_names_colon): Print the capabilities.
+
 2009-01-26  Werner Koch  <wk@g10code.com>
 
 	* card-util.c (card_status): Detect a Geldkarte. 
diff --git a/g10/keyedit.c b/g10/keyedit.c
index fd9f23b20..b0d59f66a 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -2522,6 +2522,17 @@ show_key_with_all_names_colon (KBNODE keyblock)
 	      && !(opt.fast_list_mode || opt.no_expensive_trust_checks ))
 	    putchar(get_ownertrust_info (pk));
           putchar(':');
+          putchar (':');
+          putchar (':');
+          /* Print capabilities.  */
+          if ( (pk->pubkey_usage & PUBKEY_USAGE_ENC) )
+            putchar ('e');
+          if ( (pk->pubkey_usage & PUBKEY_USAGE_SIG) )
+            putchar ('s');
+          if ( (pk->pubkey_usage & PUBKEY_USAGE_CERT) )
+            putchar ('c');
+          if ( (pk->pubkey_usage & PUBKEY_USAGE_AUTH) )
+            putchar ('a');
           putchar('\n');
           
           print_fingerprint (pk, NULL, 0);
diff --git a/g10/keylist.c b/g10/keylist.c
index c4f5d2696..4a76ee065 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -594,6 +594,7 @@ print_capabilities (PKT_public_key *pk, PKT_secret_key *sk, KBNODE keyblock)
   if(pk || (sk && sk->protect.s2k.mode!=1001))
     {
       unsigned int use = pk? pk->pubkey_usage : sk->pubkey_usage;
+      int c_printed = 0;
     
       if ( use & PUBKEY_USAGE_ENC )
         putchar ('e');
@@ -602,9 +603,19 @@ print_capabilities (PKT_public_key *pk, PKT_secret_key *sk, KBNODE keyblock)
 	{
 	  putchar ('s');
 	  if( pk? pk->is_primary : sk->is_primary )
-	    putchar ('c');
+            {
+              putchar ('c');
+              /* The PUBKEY_USAGE_CERT flag was introduced later and
+                 we used to always print 'c' for a primary key.  To
+                 avoid any regression here we better track whether we
+                 printed 'c' already.  */
+              c_printed = 1;
+            }
 	}
 
+      if ( (use & PUBKEY_USAGE_CERT) && !c_printed )
+        putchar ('c');
+
       if ( (use & PUBKEY_USAGE_AUTH) )
         putchar ('a');
     }
@@ -630,6 +641,8 @@ print_capabilities (PKT_public_key *pk, PKT_secret_key *sk, KBNODE keyblock)
 			if(pk->is_primary)
 			  cert = 1;
 		      }
+                    if ( pk->pubkey_usage & PUBKEY_USAGE_CERT )
+                      cert = 1;
                     if ( (pk->pubkey_usage & PUBKEY_USAGE_AUTH) )
                       auth = 1;
                 }
@@ -647,6 +660,8 @@ print_capabilities (PKT_public_key *pk, PKT_secret_key *sk, KBNODE keyblock)
 			if(sk->is_primary)
 			  cert = 1;
 		      }
+                    if ( (sk->pubkey_usage & PUBKEY_USAGE_CERT) )
+                        cert = 1;
                     if ( (sk->pubkey_usage & PUBKEY_USAGE_AUTH) )
                         auth = 1;
                 }
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index dd9788b79..94826ce79 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -893,7 +893,7 @@ main ( int argc, char **argv)
 
   /* Note: If you change this default cipher algorithm , please
      remember to update the Gpgconflist entry as well.  */
-  opt.def_cipher_algoid = "AES";  /*des-EDE3-CBC*/
+  opt.def_cipher_algoid = "3DES";  /*des-EDE3-CBC*/
 
   opt.homedir = default_homedir ();
 
@@ -1607,7 +1607,7 @@ main ( int argc, char **argv)
 #ifndef HAVE_W32_SYSTEM
         printf ("prefer-system-dirmngr:%lu:\n", GC_OPT_FLAG_NONE);
 #endif
-        printf ("cipher-algo:%lu:\"AES:\n", GC_OPT_FLAG_DEFAULT);
+        printf ("cipher-algo:%lu:\"3DES:\n", GC_OPT_FLAG_DEFAULT);
         printf ("p12-charset:%lu:\n", GC_OPT_FLAG_DEFAULT);
         printf ("default-key:%lu:\n", GC_OPT_FLAG_DEFAULT);
         printf ("encrypt-to:%lu:\n", GC_OPT_FLAG_DEFAULT);