diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 368f2c8dc..33191b812 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -384,6 +384,11 @@ command = {
 	help = "Generates random bytes and prints them to standard output"
 }
 command = {
+	option = {
+		long = "type"
+		type = "string"
+		help = "type of CMS algorithm"
+	}
 	name = "crypto-available"
 	min_args="0"
 	help = "Print available CMS crypto types"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index a953a050d..dd8f080ba 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -991,14 +991,25 @@ random_data(void *opt, int argc, char **argv)
 }
 
 int
-crypto_available(void *opt, int argc, char **argv)
+crypto_available(struct crypto_available_options *opt, int argc, char **argv)
 {
     int ret;
     size_t len, i;
     AlgorithmIdentifier *val;
+    int type = HX509_SELECT_ALL;
 
-    ret = hx509_crypto_available(context, HX509_SELECT_ALL,
-				 NULL, &val, &len);
+    if (opt->type_string) {
+	if (strcmp(opt->type_string, "all") == 0)
+	    type = HX509_SELECT_ALL;
+	else if (strcmp(opt->type_string, "digest") == 0)
+	    type = HX509_SELECT_DIGEST;
+	else if (strcmp(opt->type_string, "public-sig") == 0)
+	    type = HX509_SELECT_PUBLIC_SIG;
+	else
+	    errx(1, "unknown type: %s", opt->type_string);
+    }
+
+    ret = hx509_crypto_available(context, type, NULL, &val, &len);
     if (ret)
 	errx(1, "hx509_crypto_available");