diff --git a/cmd/kes/identity.go b/cmd/kes/identity.go
index 8aad418a..d382f4f9 100644
--- a/cmd/kes/identity.go
+++ b/cmd/kes/identity.go
@@ -200,7 +200,7 @@ Options:
 
 Examples:
     $ kes identity new
-    $ kes identity new --ip "192.168.0.182" --ip "10.0.0.92" localhost
+    $ kes identity new --ip "192.168.0.182" --ip "10.0.0.92" --key private.key --cert public.crt localhost
     $ kes identity new --key server.key --cert server.crt --encrypt --expiry 8760h kes-server.local
 `
 
@@ -217,8 +217,8 @@ func newIdentityCmd(args []string) {
 		expiry    time.Duration
 		encrypt   bool
 	)
-	cmd.StringVar(&keyPath, "key", "", "Path to private key")
-	cmd.StringVar(&certPath, "cert", "", "Path to certificate")
+	cmd.StringVar(&keyPath, "key", "server.key", "Path to private key")
+	cmd.StringVar(&certPath, "cert", "server.crt", "Path to certificate")
 	cmd.BoolVarP(&forceFlag, "force", "f", false, "Overwrite an existing private key and/or certificate")
 	cmd.IPSliceVar(&IPs, "ip", []net.IP{}, "Add <IP> as subject alternative name")
 	cmd.StringSliceVar(&domains, "dns", []string{}, "Add <DOMAIN> as subject alternative name")
@@ -250,7 +250,7 @@ func newIdentityCmd(args []string) {
 			cli.Fatalf("'--expiry' requires a private key and certificate file. Set the '--cert' and '--key' flag")
 		}
 		if len(IPs) > 0 {
-			cli.Fatalf("'--ip' requires a private key and certificate file. Set the '--cert' and '--key' flag")
+		 	cli.Fatalf("'--ip' requires a private key and certificate file. Set the '--cert' and '--key' flag")
 		}
 		if len(domains) > 0 {
 			cli.Fatalf("'--dns' requires a private key and certificate file. Set the '--cert' and '--key' flag")