=pod

=for comment
Original text by James Westby, contributed under the OpenSSL license.

=head1 NAME

c_rehash - Create symbolic links to files named by the hash values

=head1 SYNOPSIS

B<c_rehash>
B<[-old]>
B<[-h]>
B<[-n]>
B<[-v]>
[ I<directory>...]

=head1 DESCRIPTION

B<c_rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.

If any directories are named on the command line, then those are
processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix B<PATH> variable.
If that is not set then the default directory (installation-specific
but often B</usr/local/ssl/certs>) is processed.

In order for a directory to be processed, the user must have write
permissions on that directory, otherwise it will be skipped.
The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<c_rehash> will first remove all links
that have a name in that syntax. If you have links in that format
used for other purposes, they will be removed.
To skip the removal step, use the B<-n> flag.
Hashes for CRLs look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.

Multiple objects may have the same hash; they will be indicated by
incrementing the B<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.

A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL.

The program uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used; it will be invoked as follows for either
a certificate or CRL:

 $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
 $OPENSSL crl -hash -fingerprint -noout -in FILENAME

where B<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.

=head1 OPTIONS

=over 4

=item B<-old>

Use old-style hashing (MD5, as opposed to SHA-1) for generating
links for releases before 1.0.0. Note that current versions will
not use the old style.

=item B<-h>

Display a brief usage message.

=item B<-n>

Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.

=item B<-v>

Print messages about old links removed and new links created.
By default, B<c_rehash> only lists each directory as it is processed.

=back

=head1 ENVIRONMENT

=over

=item B<OPENSSL>

The path to an executable to use to generate hashes and
fingerprints (see above).

=item B<SSL_CERT_DIR>

Colon-separated list of directories to operate on.
Ignored if directories are listed on the command line.

=back

=head1 SEE ALSO

L<openssl(1)|openssl(1)>,
L<crl(1)|crl(1)>,
L<x509(1)|x509(1)>.
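The link naming, removal and duplicate rules from the DESCRIPTION section can be checked with a dry run before B<c_rehash> touches a directory. The following is an added example, not part of the original manual page or of the c_rehash script; the names C<parse_tool_output> and C<plan> and all sample hashes and fingerprints are constructed, and it assumes a duplicate gets a warning and no second link.

```python
import re

# Link-name syntax as described above: 8 hex characters, a period, an optional
# "r" (CRLs) and one decimal digit. Built from the page's wording, not copied
# from the c_rehash script.
LINK_RE = re.compile(r"[0-9a-fA-F]{8}\.r?[0-9]")

def parse_tool_output(text):
    """Return (hash, fingerprint) from the two-line $OPENSSL output."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 2:
        raise ValueError("expected a hash line and a fingerprint line")
    # The fingerprint may be prefixed with some text and an equals sign.
    return lines[0], lines[1].rsplit("=", 1)[-1].strip().upper()

def plan(link_names, objects):
    """Dry run. link_names: names of existing symlinks in the directory.
    objects: (filename, is_crl, tool_output) for each parseable file."""
    removed = [n for n in link_names if LINK_RE.fullmatch(n)]
    seen = {}  # (hash, is_crl) -> fingerprints already given a link
    created, warnings = [], []
    for fname, is_crl, output in objects:
        digest, fingerprint = parse_tool_output(output)
        fps = seen.setdefault((digest, is_crl), [])
        if fingerprint in fps:
            # Assumption: a duplicate is warned about and gets no second link.
            warnings.append(f"duplicate: {fname}")
            continue
        created.append((f"{digest}.{'r' if is_crl else ''}{len(fps)}", fname))
        fps.append(fingerprint)
    return removed, created, warnings

# Constructed sample data (hashes and fingerprints are made up).
SAMPLE_LINKS = ["9d66eef0.0", "9d66eef0.r0", "cafe2024.1", "latest.pem"]
SAMPLE_OBJECTS = [
    ("root-a.pem", False, "9d66eef0\nSHA1 Fingerprint=AA:11:22\n"),
    ("root-b.crt", False, "9d66eef0\nSHA1 Fingerprint=BB:33:44\n"),
    ("root-a-copy.cer", False, "9d66eef0\nAA:11:22\n"),
    ("root-a.crl", True, "9d66eef0\nSHA1 Fingerprint=CC:55:66\n"),
]

if __name__ == "__main__":
    removed, created, warnings = plan(SAMPLE_LINKS, SAMPLE_OBJECTS)
    print("would remove:", removed)
    print("would create:", created)
    print("warnings:", warnings)
```

In the sample, C<cafe2024.1> is a link kept for another purpose that happens to match the syntax, so it shows up in the removal list; C<latest.pem> does not.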