C_REHASH(1SSL) OpenSSL C_REHASH(1SSL)NAME
c_rehash - Create symbolic links to files named by the hash values
SYNOPSIS
c_rehash [directory] ...
DESCRIPTION
c_rehash scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of
the files named by the hash value. This is useful as many programs require directories to be set up like this in order to find the
certificates they require.
If any directories are named on the command line then these directories are processed in turn. If not then and the environment variable
SSL_CERT_DIR is defined then that is consulted. This variable should be a colon (:) separated list of directories, all of which will be
processed. If neither of these conditions are true then /usr/lib/ssl/certs is processed.
For each directory that is to be processed he user must have write permissions on the directory, if they do not then nothing will be
printed for that directory.
Note that this program deletes all the symbolic links that look like ones that it creates before processing a directory. Beware that if you
run the program on a directory that contains symbolic links for other purposes that are named in the same format as those created by this
program they will be lost.
The hashes for certificate files are of the form <hash>.<n> where n is an integer. If the hash value already exists then n will be
incremented, unless the file is a duplicate. Duplicates are detected using the fingerprint of the certificate. A warning will be printed if
a duplicate is detected. The hashes for CRL files are of the form <hash>.r<n> and have the same behavior.
The program will also warn if there are files with extension .pem which are not certificate or CRL files.
The program uses the openssl program to compute the hashes and fingerprints. It expects the executable to be named openssl and be on the
PATH, or in the /usr/lib/ssl/bin directory. If the OPENSSL environment variable is defined then this is used instead as the executable that
provides the hashes and fingerprints. When called as $OPENSSL x509 -hash -fingerprint -noout -in $file it must output the hash of $file on
the first line followed by the fingerprint on the second line, optionally prefixed with some text and an equals sign (=).
OPTIONS
None
ENVIRONMENT
OPENSSL
The name (and path) of an executable to use to generate hashes and fingerprints (see above).
SSL_CERT_DIR
Colon separated list of directories to operate on. Ignored if directories are listed on the command line.
SEE ALSO openssl(1), x509(1)BUGS
No known bugs
1.0.0e 2013-02-18 C_REHASH(1SSL)
Check Out this Related Man Page
REHASH(1SSL) OpenSSL REHASH(1SSL)NAME
openssl-c_rehash, openssl-rehash, c_rehash, rehash - Create symbolic links to files named by the hash values
SYNOPSIS
openssl rehash [-h] [-help] [-old] [-n] [-v] [ directory...]
c_rehash flags...
DESCRIPTION
On some platforms, the OpenSSL rehash command is available as an external script called c_rehash. They are functionally equivalent, except
for minor differences noted below.
rehash scans directories and calculates a hash value of each ".pem", ".crt", ".cer", or ".crl" file in the specified directory list and
creates symbolic links for each file, where the name of the link is the hash value. (If the platform does not support symbolic links, a
copy is made.) This utility is useful as many programs that use OpenSSL require directories to be set up like this in order to find
certificates.
If any directories are named on the command line, then those are processed in turn. If not, then the SSL_CERT_DIR environment variable is
consulted; this should be a colon-separated list of directories, like the Unix PATH variable. If that is not set then the default
directory (installation-specific but often /usr/local/ssl/certs) is processed.
In order for a directory to be processed, the user must have write permissions on that directory, otherwise an error will be generated.
The links created are of the form "HHHHHHHH.D", where each H is a hexadecimal character and D is a single decimal digit. When processing a
directory, rehash will first remove all links that have a name in that syntax, even if they are being used for some other purpose. To skip
the removal step, use the -n flag. Hashes for CRL's look similar except the letter r appears after the period, like this: "HHHHHHHH.rD".
Multiple objects may have the same hash; they will be indicated by incrementing the D value. Duplicates are found by comparing the full
SHA-1 fingerprint. A warning will be displayed if a duplicate is found.
A warning will also be displayed if there are files that cannot be parsed as either a certificate or a CRL or if more than one such object
appears in the file.
Script Configuration
The c_rehash script uses the openssl program to compute the hashes and fingerprints. If not found in the user's PATH, then set the OPENSSL
environment variable to the full pathname. Any program can be used, it will be invoked as follows for either a certificate or CRL:
$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FILENAME
where FILENAME is the filename. It must output the hash of the file on the first line, and the fingerprint on the second, optionally
prefixed with some text and an equals sign.
OPTIONS -help -h
Display a brief usage message.
-old
Use old-style hashing (MD5, as opposed to SHA-1) for generating links to be used for releases before 1.0.0. Note that current versions
will not use the old style.
-n Do not remove existing links. This is needed when keeping new and old-style links in the same directory.
-compat
Generate links for both old-style (MD5) and new-style (SHA1) hashing. This allows releases before 1.0.0 to use these links along-side
newer releases.
-v Print messages about old links removed and new links created. By default, rehash only lists each directory as it is processed.
ENVIRONMENT
OPENSSL
The path to an executable to use to generate hashes and fingerprints (see above).
SSL_CERT_DIR
Colon separated list of directories to operate on. Ignored if directories are listed on the command line.
SEE ALSO openssl(1), crl(1). x509(1).
COPYRIGHT
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a
copy in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
1.1.1a 2018-12-18 REHASH(1SSL)