1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=for comment 5Original text by James Westby. 6 7=head1 NAME 8 9openssl-rehash, c_rehash - Create symbolic links to files named by the hash 10values 11 12=head1 SYNOPSIS 13 14B<openssl> 15B<rehash> 16[B<-h>] 17[B<-help>] 18[B<-old>] 19[B<-compat>] 20[B<-n>] 21[B<-v>] 22{- $OpenSSL::safe::opt_provider_synopsis -} 23[I<directory>] ... 24 25B<c_rehash> 26[B<-h>] 27[B<-help>] 28[B<-old>] 29[B<-n>] 30[B<-v>] 31{- $OpenSSL::safe::opt_provider_synopsis -} 32[I<directory>] ... 33 34=head1 DESCRIPTION 35 36This command is generally equivalent to the external 37script B<c_rehash>, 38except for minor differences noted below. 39 40B<openssl rehash> scans directories and calculates a hash value of 41each F<.pem>, F<.crt>, F<.cer>, or F<.crl> 42file in the specified directory list and creates symbolic links 43for each file, where the name of the link is the hash value. 44(If the platform does not support symbolic links, a copy is made.) 45This command is useful as many programs that use OpenSSL require 46directories to be set up like this in order to find certificates. 47 48If any directories are named on the command line, then those are 49processed in turn. If not, then the B<SSL_CERT_DIR> environment variable 50is consulted; this should be a colon-separated list of directories, 51like the Unix B<PATH> variable. 52If that is not set then the default directory (installation-specific 53but often F</usr/local/ssl/certs>) is processed. 54 55In order for a directory to be processed, the user must have write 56permissions on that directory, otherwise an error will be generated. 57 58The links created are of the form I<HHHHHHHH.D>, where each I<H> 59is a hexadecimal character and I<D> is a single decimal digit. 60When a directory is processed, all links in it that have a name 61in that syntax are first removed, even if they are being used for 62some other purpose. 63To skip the removal step, use the B<-n> flag. 64Hashes for CRL's look similar except the letter B<r> appears after 65the period, like this: I<HHHHHHHH.>B<r>I<D>. 66 67Multiple objects may have the same hash; they will be indicated by 68incrementing the I<D> value. Duplicates are found by comparing the 69full SHA-1 fingerprint. A warning will be displayed if a duplicate 70is found. 71 72A warning will also be displayed if there are files that 73cannot be parsed as either a certificate or a CRL or if 74more than one such object appears in the file. 75 76=head2 Script Configuration 77 78The B<c_rehash> script 79uses the B<openssl> program to compute the hashes and 80fingerprints. If not found in the user's B<PATH>, then set the 81B<OPENSSL> environment variable to the full pathname. 82Any program can be used, it will be invoked as follows for either 83a certificate or CRL: 84 85 $OPENSSL x509 -hash -fingerprint -noout -in FILENAME 86 $OPENSSL crl -hash -fingerprint -noout -in FILENAME 87 88where I<FILENAME> is the filename. It must output the hash of the 89file on the first line, and the fingerprint on the second, 90optionally prefixed with some text and an equals sign. 91 92=head1 OPTIONS 93 94=over 4 95 96=item B<-help> B<-h> 97 98Display a brief usage message. 99 100=item B<-old> 101 102Use old-style hashing (MD5, as opposed to SHA-1) for generating 103links to be used for releases before 1.0.0. 104Note that current versions will not use the old style. 105 106=item B<-n> 107 108Do not remove existing links. 109This is needed when keeping new and old-style links in the same directory. 110 111=item B<-compat> 112 113Generate links for both old-style (MD5) and new-style (SHA1) hashing. 114This allows releases before 1.0.0 to use these links along-side newer 115releases. 116 117=item B<-v> 118 119Print messages about old links removed and new links created. 120By default, this command only lists each directory as it is processed. 121 122{- $OpenSSL::safe::opt_provider_item -} 123 124=back 125 126=head1 ENVIRONMENT 127 128=over 4 129 130=item B<OPENSSL> 131 132The path to an executable to use to generate hashes and 133fingerprints (see above). 134 135=item B<SSL_CERT_DIR> 136 137Colon separated list of directories to operate on. 138Ignored if directories are listed on the command line. 139 140=back 141 142=head1 SEE ALSO 143 144L<openssl(1)>, 145L<openssl-crl(1)>, 146L<openssl-x509(1)> 147 148=head1 COPYRIGHT 149 150Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. 151 152Licensed under the Apache License 2.0 (the "License"). You may not use 153this file except in compliance with the License. You can obtain a copy 154in the file LICENSE in the source distribution or at 155L<https://www.openssl.org/source/license.html>. 156 157=cut 158
