=pod

=for comment
Original text by James Westby, contributed under the OpenSSL license.

=head1 NAME

openssl-c_rehash, openssl-rehash,
c_rehash, rehash - Create symbolic links to files named by the hash values

=head1 SYNOPSIS

B<openssl>
B<rehash>
B<[-h]>
B<[-help]>
B<[-old]>
B<[-n]>
B<[-v]>
[ I<directory>...]

B<c_rehash>
I<flags...>

=head1 DESCRIPTION

On some platforms, the OpenSSL B<rehash> command is available as
an external script called B<c_rehash>. They are functionally equivalent,
except for minor differences noted below.

B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.

If any directories are named on the command line, then those are
processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix B<PATH> variable.
If that is not set then the default directory (installation-specific
but often B</usr/local/ssl/certs>) is processed.

In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.

The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRLs look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.
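
An added pre-flight check, not part of the OpenSSL distribution: it lists the symbolic links in a directory whose names match the C<HHHHHHHH.D> or C<HHHHHHHH.rD> syntax, and which B<rehash> would therefore remove unless B<-n> is given, and flags links that are dangling or point outside the directory. The sample directory, file names and hash-like link names are constructed, and treating only symbolic links as candidates is an assumption based on the wording above.

```python
import os
import re
import tempfile

# Link-name syntax as this page describes it: HHHHHHHH.D for certificates,
# HHHHHHHH.rD for CRLs (H = hexadecimal character, D = single decimal digit).
LINK_RE = re.compile(r"^[0-9a-fA-F]{8}\.(r?)[0-9]$")


def preview_rehash_removals(directory):
    """Return (name, kind, status) for each symlink named like a hash link."""
    root = os.path.realpath(directory)
    report = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        match = LINK_RE.match(name)
        # Assumption: only symbolic links are candidates for removal.
        if not match or not os.path.islink(path):
            continue
        kind = "crl" if match.group(1) else "cert"
        target = os.path.realpath(path)
        if not os.path.exists(target):
            status = "dangling"   # target file no longer exists
        elif os.path.dirname(target) != root:
            status = "outside"    # link is used for something else
        else:
            status = "ok"
        report.append((name, kind, status))
    return report


def build_sample_dir():
    """Constructed sample directory; every name and file body is made up."""
    d = tempfile.mkdtemp(prefix="certs-")
    other = tempfile.mkdtemp(prefix="unrelated-")
    for path in (os.path.join(d, "ca.pem"), os.path.join(d, "revoked.crl"),
                 os.path.join(other, "app.conf")):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM object\n")
    links = {"1a2b3c4d.0": "ca.pem", "1a2b3c4d.r0": "revoked.crl",
             "deadbeef.0": "gone.pem",                       # dangling
             "cafef00d.1": os.path.join(other, "app.conf"),  # other purpose
             "current-ca": "ca.pem"}                         # name not matched
    for name, target in links.items():
        os.symlink(target, os.path.join(d, name))
    return d


if __name__ == "__main__":
    for row in preview_rehash_removals(build_sample_dir()):
        print("%-12s %-4s %s" % row)
```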

Multiple objects may have the same hash; they will be indicated by
incrementing the B<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.

A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL or if
more than one such object appears in the file.

=head2 Script Configuration

The B<c_rehash> script
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used; it will be invoked as follows for either
a certificate or CRL:

 $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
 $OPENSSL crl -hash -fingerprint -noout -in FILENAME

where B<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.

=head1 OPTIONS

=over 4

=item B<-help> B<-h>

Display a brief usage message.

=item B<-old>

Use old-style hashing (MD5, as opposed to SHA-1) for generating
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.

=item B<-n>

Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.

=item B<-compat>

Generate links for both old-style (MD5) and new-style (SHA-1) hashing.
This allows releases before 1.0.0 to use these links alongside newer
releases.

=item B<-v>

Print messages about old links removed and new links created.
By default, B<rehash> only lists each directory as it is processed.

=back

=head1 ENVIRONMENT

=over 4

=item B<OPENSSL>

The path to an executable to use to generate hashes and
fingerprints (see above).

=item B<SSL_CERT_DIR>

Colon-separated list of directories to operate on.
Ignored if directories are listed on the command line.

=back

=head1 SEE ALSO

L<openssl(1)>,
L<crl(1)>,
L<x509(1)>.

=head1 COPYRIGHT

Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut