[thirdparty/openssl.git] / doc / man1 / rehash.pod

=pod

=for comment
Original text by James Westby, contributed under the OpenSSL license.

=head1 NAME

openssl-c_rehash, openssl-rehash,
c_rehash, rehash - Create symbolic links to files named by the hash values

=head1 SYNOPSIS

B<openssl>
B<rehash>
B<[-h]>
B<[-help]>
B<[-old]>
B<[-n]>
B<[-v]>
[ I<directory>...]

B<c_rehash>
I<flags...>

=head1 DESCRIPTION

On some platforms, the OpenSSL B<rehash> command is available as
an external script called B<c_rehash>.  They are functionally equivalent,
except for minor differences noted below.

B<rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.

If any directories are named on the command line, then those are
processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix B<PATH> variable.
If that is not set then the default directory (installation-specific
but often B</usr/local/ssl/certs>) is processed.

In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.

The links created are of the form C<HHHHHHHH.D>, where each B<H>
is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>.

Multiple objects may have the same hash; they will be indicated by
incrementing the B<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.

A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a CRL or if
more than one such object appears in the file.

=head2 Script Configuration

The B<c_rehash> script
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
a certificate or CRL:

  $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
  $OPENSSL crl -hash -fingerprint -noout -in FILENAME

where B<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.

=head1 OPTIONS

=over 4

=item B<-help> B<-h>

Display a brief usage message.

=item B<-old>

Use old-style hashing (MD5, as opposed to SHA-1) for generating
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.

=item B<-n>

Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.

=item B<-compat>

Generate links for both old-style (MD5) and new-style (SHA1) hashing.
This allows releases before 1.0.0 to use these links along-side newer
releases.

=item B<-v>

Print messages about old links removed and new links created.
By default, B<rehash> only lists each directory as it is processed.

=back

=head1 ENVIRONMENT

=over 4

=item B<OPENSSL>

The path to an executable to use to generate hashes and
fingerprints (see above).

=item B<SSL_CERT_DIR>

Colon separated list of directories to operate on.
Ignored if directories are listed on the command line.

=back

=head1 SEE ALSO

L<openssl(1)>,
L<crl(1)>.
L<x509(1)>.

=head1 COPYRIGHT

Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
cf2239b3 JW	1	=pod
	2
	3	=for comment
	4	Original text by James Westby, contributed under the OpenSSL license.
	5
	6	=head1 NAME
	7
3f2181e6	8	openssl-c_rehash, openssl-rehash,
8f6f1441	9	c_rehash, rehash - Create symbolic links to files named by the hash values
cf2239b3 JW	10
	11	=head1 SYNOPSIS
	12
8f6f1441 TT	13	B<openssl>
8f6f1441 TT	14	B<rehash>
7d959c35	15	B<[-h]>
169394d4	16	B<[-help]>
a787c259	17	B<[-old]>
a787c259 MA	18	B<[-n]>
a787c259 MA	19	B<[-v]>
cf2239b3 JW	20	[ I<directory>...]
cf2239b3 JW	21
8f6f1441 TT	22	B<c_rehash>
	23	I<flags...>
	24
cf2239b3 JW	25	=head1 DESCRIPTION
cf2239b3 JW	26
8f6f1441	27	On some platforms, the OpenSSL B<rehash> command is available as
ff2f6bb0 RS	28	an external script called B<c_rehash>. They are functionally equivalent,
ff2f6bb0 RS	29	except for minor differences noted below.
8f6f1441 TT	30
8f6f1441 TT	31	B<rehash> scans directories and calculates a hash value of each
80ec8d4e	32	C<.pem>, C<.crt>, C<.cer>, or C<.crl>
cf2239b3 JW	33	file in the specified directory list and creates symbolic links
cf2239b3 JW	34	for each file, where the name of the link is the hash value.
a787c259	35	(If the platform does not support symbolic links, a copy is made.)
cf2239b3 JW	36	This utility is useful as many programs that use OpenSSL require
	37	directories to be set up like this in order to find certificates.
	38
	39	If any directories are named on the command line, then those are
	40	processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
4c583c36	41	is consulted; this should be a colon-separated list of directories,
cf2239b3 JW	42	like the Unix B<PATH> variable.
	43	If that is not set then the default directory (installation-specific
	44	but often B</usr/local/ssl/certs>) is processed.
	45
	46	In order for a directory to be processed, the user must have write
ff2f6bb0 RS	47	permissions on that directory, otherwise an error will be generated.
ff2f6bb0 RS	48
cf2239b3 JW	49	The links created are of the form C<HHHHHHHH.D>, where each B<H>
cf2239b3 JW	50	is a hexadecimal character and B<D> is a single decimal digit.
8f6f1441	51	When processing a directory, B<rehash> will first remove all links
ff2f6bb0 RS	52	that have a name in that syntax, even if they are being used for some
ff2f6bb0 RS	53	other purpose.
a787c259	54	To skip the removal step, use the B<-n> flag.
cf2239b3 JW	55	Hashes for CRL's look similar except the letter B<r> appears after
	56	the period, like this: C<HHHHHHHH.rD>.
	57
	58	Multiple objects may have the same hash; they will be indicated by
	59	incrementing the B<D> value. Duplicates are found by comparing the
	60	full SHA-1 fingerprint. A warning will be displayed if a duplicate
	61	is found.
	62
80ec8d4e	63	A warning will also be displayed if there are files that
ff2f6bb0 RS	64	cannot be parsed as either a certificate or a CRL or if
	65	more than one such object appears in the file.
	66
	67	=head2 Script Configuration
cf2239b3	68
ff2f6bb0 RS	69	The B<c_rehash> script
ff2f6bb0 RS	70	uses the B<openssl> program to compute the hashes and
cf2239b3 JW	71	fingerprints. If not found in the user's B<PATH>, then set the
	72	B<OPENSSL> environment variable to the full pathname.
	73	Any program can be used, it will be invoked as follows for either
	74	a certificate or CRL:
	75
a787c259 MA	76	$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
a787c259 MA	77	$OPENSSL crl -hash -fingerprint -noout -in FILENAME
cf2239b3	78
a787c259	79	where B<FILENAME> is the filename. It must output the hash of the
cf2239b3 JW	80	file on the first line, and the fingerprint on the second,
	81	optionally prefixed with some text and an equals sign.
	82
a787c259 MA	83	=head1 OPTIONS
	84
	85	=over 4
	86
7d959c35	87	=item B<-help> B<-h>
169394d4 MR	88
	89	Display a brief usage message.
	90
a787c259 MA	91	=item B<-old>
	92
	93	Use old-style hashing (MD5, as opposed to SHA-1) for generating
ff2f6bb0 RS	94	links to be used for releases before 1.0.0.
ff2f6bb0 RS	95	Note that current versions will not use the old style.
a787c259	96
a787c259 MA	97	=item B<-n>
	98
	99	Do not remove existing links.
	100	This is needed when keeping new and old-style links in the same directory.
	101
adaf3cfa RL	102	=item B<-compat>
	103
	104	Generate links for both old-style (MD5) and new-style (SHA1) hashing.
	105	This allows releases before 1.0.0 to use these links along-side newer
	106	releases.
	107
a787c259 MA	108	=item B<-v>
	109
	110	Print messages about old links removed and new links created.
8f6f1441	111	By default, B<rehash> only lists each directory as it is processed.
a787c259 MA	112
	113	=back
	114
cf2239b3 JW	115	=head1 ENVIRONMENT
cf2239b3 JW	116
e1271ac2	117	=over 4
cf2239b3 JW	118
	119	=item B<OPENSSL>
	120
	121	The path to an executable to use to generate hashes and
	122	fingerprints (see above).
	123
	124	=item B<SSL_CERT_DIR>
	125
	126	Colon separated list of directories to operate on.
	127	Ignored if directories are listed on the command line.
	128
	129	=back
	130
	131	=head1 SEE ALSO
	132
9b86974e RS	133	L<openssl(1)>,
	134	L<crl(1)>.
	135	L<x509(1)>.
99ec4fdb	136
e2f92610 RS	137	=head1 COPYRIGHT
e2f92610 RS	138
28428130	139	Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610 RS	140
	141	Licensed under the OpenSSL license (the "License"). You may not use
	142	this file except in compliance with the License. You can obtain a copy
	143	in the file LICENSE in the source distribution or at
	144	L<https://www.openssl.org/source/license.html>.
	145
	146	=cut