Commit | Line | Data |
---|---|---|
cf2239b3 JW |
1 | =pod |
2 | ||
3 | =for comment | |
4 | Original text by James Westby, contributed under the OpenSSL license. | |
5 | ||
6 | =head1 NAME | |
7 | ||
3f2181e6 | 8 | openssl-c_rehash, openssl-rehash, |
8f6f1441 | 9 | c_rehash, rehash - Create symbolic links to files named by the hash values |
cf2239b3 JW |
10 | |
11 | =head1 SYNOPSIS | |
12 | ||
8f6f1441 TT |
13 | B<openssl> |
14 | B<rehash> | |
7d959c35 | 15 | B<[-h]> |
169394d4 | 16 | B<[-help]> |
a787c259 | 17 | B<[-old]> |
a787c259 MA |
18 | B<[-n]> |
19 | B<[-v]> | |
cf2239b3 JW |
20 | [ I<directory>...] |
21 | ||
8f6f1441 TT |
22 | B<c_rehash> |
23 | I<flags...> | |
24 | ||
cf2239b3 JW |
25 | =head1 DESCRIPTION |
26 | ||
8f6f1441 | 27 | On some platforms, the OpenSSL B<rehash> command is available as |
ff2f6bb0 RS |
28 | an external script called B<c_rehash>. They are functionally equivalent, |
29 | except for minor differences noted below. | |
8f6f1441 TT |
30 | |
31 | B<rehash> scans directories and calculates a hash value of each | |
80ec8d4e | 32 | C<.pem>, C<.crt>, C<.cer>, or C<.crl> |
cf2239b3 JW |
33 | file in the specified directory list and creates symbolic links |
34 | for each file, where the name of the link is the hash value. | |
a787c259 | 35 | (If the platform does not support symbolic links, a copy is made.) |
cf2239b3 JW |
36 | This utility is useful as many programs that use OpenSSL require |
37 | directories to be set up like this in order to find certificates. | |
38 | ||
39 | If any directories are named on the command line, then those are | |
40 | processed in turn. If not, then the B<SSL_CERT_DIR> environment variable | |
4c583c36 | 41 | is consulted; this should be a colon-separated list of directories, |
cf2239b3 JW |
42 | like the Unix B<PATH> variable. |
43 | If that is not set then the default directory (installation-specific | |
44 | but often B</usr/local/ssl/certs>) is processed. | |
45 | ||
46 | In order for a directory to be processed, the user must have write | |
ff2f6bb0 RS |
47 | permissions on that directory; otherwise an error will be generated. |
48 | ||
cf2239b3 JW |
49 | The links created are of the form C<HHHHHHHH.D>, where each B<H> |
50 | is a hexadecimal character and B<D> is a single decimal digit. | |
8f6f1441 | 51 | When processing a directory, B<rehash> will first remove all links |
ff2f6bb0 RS |
52 | that have a name in that syntax, even if they are being used for some |
53 | other purpose. | |
a787c259 | 54 | To skip the removal step, use the B<-n> flag. |
cf2239b3 JW |
55 | Hashes for CRLs look similar except the letter B<r> appears after |
56 | the period, like this: C<HHHHHHHH.rD>. | |
57 | ||
58 | Multiple objects may have the same hash; they will be indicated by | |
59 | incrementing the B<D> value. Duplicates are found by comparing the | |
60 | full SHA-1 fingerprint. A warning will be displayed if a duplicate | |
61 | is found. | |
62 | ||
80ec8d4e | 63 | A warning will also be displayed if there are files that |
ff2f6bb0 RS |
64 | cannot be parsed as either a certificate or a CRL or if |
65 | more than one such object appears in the file. | |
66 | ||
67 | =head2 Script Configuration | |
cf2239b3 | 68 | |
ff2f6bb0 RS |
69 | The B<c_rehash> script |
70 | uses the B<openssl> program to compute the hashes and | |
cf2239b3 JW |
71 | fingerprints. If not found in the user's B<PATH>, then set the |
72 | B<OPENSSL> environment variable to the full pathname. | |
73 | Any program can be used; it will be invoked as follows for either | |
74 | a certificate or CRL: | |
75 | ||
a787c259 MA |
76 | $OPENSSL x509 -hash -fingerprint -noout -in FILENAME |
77 | $OPENSSL crl -hash -fingerprint -noout -in FILENAME | |
cf2239b3 | 78 | |
a787c259 | 79 | where B<FILENAME> is the filename. It must output the hash of the |
cf2239b3 JW |
80 | file on the first line, and the fingerprint on the second, |
81 | optionally prefixed with some text and an equals sign. | |
82 | ||
a787c259 MA |
83 | =head1 OPTIONS |
84 | ||
85 | =over 4 | |
86 | ||
7d959c35 | 87 | =item B<-help> B<-h> |
169394d4 MR |
88 | |
89 | Display a brief usage message. | |
90 | ||
a787c259 MA |
91 | =item B<-old> |
92 | ||
93 | Use old-style hashing (MD5, as opposed to SHA-1) for generating | |
ff2f6bb0 RS |
94 | links to be used for releases before 1.0.0. |
95 | Note that current versions will not use the old style. | |
a787c259 | 96 | |
a787c259 MA |
97 | =item B<-n> |
98 | ||
99 | Do not remove existing links. | |
100 | This is needed when keeping new and old-style links in the same directory. | |
101 | ||
adaf3cfa RL |
102 | =item B<-compat> |
103 | ||
104 | Generate links for both old-style (MD5) and new-style (SHA-1) hashing. | |
105 | This allows releases before 1.0.0 to use these links alongside newer | |
106 | releases. | |
107 | ||
a787c259 MA |
108 | =item B<-v> |
109 | ||
110 | Print messages about old links removed and new links created. | |
8f6f1441 | 111 | By default, B<rehash> only lists each directory as it is processed. |
a787c259 MA |
112 | |
113 | =back | |
114 | ||
cf2239b3 JW |
115 | =head1 ENVIRONMENT |
116 | ||
e1271ac2 | 117 | =over 4 |
cf2239b3 JW |
118 | |
119 | =item B<OPENSSL> | |
120 | ||
121 | The path to an executable to use to generate hashes and | |
122 | fingerprints (see above). | |
123 | ||
124 | =item B<SSL_CERT_DIR> | |
125 | ||
126 | Colon-separated list of directories to operate on. | |
127 | Ignored if directories are listed on the command line. | |
128 | ||
129 | =back | |
130 | ||
131 | =head1 SEE ALSO | |
132 | ||
9b86974e RS |
133 | L<openssl(1)>, |
134 | L<crl(1)>, | |
135 | L<x509(1)>. | |
99ec4fdb | 136 | |
e2f92610 RS |
137 | =head1 COPYRIGHT |
138 | ||
28428130 | 139 | Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
140 | |
141 | Licensed under the OpenSSL license (the "License"). You may not use | |
142 | this file except in compliance with the License. You can obtain a copy | |
143 | in the file LICENSE in the source distribution or at | |
144 | L<https://www.openssl.org/source/license.html>. | |
145 | ||
146 | =cut |
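
The DESCRIPTION above says that rehash first removes every link whose name has the HHHHHHHH.D or HHHHHHHH.rD syntax, even if it is used for some other purpose, unless -n is given. The following is an added example, not part of the OpenSSL documentation or code: a shell helper that lists the entries in a directory matching that syntax and where they point, so they can be reviewed before a run. The function names, the state labels and the acceptance of upper-case hex digits are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSL code. Function names are hypothetical.

h='[0-9a-fA-F]'   # one hexadecimal character; accepting upper case is an assumption

# classify_entry NAME: print "cert" for HHHHHHHH.D, "crl" for HHHHHHHH.rD,
# "other" for anything else. Only the name is examined, not the content.
classify_entry() {
    case "$1" in
        $h$h$h$h$h$h$h$h.[0-9])  echo cert ;;
        $h$h$h$h$h$h$h$h.r[0-9]) echo crl ;;
        *)                       echo other ;;
    esac
}

# audit_hashdir DIR: print one line per entry with a link-style name:
#   <kind> link     <name> -> <target>   symbolic link, target exists
#   <kind> dangling <name> -> <target>   symbolic link, target missing
#   <kind> notlink  <name>               not a symbolic link (for instance a
#                                        copy made where symlinks are unsupported)
audit_hashdir() {
    dir=$1
    for path in "$dir"/*; do
        # Skip the unexpanded glob of an empty directory; keep dangling links.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        kind=$(classify_entry "$name")
        [ "$kind" = other ] && continue
        if [ -L "$path" ]; then
            if [ -e "$path" ]; then state=link; else state=dangling; fi
            printf '%s %s %s -> %s\n' "$kind" "$state" "$name" "$(readlink "$path")"
        else
            printf '%s notlink %s\n' "$kind" "$name"
        fi
    done
}

# Usage: sh audit.sh /path/to/certs
if [ $# -gt 0 ]; then
    audit_hashdir "$1"
fi
```

Any entry reported here that was not created by a previous rehash run is one to rename or move before running rehash without -n.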