190 lines
6.5 KiB
HTML
Executable File
190 lines
6.5 KiB
HTML
Executable File
<?xml version="1.0" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>openssl-rehash</title>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
|
<link rev="made" href="mailto:root@localhost" />
|
|
</head>
|
|
|
|
<body style="background-color: white">
|
|
|
|
|
|
<!-- INDEX BEGIN -->
|
|
<div name="index">
|
|
<p><a name="__index__"></a></p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#name">NAME</a></li>
|
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
|
<li><a href="#description">DESCRIPTION</a></li>
|
|
<ul>
|
|
|
|
<li><a href="#script_configuration">Script Configuration</a></li>
|
|
</ul>
|
|
|
|
<li><a href="#options">OPTIONS</a></li>
|
|
<li><a href="#environment">ENVIRONMENT</a></li>
|
|
<li><a href="#see_also">SEE ALSO</a></li>
|
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
|
</ul>
|
|
|
|
<hr name="index" />
|
|
</div>
|
|
<!-- INDEX END -->
|
|
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="name">NAME</a></h1>
|
|
<p>openssl-rehash, c_rehash - Create symbolic links to files named by the hash
|
|
values</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
|
<p><strong>openssl</strong>
|
|
<strong>rehash</strong>
|
|
[<strong>-h</strong>]
|
|
[<strong>-help</strong>]
|
|
[<strong>-old</strong>]
|
|
[<strong>-compat</strong>]
|
|
[<strong>-n</strong>]
|
|
[<strong>-v</strong>]
|
|
[<em>directory</em>] ...</p>
|
|
<p><strong>c_rehash</strong>
|
|
[<strong>-h</strong>]
|
|
[<strong>-help</strong>]
|
|
[<strong>-old</strong>]
|
|
[<strong>-n</strong>]
|
|
[<strong>-v</strong>]
|
|
[<em>directory</em>] ...</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="description">DESCRIPTION</a></h1>
|
|
<p>This command is generally equivalent to the external
|
|
script <strong>c_rehash</strong>,
|
|
except for minor differences noted below.</p>
|
|
<p><strong>openssl rehash</strong> scans directories and calculates a hash value of
|
|
each <em class="file">.pem</em>, <em class="file">.crt</em>, <em class="file">.cer</em>, or <em class="file">.crl</em>
|
|
file in the specified directory list and creates symbolic links
|
|
for each file, where the name of the link is the hash value.
|
|
(If the platform does not support symbolic links, a copy is made.)
|
|
This command is useful as many programs that use OpenSSL require
|
|
directories to be set up like this in order to find certificates.</p>
|
|
<p>If any directories are named on the command line, then those are
|
|
processed in turn. If not, then the <strong>SSL_CERT_DIR</strong> environment variable
|
|
is consulted; this should be a colon-separated list of directories,
|
|
like the Unix <strong>PATH</strong> variable.
|
|
If that is not set then the default directory (installation-specific
|
|
but often <em class="file">/usr/local/ssl/certs</em>) is processed.</p>
|
|
<p>In order for a directory to be processed, the user must have write
|
|
permissions on that directory, otherwise an error will be generated.</p>
|
|
<p>The links created are of the form <em>HHHHHHHH.D</em>, where each <em>H</em>
|
|
is a hexadecimal character and <em>D</em> is a single decimal digit.
|
|
When a directory is processed, all links in it that have a name
|
|
in that syntax are first removed, even if they are being used for
|
|
some other purpose.
|
|
To skip the removal step, use the <strong>-n</strong> flag.
|
|
Hashes for CRL's look similar except the letter <strong>r</strong> appears after
|
|
the period, like this: <em>HHHHHHHH.</em><strong>r</strong><em>D</em>.</p>
|
|
<p>Multiple objects may have the same hash; they will be indicated by
|
|
incrementing the <em>D</em> value. Duplicates are found by comparing the
|
|
full SHA-1 fingerprint. A warning will be displayed if a duplicate
|
|
is found.</p>
|
|
<p>A warning will also be displayed if there are files that
|
|
cannot be parsed as either a certificate or a CRL or if
|
|
more than one such object appears in the file.</p>
|
|
<p>
|
|
</p>
|
|
<h2><a name="script_configuration">Script Configuration</a></h2>
|
|
<p>The <strong>c_rehash</strong> script
|
|
uses the <strong>openssl</strong> program to compute the hashes and
|
|
fingerprints. If not found in the user's <strong>PATH</strong>, then set the
|
|
<strong>OPENSSL</strong> environment variable to the full pathname.
|
|
Any program can be used, it will be invoked as follows for either
|
|
a certificate or CRL:</p>
|
|
<pre>
|
|
$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
|
|
$OPENSSL crl -hash -fingerprint -noout -in FILENAME</pre>
|
|
<p>where <em>FILENAME</em> is the filename. It must output the hash of the
|
|
file on the first line, and the fingerprint on the second,
|
|
optionally prefixed with some text and an equals sign.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="options">OPTIONS</a></h1>
|
|
<dl>
|
|
<dt><strong><a name="help_h" class="item"><strong>-help</strong> <strong>-h</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display a brief usage message.</p>
|
|
</dd>
|
|
<dt><strong><a name="old" class="item"><strong>-old</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Use old-style hashing (MD5, as opposed to SHA-1) for generating
|
|
links to be used for releases before 1.0.0.
|
|
Note that current versions will not use the old style.</p>
|
|
</dd>
|
|
<dt><strong><a name="n" class="item"><strong>-n</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not remove existing links.
|
|
This is needed when keeping new and old-style links in the same directory.</p>
|
|
</dd>
|
|
<dt><strong><a name="compat" class="item"><strong>-compat</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generate links for both old-style (MD5) and new-style (SHA1) hashing.
|
|
This allows releases before 1.0.0 to use these links along-side newer
|
|
releases.</p>
|
|
</dd>
|
|
<dt><strong><a name="v" class="item"><strong>-v</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Print messages about old links removed and new links created.
|
|
By default, this command only lists each directory as it is processed.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="environment">ENVIRONMENT</a></h1>
|
|
<dl>
|
|
<dt><strong><a name="openssl" class="item"><strong>OPENSSL</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The path to an executable to use to generate hashes and
|
|
fingerprints (see above).</p>
|
|
</dd>
|
|
<dt><strong><a name="ssl_cert_dir" class="item"><strong>SSL_CERT_DIR</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Colon separated list of directories to operate on.
|
|
Ignored if directories are listed on the command line.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
|
<p><em>openssl(1)</em>,
|
|
<em>openssl-crl(1)</em>,
|
|
<em>openssl-x509(1)</em></p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
|
<p>Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.</p>
|
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
|
|
|
</body>
|
|
|
|
</html>
|