c_rehash.pod revision 279264
1=pod 2 3=for comment 4Original text by James Westby, contributed under the OpenSSL license. 5 6=head1 NAME 7 8c_rehash - Create symbolic links to files named by the hash values 9 10=head1 SYNOPSIS 11 12B<c_rehash> 13[ I<directory>...] 14 15=head1 DESCRIPTION 16 17B<c_rehash> scans directories and calculates a hash value of each C<.pem> 18file in the specified directory list and creates symbolic links 19for each file, where the name of the link is the hash value. 20This utility is useful as many programs that use OpenSSL require 21directories to be set up like this in order to find certificates. 22 23If any directories are named on the command line, then those are 24processed in turn. If not, then the B<SSL_CERT_DIR> environment variable 25is consulted; this shold be a colon-separated list of directories, 26like the Unix B<PATH> variable. 27If that is not set then the default directory (installation-specific 28but often B</usr/local/ssl/certs>) is processed. 29 30In order for a directory to be processed, the user must have write 31permissions on that directory, otherwise it will be skipped. 32The links created are of the form C<HHHHHHHH.D>, where each B<H> 33is a hexadecimal character and B<D> is a single decimal digit. 34When processing a directory, B<c_rehash> will first remove all links 35that have a name in that syntax. If you have links in that format 36used for other purposes, they will be removed. 37Hashes for CRL's look similar except the letter B<r> appears after 38the period, like this: C<HHHHHHHH.rD>. 39 40Multiple objects may have the same hash; they will be indicated by 41incrementing the B<D> value. Duplicates are found by comparing the 42full SHA-1 fingerprint. A warning will be displayed if a duplicate 43is found. 44 45A warning will also be displayed if there are B<.pem> files that 46cannot be parsed as either a certificate or a CRL. 47 48The program uses the B<openssl> program to compute the hashes and 49fingerprints. If not found in the user's B<PATH>, then set the 50B<OPENSSL> environment variable to the full pathname. 51Any program can be used, it will be invoked as follows for either 52a certificate or CRL: 53 54 $OPENSSL x509 -hash -fingerprint -noout -in FFFFFF 55 $OPENSSL crl -hash -fingerprint -noout -in FFFFFF 56 57where B<FFFFFF> is the filename. It must output the hash of the 58file on the first line, and the fingerprint on the second, 59optionally prefixed with some text and an equals sign. 60 61=head1 ENVIRONMENT 62 63=over 64 65=item B<OPENSSL> 66 67The path to an executable to use to generate hashes and 68fingerprints (see above). 69 70=item B<SSL_CERT_DIR> 71 72Colon separated list of directories to operate on. 73Ignored if directories are listed on the command line. 74 75=back 76 77=head1 SEE ALSO 78 79L<openssl(1)|openssl(1)>, 80L<crl(1)|crl(1)>. 81L<x509(1)|x509(1)>. 82