diff options
Diffstat (limited to 'doc/apps/rehash.pod')
-rw-r--r-- | doc/apps/rehash.pod | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/doc/apps/rehash.pod b/doc/apps/rehash.pod new file mode 100644 index 0000000000..00ab29b140 --- /dev/null +++ b/doc/apps/rehash.pod @@ -0,0 +1,121 @@ +=pod + +=for comment +Original text by James Westby, contributed under the OpenSSL license. + +=head1 NAME + +c_rehash, rehash - Create symbolic links to files named by the hash values + +=head1 SYNOPSIS + +B<openssl> +B<rehash> +B<[-old]> +B<[-h]> +B<[-n]> +B<[-v]> +[ I<directory>...] + +B<c_rehash> +I<flags...> + +=head1 DESCRIPTION + +On some platforms, the OpenSSL B<rehash> command is available as +an external script called B<c_rehash>. They are functionally equivalent. + +B<rehash> scans directories and calculates a hash value of each +C<.pem>, C<.crt>, C<.cer>, or C<.crl> +file in the specified directory list and creates symbolic links +for each file, where the name of the link is the hash value. +(If the platform does not support symbolic links, a copy is made.) +This utility is useful as many programs that use OpenSSL require +directories to be set up like this in order to find certificates. + +If any directories are named on the command line, then those are +processed in turn. If not, then the B<SSL_CERT_DIR> environment variable +is consulted; this should be a colon-separated list of directories, +like the Unix B<PATH> variable. +If that is not set then the default directory (installation-specific +but often B</usr/local/ssl/certs>) is processed. + +In order for a directory to be processed, the user must have write +permissions on that directory, otherwise it will be skipped. +The links created are of the form C<HHHHHHHH.D>, where each B<H> +is a hexadecimal character and B<D> is a single decimal digit. +When processing a directory, B<rehash> will first remove all links +that have a name in that syntax. If you have links in that format +used for other purposes, they will be removed. +To skip the removal step, use the B<-n> flag. +Hashes for CRL's look similar except the letter B<r> appears after +the period, like this: C<HHHHHHHH.rD>. + +Multiple objects may have the same hash; they will be indicated by +incrementing the B<D> value. Duplicates are found by comparing the +full SHA-1 fingerprint. A warning will be displayed if a duplicate +is found. + +A warning will also be displayed if there are files that +cannot be parsed as either a certificate or a CRL. + +The program uses the B<openssl> program to compute the hashes and +fingerprints. If not found in the user's B<PATH>, then set the +B<OPENSSL> environment variable to the full pathname. +Any program can be used, it will be invoked as follows for either +a certificate or CRL: + + $OPENSSL x509 -hash -fingerprint -noout -in FILENAME + $OPENSSL crl -hash -fingerprint -noout -in FILENAME + +where B<FILENAME> is the filename. It must output the hash of the +file on the first line, and the fingerprint on the second, +optionally prefixed with some text and an equals sign. + +=head1 OPTIONS + +=over 4 + +=item B<-old> + +Use old-style hashing (MD5, as opposed to SHA-1) for generating +links for releases before 1.0.0. Note that current versions will +not use the old style. + +=item B<-h> + +Display a brief usage message. + +=item B<-n> + +Do not remove existing links. +This is needed when keeping new and old-style links in the same directory. + +=item B<-v> + +Print messages about old links removed and new links created. +By default, B<rehash> only lists each directory as it is processed. + +=back + +=head1 ENVIRONMENT + +=over + +=item B<OPENSSL> + +The path to an executable to use to generate hashes and +fingerprints (see above). + +=item B<SSL_CERT_DIR> + +Colon separated list of directories to operate on. +Ignored if directories are listed on the command line. + +=back + +=head1 SEE ALSO + +L<openssl(1)>, +L<crl(1)>. +L<x509(1)>. |