1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=for comment 5Original text by James Westby. 6 7=head1 NAME 8 9openssl-rehash, c_rehash - Create symbolic links to files named by the hash 10values 11 12=head1 SYNOPSIS 13=for openssl duplicate options 14 15B<openssl> 16B<rehash> 17[B<-h>] 18[B<-help>] 19[B<-old>] 20[B<-compat>] 21[B<-n>] 22[B<-v>] 23{- $OpenSSL::safe::opt_provider_synopsis -} 24[I<directory>] ... 25 26B<c_rehash> 27[B<-h>] 28[B<-help>] 29[B<-old>] 30[B<-n>] 31[B<-v>] 32{- $OpenSSL::safe::opt_provider_synopsis -} 33[I<directory>] ... 34 35=head1 DESCRIPTION 36 37This command is generally equivalent to the external 38script B<c_rehash>, 39except for minor differences noted below. 40 41B<openssl rehash> scans directories and calculates a hash value of 42each F<.pem>, F<.crt>, F<.cer>, or F<.crl> 43file in the specified directory list and creates symbolic links 44for each file, where the name of the link is the hash value. 45(If the platform does not support symbolic links, a copy is made.) 46This command is useful as many programs that use OpenSSL require 47directories to be set up like this in order to find certificates. 48 49If any directories are named on the command line, then those are 50processed in turn. If not, then the B<SSL_CERT_DIR> environment variable 51is consulted; this should be a colon-separated list of directories, 52like the Unix B<PATH> variable. 53If that is not set then the default directory (installation-specific 54but often F</usr/local/ssl/certs>) is processed. 55 56In order for a directory to be processed, the user must have write 57permissions on that directory, otherwise an error will be generated. 58 59The links created are of the form I<HHHHHHHH.D>, where each I<H> 60is a hexadecimal character and I<D> is a single decimal digit. 61When a directory is processed, all links in it that have a name 62in that syntax are first removed, even if they are being used for 63some other purpose. 64To skip the removal step, use the B<-n> flag. 65Hashes for CRL's look similar except the letter B<r> appears after 66the period, like this: I<HHHHHHHH.>B<r>I<D>. 67 68Multiple objects may have the same hash; they will be indicated by 69incrementing the I<D> value. Duplicates are found by comparing the 70full SHA-1 fingerprint. A warning will be displayed if a duplicate 71is found. 72 73A warning will also be displayed if there are files that 74cannot be parsed as either a certificate or a CRL or if 75more than one such object appears in the file. 76 77=head2 Script Configuration 78 79The B<c_rehash> script 80uses the B<openssl> program to compute the hashes and 81fingerprints. If not found in the user's B<PATH>, then set the 82B<OPENSSL> environment variable to the full pathname. 83Any program can be used, it will be invoked as follows for either 84a certificate or CRL: 85 86 $OPENSSL x509 -hash -fingerprint -noout -in FILENAME 87 $OPENSSL crl -hash -fingerprint -noout -in FILENAME 88 89where I<FILENAME> is the filename. It must output the hash of the 90file on the first line, and the fingerprint on the second, 91optionally prefixed with some text and an equals sign. 92 93=head1 OPTIONS 94 95=over 4 96 97=item B<-help> B<-h> 98 99Display a brief usage message. 100 101=item B<-old> 102 103Use old-style hashing (MD5, as opposed to SHA-1) for generating 104links to be used for releases before 1.0.0. 105Note that current versions will not use the old style. 106 107=item B<-n> 108 109Do not remove existing links. 110This is needed when keeping new and old-style links in the same directory. 111 112=item B<-compat> 113 114Generate links for both old-style (MD5) and new-style (SHA1) hashing. 115This allows releases before 1.0.0 to use these links along-side newer 116releases. 117 118=item B<-v> 119 120Print messages about old links removed and new links created. 121By default, this command only lists each directory as it is processed. 122 123{- $OpenSSL::safe::opt_provider_item -} 124 125=back 126 127=head1 ENVIRONMENT 128 129=over 4 130 131=item B<OPENSSL> 132 133The path to an executable to use to generate hashes and 134fingerprints (see above). 135 136=item B<SSL_CERT_DIR> 137 138Colon separated list of directories to operate on. 139Ignored if directories are listed on the command line. 140 141=back 142 143=head1 SEE ALSO 144 145L<openssl(1)>, 146L<openssl-crl(1)>, 147L<openssl-x509(1)> 148 149=head1 COPYRIGHT 150 151Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. 152 153Licensed under the Apache License 2.0 (the "License"). You may not use 154this file except in compliance with the License. You can obtain a copy 155in the file LICENSE in the source distribution or at 156L<https://www.openssl.org/source/license.html>. 157 158=cut 159