xref: /freebsd/crypto/openssl/doc/man1/openssl-rehash.pod.in (revision b077aed33b7b6aefca7b17ddb250cf521f938613)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=for comment
5Original text by James Westby.
6
7=head1 NAME
8
9openssl-rehash, c_rehash - Create symbolic links to files named by the hash
10values
11
12=head1 SYNOPSIS
13
14B<openssl>
15B<rehash>
16[B<-h>]
17[B<-help>]
18[B<-old>]
19[B<-compat>]
20[B<-n>]
21[B<-v>]
22{- $OpenSSL::safe::opt_provider_synopsis -}
23[I<directory>] ...
24
25B<c_rehash>
26[B<-h>]
27[B<-help>]
28[B<-old>]
29[B<-n>]
30[B<-v>]
31{- $OpenSSL::safe::opt_provider_synopsis -}
32[I<directory>] ...
33
34=head1 DESCRIPTION
35
36This command is generally equivalent to the external
37script B<c_rehash>,
38except for minor differences noted below.
39
40B<openssl rehash> scans directories and calculates a hash value of
41each F<.pem>, F<.crt>, F<.cer>, or F<.crl>
42file in the specified directory list and creates symbolic links
43for each file, where the name of the link is the hash value.
44(If the platform does not support symbolic links, a copy is made.)
45This command is useful as many programs that use OpenSSL require
46directories to be set up like this in order to find certificates.
47
48If any directories are named on the command line, then those are
49processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
50is consulted; this should be a colon-separated list of directories,
51like the Unix B<PATH> variable.
52If that is not set then the default directory (installation-specific
53but often F</usr/local/ssl/certs>) is processed.
54
55In order for a directory to be processed, the user must have write
56permissions on that directory, otherwise an error will be generated.
57
58The links created are of the form I<HHHHHHHH.D>, where each I<H>
59is a hexadecimal character and I<D> is a single decimal digit.
60When a directory is processed, all links in it that have a name
61in that syntax are first removed, even if they are being used for
62some other purpose.
63To skip the removal step, use the B<-n> flag.
64Hashes for CRL's look similar except the letter B<r> appears after
65the period, like this: I<HHHHHHHH.>B<r>I<D>.
66
67Multiple objects may have the same hash; they will be indicated by
68incrementing the I<D> value. Duplicates are found by comparing the
69full SHA-1 fingerprint. A warning will be displayed if a duplicate
70is found.
71
72A warning will also be displayed if there are files that
73cannot be parsed as either a certificate or a CRL or if
74more than one such object appears in the file.
75
76=head2 Script Configuration
77
78The B<c_rehash> script
79uses the B<openssl> program to compute the hashes and
80fingerprints. If not found in the user's B<PATH>, then set the
81B<OPENSSL> environment variable to the full pathname.
82Any program can be used, it will be invoked as follows for either
83a certificate or CRL:
84
85  $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
86  $OPENSSL crl -hash -fingerprint -noout -in FILENAME
87
88where I<FILENAME> is the filename. It must output the hash of the
89file on the first line, and the fingerprint on the second,
90optionally prefixed with some text and an equals sign.
91
92=head1 OPTIONS
93
94=over 4
95
96=item B<-help> B<-h>
97
98Display a brief usage message.
99
100=item B<-old>
101
102Use old-style hashing (MD5, as opposed to SHA-1) for generating
103links to be used for releases before 1.0.0.
104Note that current versions will not use the old style.
105
106=item B<-n>
107
108Do not remove existing links.
109This is needed when keeping new and old-style links in the same directory.
110
111=item B<-compat>
112
113Generate links for both old-style (MD5) and new-style (SHA1) hashing.
114This allows releases before 1.0.0 to use these links along-side newer
115releases.
116
117=item B<-v>
118
119Print messages about old links removed and new links created.
120By default, this command only lists each directory as it is processed.
121
122{- $OpenSSL::safe::opt_provider_item -}
123
124=back
125
126=head1 ENVIRONMENT
127
128=over 4
129
130=item B<OPENSSL>
131
132The path to an executable to use to generate hashes and
133fingerprints (see above).
134
135=item B<SSL_CERT_DIR>
136
137Colon separated list of directories to operate on.
138Ignored if directories are listed on the command line.
139
140=back
141
142=head1 SEE ALSO
143
144L<openssl(1)>,
145L<openssl-crl(1)>,
146L<openssl-x509(1)>
147
148=head1 COPYRIGHT
149
150Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
151
152Licensed under the Apache License 2.0 (the "License").  You may not use
153this file except in compliance with the License.  You can obtain a copy
154in the file LICENSE in the source distribution or at
155L<https://www.openssl.org/source/license.html>.
156
157=cut
158