LinuxCommandLibrary

c_rehash.1s

Updates OpenSSL's hash symlinks for certificate lookup

SYNOPSIS

c_rehash [-n] [-v] [-h] [-debug] [-deprecate] [-rehash] [-f] [-extend] [-suffix suffix] [directory]

PARAMETERS

-n
    No action. Print commands that would be executed without actually executing them.

-v
    Verbose mode. Print extra information about the actions being performed.

-h
    Display help message.

-debug
    Enable debugging output for troubleshooting.

-deprecate
    Do not use the default hashing algorithm (MD5).

-rehash
    Rehash all files.

-f
    Force creation of new links, overwriting existing ones.

-extend
    Extend the link with information (certificate serial number and issuer subject name hash).

-suffix suffix
    Append the given suffix to the link name.

[directory]
    The directory to scan for certificate files. If not specified, defaults to the system-wide certificate directory.

DESCRIPTION

The c_rehash command is a utility provided by OpenSSL to help manage certificate directories. It creates appropriately named symbolic links in a directory containing certificate files. Applications using OpenSSL rely on these links to find and verify certificates efficiently by subject name hash: when an application needs to verify a certificate chain, it uses the subject name hash of the certificate authority (CA) to locate the CA's certificate file in the directory.

c_rehash automates the creation of these links. It scans the specified directory, identifies certificate files (typically .pem or .crt files), calculates their subject name hashes, and creates symbolic links from the hash value to the corresponding certificate file. This eliminates manual link creation and keeps the directory structure consistent, which improves certificate management and security in OpenSSL environments. It handles various certificate formats and tries to avoid creating links that would overwrite existing ones.

CAVEATS

c_rehash relies on consistent naming conventions and file formats for certificates. Incorrectly formatted certificates or files can lead to errors or incorrect link creation. Ensure your certificates are valid and properly formatted before running c_rehash.

CERTIFICATE DIRECTORY STRUCTURE

The typical structure of a certificate directory after running c_rehash includes the original certificate files (e.g., .pem) and symbolic links named after the hash of the subject's distinguished name. These links point to the corresponding certificate files, enabling OpenSSL to quickly locate certificates based on their hash value.
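
An added example, not part of the original page or of OpenSSL: a Python audit of the directory structure described above, flagging hash-named entries that are plain files, dangling links, or links that resolve outside the directory. It assumes OpenSSL's `<8 hex digits>.<N>` link naming (`.rN` for CRLs); `audit_hashdir`, `build_sample_dir`, `allowed_roots` and the sample file names are hypothetical, and the check is structural only (it does not recompute subject hashes).

```python
import os
import re
import tempfile

# Assumed link naming: 8 hex digits of the subject name hash, a dot, then a
# sequence number (".rN" is the form used for CRLs).
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def audit_hashdir(directory, allowed_roots=()):
    """Return sorted (entry, finding) pairs for suspicious hash-named entries."""
    root = os.path.realpath(directory)
    allowed = [root] + [os.path.realpath(r) for r in allowed_roots]
    findings = []
    for name in os.listdir(root):
        if not HASH_NAME.match(name):
            continue
        path = os.path.join(root, name)
        if not os.path.islink(path):
            # c_rehash creates links; a plain file here arrived some other way.
            findings.append((name, "not a symlink"))
            continue
        target = os.path.realpath(path)  # follows chained links to the end
        if not os.path.exists(target):
            findings.append((name, "dangling link"))
        elif not any(os.path.commonpath([target, a]) == a for a in allowed):
            findings.append((name, "target outside directory"))
    return sorted(findings)


def build_sample_dir(base):
    """Constructed sample: one well-formed link and three entries to flag."""
    store = os.path.join(base, "certs")
    os.mkdir(store)
    outside = os.path.join(base, "other-ca.pem")
    for path in (os.path.join(store, "ca.pem"), outside,
                 os.path.join(store, "deadbeef.0")):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real certificate\n")
    os.symlink("ca.pem", os.path.join(store, "0a1b2c3d.0"))       # expected shape
    os.symlink("removed.pem", os.path.join(store, "0a1b2c3d.1"))  # target is gone
    os.symlink(outside, os.path.join(store, "1122aabb.0"))        # leaves the dir
    return store


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry, finding in audit_hashdir(build_sample_dir(tmp)):
            print(f"{entry}: {finding}")
```

On systems where the certificate files are themselves links into a separate CA directory, pass that directory in `allowed_roots` so only unexpected targets are reported.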

PERMISSIONS

Ensure the user running c_rehash has the necessary permissions to read the certificate files and create symbolic links in the target directory. Insufficient permissions can lead to errors during execution.

HISTORY

The c_rehash script was originally created to simplify the management of certificate directories used by OpenSSL. It addresses the need to create symbolic links based on subject name hashes, a requirement for many applications using OpenSSL for certificate verification. Over time, it has become a standard utility for OpenSSL administrators, automating a task that would otherwise be manual and error-prone. The command might have evolved in different distributions with minor modifications or added features, but its main purpose remains the same.

SEE ALSO

openssl(1), x509(1)
