c_rehash.1s

Updates OpenSSL's hash symlinks for certificate lookup

SYNOPSIS

c_rehash [options] [directory...]

PARAMETERS

-h, --help
    Displays a brief help message and exits.

-v, --verbose
    Enables verbose output, showing details of processed files and created links.

-n, --dry-run
    Performs a simulated run without making any actual changes to the filesystem, showing what would be done.

-old, --hash-compat
    Uses the old (MD5) hash algorithm for symbolic links, for compatibility with older OpenSSL versions.

-md5
    Explicitly forces the use of the MD5 hash algorithm for links (same as -old).

-sha1
    Explicitly forces the use of the SHA1 hash algorithm for links (default for modern OpenSSL).

DESCRIPTION

c_rehash is a utility script, usually written in Perl and distributed with OpenSSL, that manages the certificate symbolic links inside a directory so that OpenSSL can look certificates up by hash.

Its primary function is to scan one or more specified directories for certificate files (e.g., .pem, .crt) and create symbolic links whose names are derived from the subject hash of each certificate, followed by a sequence number (e.g., abcdef12.0, abcdef12.1). This hashing scheme allows OpenSSL-based applications, such as openssl verify or applications using OpenSSL for SSL/TLS, to efficiently locate and load trusted certificates or Certificate Authority (CA) certificates by their subject name hash without having to scan every file in a directory. It effectively builds an index for certificate lookups.

If a certificate already has a link, c_rehash ensures it points to the correct file; if the target file has changed or the link is stale, it updates it. This command is crucial for maintaining well-formed CA certificate directories, commonly found at locations like /etc/ssl/certs or /etc/pki/tls/certs, enabling robust SSL/TLS verification in Linux systems. It supports both older (MD5) and newer (SHA1) hash algorithms for compatibility.

CAVEATS

  • c_rehash requires write permissions on the specified directories to create or update symbolic links.
  • It depends on the openssl binary being accessible in the system's PATH.
  • As it is typically a Perl script, a Perl interpreter must be installed on the system.
  • Using the -old or -md5 options might be necessary for compatibility with very old systems but is generally not recommended for new deployments due to the weaker security of the MD5 hash algorithm.

HOW IT WORKS

c_rehash iterates through certificate files in specified directories. For each .pem, .crt, or similar certificate file, it extracts the X.509 subject name. It then calculates a cryptographic hash of this subject name (by default, SHA1; historically, MD5). This hash forms the base name for a symbolic link, followed by a .0 suffix (e.g., abcdef12.0). If multiple certificates share the same subject name hash, subsequent links are created with incrementing suffixes (.1, .2, etc.). The symbolic link then points to the original certificate file. This allows OpenSSL functions like X509_LOOKUP_add_dir() to find certificates by their hash, significantly speeding up certificate chain building and verification processes.
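The indexing procedure described above, as an added Python example; it is not the Perl script shipped with OpenSSL, only a re-implementation of its visible behaviour: stale hash links are removed, every certificate file gets a link named after its subject hash, same-hash certificates get incrementing suffixes, byte-identical duplicate files are skipped, and -n/-v style dry-run and verbose modes are supported. `openssl_subject_hash` shells out to `openssl x509 -subject_hash -noout -in FILE` (or `-subject_hash_old` for the MD5-era hash behind -old), which requires the openssl binary in PATH. The names `rehash_dir` and `demo`, the content-based duplicate check, and the constructed placeholder files are assumptions of this example; `demo()` injects a stand-in hash function so the logic can be exercised without openssl or real certificates.

```python
"""Re-implementation of c_rehash's indexing logic (added example, not OpenSSL's script)."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from typing import Callable, Dict

# File suffixes treated as certificates (c_rehash itself also handles .cer/.crl).
CERT_SUFFIXES = (".pem", ".crt", ".cer")
# Hash links look like abcdef12.0, abcdef12.1, ...: 8 hex digits, dot, sequence number.
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_subject_hash(path: str, old: bool = False) -> str:
    """Return the 8-hex-digit subject hash of a certificate via the openssl binary.
    old=True selects the MD5-based hash of OpenSSL 0.9.8 (what c_rehash -old uses)."""
    flag = "-subject_hash_old" if old else "-subject_hash"
    out = subprocess.run(["openssl", "x509", flag, "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


def _content_id(path: str) -> str:
    """Simplified duplicate check: c_rehash compares certificate fingerprints,
    this example compares the file bytes instead (assumption of the example)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def rehash_dir(directory: str, hash_fn: Callable[[str], str] = openssl_subject_hash,
               dry_run: bool = False, verbose: bool = False) -> Dict[str, str]:
    """Rebuild the hash links in `directory`; returns {link_name: target_file}."""
    # Step 1: drop every existing hash link so the index only reflects current files.
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if HASH_LINK_RE.match(name) and os.path.islink(full):
            if verbose:
                print(f"removing stale link {name}")
            if not dry_run:
                os.unlink(full)
    # Step 2: hash each certificate and hand out the next free suffix per hash.
    links: Dict[str, str] = {}
    next_suffix: Dict[str, int] = {}
    seen_contents = set()
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.islink(full) or not os.path.isfile(full):
            continue
        if not name.endswith(CERT_SUFFIXES):
            continue
        cid = _content_id(full)
        if cid in seen_contents:
            if verbose:
                print(f"skipping {name}: duplicate of an already indexed file")
            continue
        seen_contents.add(cid)
        h = hash_fn(full)
        n = next_suffix.get(h, 0)
        next_suffix[h] = n + 1
        link = f"{h}.{n}"
        links[link] = name
        if verbose:
            print(f"{name} => {link}")
        if not dry_run:
            # Relative target, as c_rehash creates, so the directory can be moved as a whole.
            os.symlink(name, os.path.join(directory, link))
    return links


def demo() -> dict:
    """Index a scratch directory of constructed (non-X.509) placeholder files with a
    stand-in hash function, first as a dry run, then for real."""
    d = tempfile.mkdtemp(prefix="rehash-demo-")
    files = {
        "root-a.pem": b"-- constructed placeholder cert A --",
        "root-b.pem": b"-- constructed placeholder cert B --",
        "zz-duplicate.pem": b"-- constructed placeholder cert A --",  # same bytes as root-a
        "README.txt": b"not a certificate",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    os.symlink("root-a.pem", os.path.join(d, "deadbeef.0"))  # stale link from an earlier run

    def fake_hash(path: str) -> str:
        return "abcdef12"  # pretend every cert shares one subject hash (collision case)

    preview = rehash_dir(d, hash_fn=fake_hash, dry_run=True)
    after_dry = sorted(n for n in os.listdir(d) if os.path.islink(os.path.join(d, n)))
    links = rehash_dir(d, hash_fn=fake_hash)
    after_real = sorted(n for n in os.listdir(d) if os.path.islink(os.path.join(d, n)))
    shutil.rmtree(d)
    return {"preview": preview, "dry": after_dry, "links": links, "real": after_real}


if __name__ == "__main__":
    print(demo())
```

The subject hash is only 32 bits (8 hex digits), so two unrelated CAs can collide; the numeric suffix is what keeps both reachable, and OpenSSL tries each suffix in turn during lookup. The dry run reports the links it would create but leaves the stale deadbeef.0 link in place; the real run removes it and writes abcdef12.0 and abcdef12.1.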

TYPICAL USAGE

This command is typically run after adding new CA certificates to a trusted store or after removing obsolete ones. For instance, after placing a new CA certificate in /etc/ssl/certs/, one would run c_rehash /etc/ssl/certs/ to ensure the new certificate is properly indexed and available for applications that rely on OpenSSL's hashed directory lookup.

HISTORY

c_rehash has been a fundamental part of the OpenSSL distribution for many years, serving as the canonical method for preparing certificate directories for efficient lookup. Its evolution primarily tracks changes in recommended cryptographic hash algorithms (e.g., the transition from MD5 to SHA1 for certificate subject hashing) and minor improvements in script robustness and command-line options. It remains a widely used utility due to its simplicity and effectiveness in maintaining the structure required by OpenSSL for certificate verification.

SEE ALSO

openssl(1), x509(1), certs(5), ssl(7)