On Thu, Jun 19, 2008 at 11:31:39PM -0700, Sendroiu Eugen wrote:
> If the files are stored locally in a directory, then you can specify to
> the CTX the hash directory ( X509_STORE_load_locations(store,hashdir,rootfile) ),
> but you need to name your certificate file(s) with the hash of the subject
> name of the certificate. Or you could implement your own method: for each
> file in directory, read it into X509 and compare issuer name, serial number
> and hash value, but this is exactly what openssl does with hashdir :)
>
This is done (somewhat non-optimally) by c_rehash(1). And the links are
hash.<N> where N>0 happens when two CAs have the same issuer DN hash.

When I say "non-optimally", I mean that c_rehash(1) will first delete all
the symlinks (even the ones it does not need to change) and then re-create
them all. This means you cannot run c_rehash on a live system. The script
can and should easily be changed to leave valid links intact:

- Scan the current hash.<N> links and CA certs, noting which are paired
  properly and which are not.
- Delete all links that are orphaned or whose CA cert has changed.
- Create new links for CA certs that don't have a valid link, using the
  lowest unused "N".

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
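The three-step incremental rehash Viktor sketches above, worked through as an added example (not code from this thread and not OpenSSL's own c_rehash). The script scans the existing hash.<N> links, removes only the ones that are orphaned, stale or duplicates, and links the remaining CA files under the lowest free N, so a valid link is never missing while the directory is in use. It assumes c_rehash-style relative symlinks and, for real directories, the `openssl x509 -noout -hash` output; `demo()` swaps in a constructed first-line hash so the walk-through runs offline without real certificates, and the function names here (`rehash_incremental`, `openssl_subject_hash`, `demo`) are my own.

```python
import hashlib
import os
import re
import subprocess
import tempfile
from pathlib import Path

# c_rehash-style link names: eight hex digits, a dot, an index N >= 0.
LINK_RE = re.compile(r"^([0-9a-f]{8})\.(\d+)$")
CERT_SUFFIXES = {".pem", ".crt", ".cer"}


def openssl_subject_hash(cert_path):
    """Subject-name hash as printed by `openssl x509 -noout -hash`.
    Needs the openssl binary on PATH; the hash algorithm is whatever the
    installed OpenSSL uses for its hash directories."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-hash", "-in", str(cert_path)],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def rehash_incremental(hashdir, hash_of=openssl_subject_hash):
    """Bring the hash.<N> links in `hashdir` up to date without touching
    links that are already correct. Returns what was kept/removed/created."""
    d = Path(hashdir)

    # Collect CA cert files and the hash each one should be linked under.
    wanted = {}
    for p in sorted(d.iterdir()):
        if p.is_file() and not p.is_symlink() and p.suffix in CERT_SUFFIXES:
            wanted[p.name] = hash_of(p)

    # Step 1 + 2: scan existing links. A link is valid only if its target is a
    # cert still present here whose hash still matches the link's prefix and
    # which no earlier link already covers; everything else is deleted.
    kept, removed = set(), []
    for p in sorted(d.iterdir()):
        m = LINK_RE.match(p.name)
        if not (p.is_symlink() and m):
            continue
        target = os.path.basename(os.readlink(p))  # c_rehash links are relative
        if wanted.get(target) == m.group(1) and target not in kept:
            kept.add(target)
        else:
            p.unlink()
            removed.append(p.name)

    # Step 3: link every cert without a valid link under the lowest free N
    # for its hash (N > 0 only when two CAs share a subject-name hash).
    created = []
    for name, h in wanted.items():
        if name in kept:
            continue
        n = 0
        while os.path.lexists(d / f"{h}.{n}"):
            n += 1
        os.symlink(name, d / f"{h}.{n}")
        created.append(f"{h}.{n}")

    return {"kept": sorted(kept), "removed": sorted(removed), "created": sorted(created)}


def demo():
    """Constructed scenario (no real certificates): the first line of each file
    stands in for the subject name, so two files with the same first line
    collide just like two CAs with the same subject-name hash."""
    def fake_hash(p):
        return hashlib.sha1(p.read_bytes().split(b"\n")[0]).hexdigest()[:8]

    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ca1.pem").write_bytes(b"subject: One\nkey: 1")
        (d / "ca2.pem").write_bytes(b"subject: Two\nkey: 2")
        (d / "ca3.pem").write_bytes(b"subject: Shared\nkey: 3")
        (d / "ca4.pem").write_bytes(b"subject: Shared\nkey: 4")
        h1 = fake_hash(d / "ca1.pem")
        os.symlink("ca1.pem", d / f"{h1}.0")      # valid link: must survive untouched
        os.symlink("ca2.pem", d / "00000000.0")   # stale: ca2's hash no longer matches
        os.symlink("gone.pem", d / "ffffffff.0")  # orphan: the CA file was removed
        first = rehash_incremental(d, hash_of=fake_hash)
        second = rehash_incremental(d, hash_of=fake_hash)  # second pass: no churn
        return first, second


if __name__ == "__main__":
    for label, result in zip(("first run", "second run"), demo()):
        print(label, result)
```

On the first pass only the stale and orphaned links go away, the good link for ca1.pem is kept, and ca3/ca4 end up as hash.0 and hash.1 because they share a hash; the second pass changes nothing, which is the property that makes it safe on a live system.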