On 1 Feb 2018, at 11:46, Viktor Dukhovni wrote:

> On Feb 1, 2018, at 11:43 AM, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
>
>> The "c_rehash" tool is an OpenSSL utility that generates symlinks in a directory full of certificate files such that each symlink name is derived from a cryptographic hash of the "Subject" of the certificate file to which it points. This is to support rapid identification of trusted certificates cited as the "Issuer" of a certificate being verified. If your OpenSSL is properly installed, you can get all the details from 'man c_rehash' and if not, you can see the man page for v1.0.2 at https://www.openssl.org/docs/man1.0.2/apps/c_rehash.html.
>
> Good clarification, thanks.  I just want to emphasize that
> the "directory full of certificate files" needs to have one
> certificate per file, as only the first certificate in each
> file is processed by c_rehash.  There's not much point in
> using CApath if all the certificates are in the same file,
> so that's not supported.

Yes, that's an important point.

If one has a bundle of certs in one file, one can do something like this to split them into single-cert files (assuming you have GNU csplit):

csplit -f ca-cert -b '.%03d.pem' curl-ca-bundle.crt '/END CERTIFICATE/+1' {*}
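As an added example (not part of this thread, and not OpenSSL's own c_rehash), the POSIX shell script below does the two things discussed above in one pass: it splits a bundle such as curl-ca-bundle.crt into one-certificate files without leaving an empty trailing file, and then creates the subject-hash symlinks that a CApath lookup expects, bumping the suffix on a hash collision the way c_rehash does. The helper names (split_bundle, rehash_dir, make_test_bundle), the ca-cert.NNN.pem naming, and the throwaway self-signed certificates it generates are assumptions of this example; the "openssl x509 -subject_hash" option is a real one. The sample bundle is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Assumes POSIX sh
# and awk; the symlink step also needs the openssl command line tool.
# All file names below are constructed for this example.

# split_bundle BUNDLE OUTDIR
# Copies every "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
# block in BUNDLE to OUTDIR/ca-cert.NNN.pem (NNN starting at 001). Text
# outside the markers (the "# name" comment lines in curl's bundle) is
# dropped, and no empty trailing file is produced. Prints the file count.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/ca-cert.%03d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_dir DIR
# Removes stale HASH.N links, then for each *.pem file computes the OpenSSL
# subject-name hash and links HASH.N -> file, incrementing N when two
# certificates share a hash (as c_rehash does). Like c_rehash, this sees
# only the first certificate in each file, since that is all "openssl x509"
# reads. Prints the number of links created.
rehash_dir() {
    dir=$1; links=0
    for l in "$dir"/*.[0-9]*; do
        if [ -L "$l" ]; then rm -f "$l"; fi
    done
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$f") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$dir/$hash.$n"
        links=$((links + 1))
    done
    echo "$links"
}

# make_test_bundle OUT
# Writes a constructed two-certificate bundle in curl's layout: a comment
# line naming each CA followed by its PEM block. With openssl available the
# certificates are freshly generated throwaway self-signed roots; otherwise
# placeholder PEM blocks are written, which split_bundle handles but
# rehash_dir (which needs real certificates) does not.
make_test_bundle() {
    out=$1
    : > "$out"
    for cn in "Example Root A" "Example Root B"; do
        printf '# %s\n' "$cn" >> "$out"
        if command -v openssl >/dev/null 2>&1; then
            openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
                -subj "/CN=$cn" -days 1 2>/dev/null >> "$out"
        else
            printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
                "PLACEHOLDER (constructed, not a certificate) $cn" \
                '-----END CERTIFICATE-----' >> "$out"
        fi
    done
    rm -f "$out.key"
}

# Stand-alone demonstration on a constructed bundle in a temporary directory.
main() {
    work=$(mktemp -d)
    make_test_bundle "$work/curl-ca-bundle.crt"
    count=$(split_bundle "$work/curl-ca-bundle.crt" "$work/certs")
    echo "wrote $count single-certificate files to $work/certs"
    if command -v openssl >/dev/null 2>&1; then
        links=$(rehash_dir "$work/certs")
        echo "created $links hash links:"
        ls -l "$work/certs"
    fi
}

main "$@"
```

If a file in the directory holds several certificates, only its first one gets a link, which is exactly the limitation Viktor describes for c_rehash and the reason the split step matters. On OpenSSL 1.1.0 and later the built-in "openssl rehash" command does the linking step for you; the split step is still needed.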
