Add manual for openssl(1) certhash

ok jmc@
author: inoguchi <> 2020-07-14 09:46:17 +0000
committer: inoguchi <> 2020-07-14 09:46:17 +0000
commit: 1a62e4f82836c16074b9e88e16ff84e51ea3c642 (patch)
tree: c6db5b451a593e3afa5bc484bc1884619dce2df5 /src
parent: d504e61a409f63f8ce6c117fe828cd0babb37589 (diff)
download: openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.tar.gz
openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.tar.bz2
openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.zip
1 files changed, 57 insertions, 2 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 7b446f4141..75ef2dc17f 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.122 2020/05/13 10:19:25 inoguchi Exp $
+.\" $OpenBSD: openssl.1,v 1.123 2020/07/14 09:46:17 inoguchi Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: May 13 2020 $
+.Dd $Mdocdate: July 14 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -847,6 +847,61 @@ The default value is
 The same as
 .Fl extensions .
 .El
+.Tg certhash
+.Sh CERTHASH
+.Bl -hang -width "openssl certhash"
+.It Nm openssl certhash
+.Bk -words
+.Op Fl nv
+.Ar dir ...
+.Ek
+.El
+.Pp
+The
+.Nm certhash
+command calculates a hash value of
+.Qq .pem
+file in the specified directory list and creates symbolic links for each file,
+where the name of the link is the hash value.
+See the
+.Xr SSL_CTX_load_verify_locations 3
+manual page for how hash links are used.
+.Pp
+The links created are of the form
+.Qq HHHHHHHH.D ,
+where each
+.Sq H
+is a hexadecimal character and
+.Sq D
+is a single decimal digit.
+The hashes for CRLs look similar, except the letter
+.Sq r
+appears after the period, like this:
+.Qq HHHHHHHH.rD .
+When processing a directory,
+.Nm certhash
+will first remove all links that have a name in that syntax and invalid
+reference.
+.Pp
+Multiple objects may have the same hash; they will be indicated by
+incrementing the
+.Sq D
+value.
+Duplicates are found by comparing the full SHA256 fingerprint.
+A warning will be displayed if a duplicate is found.
+.Pp
+A warning will also be displayed if there are files that cannot be parsed as
+either a certificate or a CRL.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl n
+Perform a dry-run, and do not make any changes.
+.It Fl v
+Print extra details about the processing.
+.It Ar dir ...
+Specify the directories to process.
+.El
 .Tg ciphers
 .Sh CIPHERS
 .Nm openssl ciphers
author	inoguchi <>	2020-07-14 09:46:17 +0000
committer	inoguchi <>	2020-07-14 09:46:17 +0000
commit	1a62e4f82836c16074b9e88e16ff84e51ea3c642 (patch)
tree	c6db5b451a593e3afa5bc484bc1884619dce2df5 /src
parent	d504e61a409f63f8ce6c117fe828cd0babb37589 (diff)
download	openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.tar.gz openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.tar.bz2 openbsd-1a62e4f82836c16074b9e88e16ff84e51ea3c642.zip

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 7b446f4141..75ef2dc17f 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.122 2020/05/13 10:19:25 inoguchi Exp $	1	.\" $OpenBSD: openssl.1,v 1.123 2020/07/14 09:46:17 inoguchi Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: May 13 2020 $	113	.Dd $Mdocdate: July 14 2020 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -847,6 +847,61 @@ The default value is
847	The same as	847	The same as
848	.Fl extensions .	848	.Fl extensions .
849	.El	849	.El
		850	.Tg certhash
		851	.Sh CERTHASH
		852	.Bl -hang -width "openssl certhash"
		853	.It Nm openssl certhash
		854	.Bk -words
		855	.Op Fl nv
		856	.Ar dir ...
		857	.Ek
		858	.El
		859	.Pp
		860	The
		861	.Nm certhash
		862	command calculates a hash value of
		863	.Qq .pem
		864	file in the specified directory list and creates symbolic links for each file,
		865	where the name of the link is the hash value.
		866	See the
		867	.Xr SSL_CTX_load_verify_locations 3
		868	manual page for how hash links are used.
		869	.Pp
		870	The links created are of the form
		871	.Qq HHHHHHHH.D ,
		872	where each
		873	.Sq H
		874	is a hexadecimal character and
		875	.Sq D
		876	is a single decimal digit.
		877	The hashes for CRLs look similar, except the letter
		878	.Sq r
		879	appears after the period, like this:
		880	.Qq HHHHHHHH.rD .
		881	When processing a directory,
		882	.Nm certhash
		883	will first remove all links that have a name in that syntax and invalid
		884	reference.
		885	.Pp
		886	Multiple objects may have the same hash; they will be indicated by
		887	incrementing the
		888	.Sq D
		889	value.
		890	Duplicates are found by comparing the full SHA256 fingerprint.
		891	A warning will be displayed if a duplicate is found.
		892	.Pp
		893	A warning will also be displayed if there are files that cannot be parsed as
		894	either a certificate or a CRL.
		895	.Pp
		896	The options are as follows:
		897	.Bl -tag -width Ds
		898	.It Fl n
		899	Perform a dry-run, and do not make any changes.
		900	.It Fl v
		901	Print extra details about the processing.
		902	.It Ar dir ...
		903	Specify the directories to process.
		904	.El
850	.Tg ciphers	905	.Tg ciphers
851	.Sh CIPHERS	906	.Sh CIPHERS
852	.Nm openssl ciphers	907	.Nm openssl ciphers