Hitachi

uCosminexus Application Server HTTP Server User Guide


5.2.8 Creating a hash link (in UNIX) (openssl.sh x509 command)

To perform a certificate validity check, specify the certificate of the issuing CA in the SSLCACertificateFile directive or the SSLCACertificatePath directive. For the SSLCACertificatePath directive, specify the directory that stores the symbolic links (hash links), each of which is named with a hash value and points to the certificate of an issuing CA. The hash value is created by using the openssl.sh x509 command.

If the SSLCACertificatePath directive is specified, the certificate search can be performed efficiently on the Web server by using the hash value. If there are many CA certificates, we recommend that you specify the SSLCACertificatePath directive rather than the SSLCACertificateFile directive. Note that one hash value must be assigned per certificate, so you cannot specify a file with multiple certificates when creating the hash link.

When generating the symbolic link in the hash link directory specified in the SSLCACertificatePath directive, you must append .0 to the hash value to form the link name. Grant read and execute permissions on the directory specified in the SSLCACertificatePath directive so that the user specified in the User and Group directives can access it.

(1) Format

openssl.sh x509 -noout -hash -in CA-certificate-file

(2) Parameter

(3) Usage example

The following example creates a hash link, using this directory and file:

/opt/hitachi/httpsd/conf/ssl/cacerts: Hash link directory

/opt/hitachi/httpsd/conf/ssl/cacert/cacert.pem: Certificate of the CA

cd /opt/hitachi/httpsd/conf/ssl/cacerts
ln -s /opt/hitachi/httpsd/conf/ssl/cacert/cacert.pem `openssl.sh x509 -noout -hash -in /opt/hitachi/httpsd/conf/ssl/cacert/cacert.pem`.0

This creates the xxxxxxxx.0 hash link for /opt/hitachi/httpsd/conf/ssl/cacert/cacert.pem.
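
The usage example above links a single certificate. As an added example (not part of the Hitachi guide), the following script applies the same command to every *.pem file in a directory, skips files that hold more than one certificate, and never overwrites an existing link. The function name make_hash_links and the OPENSSL_CMD variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Hitachi's own tooling.
# Assumption: OPENSSL_CMD names openssl.sh (on PATH or as a full path).
OPENSSL_CMD=${OPENSSL_CMD:-openssl.sh}

# make_hash_links SRC_DIR LINK_DIR   (pass absolute paths so link targets resolve)
# Links each single-certificate *.pem file in SRC_DIR as LINK_DIR/<hash>.0.
# Returns 0 if every file was linked, 1 if any file was skipped.
make_hash_links() {
    src_dir=$1
    link_dir=$2
    rc=0
    for cert in "$src_dir"/*.pem; do
        [ -f "$cert" ] || continue
        # One hash value per certificate: skip files that hold several.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
        if [ "${count:-0}" -ne 1 ]; then
            echo "skip $cert: ${count:-0} certificates in file" >&2
            rc=1
            continue
        fi
        if ! hash=$("$OPENSSL_CMD" x509 -noout -hash -in "$cert"); then
            echo "skip $cert: hash calculation failed" >&2
            rc=1
            continue
        fi
        link="$link_dir/$hash.0"
        if [ -L "$link" ] || [ -e "$link" ]; then
            # Already linked to this file: nothing to do.
            [ "$(readlink "$link")" = "$cert" ] && continue
            # Never silently replace a link that points somewhere else.
            echo "skip $cert: $link already exists" >&2
            rc=1
            continue
        fi
        ln -s "$cert" "$link"
        echo "linked $link -> $cert"
    done
    return "$rc"
}

# Run only when called with both directories as arguments.
if [ "$#" -eq 2 ]; then
    make_hash_links "$1" "$2"
fi
```

A non-zero return means at least one file needs attention; the reason for each skipped file is written to standard error.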