How to generate hashed file names of certificates

OpenSSL needs hashed file names of server certificates. A hashed file name consists of a hash obtained from OpenSSL, followed by a numerical extension starting at 0.

During SSL negotiation OpenSSL receives a server certificate. It calculates the hash of the certificate and uses the hash to find the appropriate certificate file. For example, the hash of the vsign3 certificate might be 415660c1. OpenSSL then attempts to open the file named 415660c1.0. If that succeeds, OpenSSL compares the contents with the received server certificate. If they match, OpenSSL continues. Otherwise, OpenSSL attempts to open the file named 415660c1.1 and repeats the procedure. If in the end no matching certificate is found, the connection is refused. The hash of a certificate, in this case the vsign3 certificate, can be obtained with this command:

openssl x509 -hash -noout -in vsign3.pem

Note

Use version 1.0 or later of OpenSSL. The hashes of earlier versions of OpenSSL are incompatible with the version of the OpenSSL library linked to the bshell.

The first part 415660c1 of the hashed file name is the hash returned by the openssl command. The extension .0 of the hashed file name is there to support multiple certificates that have the same hash: one of them gets extension .0, the next gets extension .1, and so on.

The OpenSSL distribution may include the c_rehash script. This convenient Perl script creates hashed file names for all certificates in a given folder. For example, to create hashed file names for all certificates in the $BSE/security/certs/server folder, use this command:

c_rehash $BSE/security/certs/server

Ensure that the c_rehash script uses OpenSSL version 1.0 or later; otherwise unusable hash names are created. Set the environment variable OPENSSL to make c_rehash use a specific installation of OpenSSL.
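The lookup described above and the c_rehash step, as an added shell example that is not part of this documentation or of OpenSSL: it assumes the certificates are PEM files ending in .pem, and the CERT_HASH_CMD variable is an assumption of the example (not an OpenSSL setting) so that another hasher can be substituted for openssl.

```shell
#!/bin/sh
# Constructed example: create OpenSSL-style hashed file names (<hash>.N) for
# every certificate in a directory, giving certificates that share a hash the
# extensions .0, .1, .2 ..., and look a certificate up the way the text
# describes. CERT_HASH_CMD is an assumption of this example, not an OpenSSL
# variable: it lets a caller substitute another hasher for openssl.

# cert_hash FILE: print the hash used for the file name (openssl x509 -hash).
cert_hash() {
    ${CERT_HASH_CMD:-openssl x509 -hash -noout -in} "$1"
}

# rehash_dir DIR: for each *.pem in DIR, create the symlink <hash>.<n> pointing
# at it, where <n> is the lowest extension not yet used for that hash.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(cert_hash "$pem") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do   # extension taken: try the next one
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$h.$n"
        echo "$h.$n -> $(basename "$pem")"
    done
}

# find_cert DIR CERT: the lookup OpenSSL performs during negotiation: hash CERT,
# then try DIR/<hash>.0, DIR/<hash>.1, ... until a file with identical contents
# is found. Prints the matching path; returns 1 if no extension matches.
find_cert() {
    dir=$1
    cert=$2
    h=$(cert_hash "$cert") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        if cmp -s "$dir/$h.$n" "$cert"; then
            echo "$dir/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}
```

Running rehash_dir twice on the same folder creates a second link for every certificate, so clear old <hash>.N links first, as c_rehash does.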