I hadn't come across a hashed directory before and, having read the relevant
sections in the OpenSSL documentation (openssl -verify and x509 -hash), I
must admit it still doesn't make an awful lot of sense to me. I am working
on Windows so perhaps that is the cause of the problem (amongst many
others!) but can anyone enlighten me as to what a hashed directory is and
how to provide a hashed directory on Windows?

On a Unix system the usual practice is to make a symbolic link whose name is the hash value of the certificate Subject and that points to the actual certificate. Like this:

# ls -l
lrwxrwxrwx 1 root httpd   14 Mar 24 09:51 a0199d1b.0 -> inter.cert.pem
lrwxrwxrwx 1 root httpd   14 Mar 24 09:51 bc3a0aa7.0 -> ssign.cert.pem
-r--r----- 1 root httpd 1732 Mar 24 09:45 inter.cert.pem
-r--r----- 1 root httpd 1720 Mar 17 15:43 root.cert.pem
-r--r----- 1 root httpd 1789 Mar 24 09:45 ssign.cert.pem

That way, when constructing a certificate chain, the software can
compute the hash of the Issuer of the lower certificate and then
find the upper certificate by searching for that hash, as a file name.

If Windows doesn't have links, I don't see any reason why you could
not either duplicate the file or just rename the file as the hash
(though you would lose readability).

The hash value can be computed by

% openssl x509 -noout -hash -in inter.cert.pem
a0199d1b


See also:


http://cert.umd.edu/spickdoc?apache

http://www.ssl.com/support/installation.jsp - (note right column links)
http://www.apache.org
http://www.openssl.org

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
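
The copy-instead-of-link approach described above, as an added example that is not part of the original message. It assumes a POSIX shell with openssl on the PATH (on Windows, for instance Cygwin or MSYS); the function names hash_dir and find_issuer are hypothetical. It also covers certificates that share a Subject hash, which get the suffixes .0, .1 and so on.

```shell
#!/bin/sh
# Added example: build an OpenSSL hashed directory from copies, not symlinks.
# Usage after sourcing: hash_dir ./certs ./ca && find_issuer leaf.pem ./ca

# hash_dir SRC DST: copy each SRC/*.pem to DST/<subject-hash>.<n>
hash_dir() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 1
    for cert in "$src"/*.pem; do
        [ -f "$cert" ] || continue
        h=$(openssl x509 -noout -hash -in "$cert") || {
            echo "skipping $cert: openssl could not read it" >&2
            continue
        }
        # Different certificates can share a Subject hash, so the suffix
        # counts up: <hash>.0, <hash>.1, ...
        n=0
        while [ -e "$dst/$h.$n" ]; do
            # Same bytes already stored under this name: nothing to add.
            cmp -s "$cert" "$dst/$h.$n" && continue 2
            n=$((n + 1))
        done
        cp "$cert" "$dst/$h.$n" || return 1
        echo "$h.$n <- ${cert##*/}"
    done
    return 0
}

# find_issuer CERT DIR: list the hashed files that could hold CERT's issuer,
# i.e. those named after the hash of CERT's Issuer field. Returns 1 if none.
find_issuer() {
    ih=$(openssl x509 -noout -issuer_hash -in "$1") || return 1
    found=1
    for cand in "$2/$ih".*; do
        [ -f "$cand" ] || continue
        echo "$cand"
        found=0
    done
    return "$found"
}
```

Unlike links, copies go stale when a certificate file is replaced, so rerun hash_dir after any change. The resulting directory is the kind that `openssl verify -CApath` searches.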