# OpenSSL CA certificates in /etc/ssl/certs/*

## eccerr0r

How are the files in there accessed in general?  Is there another list/database that points to these files?

It seems the names of the files are arbitrary.  And the symlinks?  What are they for?

There are a bunch of files:

descriptive_name.pem

(32-bit hex number).0

I suspect the 32-bit hex number is some sort of hash... How is this hash generated?  Are the descriptive_names ever used or are they always indexed by the hash.0 file?

Have the contents of the directory or database changed from older OpenSSL?  Implementation specific?  Other SSL implementations?

Root problem:  I have an ancient Linux using OpenSSL 0.9.8 I believe.  The CA certificates in this directory are... shall we say... old.  I wonder if it's possible to update the certificates by copying updated ones into the certificate directory manually?

As this is not a Gentoo box I think I may have misplaced this post, but I am planning to copy the CA certificates from a Gentoo box to this machine...

----------

## Princess Nell

Yes, that hash has changed. See x509(1ssl) for details (HISTORY section). For details on the computation, see the OpenSSL source code. Or take a look at https://stackoverflow.com/questions/30261296/generate-subject-hash-of-x509certificate-in-java for an overview description. If you want to regenerate the hash directory for the old version, you may need to use c_rehash on the old box, or regenerate the directory on the new box (preferably into a temp location) using openssl's -subject_hash_old option. See also c_rehash(1ssl).

----------
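Added example, not part of the thread and not OpenSSL's own code: a Python sketch of the old-style subject hash that `-subject_hash_old` refers to, taken here to be MD5 over the DER-encoded subject Name with the first four digest bytes read little-endian, plus `hash.N` link naming modelled on c_rehash. All function names are hypothetical, and the sample "certificate" is a constructed DER skeleton, not a real or valid certificate.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def subject_der(cert):
    """Return the DER bytes (header included) of the subject Name."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # TBSCertificate ::= SEQUENCE
    tag, _, after = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = after
    for _field in range(4):              # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return cert[pos:end]

def subject_hash_old(cert):
    """Old-style hash (assumed algorithm, see lead-in) as 8 hex digits."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def link_names(certs):
    """Map link name 'hash.N' -> file name; N separates files sharing a hash."""
    links, seen = {}, {}
    for fname in sorted(certs):
        h = subject_hash_old(certs[fname])
        links["%s.%d" % (h, seen.get(h, 0))] = fname
        seen[h] = seen.get(h, 0) + 1
    return links

# --- constructed sample data: certificate-shaped DER, not a valid certificate ---
def der(tag, body):
    n = len(body)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + body

def name(cn):                            # Name with a single commonName (OID 2.5.4.3)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))

def sample_cert(cn, serial=1, issuer="Constructed Issuer"):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(cn) + der(0x30, b""))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real file holding a single PEM block, `ssl.PEM_cert_to_DER_cert()` yields the DER bytes these functions take; check the result against `openssl x509 -subject_hash_old -noout` on one certificate before relying on it.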

