PR: 2136

Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0

1 files changed, 16 insertions, 0 deletions

diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 09aaed421e..3002b08123 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name.
 
 synonym for "-subject_hash" for backward compatibility reasons.
 
+=item B<-subject_hash_old>
+
+outputs the "hash" of the certificate subject name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
+=item B<-issuer_hash_old>
+
+outputs the "hash" of the certificate issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-subject>
 
 outputs the subject name.
@@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)>
 
 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
 
+The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
+before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
+canonical version of the DN using SHA1. This means that any directories using
+the old form must have their links rebuilt using B<c_rehash> or similar. 
+
 =cut