diff --git a/CHANGES b/CHANGES
index 66e812c8091dff244c135fc2b8134b66440663be..ea5162d78c11d29a56cdd7319677e3c733cb2eaf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
 
  Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]
 
+  *) Enhance the hash format used for certificate directory links. The new
+     form uses the canonical encoding (meaning equivalent names will work
+     even if they aren't identical) and uses SHA1 instead of MD5. This form
+     is incompatible with the older format and as a result c_rehash should
+     be used to rebuild symbolic links.
+     [Steve Henson]
+
   *) Make PKCS#8 the default write format for private keys, replacing the
      traditional format. This form is standardised, more secure and doesn't
      include an implicit MD5 dependency.
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 62e01b1ff5e554ecc692d24dc751b28d34be872c..e779c334e5bf07a95528f271de4f02814f513724 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -963,6 +963,7 @@ unsigned long	X509_subject_name_hash(X509 *x);
 int		X509_cmp(const X509 *a, const X509 *b);
 int		X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long	X509_NAME_hash(X509_NAME *x);
+unsigned long	X509_NAME_hash_old(X509_NAME *x);
 
 int		X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 int		X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 180dedc7faca45612c00b8348c5e24e3348b3b98..ee234b04ad1689ba6eebf3379460cafd8fa1cc67 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -198,11 +198,27 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 
 	}
 
+unsigned long X509_NAME_hash(X509_NAME *x)
+	{
+	unsigned long ret=0;
+	unsigned char md[16];
+
+	/* Make sure X509_NAME structure contains valid cached encoding */
+	i2d_X509_NAME(x,NULL);
+	EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
+
+	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+		)&0xffffffffL;
+	return(ret);
+	}
+
 
 #ifndef OPENSSL_NO_MD5
 /* I now DER encode the name and hash it.  Since I cache the DER encoding,
  * this is reasonably efficient. */
-unsigned long X509_NAME_hash(X509_NAME *x)
+
+unsigned long X509_NAME_hash_old(X509_NAME *x)
 	{
 	unsigned long ret=0;
 	unsigned char md[16];