AlmaLinuxRHEL Based

How To Install OpenSSL on AlmaLinux 10

Install OpenSSL on AlmaLinux 10

OpenSSL stands as the cornerstone of secure communications across the internet, providing essential cryptographic functions that protect sensitive data transmission. As enterprises migrate to AlmaLinux 10, understanding how to properly install and configure OpenSSL becomes crucial for maintaining robust security infrastructure. This comprehensive guide walks through multiple installation methods, configuration best practices, and troubleshooting techniques to ensure your AlmaLinux 10 system leverages OpenSSL’s full cryptographic capabilities. Whether deploying web servers, securing email services, or managing VPN connections, mastering OpenSSL installation lays the foundation for enterprise-grade security.

Understanding OpenSSL and Its Role

OpenSSL functions as both a cryptographic library and a versatile command-line toolkit that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. These protocols secure network communications by encrypting data transmitted between clients and servers. The toolkit provides essential functionalities including certificate generation, key management, encryption operations, and digital signature creation. Modern applications rely on OpenSSL for securing web traffic through HTTPS, protecting email communications via SMTPS and IMAPS, and establishing secure VPN tunnels.

AlmaLinux 10 ships with OpenSSL version 3.5.0 by default, representing a significant advancement over the legacy 1.1.1 series. The 3.x series introduces enhanced security algorithms, improved performance optimizations, and a modernized provider architecture that separates cryptographic implementations. Understanding these architectural changes helps system administrators leverage new capabilities while maintaining backward compatibility with existing applications. Organizations benefit from staying current with OpenSSL versions to protect against emerging vulnerabilities and utilize cutting-edge encryption standards.

Prerequisites Before Installation

Before proceeding with OpenSSL installation on AlmaLinux 10, ensure your system meets specific requirements. Root or sudo privileges are mandatory for installing system packages and modifying configuration files. An active internet connection enables downloading packages from official repositories or source code archives. Basic familiarity with Linux command-line operations streamlines the installation process and reduces potential errors.

System administrators should verify their AlmaLinux 10 installation is current by running system updates before beginning. Creating system backups or snapshots provides a safety net for reverting changes if complications arise during installation. Having at least 2GB of free disk space accommodates both package installations and source compilation if choosing that route. Document your current OpenSSL version if one exists to track changes and verify successful upgrades.

Method 1: Installing OpenSSL via DNF Package Manager

The DNF package manager offers the most straightforward approach for installing OpenSSL on AlmaLinux 10. This method ensures automatic dependency resolution, seamless security updates through the system package manager, and minimal configuration overhead.

Step 1: Update System Packages

Begin by refreshing package repositories and updating existing system packages. Open your terminal and execute the following command:

sudo dnf update -y

This command contacts AlmaLinux repositories, downloads package metadata, and upgrades any outdated software. The -y flag automatically confirms prompts, streamlining the update process. Wait for completion, which typically takes 2-5 minutes depending on internet speed and pending updates. Updating ensures compatibility between new OpenSSL packages and existing system libraries.

Step 2: Install OpenSSL Using DNF

Install OpenSSL along with development libraries using a single comprehensive command:

sudo dnf install openssl openssl-libs openssl-devel -y

This command installs three essential packages. The openssl package provides the command-line utility for cryptographic operations. The openssl-libs package contains shared libraries that applications link against for SSL/TLS functionality. The openssl-devel package includes header files and development tools necessary for compiling software that depends on OpenSSL.

DNF automatically resolves and installs dependencies like zlib compression libraries and Perl modules required for OpenSSL operations. The installation process typically completes within 1-2 minutes on modern systems. Monitor the output for any error messages indicating repository connectivity issues or package conflicts.

Step 3: Verify Installation

Confirm successful installation by checking the OpenSSL version:

openssl version -a

This command displays comprehensive version information including the OpenSSL version number, compilation date, build flags, and directory paths. AlmaLinux 10 systems typically show OpenSSL 3.5.0 or newer. The output also reveals the platform identifier, compiler details, and enabled cryptographic algorithms.

Additional verification commands include:

which openssl
rpm -qa | grep openssl

The which command shows the binary location, typically /usr/bin/openssl. The rpm query lists all installed OpenSSL-related packages with version numbers, confirming complete package installation.

Understanding Installed Components

The DNF installation places OpenSSL components across multiple system directories. The primary binary resides at /usr/bin/openssl, providing command-line access to cryptographic functions. Shared libraries install to /usr/lib64/ directory, allowing applications to dynamically link OpenSSL functionality. Header files for development work appear in /usr/include/openssl/, enabling compilation of software utilizing OpenSSL APIs.

The main configuration file lives at /etc/pki/tls/openssl.cnf, defining default behaviors for certificate generation, cryptographic algorithms, and security policies. This centralized configuration allows system-wide SSL/TLS parameter adjustments. Documentation and manual pages install automatically, accessible through the man openssl command for comprehensive reference material covering all OpenSSL utilities and options.

Method 2: Installing OpenSSL from Source

Compiling OpenSSL from source provides access to the absolute latest versions, enables custom configuration options, and allows optimization for specific hardware architectures. This method requires more technical expertise but delivers maximum flexibility.

When to Compile from Source

Source compilation suits scenarios where bleeding-edge features are required, custom cryptographic providers need integration, or specific compliance requirements demand particular OpenSSL versions. Development environments benefit from source installations when testing applications against multiple OpenSSL versions. However, source installations require manual security update monitoring since they bypass system package management.

The trade-offs include increased maintenance overhead, longer initial installation time, and responsibility for tracking security advisories. Weigh these factors against your specific needs before choosing source compilation over package management installation.

Step 1: Install Development Tools and Dependencies

Prepare your build environment by installing compilation tools:

sudo dnf groupinstall "Development Tools" -y
sudo dnf install perl-core zlib-devel wget -y

The “Development Tools” group package includes essential compilers (GCC), make utilities, and build automation tools. Perl-core provides scripting support required during OpenSSL’s configuration phase. The zlib-devel package enables compression support within OpenSSL. These packages collectively provide the complete toolchain for compiling complex software projects.

Installation of development tools typically requires 200-300MB of disk space and completes within 3-5 minutes on standard internet connections. Verify successful installation by running gcc --version to confirm compiler availability.

Step 2: Download OpenSSL Source Code

Navigate to a suitable directory for downloading and extracting source code:

cd /usr/local/src
sudo wget https://github.com/openssl/openssl/releases/download/openssl-3.6.0/openssl-3.6.0.tar.gz

This downloads the OpenSSL 3.5.0 source archive from the official OpenSSL website. The /usr/local/src directory conventionally stores locally compiled software sources. For enhanced security, download the corresponding SHA256 checksum file and verify archive integrity:

sudo wget https://github.com/openssl/openssl/releases/download/openssl-3.6.0/openssl-3.6.0.tar.gz.sha256
sha256sum -c openssl-3.6.0.tar.gz.sha256

Extract the downloaded archive:

sudo tar -xzf openssl-3.6.0.tar.gz
cd openssl-3.6.0

The extraction creates a directory containing complete OpenSSL source code, documentation, and build scripts.

Step 3: Configure the Build

Configure OpenSSL with custom installation paths and compilation options:

sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib

Understanding these configuration flags optimizes your installation. The --prefix=/usr/local/ssl parameter sets the installation directory for binaries, libraries, and includes. The --openssldir=/usr/local/ssl specifies where OpenSSL stores configuration files and certificates. The shared option builds shared libraries alongside static libraries, enabling efficient memory usage when multiple applications use OpenSSL. The zlib flag enables compression support for SSL/TLS connections, reducing bandwidth consumption.

The configuration script detects your system architecture, available compilers, and optimal compilation settings. Review the output for any warnings about missing dependencies or unsupported features. The configuration phase typically completes within 30 seconds.

Step 4: Compile and Test OpenSSL

Compile the configured source code:

sudo make

Compilation transforms human-readable source code into executable binaries and libraries. This CPU-intensive process takes 5-15 minutes depending on system performance. Modern multi-core systems benefit from parallel compilation using make -j$(nproc) to utilize all available processor cores.

Run OpenSSL’s comprehensive test suite:

sudo make test

The test suite validates cryptographic algorithm implementations, verifies SSL/TLS protocol handling, and checks certificate operations. All tests should pass successfully. Any failures indicate compilation issues requiring investigation before proceeding. Testing adds 3-5 minutes but ensures reliability of your OpenSSL installation.

Step 5: Install Compiled OpenSSL

Install the compiled binaries and libraries:

sudo make install

This copies binaries to /usr/local/ssl/bin/, libraries to /usr/local/ssl/lib64/, and configuration files to /usr/local/ssl/. The installation preserves your system’s package-managed OpenSSL, allowing both versions to coexist. Verify installation by checking the new binary:

/usr/local/ssl/bin/openssl version

Post-Installation Configuration

Proper configuration ensures system-wide accessibility and optimal functionality of your newly installed OpenSSL.

Configuring Shared Libraries

Create a library configuration file for the dynamic linker:

sudo nano /etc/ld.so.conf.d/openssl-3.6.0.conf

Add the OpenSSL library path:

/usr/local/ssl/lib64

Save the file and reload the dynamic linker cache:

sudo ldconfig -v

This command updates the system’s shared library database, making OpenSSL libraries available to applications. Verify proper loading by checking ldconfig output for references to /usr/local/ssl/lib64. Without this configuration, applications fail to locate OpenSSL libraries, generating “cannot open shared object file” errors.

Updating PATH Environment Variable

Make OpenSSL binaries easily accessible system-wide. Create a profile script:

sudo nano /etc/profile.d/openssl.sh

Add these lines:

OPENSSL_PATH="/usr/local/ssl/bin"
export OPENSSL_PATH
PATH=$PATH:$OPENSSL_PATH
export PATH

Make the script executable:

sudo chmod +x /etc/profile.d/openssl.sh

Load the environment immediately:

source /etc/profile.d/openssl.sh

Verify the PATH update:

echo $PATH
which openssl

The which openssl command should now display /usr/local/ssl/bin/openssl, confirming successful PATH configuration. All new shell sessions automatically include this PATH modification.

Setting Up OpenSSL Configuration File

The primary configuration file at /usr/local/ssl/openssl.cnf controls default behaviors. Review and customize key sections for enhanced security. The [default] section sets global parameters. The [req] section defines certificate request defaults including key size and digest algorithms. The [ca] section configures certificate authority operations if managing internal PKI infrastructure.

Consider increasing default key sizes to 4096 bits for enhanced security. Disable weak cipher suites like DES and RC4. Enable modern TLS protocols exclusively by configuring minimum protocol versions to TLS 1.2 or higher.

Verifying OpenSSL Installation

Comprehensive verification confirms all components function correctly.

Version and Build Information

Display detailed version information:

openssl version -a

This reveals compilation timestamp, platform details, directory paths, and compiler version. The OPENSSLDIR line shows configuration file location. The ENGINESDIR indicates engine module storage for hardware acceleration support.

Testing OpenSSL Functionality

Perform basic functionality tests. Generate random data:

openssl rand -base64 32

This produces a 32-byte random string encoded in base64, verifying random number generation capabilities. Calculate file hashes:

echo "test" | openssl dgst -sha256

Test encryption and decryption:

echo "sensitive data" | openssl enc -aes-256-cbc -a -salt -pass pass:testpassword

These commands confirm cryptographic algorithm availability and proper OpenSSL functionality.

Checking SSL/TLS Connection Capabilities

Test connectivity to remote SSL/TLS servers:

openssl s_client -connect www.example.com:443

This establishes an SSL connection, displays certificate details, and shows supported cipher suites. Successful connection confirms network SSL/TLS capabilities. Press Ctrl+D to disconnect. Examine certificate expiration dates, issuer information, and protocol versions negotiated during handshake.

Common OpenSSL Use Cases on AlmaLinux 10

Generating SSL/TLS Certificates

Create self-signed certificates for development environments:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

This generates a 4096-bit RSA private key and self-signed certificate valid for one year. The -nodes flag creates an unencrypted private key for testing purposes. For production, generate Certificate Signing Requests (CSRs):

openssl req -new -newkey rsa:4096 -keyout domain.key -out domain.csr

Submit the CSR to certificate authorities for signed certificates. Convert between certificate formats using OpenSSL’s format conversion utilities to ensure compatibility across different server platforms.

Securing Web Services

Integrate OpenSSL certificates with web servers like Apache or Nginx. For Apache, configure SSL directives in virtual host configurations pointing to certificate and key files. Nginx requires similar configuration in server blocks. Enable HTTPS by listening on port 443 and specifying SSL certificate locations. Configure strong cipher suites and prefer server cipher order for optimal security.

Test web server SSL configuration using OpenSSL client mode to verify certificate installation and protocol support. Modern configurations enforce TLS 1.2 and 1.3 exclusively while disabling obsolete SSL protocols.

Encrypting and Decrypting Data

Encrypt sensitive files using symmetric encryption:

openssl enc -aes-256-cbc -salt -in sensitive.txt -out sensitive.txt.enc

Decrypt encrypted files:

openssl enc -d -aes-256-cbc -in sensitive.txt.enc -out sensitive.txt

These operations protect data at rest using strong AES-256 encryption. For public-key encryption scenarios, generate RSA key pairs and encrypt data using recipient public keys, ensuring only private key holders decrypt content.

Creating and Managing Certificate Authorities

Establish internal certificate authority infrastructure for issuing certificates to internal services. Initialize CA directory structure, generate root CA certificates, and configure certificate policies. Issue certificates for internal servers, employee authentication, or code signing purposes while maintaining certificate revocation lists for compromised certificates.

Security Best Practices

Keeping OpenSSL Updated

Regular updates protect against discovered vulnerabilities. For package-managed installations, update through DNF:

sudo dnf update openssl -y

Source-compiled installations require manual monitoring of OpenSSL security advisories. Subscribe to the OpenSSL security mailing list for vulnerability notifications. Test updates in staging environments before production deployment to catch compatibility issues.

Using Strong Cryptographic Algorithms

Configure applications to utilize robust cipher suites. Prioritize ECDHE key exchange for perfect forward secrecy. Use AES-256-GCM for symmetric encryption providing both confidentiality and authentication. Disable weak algorithms including MD5, SHA-1, DES, 3DES, and RC4.

Set minimum TLS version to 1.2, preferably 1.3 for enhanced security and performance. Configure security levels in openssl.cnf using the CipherString directive specifying approved algorithms. Modern configurations set SECLEVEL=2 or higher restricting to secure algorithms exclusively.

Secure Key Management

Protect private keys with strict file permissions:

chmod 600 /path/to/private.key
chown root:root /path/to/private.key

Store keys in encrypted filesystems when possible. Implement key rotation policies replacing certificates and keys before expiration. Maintain secure backups of private keys in encrypted storage, ensuring business continuity while preventing unauthorized access.

Configuration Hardening

Edit /usr/local/ssl/openssl.cnf or /etc/pki/tls/openssl.cnf based on installation method. Disable SSLv2 and SSLv3 protocols completely. Configure default certificate parameters including minimum key sizes, approved signature algorithms, and certificate validity periods. Enable OCSP stapling for efficient certificate revocation checking.

Troubleshooting Common Issues

OpenSSL Command Not Found

If the openssl command returns “command not found,” verify PATH configuration. Check binary location:

find /usr -name openssl 2>/dev/null

Create symbolic links if necessary:

sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Alternatively, reload profile scripts: source /etc/profile.d/openssl.sh. Verify shell startup files properly load environment configurations.

Library Loading Errors

“Cannot open shared object file” errors indicate library path issues. Verify ldconfig configuration contains OpenSSL library directories. Manually check library presence:

ls -l /usr/local/ssl/lib64/libssl.so*

Rerun ldconfig with verbose output to diagnose loading failures. Check file permissions ensuring libraries have read access for all users. Verify SELinux contexts if enabled, as incorrect contexts prevent library loading.

Version Conflicts

Multiple OpenSSL versions may cause application compatibility issues. Determine which version applications use:

ldd /path/to/application | grep ssl

This shows linked OpenSSL libraries. Applications compiled against specific OpenSSL versions may fail with different versions. Solutions include recompiling applications against new OpenSSL versions or maintaining multiple OpenSSL installations with careful library path management.

Compilation Errors

Missing dependencies generate configuration or compilation errors. Review config.log files for detailed error information. Install missing Perl modules using DNF or CPAN. Ensure C compiler version compatibility with OpenSSL source code. Clear previous build attempts before retrying: make clean.

Upgrading OpenSSL on AlmaLinux 10

Upgrade package-managed OpenSSL installations seamlessly:

sudo dnf upgrade openssl openssl-libs openssl-devel -y

DNF handles dependency updates automatically. Test applications post-upgrade confirming compatibility with new OpenSSL versions. For source-compiled installations, download newer source archives, repeat compilation steps, and replace existing installations. Maintain rollback capability by backing up working installations before upgrading.

Monitor application logs for SSL/TLS-related errors after upgrades. Some applications require restarting to load updated libraries. Test SSL/TLS connections to critical services verifying continued functionality.

Performance Optimization

Modern processors include AES-NI instruction sets accelerating encryption operations. Verify OpenSSL detects hardware acceleration:

openssl speed -evp aes-256-gcm

Compare performance with and without hardware acceleration. Configure OpenSSL to utilize available engine modules for cryptographic hardware acceleration. Tune cipher suite selection balancing security and performance requirements.

For high-traffic environments, optimize by reducing SSL handshake overhead through session caching and ticket reuse. Configure web servers to maintain SSL sessions, eliminating repeated public-key operations. Monitor OpenSSL performance using benchmarking tools identifying optimization opportunities specific to workload patterns.

Congratulations! You have successfully installed OpenSSL. Thanks for using this tutorial for installing OpenSSL on AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official OpenSSL website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Back to top button