How To Install OpenSSL on Rocky Linux 10

OpenSSL serves as the backbone of secure communications across modern computing infrastructure. This powerful, open-source cryptographic toolkit implements SSL and TLS protocols that protect data transmission between servers and clients. Whether securing web traffic, managing digital certificates, or encrypting sensitive information, OpenSSL remains an indispensable component of any Rocky Linux 10 system.

Rocky Linux 10 typically ships with OpenSSL pre-installed as part of the base system packages. However, administrators often need to verify the installation, update to newer versions, or compile specific releases from source to meet particular security requirements or application dependencies. This comprehensive guide walks through both installation methods—using the DNF package manager for straightforward deployment and compiling from source for maximum flexibility and control.

Understanding the installation process ensures your Rocky Linux 10 environment maintains the highest security standards. The following sections provide detailed, step-by-step instructions suitable for system administrators at all experience levels.

What is OpenSSL and Why It Matters

OpenSSL functions as a robust, full-featured open-source toolkit designed for general-purpose cryptography and secure network communication. At its core, the library implements the Secure Sockets Layer and Transport Layer Security protocols, which establish encrypted connections between networked applications. Beyond protocol implementation, OpenSSL provides extensive cryptographic functions including data encryption and decryption, message authentication codes, digital signatures, and comprehensive certificate management capabilities.

The toolkit has evolved significantly over its development history. Currently, two major version families exist: the legacy OpenSSL 1.x series and the modern OpenSSL 3.x branch. OpenSSL 3.x introduces substantial improvements including a redesigned API architecture, enhanced performance optimizations, and strengthened security features compared to its predecessor. Rocky Linux 9 and 10 have transitioned to OpenSSL 3.x as the default cryptographic library, with version 3.2.2 appearing in recent releases.

The cryptographic library underpins countless applications and services running on Linux systems. Web servers like Apache and Nginx depend on OpenSSL for HTTPS connections. Database systems utilize it for encrypted client-server communications. Email servers rely on OpenSSL for secure message transmission. Even command-line tools for secure shell access incorporate OpenSSL functionality.

Maintaining an up-to-date OpenSSL installation is critical for system security and application integrity. Security vulnerabilities discovered in cryptographic software can expose sensitive data, compromise authentication mechanisms, and allow unauthorized system access. Regular updates ensure protection against known exploits while providing access to improved encryption algorithms and stronger security defaults.

Prerequisites for Installing OpenSSL

Successfully installing OpenSSL on Rocky Linux 10 requires meeting several fundamental prerequisites. First and foremost, a functioning Rocky Linux 10 installation with network connectivity is essential. The system should be accessible either through direct console access or remote SSH connections.

Administrative privileges represent another critical requirement. Root access or a user account with sudo privileges enables the installation of system packages and modification of system-wide configurations. Most commands throughout this guide require elevated permissions to complete successfully.

When compiling OpenSSL from source code, additional development tools become necessary. The GNU Compiler Collection (GCC) compiles C source files into executable binaries. The Make utility automates the build process according to instructions in configuration files. Perl scripting support is required for various build scripts included in the OpenSSL source distribution. The zlib-devel package provides compression library headers needed for certain OpenSSL features.

A stable internet connection facilitates downloading packages from Rocky Linux repositories or retrieving OpenSSL source code from official distribution channels. Bandwidth requirements remain modest, but network reliability ensures downloads complete without corruption.

Before proceeding with installation, verify the current system status. Check whether OpenSSL is already present and identify the installed version. This preliminary assessment helps determine whether a fresh installation, upgrade, or custom compilation best serves your requirements.

Checking Current OpenSSL Installation

Verifying the existing OpenSSL installation provides valuable baseline information before proceeding with any installation or upgrade operations. Rocky Linux 10 typically includes OpenSSL by default, but confirming its presence and version establishes a clear starting point.

Execute the following command to check for an existing OpenSSL installation:

openssl version

This command displays the installed OpenSSL version in a concise format. For more comprehensive details about the installation, including configuration directories and compilation options, use the extended version flag:

openssl version -a

The detailed output reveals several important pieces of information. The version line identifies the specific OpenSSL release number and build date. The OPENSSLDIR line shows where OpenSSL looks for configuration files and certificates. The platform line indicates the system architecture and compiler used during compilation.

If the command returns “command not found,” OpenSSL is not currently installed on the system, and a fresh installation is required. When OpenSSL is present, compare the reported version against your requirements. Rocky Linux 10 systems typically include OpenSSL 3.2.x or later from the base repositories.

Understanding the installed version helps determine the appropriate next steps. Systems running significantly outdated releases may benefit from updates through the package manager. Specific application requirements might necessitate compiling a particular version from source. In all cases, documenting the current state before making changes enables easier troubleshooting if issues arise.

Method 1: Installing OpenSSL Using DNF Package Manager

The DNF package manager provides the simplest and most straightforward method for installing OpenSSL on Rocky Linux 10. This approach automatically handles dependency resolution, applies security patches through the distribution’s update channels, and integrates seamlessly with system package management.

Step 1: Update System Packages

Begin by refreshing the system package index and installing available updates. Maintaining current system packages prevents potential conflicts and ensures security patches are applied. Execute the following command with administrative privileges:

sudo dnf update -y

The DNF package manager contacts configured repositories, downloads package metadata, and installs any available updates. The -y flag automatically confirms all prompts, streamlining the update process. Depending on the number of pending updates, this operation may take several minutes to complete.

After updates finish installing, consider rebooting the system if kernel updates were included. While not strictly necessary for OpenSSL installation, restarting ensures the system runs the latest kernel and applies all pending updates.

Step 2: Install OpenSSL Package

With the system fully updated, proceed to install OpenSSL using the DNF package manager. The base OpenSSL package provides the cryptographic library and command-line tools:

sudo dnf install openssl -y

This command retrieves the OpenSSL package and its dependencies from Rocky Linux repositories, then installs them on the system. The installation process typically completes within moments, as OpenSSL packages are relatively compact.

For software development or building applications that depend on OpenSSL, install the development package as well:

sudo dnf install openssl-devel -y

The openssl-devel package includes header files, development libraries, and documentation necessary for compiling software that links against OpenSSL. Applications written in C, C++, or other compiled languages that utilize OpenSSL for cryptographic operations require these development files during compilation.

Step 3: Verify Package Installation

After installation completes, confirm OpenSSL is properly installed and accessible. Run the version check command:

openssl version

Successful installation displays the OpenSSL version number provided by Rocky Linux repositories. For comprehensive installation details, use the verbose flag:

openssl version -a

This output confirms the installation succeeded and provides configuration information. Verify that the version matches expectations for Rocky Linux 10 system packages.

Step 4: Check Installation Path

Understanding where OpenSSL files reside helps with configuration and troubleshooting tasks. The which command locates the OpenSSL executable:

which openssl

Typically, package-managed installations place the OpenSSL binary in /usr/bin/openssl. The configuration files usually reside in /etc/pki/tls/ or /usr/share/pki/. Certificate bundles and related files occupy these directories as well.

To identify the configuration directory explicitly, examine the OPENSSLDIR value from the version command output:

openssl version -d

This displays the directory path where OpenSSL searches for configuration files. Understanding these locations proves valuable when customizing OpenSSL behavior or troubleshooting certificate verification issues.

Method 2: Installing OpenSSL from Source

Compiling OpenSSL from source code provides maximum flexibility and control over the installation. This method allows installing the absolute latest versions before they reach distribution repositories, enabling specific features or optimizations, and creating isolated installations that don’t interfere with system packages.

Why Compile from Source

Several compelling reasons justify choosing source compilation over package management. Access to the latest OpenSSL releases enables immediate deployment of new features and security improvements without waiting for distribution updates. Custom compilation allows enabling or disabling specific features based on organizational security policies or application requirements. Parallel installations permit running multiple OpenSSL versions simultaneously when supporting legacy applications with specific version dependencies.

However, source compilation increases administrative complexity. Manual tracking of security updates becomes necessary, as compiled versions don’t receive automatic security patches through the distribution update mechanism. Dependency management requires careful attention to avoid conflicts with system libraries. These trade-offs make source compilation most appropriate for specialized requirements rather than general-purpose deployments.

Step 1: Install Build Dependencies

Before compiling OpenSSL from source, install the necessary development tools and libraries. Rocky Linux 10 requires several packages to successfully build OpenSSL.

First, install the Development Tools group package, which includes GCC, Make, and related build utilities:

sudo dnf groupinstall "Development Tools" -y

This command installs a comprehensive collection of compilers, build automation tools, and development utilities. The installation may take several minutes depending on network speed and system performance.

Next, install specific dependencies required by OpenSSL:

sudo dnf install zlib-devel perl perl-IPC-Cmd perl-Test-Simple -y

Each package serves a specific purpose during compilation. The zlib-devel package provides compression library development headers for compression support in OpenSSL. Perl and its modules execute configuration scripts and test suites included in the OpenSSL source distribution. Without these dependencies, the compilation process will fail with error messages indicating missing components.

Step 2: Download OpenSSL Source Code

Obtain the latest stable OpenSSL source code from the official OpenSSL project repository. Navigate to a working directory, then download the source archive using wget:

cd /usr/src
sudo wget https://github.com/openssl/openssl/releases/download/openssl-3.6.0/openssl-3.6.0.tar.gz

This command downloads OpenSSL version 3.6.0 from the official GitHub releases page. Replace the version number with your desired release if a different version is required. Always download OpenSSL from official sources to ensure authenticity and avoid potentially compromised packages.

For enhanced security, verify the download integrity using checksums or GPG signatures provided on the OpenSSL website. This verification step confirms the downloaded file hasn’t been tampered with during transmission.

Step 3: Extract Source Archive

Once the download completes, extract the compressed tarball to access the source code:

sudo tar -xzf openssl-3.6.0.tar.gz

The tar command with -x (extract), -z (gzip decompression), and -f (file) flags unpacks the archive. This creates a directory named openssl-3.6.0 containing the complete source tree.

Change into the newly created directory to begin the build process:

cd openssl-3.6.0

All subsequent compilation commands must be executed from within this source directory.

Step 4: Configure the Build

The configuration script prepares OpenSSL for compilation by detecting system capabilities and setting build options. Execute the config script with appropriate parameters:

sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib

Understanding each configuration flag ensures proper installation. The --prefix=/usr/local/ssl option specifies the base directory for installation files, keeping the custom build separate from system packages. The --openssldir=/usr/local/ssl parameter defines where OpenSSL searches for configuration files and certificates. The shared flag instructs the build system to create shared libraries in addition to static libraries, enabling dynamic linking for applications. The zlib option enables compression support using the system zlib library.

The configuration script analyzes the system environment, detects available compilers, and generates Makefiles tailored to the specific platform. Review the configuration output for any warnings or errors before proceeding. Issues at this stage typically indicate missing dependencies or system configuration problems.

Step 5: Compile OpenSSL

With configuration complete, begin the compilation process using the make command:

sudo make

Compilation transforms source code into executable binaries and libraries. The process may take several minutes depending on system resources and OpenSSL version. Modern multi-core systems can accelerate compilation by adding the -j flag followed by the number of parallel jobs, such as make -j4 for four parallel compilation threads.

After compilation finishes, run the test suite to verify the build completed correctly:

sudo make test

The test suite exercises various OpenSSL functions, cryptographic algorithms, and protocol implementations to ensure everything works as expected. Pay attention to test results. While occasional skipped tests are normal, failures may indicate compilation problems or system incompatibilities. Investigate and resolve any test failures before proceeding to installation.

Step 6: Install Compiled Binaries

Having successfully compiled and tested OpenSSL, install the binaries and libraries to the configured location:

sudo make install

This command copies executables, libraries, header files, and documentation to their designated directories under the prefix path specified during configuration. The installation includes the openssl command-line tool, cryptographic libraries, development headers, and manual pages.

Installation completes within moments, as the process merely copies files to their final destinations. The newly installed OpenSSL resides in /usr/local/ssl/ by default, maintaining separation from system packages in /usr/.

Configuring System to Use New OpenSSL Version

After compiling OpenSSL from source, additional configuration ensures the system recognizes and uses the newly installed version. Without these steps, the system continues using the package-managed OpenSSL installation.

Setting Up Library Paths

The dynamic linker must know where to find the custom OpenSSL shared libraries. Create a configuration file in the dynamic linker configuration directory:

sudo tee /etc/ld.so.conf.d/openssl.conf <<EOF
/usr/local/ssl/lib64
/usr/local/ssl/lib
EOF

This configuration file instructs the dynamic linker to search the custom OpenSSL library directories when resolving shared library dependencies. Including both lib64 and lib paths ensures compatibility across different architectures and OpenSSL versions.

After creating the configuration file, rebuild the dynamic linker cache:

sudo ldconfig

The ldconfig command processes all configuration files in /etc/ld.so.conf.d/ and updates the library cache. This cache enables fast library lookups when applications load shared libraries at runtime. Without updating the cache, applications may fail to locate the custom OpenSSL libraries.

Verify library configuration by checking which OpenSSL libraries the system recognizes:

ldconfig -p | grep ssl

This command displays all SSL-related libraries in the dynamic linker cache. Confirm that entries point to the custom installation path.

Updating PATH Environment Variable

To use the custom OpenSSL command-line tool by default, add its binary directory to the system PATH variable. Create a shell profile script:

sudo tee /etc/profile.d/openssl.sh <<EOF
export PATH=/usr/local/ssl/bin:\$PATH
export LD_LIBRARY_PATH=/usr/local/ssl/lib:\$LD_LIBRARY_PATH
EOF

This script sets environment variables that modify program search paths. The PATH variable determines where the shell searches for executable commands. The LD_LIBRARY_PATH variable influences dynamic library resolution at runtime.

Apply the environment changes to the current shell session:

source /etc/profile.d/openssl.sh

The source command executes the script in the current shell context, immediately applying the environment modifications. Future login sessions automatically source this script during shell initialization.

Verify the system uses the correct OpenSSL version:

openssl version
which openssl

The version command should display the custom-compiled version number. The which command should return /usr/local/ssl/bin/openssl, confirming the custom binary takes precedence over the system package.

Verifying the OpenSSL Installation

Thorough verification confirms OpenSSL installation succeeded and functions correctly. Comprehensive testing validates not only successful installation but also proper configuration and functionality.

Version Verification

Begin with basic version checks to confirm OpenSSL responds to commands:

openssl version

This displays the version string, indicating successful installation. For detailed information about the installation:

openssl version -a

Review the comprehensive output carefully. The version line confirms the installed release. The built-on line shows compilation date. The platform line indicates the target system architecture. The OPENSSLDIR path shows where OpenSSL looks for configuration files. The ENGINESDIR path indicates the plugin directory for cryptographic engines.

Compare the binary version with library versions to ensure consistency:

openssl version
ldd $(which openssl) | grep ssl

Both should reference the same installation path. Mismatches between binary and library versions indicate configuration problems that require resolution.

Testing Basic Functionality

Beyond version checks, test actual cryptographic functionality to ensure OpenSSL operates correctly. List available cipher suites:

openssl ciphers -v

This command displays all cryptographic cipher suites OpenSSL supports. A lengthy list of ciphers indicates proper functionality. Empty output or errors suggest compilation or configuration problems.

Test encryption and decryption operations with a simple example:

echo "Test message" | openssl enc -aes-256-cbc -a -salt -pass pass:testpassword

This encrypts a test message using AES-256 encryption. Successful execution produces encrypted output, confirming cryptographic operations work correctly. Decrypt the output to verify bidirectional functionality:

echo "encrypted_output" | openssl enc -aes-256-cbc -d -a -pass pass:testpassword

The original message should appear, confirming encryption and decryption function properly.

Verifying Library Links

Examine dynamic library linkage to ensure applications will correctly utilize OpenSSL:

ldd $(which openssl)

This command lists all shared libraries the OpenSSL binary depends on. Verify that libssl and libcrypto entries point to the intended OpenSSL installation. Incorrect library paths indicate configuration issues that may cause runtime errors.

For source-compiled installations, confirm libraries come from the custom installation directory:

ldd /usr/local/ssl/bin/openssl | grep -E 'libssl|libcrypto'

Both libraries should show paths under /usr/local/ssl/lib or /usr/local/ssl/lib64. If they reference system directories like /usr/lib64, PATH or LD_LIBRARY_PATH configuration needs adjustment.

Post-Installation Configuration Best Practices

Proper OpenSSL configuration enhances security and ensures optimal operation. Implementing best practices immediately after installation establishes a strong security foundation.

Securing OpenSSL Configuration

The main OpenSSL configuration file controls default behaviors and security settings. Locate the configuration file:

openssl version -d

This displays the OPENSSLDIR containing openssl.cnf. Edit this file to customize OpenSSL behavior. Key settings include default message digest algorithms, certificate extension definitions, and cryptographic policy configurations.

Secure file permissions on OpenSSL directories prevent unauthorized modifications:

sudo chmod 755 /usr/local/ssl
sudo chmod 644 /usr/local/ssl/openssl.cnf

These permissions allow all users to read configuration files while restricting write access to administrators. Private keys should have even more restrictive permissions to prevent unauthorized access.

Implementing Strong Cryptographic Standards

Configure OpenSSL to use modern, secure cryptographic algorithms while disabling weak or obsolete options. Modern systems should prioritize TLS 1.2 and TLS 1.3 protocols, avoiding legacy versions like SSLv2, SSLv3, and TLS 1.0.

When generating cryptographic keys, use appropriate key lengths. RSA keys should be at least 2048 bits, with 4096 bits providing additional security margin for long-lived keys. Elliptic curve cryptography should use curves like P-256 or stronger.

Symmetric encryption should employ AES-256 or ChaCha20 algorithms. Avoid deprecated algorithms like DES, 3DES, and RC4, which provide insufficient security by contemporary standards.

Regular Update Strategy

Maintaining current OpenSSL versions is essential for security. Subscribe to OpenSSL security announcements to receive notifications about vulnerabilities and patches. The official OpenSSL mailing lists and security advisories provide authoritative information about emerging threats.

For package-managed installations, regularly check for updates:

sudo dnf check-update openssl

Apply available updates promptly:

sudo dnf update openssl

Package-managed installations receive security backports from the distribution vendor, even when version numbers remain constant. Rocky Linux incorporates security fixes into existing package versions, maintaining stability while addressing vulnerabilities.

Source-compiled installations require manual monitoring and updating. Establish a schedule for checking OpenSSL releases and security advisories. Document the compilation process to streamline future updates. Consider scripting the build and installation procedure for consistency across update cycles.

Common Use Cases for OpenSSL

OpenSSL’s versatility extends across numerous security and cryptography applications. Understanding common use cases helps leverage OpenSSL effectively in production environments.

Generating SSL/TLS Certificates

Self-signed certificates serve valuable roles in development environments, internal systems, and testing scenarios. Generate a private key and self-signed certificate with a single command:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

This creates a 2048-bit RSA private key and corresponding self-signed certificate valid for 365 days. The -nodes flag creates an unencrypted private key, suitable for automated systems. For interactive use, omit this flag to encrypt the key with a passphrase.

Generate certificate signing requests for commercial certificates:

openssl req -new -key key.pem -out request.csr

Submit the resulting CSR to a certificate authority for signing. The CA validates domain ownership and organizational details before issuing a trusted certificate.

Data Encryption and Decryption

OpenSSL provides robust file encryption capabilities for protecting sensitive data at rest. Encrypt files using strong symmetric encryption:

openssl enc -aes-256-cbc -salt -in plaintext.txt -out encrypted.dat -pass pass:securepassword

This command encrypts the input file using AES-256 in CBC mode with password-based key derivation. Salt randomization strengthens password-based encryption against dictionary attacks.

Decrypt encrypted files with the corresponding decryption command:

openssl enc -aes-256-cbc -d -in encrypted.dat -out plaintext.txt -pass pass:securepassword

The -d flag specifies decryption mode. All other parameters must match the original encryption settings.

Certificate Verification

Verify certificate validity and inspect certificate contents:

openssl x509 -in cert.pem -text -noout

This displays detailed certificate information including issuer, subject, validity dates, and extensions. Verify certificate chains to ensure proper trust relationships:

openssl verify -CAfile ca-bundle.crt cert.pem

Certificate verification confirms certificates haven’t expired and chain properly to trusted root authorities. Check certificate and private key matching:

openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

Matching MD5 hashes confirm the certificate and key constitute a valid pair.

Troubleshooting Common Issues

Even careful installations occasionally encounter problems. Understanding common issues and their resolutions accelerates troubleshooting.

Command Not Found Errors

When the shell cannot locate the openssl command, several causes warrant investigation. Verify OpenSSL actually installed:

rpm -qa | grep openssl

For package installations, this lists installed OpenSSL packages. Absence indicates installation didn’t complete or failed silently.

Check the PATH environment variable:

echo $PATH

Ensure the directory containing openssl appears in PATH. For custom installations, add the binary directory to PATH as described in the configuration section.

Reload shell configuration after modifying profile scripts:

source ~/.bashrc
source /etc/profile

This applies PATH changes without logging out.

Library Version Mismatches

Multiple OpenSSL installations can cause version conflicts and runtime errors. Identify all installed versions:

find /usr -name "libssl.so*"
rpm -qa | grep openssl

These commands locate OpenSSL libraries and packages system-wide. Multiple results indicate parallel installations that may conflict.

Examine which libraries applications actually load:

ldd $(which openssl) | grep ssl

Mismatches between expected and actual library paths indicate configuration issues. Adjust LD_LIBRARY_PATH or ldconfig configuration to resolve conflicts.

Missing Dependencies

Compilation failures often stem from missing development packages. Error messages typically indicate which components are absent. Common missing dependencies include:

sudo dnf install gcc make perl perl-IPC-Cmd zlib-devel

Install reported missing packages and retry compilation. Review configuration output carefully for warnings about disabled features due to missing dependencies.

Permission Denied Errors

Installation and configuration commands require administrative privileges. Prepend sudo to commands that modify system directories or install software:

sudo make install
sudo dnf install openssl

Ensure the user account has sudo privileges configured in /etc/sudoers. File permission issues on OpenSSL directories require ownership or permission adjustments:

sudo chown -R root:root /usr/local/ssl
sudo chmod 755 /usr/local/ssl

These commands reset ownership and permissions to standard values.

Certificate Verification Failures

SSL/TLS certificate verification errors appear when applications cannot validate certificate chains. Common causes include missing CA certificate bundles, incorrect certificate paths, or expired certificates.

Verify the CA bundle location:

openssl version -d
ls -la /etc/pki/tls/certs/ca-bundle.crt

Ensure certificate bundles exist and contain up-to-date root certificates. Update certificate bundles:

sudo dnf update ca-certificates

This refreshes system trust stores with current root certificates. For specific application certificate problems, verify certificate validity, check expiration dates, and confirm proper certificate chain configuration.

Security Considerations

Security-conscious OpenSSL deployment requires attention to multiple factors beyond basic installation. Always obtain OpenSSL from official sources to avoid potentially compromised packages. Download source code directly from openssl.org or use signed packages from Rocky Linux repositories.

Verify download integrity when compiling from source. Official releases include SHA256 checksums and GPG signatures for verification. Compare checksums before extracting archives:

sha256sum openssl-3.6.0.tar.gz

Match the output against official checksums published on the OpenSSL website.

Keep OpenSSL current with security patches. Critical vulnerabilities receive prompt attention from the OpenSSL security team. Subscribe to security announcements and establish procedures for rapid patching when vulnerabilities emerge.

Implement proper key management practices. Store private keys securely with restrictive file permissions. Never commit private keys to version control systems. Use key encryption for keys stored on disk. Rotate keys periodically according to security policy requirements.

Disable weak or deprecated cryptographic algorithms in OpenSSL configurations. Modern systems should avoid SSLv2, SSLv3, TLS 1.0, and TLS 1.1 protocols. Remove cipher suites using MD5, SHA1, or deprecated algorithms like RC4.

Monitor security bulletins regularly. The OpenSSL project maintains detailed security advisories documenting vulnerabilities, affected versions, and remediation steps. National vulnerability databases like NIST’s NVD provide additional vulnerability information.

Upgrading OpenSSL to Newer Versions

Periodic OpenSSL upgrades maintain security and provide access to enhanced features. Package-managed installations simplify the upgrade process through DNF commands. Check for available updates:

sudo dnf check-update openssl

This queries repositories for newer OpenSSL packages. Apply available updates:

sudo dnf update openssl

DNF automatically handles dependency resolution and safely replaces older packages. Rocky Linux uses conservative update policies, upgrading OpenSSL only when necessary for security fixes or major distribution releases.

Source-compiled installations require manual upgrade procedures. Download the new OpenSSL version, extract it, and follow the compilation steps described earlier. Install the new version to the same prefix path to replace the existing installation:

./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
make
make test
sudo make install

Test applications thoroughly after OpenSSL upgrades. Some applications link against specific OpenSSL versions or API functions that change between releases. Compatibility testing identifies issues before they affect production systems.

Managing multiple OpenSSL versions simultaneously supports legacy applications with specific version requirements. Install additional versions to separate directories:

./config --prefix=/opt/openssl-1.1.1 shared zlib

Applications can link against specific versions by setting appropriate paths at compile time. This approach maintains compatibility while allowing newer applications to use modern OpenSSL releases.

Uninstalling OpenSSL

Uninstalling OpenSSL is rarely recommended, as numerous system components depend on cryptographic libraries. However, removing redundant installations or cleanly uninstalling source-compiled versions occasionally becomes necessary.

For package-managed installations, DNF handles removal:

sudo dnf remove openssl

DNF displays dependent packages that will also be removed. Review the list carefully, as removing OpenSSL typically breaks many applications. System package managers usually prevent removing packages with critical dependencies.

Removing source-compiled OpenSSL requires manual file deletion. Navigate to the source directory and use the install manifest if available:

cd /usr/src/openssl-3.6.0
sudo make uninstall

Not all OpenSSL versions support make uninstall. Manual removal requires deleting installation directories:

sudo rm -rf /usr/local/ssl

Remove library configuration files created during installation:

sudo rm /etc/ld.so.conf.d/openssl.conf
sudo ldconfig

Delete environment variable scripts:

sudo rm /etc/profile.d/openssl.sh

Reload shell configurations or log out and back in to clear environment variables. Consider upgrading rather than uninstalling when addressing security concerns or compatibility issues. Upgrades maintain functionality while resolving problems.

Congratulations! You have successfully installed OpenSSL. Thanks for using this tutorial for installing OpenSSL on Rocky Linux 10 system. For additional help or useful information, we recommend you check the official OpenSSL website.