How to Install OpenSSL on an Ubuntu Server


OpenSSL is a powerful, open-source cryptography toolkit: a library that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, together with the `openssl` command-line tool. It’s indispensable for securing network communications, managing digital certificates, and performing cryptographic operations.

If you’re a system administrator, developer, or security enthusiast working with Ubuntu, knowing how to install and configure OpenSSL is crucial. Whether you are managing a dedicated server, VPS, or cloud-based environment, OpenSSL is an essential piece of your security infrastructure.

This guide provides a clear, step-by-step walkthrough of installing and verifying OpenSSL on an Ubuntu system.

Let’s dive in!

Step 1: System Update

Before proceeding with the installation, it’s vital to update your Ubuntu system’s package lists to ensure you have the latest available versions. This also prepares the system for installing new software.

sudo apt update
sudo apt upgrade -y

Step 2: OpenSSL Installation

While Ubuntu often includes OpenSSL by default, this step ensures it’s present or reinstalls it if needed. Use the following command to install OpenSSL:

sudo apt install openssl -y

Step 3: Verification of Installation

Confirm the successful installation of OpenSSL by checking its version. This verifies that the software is correctly installed and accessible.

openssl version

The command will output the installed OpenSSL version. For example:

root@geeks:~# openssl version
OpenSSL 1.1.1  11 Sep 2018

Step 4: Exploring OpenSSL Commands

OpenSSL boasts a wide array of commands. Familiarize yourself with the available options using the `help` command:

openssl help

This will display a comprehensive list of OpenSSL commands, such as:

root@geeks:~# openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb  

Step 5: Configuration (Optional)

For advanced usage, you can customize OpenSSL’s behavior by editing its configuration file. Remember to back up the file before making changes.

sudo nano /etc/ssl/openssl.cnf

This file controls various aspects of OpenSSL’s operation. Common configurations include:

1. Default Certificate Details

Simplify certificate creation by pre-defining common values:

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
prompt              = no

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = New York
localityName            = New York City
organizationName        = My Organization
organizationalUnitName  = My Department
commonName              = www.mywebsite.com
emailAddress            = admin@mywebsite.com

2. Default CA (Certificate Authority)

Specify the location of your custom CA:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/myCA
database          = $dir/index.txt
new_certs_dir     = $dir/newcerts
certificate       = $dir/myCA.crt
private_key       = $dir/myCA.key
serial            = $dir/serial

3. Policy Constraints

Enforce rules for certificate field matching:

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

4. Certificate Extensions

Add information to certificates, such as usage restrictions:

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

5. Cipher Suite Selection

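Define the cryptographic algorithms OpenSSL utilizes. The sections shown here are the time-stamping authority (TSA) settings read by `openssl ts`: `[ new_oids ]` names the TSA policy OIDs, and the `digests` line in `[ tsa_config1 ]` lists the hash algorithms the TSA accepts. They do not select TLS cipher suites. MD5 and SHA-1 are no longer collision-resistant, so treat `digests = md5, sha1` as a legacy value rather than one to carry into production: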

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ tsa_config1 ]
dir             = ./demoCA
serial          = $dir/tsaserial
crypto_device   = builtin
signer_cert     = $dir/tsacert.pem
certs           = $dir/cacert.pem
signer_key      = $dir/private/tsakey.pem
default_policy  = tsa_policy1
other_policies  = tsa_policy2, tsa_policy3
digests         = md5, sha1
accuracy        = secs:1, millisecs:500, microsecs:100
clock_precision_digits  = 0
ordering                = yes
tsa_name                = yes
ess_cert_id_chain       = no

These examples only scratch the surface of OpenSSL configuration. After making any changes, thoroughly test your setups to prevent unexpected issues.
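
One way to check an edited file before relying on it, as an added example that is not part of the original guide: the hypothetical `audit_openssl_cnf` helper below scans an openssl.cnf-style file for a short `default_bits`, for weak `default_md` or `digests` entries such as the `md5, sha1` shown above, and for the obsolete `nsCertType` extension. The sample file it runs on is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: flag weak settings in an openssl.cnf-style file.
# audit_openssl_cnf is a hypothetical helper, not an OpenSSL command.
audit_openssl_cnf() {
  awk '
    # Remember the current [ section ] name.
    /^[ \t]*\[/ {
      section = $0
      gsub(/[ \t]/, "", section); gsub(/\[/, "", section); gsub(/\]/, "", section)
      next
    }
    # Skip comments and anything that is not key = value.
    /^[ \t]*#/ || !/=/ { next }
    {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); sub(/#.*/, "", val)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      # RSA keys below 2048 bits are too short for new certificates.
      if (key == "default_bits" && val ~ /^[0-9]+$/ && val + 0 < 2048)
        printf "WEAK [%s] default_bits=%s (below 2048)\n", section, val
      # MD4, MD5 and SHA-1 are not collision resistant.
      if (key == "default_md" || key == "digests") {
        n = split(val, algs, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
          if (tolower(algs[i]) ~ /^(md4|md5|sha1)$/)
            printf "WEAK [%s] %s includes %s\n", section, key, algs[i]
      }
      # nsCertType is an obsolete Netscape-specific extension.
      if (key == "nsCertType")
        printf "NOTE [%s] nsCertType is obsolete; prefer keyUsage/extendedKeyUsage\n", section
    }
  ' "$1"
}

# Constructed sample input, modelled on the sections shown in this guide.
SAMPLE_CNF=$(mktemp)
trap 'rm -f "$SAMPLE_CNF"' EXIT
cat > "$SAMPLE_CNF" <<'EOF'
[ req ]
default_bits = 2048
[ req_legacy ]
default_bits = 1024   # constructed weak case
[ usr_cert ]
nsCertType = server
[ tsa_config1 ]
digests = md5, sha1
EOF

audit_openssl_cnf "$SAMPLE_CNF"
```

To audit the live file, pass its path instead: `audit_openssl_cnf /etc/ssl/openssl.cnf`.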


Commands Recap

  • sudo apt update – Refreshes the package listings. Crucial before adding any new software.
  • sudo apt upgrade – Updates currently installed packages to their latest versions.
  • sudo apt install openssl – Installs (or reinstalls) the OpenSSL software.
  • openssl version – Displays which version of OpenSSL is active.
  • openssl help – Shows the available commands and parameters for OpenSSL.
  • sudo nano /etc/ssl/openssl.cnf – Opens the main configuration file for OpenSSL using the nano text editor. You’ll need root privileges.

Frequently Asked Questions (FAQ)

  1. What is OpenSSL’s primary purpose?

    OpenSSL offers a toolkit essential for implementing SSL/TLS protocols, encrypting network traffic, managing certificates, and ensuring secure communications.

  2. Does Ubuntu include OpenSSL by default?

    While often pre-installed, it’s always wise to verify its presence and install it if missing to guarantee you have it available.

  3. How can I effectively update OpenSSL on Ubuntu systems?

    Use the package manager: run ‘sudo apt update’ followed by ‘sudo apt upgrade openssl’.

  4. Where is the primary OpenSSL configuration file situated?

    The configuration file resides at ‘/etc/ssl/openssl.cnf’ within Ubuntu systems.

  5. Why is OpenSSL so crucial for servers?

    OpenSSL offers fundamental tools for encrypting network traffic, securing communications, handling SSL/TLS certificates, and preserving data integrity.


Concluding Remarks

OpenSSL remains absolutely necessary for any server admin, especially when handling security-sensitive communications. Confirming correct installation and configuration is essential to a VPS or dedicated setup.

By taking the steps illustrated here, you can smoothly install OpenSSL on an Ubuntu-powered server.

Keeping your base software up to date ensures you have the latest advancements and protections.
