How to Install OpenSSL on an Ubuntu Server

OpenSSL, an open-source toolkit that implements the SSL and TLS protocols, is essential for securing network traffic, generating certificates, and much more.

Whether you’re setting up a dedicated server, a VPS server, or even a cloud hosting environment, OpenSSL is a crucial tool to have in your security arsenal.

In this guide, we’ll walk you through the steps to install and verify OpenSSL on an Ubuntu server.

Let’s get started.

Step 1: Update Your System

Before installing any new software, it’s always a good practice to update your system’s package repository.

sudo apt update
sudo apt upgrade -y

Step 2: Install OpenSSL

Ubuntu typically comes with OpenSSL pre-installed. However, if it’s not present or you need to install a fresh copy, use the following command:

sudo apt install openssl -y

Step 3: Verify the Installation

After installation, you can check the version of OpenSSL to ensure it’s installed correctly:

openssl version

This command should display the version of OpenSSL you’ve installed.

root@geeks:~# openssl version
OpenSSL 1.1.1  11 Sep 2018
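
The version string above is the upstream release; Ubuntu delivers security fixes as package revisions, so the package version is what shows whether patches are still pending. The following is an added example, not part of the original guide: it parses the output of apt-cache policy openssl, and the function name and sample versions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report whether the installed openssl package lags behind
# the candidate version offered by the configured repositories.

# Reads `apt-cache policy openssl` output on stdin (run it with LC_ALL=C so
# the field labels are not localized).
# Prints: not-installed | up-to-date | update-pending:<installed>-><candidate>
openssl_pkg_status() {
  awk '
    $1 == "Installed:" { inst = $2 }
    $1 == "Candidate:" { cand = $2 }
    END {
      if (inst == "" || inst == "(none)") print "not-installed"
      else if (inst == cand)              print "up-to-date"
      else printf "update-pending:%s->%s\n", inst, cand
    }'
}

# Constructed sample input; the version strings are placeholders, not real
# Ubuntu package revisions.
SAMPLE_POLICY='openssl:
  Installed: 1.1.1-0example1
  Candidate: 1.1.1-0example2
  Version table:
     1.1.1-0example2 500
        500 http://archive.example.invalid/ubuntu example-updates/main amd64 Packages
 *** 1.1.1-0example1 100
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_POLICY" | openssl_pkg_status

# On a live server:
#   LC_ALL=C apt-cache policy openssl | openssl_pkg_status
```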

Step 4: Explore OpenSSL Commands

OpenSSL offers a plethora of commands. To view a list of available commands:

openssl help

Example:

root@geeks:~# openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb  

Step 5: Configure OpenSSL (Optional)

If you need to make specific configurations to OpenSSL, you can edit its configuration file:

sudo nano /etc/ssl/openssl.cnf

Make the necessary changes, save, and exit.

Here are some popular configurations you might consider:

1. Setting Default Certificate Details

When generating a certificate, OpenSSL will prompt you for details such as the country, state, and organization. To streamline this process, you can set default values in the configuration file:

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
prompt              = no

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = New York
localityName            = New York City
organizationName        = My Organization
organizationalUnitName  = My Department
commonName              = www.mywebsite.com
emailAddress            = admin@mywebsite.com

2. Specifying the Default CA (Certificate Authority)

If you’re running your own CA, you can specify it as the default:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/myCA
database          = $dir/index.txt
new_certs_dir     = $dir/newcerts
certificate       = $dir/myCA.crt
private_key       = $dir/myCA.key
serial            = $dir/serial

3. Enabling Policy Constraints

You can enforce certain fields to match the CA’s certificate or be present in the request:

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

4. Configuring Certificate Extensions

Extensions can be added to certificates to provide additional information. For example, to specify that a certificate should be used only for server authentication:

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

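5. Configuring the Time Stamping Authority (TSA)

The configuration file also holds the settings used by OpenSSL's time stamping authority (the ts command). These sections register the TSA policy OIDs and set the signer certificate and key, the digests the TSA accepts, and the timestamp accuracy: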

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ tsa_config1 ]
dir             = ./demoCA
serial          = $dir/tsaserial
crypto_device   = builtin
signer_cert     = $dir/tsacert.pem
certs           = $dir/cacert.pem
signer_key      = $dir/private/tsakey.pem
default_policy  = tsa_policy1
other_policies  = tsa_policy2, tsa_policy3
# Accept only SHA-2 digests; md5 and sha1 are collision-prone
digests         = sha256, sha384, sha512
accuracy        = secs:1, millisecs:500, microsecs:100
clock_precision_digits  = 0
ordering                = yes
tsa_name                = yes
ess_cert_id_chain       = no

These are just a few examples of the many configurations possible with OpenSSL. Always remember to back up your configuration file before making any changes, and after editing, test your configuration to ensure it works as expected.
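
One way to check an edited configuration before relying on it is to lint it for weak settings. The following is an added example, not part of the original guide or of OpenSSL itself: it flags an RSA default_bits below 2048, md5 or sha1 in default_md or digests, and the legacy nsCertType extension, which extendedKeyUsage has replaced. The function names and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint an openssl.cnf-style file read from stdin.
# Prints one finding per line as "section:key: message" and returns 1 if
# anything was flagged. Comment stripping is naive: a "#" inside a quoted
# value would also be treated as the start of a comment.
lint_openssl_cnf() {
  awk '
    function report(msg) { printf "%s:%s: %s\n", sec, key, msg; bad = 1 }
    { sub(/[ \t]*#.*/, "") }                         # drop comments
    /^[ \t]*\[/ { gsub(/[ \t]|\[|\]/, ""); sec = $0; next }
    !/=/ { next }
    {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      lval = tolower(val)
      if (key == "default_bits" && val + 0 < 2048)
        report("RSA key size below 2048 bits")
      if ((key == "default_md" || key == "digests") &&
          lval ~ /(^|[ ,])(md5|sha1)([ ,]|$)/)
        report("weak digest (md5/sha1) accepted")
      if (key == "nsCertType")
        report("obsolete Netscape extension; prefer extendedKeyUsage")
    }
    END { exit bad + 0 }
  '
}

# Constructed sample configuration with deliberately weak values.
sample_cnf() {
  cat <<'EOF'
[ req ]
default_bits = 1024      # too small for RSA
default_md   = sha256

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server

[ tsa_config1 ]
digests = md5, sha1
EOF
}

sample_cnf | lint_openssl_cnf || echo "findings present"

# On a live server:
#   lint_openssl_cnf < /etc/ssl/openssl.cnf
```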

Commands Mentioned

  • sudo apt update – Updates the package lists for upgrades and new packages.
  • sudo apt upgrade – Installs the newest versions of all packages currently installed.
  • sudo apt install openssl – Installs the OpenSSL package.
  • openssl version – Displays the installed version of OpenSSL.
  • openssl help – Lists available OpenSSL commands.
  • sudo nano /etc/ssl/openssl.cnf – Opens the OpenSSL configuration file for editing.

FAQ

  1. What is OpenSSL used for?

    OpenSSL is an open-source toolkit used for implementing the SSL and TLS protocols. It’s essential for encrypting network traffic, generating certificates, and ensuring secure communications.

  2. Is OpenSSL pre-installed on Ubuntu?

    Yes, Ubuntu typically comes with OpenSSL pre-installed. However, it’s always good to check and install it if missing.

  3. How do I update OpenSSL on Ubuntu?

    You can update OpenSSL on Ubuntu using the package manager with the commands ‘sudo apt update’ followed by ‘sudo apt upgrade openssl’.

  4. Where is the OpenSSL configuration file located?

    The OpenSSL configuration file is typically located at ‘/etc/ssl/openssl.cnf’ on Ubuntu systems.

  5. Why is OpenSSL important for servers?

    OpenSSL is crucial for servers as it provides tools for encrypting network traffic, ensuring secure communications, generating SSL/TLS certificates, and protecting data integrity.

Conclusion

OpenSSL is an indispensable tool for any server administrator, especially when dealing with secure communications. Whether you’re working with a VPS or a dedicated setup, ensuring that OpenSSL is correctly installed and configured is paramount for security.

By following the steps outlined in this guide, you can seamlessly install and set up OpenSSL on your Ubuntu server.

Always remember to keep your software updated to benefit from the latest security patches and features.
