OpenSSL is an open-source implementation of the SSL and TLS protocols, designed to be as flexible as possible. It is supported on a variety of platforms, including BSD, Linux, OpenVMS, Solaris and Windows.
is installed by default on Arch Linux (as a dependency of ).
There are various OpenSSL library bindings available for developers:
- , ,
On Arch Linux the
The OpenSSL configuration file, conventionally placed in
/etc/ssl/openssl.cnf, may appear complicated at first. Remember that variables may be expanded in assignments, much like how shell scripts work. For a thorough explanation of the configuration file format, see .
Settings related to generating keys, requests and self-signed certificates.
The req section is responsible for the DN prompts. A general misconception is the Common Name (CN) prompt, which suggests that it should have the user's proper name as a value. End-user certificates need to have the machine hostname as CN, whereas CA should not have a valid TLD, so that there is no chance that, between the possible combinations of certified end-users' CN and the CA certificate's, there is a match that could be misinterpreted by some software as meaning that the end-user certificate is self-signed. Some CA certificates do not even have a CN, such as Equifax:
$ openssl x509 -subject -noout < /etc/ssl/certs/Equifax_Secure_CA.pem
subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
This sections assumes you have read Transport Layer Security#Obtaining a certificate.
Generate a Curve25519 private key
$ openssl genpkey -algorithm x25519 -out file
Generate an ECDSA private key
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out file
Generate an RSA private key
With, which supersedes genrsa according to :
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:keysize -out file
If an encrypted key is desired, use the
Generate a certificate signing request
$ openssl req -new -sha256 -key private_key -out filename
Generate a self-signed certificate
$ openssl req -key private_key -x509 -new -days days -out filename
Generate a self-signed certificate with private key in a single command
You can combine the above command in OpenSSL into a single command which might be convenient in some cases:
$ openssl req -x509 -newkey rsa:4096 -days days -keyout key_filename -out cert_filename
Generate Diffie–Hellman parameters
See Diffie–Hellman key exchange for more information.
Alternatively you can generate a random group of your own:
$ openssl dhparam -out filename 2048
Show certificate information
$ openssl x509 -text -in cert_filename
Show certificate fingerprint
$ openssl x509 -noout -in cert_filename -fingerprint -digest
-digest is optional and one of
-sha512. See "-digest" in for when the digest is unspecified.
"bad decrypt" while decrypting
OpenSSL 1.1.0 changed the default digest algorithm for the dgst and enc commands from MD5 to SHA256. 
Therefore if a file has been encrypted using OpenSSL 1.0.2 or older, trying to decrypt it with an up to date version may result in an error like:
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:540
-md md5 option should solve the issue:
$ openssl enc -d -md md5 -in encrypted -out decrypted
Python 3.10 and "ca md too weak" errors
In Python 3.10 by default there is a hardcoded list of allowed OpenSSL ciphers. Some of the less secure, like MD5, have been disabled at the
ssl module level, ignoring the system-wide configuration of OpenSSL. It results sometimes in strange errors on older certificates, sometimes even when establishing
https connections, like:
requests.exceptions.SSLError: HTTPSConnectionPool(host='a.kind.of.example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(398, '[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:3862)')))
To make Python follow the system configuration, you may have to rebuild it, adding
--with-ssl-default-suites=openssl parameter to
./configure. The issue has been also reported as FS#73549.
- Wikipedia page on OpenSSL, with background information.
- OpenSSL project page.
- FreeBSD Handbook
- Step-by-step guide to create a signed SSL certificate
- OpenSSL Certificate Authority: A guide demonstrating how to act as your own certificate authority.
- Bulletproof SSL and TLS by Ivan Ristić, a more formal introduction to SSL/TLS