As interconnected computer networks enter more and more fields of everyday life, cybersecurity is becoming increasingly important. We protect our websites, the traffic on our websites, the computers we initiate the traffic from, maybe (part of) the disks our operating system runs from, our connection to work, the computers we attach to at work, and so on.
openssl is an essential tool on any recent GNU/Linux distribution if one has to work with various certificates.
In this tutorial we will install (and reinstall) the openssl package, and test its functionality by checking a website's certificate chain with its help.
In this tutorial you will learn:
- How to install openssl
- How to reinstall openssl
- How to check a website's SSL certificate chain with openssl
Software Requirements and Conventions Used
|Category||Requirements, Conventions or Software Version Used|
|System||RHEL 8 / CentOS 8|
|Other||Privileged access to your Linux system as root or via the
# - requires given linux commands to be executed with root privileges either directly as a root user or by use of
How to install ssl on RHEL 8 / CentOS 8 step by step instructions
openssl is a base package present by default on even a minimal RHEL 8 / CentOS 8 installation. If removed by accident or broken, the package can be installed after enabling the subscription management repositories.
- To install packages on RHEL 8 / CentOS 8 we can use the dnf command. Use the command below to install openssl:
# dnf install openssl
- If the installed package is somehow broken, dnf can also be used to reinstall it:
# dnf reinstall openssl
openssl has many functions, but for a simple functional test we don't want to fiddle with certificate stores, so we'll use it as a client to connect to a remote SSL-ready website, then get and verify its SSL certificate and the certificate's chain.
This is the same thing any security-aware browser does before showing whether the connection to a web page is secure or not. We'll get the certificate chain of the website home to this tutorial:
# openssl s_client -connect linuxconfig.org:443 --showcerts
If you are not familiar with PKI and the whole certificate business, the lengthy output will look alien at first glance (maybe at the second look, too). Experienced eyes can see the certificate chain from this output, but for the question of "is this site using a trusted certificate?", the answer is in the last few lines:
[...]
    Start Time: 1546710774
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
We also verified our openssl tool is working.
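The check on the "Verify return code" line described above can be scripted instead of read by eye. The following is an added example, not part of the original tutorial; the function names `verify_codes` and `chain_trusted` are hypothetical, and the second sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): decide whether `openssl s_client`
# reported a trusted chain by reading its "Verify return code:" lines.
# s_client completes the handshake even when verification fails unless
# -verify_return_error is given, so the result line has to be checked.

# Print every numeric verify code found on stdin, one per line.
# (TLS 1.3 output can repeat the line once per session ticket.)
verify_codes() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = all codes are 0 (ok), 1 = a verification error was
# reported, 2 = no result line at all (e.g. the connection failed).
chain_trusted() {
    codes=$(verify_codes)
    [ -n "$codes" ] || return 2
    for code in $codes; do
        [ "$code" -eq 0 ] || return 1
    done
    return 0
}

# Tail of the output quoted in the tutorial.
SAMPLE_OK='    Start Time: 1546710774
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no'

# Constructed sample: the same tail for a server with an expired certificate.
SAMPLE_EXPIRED='    Start Time: 1546710774
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no'

for name in SAMPLE_OK SAMPLE_EXPIRED; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | chain_trusted; then
        echo "$name: chain trusted"
    else
        echo "$name: NOT trusted"
    fi
done

# Live use (needs network access):
#   openssl s_client -connect linuxconfig.org:443 </dev/null 2>/dev/null | chain_trusted
```

A status of 2 separates "no verification result in the output" from an actual verification error, which matters when the check runs unattended in a monitoring job.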