As interconnected computer networks enter more and more fields of everyday life, cybersecurity is becoming more and more important. We protect our websites, the traffic on our websites, the computers we initiate the traffic from, maybe (part of) the disks our operating systems run from, our connection to work, the computers we attach to at work, and so on.
openssl is an essential tool on any recent GNU/Linux distribution if one has to work with various certificates.
In this tutorial we will install (and reinstall) the openssl package, and test its functionality by checking a website's certificate chain with its help.
In this tutorial you will learn:
- How to install openssl
- How to reinstall openssl
- How to check a website’s SSL certificate chain with openssl
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | RHEL 8 / CentOS 8 |
Software | openssl 1.1.1.1 |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command; $ – requires given linux commands to be executed as a regular non-privileged user |
How to install ssl on RHEL 8 / CentOS 8 step by step instructions
openssl is a base package present by default on even a minimal RHEL 8 / CentOS 8 installation. If removed by accident or broken, the package can be installed after enabling the subscription management repositories.
- To install packages on RHEL 8 / CentOS 8 we can use the dnf command. Use the command below to install the openssl package:

  ```
  # dnf install openssl
  ```
- If the installed package is somehow broken, dnf can also be used to reinstall it:

  ```
  # dnf reinstall openssl
  ```
openssl has many functions, but for a simple functional test we don't want to fiddle with certificate stores, so we'll use it as a client to connect to a remote SSL-ready website, and get and verify its SSL certificate and the certificate's chain. This is the same thing any security-aware browser does before showing whether the connection to a web page is secure or not. We'll get the certificate chain of the website that is home to this tutorial:

```
# openssl s_client -connect linuxconfig.org:443 -showcerts
```
If you are not familiar with PKI and the whole certificate business, the lengthy output will look alien at first glance (and maybe at the second, too). Experienced eyes can read the certificate chain from this output, but for the question of "is this site using a trusted certificate?", the answer is in the last few lines:
```
[...]
    Start Time: 1546710774
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```
We also verified our openssl tool is working.
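
To script the same check instead of reading the output by eye, the sketch below (an added example, not part of the original tutorial) parses s_client output and reports whether every "Verify return code" is 0. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn `openssl s_client -showcerts` output into a yes/no answer.

# Print every numeric "Verify return code" found on stdin, one per line.
# A TLS 1.3 session can print the session summary more than once.
verify_codes() {
    sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Exit status 0: every reported code is 0 (ok). 1: some code is non-zero.
# 2: no code at all (connection or handshake failed), treated as untrusted.
chain_trusted() {
    codes=$(verify_codes)
    [ -n "$codes" ] || return 2
    ! printf '%s\n' "$codes" | grep -qv '^0$'
}

# Count the PEM certificates that -showcerts printed.
chain_length() {
    grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Live check (needs network, so it is not called here).
# </dev/null makes s_client exit after the handshake instead of waiting.
check_site() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | chain_trusted
}

# Constructed samples (not captured from a real host).
SAMPLE_OK='Certificate chain
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'
SAMPLE_EXPIRED='    Verify return code: 10 (certificate has expired)'

for sample in "$SAMPLE_OK" "$SAMPLE_EXPIRED" ""; do
    if printf '%s\n' "$sample" | chain_trusted; then
        echo "trusted"
    else
        echo "not trusted (status $?)"
    fi
done
```

By default s_client completes the handshake even when verification fails, which is why the return code has to be read; adding -verify_return_error makes it abort on a verification error instead.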