How To Install OpenSSL on Ubuntu


If you’re running a web server, building a secure app, or working with SSL/TLS certificates, you need OpenSSL — the gold-standard open-source toolkit for cryptography and secure communications. Without it, your Ubuntu system can’t generate certificates, encrypt data, or verify SSL connections. This guide walks you through exactly how to set up OpenSSL on Ubuntu, from a fresh system all the way to generating your first certificate. Whether you’re a developer or a sysadmin, you’ll have a fully working OpenSSL setup by the end.

Prerequisites

  • Ubuntu 22.04 LTS (Jammy Jellyfish) or Ubuntu 24.04 LTS (Noble Numbat) — tested on both
  • A user account with sudo privileges
  • Access to a terminal (local or via SSH)
  • A stable internet connection
  • Basic familiarity with the Linux command line

Step 1: Update Your System Package Index

Before installing anything on Ubuntu, always refresh your package list. This ensures apt knows about the latest available versions.

sudo apt update && sudo apt upgrade -y

What this does: apt update fetches the latest package metadata from Ubuntu’s repositories. apt upgrade -y applies any pending system updates automatically. Skipping this step can cause version conflicts or install outdated packages.

Verify the Step Succeeded

lsb_release -a

You should see your Ubuntu version confirmed in the output, e.g., Ubuntu 24.04.1 LTS.

Step 2: Install OpenSSL on Ubuntu

Now install OpenSSL directly from Ubuntu’s default APT repository — no manual downloads needed.

sudo apt install openssl -y

What this does: apt install openssl pulls the OpenSSL package that Ubuntu ships for your release, along with its dependencies, from Ubuntu’s official mirror. The -y flag auto-confirms the prompt so you don’t need to type “yes.”

On Ubuntu 22.04, you’ll get OpenSSL 3.0.x. On Ubuntu 24.04, you’ll get OpenSSL 3.0.13 or later.

💡 Pro Tip: If you also need the OpenSSL development headers for compiling C/C++ applications, install the dev library too:

sudo apt install libssl-dev -y

This provides header files like openssl/ssl.h required by many build systems.

Verify the Installation

openssl version

Expected output on Ubuntu 24.04:

OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

Step 3: Explore the OpenSSL Configuration

Understanding where OpenSSL stores its configuration is key for advanced use — especially when you generate certificates.

openssl version -d

Expected output:

OPENSSLDIR: "/usr/lib/ssl"

This shows the OPENSSLDIR — the directory where OpenSSL looks for its default config file (openssl.cnf) and root certificates. On Ubuntu, /usr/lib/ssl is a symlink to /etc/ssl.

Inspect the SSL Directory

ls -la /usr/lib/ssl

You’ll see entries like:

certs -> /etc/ssl/certs
openssl.cnf -> /etc/ssl/openssl.cnf
private -> /etc/ssl/private

Step 4: Configure OpenSSL on Linux

The main OpenSSL configuration file lives at /etc/ssl/openssl.cnf. You won’t need to edit this for most standard tasks, but knowing its location matters when you create custom certificates or a private CA.

sudo nano /etc/ssl/openssl.cnf

Key sections to know:

  • [ req ] — Controls certificate request defaults
  • [ req_distinguished_name ] — Sets default subject fields (country, org name, etc.)
  • default_days — How long self-signed certs remain valid

🔐 Security Best Practice: Set default_days to 365 or less for production certificates. Long-lived certificates increase your attack surface if a private key is ever compromised.

Save and Exit

Press Ctrl+X, then Y, then Enter to save in nano.

Step 5: Generate a Private Key and Self-Signed Certificate

This is where OpenSSL earns its keep. You’ll generate an RSA private key and a self-signed SSL certificate — useful for development servers, internal tools, and testing.

Generate a 2048-bit RSA Private Key

openssl genrsa -out mykey.pem 2048

What this does: Creates a 2048-bit RSA private key and saves it to mykey.pem. Never share this file.

Create a Self-Signed Certificate

openssl req -new -x509 -key mykey.pem -out mycert.pem -days 365

OpenSSL will prompt you for certificate fields:

Country Name (2 letter code) [AU]: ID
State or Province Name [Some-State]: Yogyakarta
Locality Name []: Yogyakarta
Organization Name []: MyOrg
Common Name []: localhost

What this does: req -new -x509 generates a new certificate signing request and self-signs it in one step. -days 365 sets a 1-year validity window.

Verify the Certificate Was Created

openssl x509 -in mycert.pem -text -noout | head -20

You should see the certificate details including issuer, validity dates, and the public key.
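
A scripted version of Step 5 that skips the prompts, as an added example rather than part of the original guide: it supplies the subject with -subj, adds a subjectAltName, then checks the key's permissions and that the key and certificate belong together. The function names, the subject values and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: Step 5 without interactive prompts. File names follow the
# tutorial; the subject fields and function names are assumptions.

# make_dev_cert DIR CN DAYS: writes DIR/mykey.pem and DIR/mycert.pem
make_dev_cert() (
    dir=$1; cn=$2; days=$3
    umask 077   # everything created below is readable by the owner only
    openssl genrsa -out "$dir/mykey.pem" 2048 2>/dev/null || exit 1
    # -subj answers the prompts; -addext adds the subjectAltName that
    # current TLS clients match hostnames against.
    openssl req -new -x509 -key "$dir/mykey.pem" -out "$dir/mycert.pem" \
        -days "$days" -subj "/C=ID/ST=Yogyakarta/O=MyOrg/CN=$cn" \
        -addext "subjectAltName=DNS:$cn"
)

# key_mode FILE: prints the octal permission bits (GNU stat, as on Ubuntu)
key_mode() { stat -c '%a' "$1"; }

# cert_san CERT: prints the subjectAltName value, e.g. DNS:localhost
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2s/^ *//p'
}

# key_matches_cert KEY CERT: succeeds only if CERT carries KEY's public half
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a throwaway directory (constructed values)
demo_dir=$(mktemp -d)
make_dev_cert "$demo_dir" localhost 365 &&
    echo "mode=$(key_mode "$demo_dir/mykey.pem") san=$(cert_san "$demo_dir/mycert.pem")"
key_matches_cert "$demo_dir/mykey.pem" "$demo_dir/mycert.pem" &&
    echo "key and certificate match"
rm -rf "$demo_dir"
```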

Step 6: Test SSL/TLS Connectivity

Use OpenSSL to verify a live SSL connection to any HTTPS server — a great way to confirm your OpenSSL install is fully working.

openssl s_client -connect google.com:443

What this does: Opens a raw TLS connection to google.com on port 443 and dumps the full certificate chain and handshake details. Press Ctrl+C to exit.

Check a Server’s Certificate Expiry Date

echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dates

Expected output:

notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2026 GMT

💡 Pro Tip: Bookmark this command. Replace google.com with any domain to quickly check certificate expiry on your own servers — no browser needed.
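
The expiry check above can be turned into a pass/fail test with -checkend, shown here as an added example that is not from the original guide. cert_status (a hypothetical name) reads a certificate from stdin, so it accepts the same s_client pipeline; the demo certificate is constructed locally so the block runs offline.

```shell
#!/bin/sh
# Added example: classify a certificate read from stdin by the time it has
# left. The function name and thresholds are assumptions.

# cert_status WARN_DAYS < cert.pem
# prints one of: expired | expiring | ok | unreadable
cert_status() {
    warn_secs=$(( $1 * 86400 ))
    pem=$(cat)
    # Reject input that does not parse as a certificate, for example the
    # empty output s_client leaves behind when it could not connect.
    printf '%s\n' "$pem" | openssl x509 -noout -subject >/dev/null 2>&1 ||
        { echo unreadable; return 2; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo expired; return 1
    elif ! printf '%s\n' "$pem" |
            openssl x509 -noout -checkend "$warn_secs" >/dev/null; then
        echo expiring; return 1
    fi
    echo ok
}

# Demo on a constructed 10-day certificate (throwaway key, no network needed)
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k.pem" \
    -out "$tmp/c.pem" -days 10 -subj "/CN=constructed.example" 2>/dev/null
echo "30-day threshold: $(cert_status 30 < "$tmp/c.pem")"
echo "5-day threshold:  $(cert_status 5 < "$tmp/c.pem")"
rm -rf "$tmp"

# With a live server, feed it the pipeline from this step instead:
# echo | openssl s_client -connect your.server:443 2>/dev/null | cert_status 30
```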

Step 7: (Optional) Install OpenSSL from Source on Linux

If you need a specific OpenSSL version not available in apt — common for enterprise compliance requirements — you can compile from source.

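sudo apt install build-essential wget -y
wget https://www.openssl.org/source/openssl-3.3.0.tar.gz
# Compare this digest with the SHA256 published on the OpenSSL website before unpacking
sha256sum openssl-3.3.0.tar.gz
tar -xvzf openssl-3.3.0.tar.gz
cd openssl-3.3.0
# The -Wl,-rpath option makes the new binary load its own libssl/libcrypto instead of the system copies
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl '-Wl,-rpath,$(LIBRPATH)'
make
sudo make install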

Update the Library Cache

sudo ldconfig

Verify the Source-Built Version

/usr/local/openssl/bin/openssl version

🔐 Security Best Practice: Always verify the checksum of source tarballs before compiling. Download the SHA256 hash from the official OpenSSL website, run sha256sum openssl-3.3.0.tar.gz, and confirm that the two values match.
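
One way to enforce the checksum check above as a hard stop before unpacking (added example, not from the original guide or the OpenSSL project). verify_sha256 is a hypothetical helper and the sample file is constructed; the expected digest for a real tarball must be copied from the OpenSSL website.

```shell
#!/bin/sh
# Added example: refuse to unpack the Step 7 tarball unless its SHA-256
# matches the published digest. verify_sha256 is a hypothetical helper.

# verify_sha256 FILE EXPECTED_HEX: returns 0 match, 1 mismatch, 2 unusable input
verify_sha256() {
    file=$1
    # Tolerate upper case and stray whitespace from copy and paste.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters. Refuse anything else so
    # an empty or truncated value can never count as a match.
    case $want in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    got=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "SHA-256 mismatch for $file (got $got)" >&2
        return 1
    fi
}

# Demo on a constructed file; "abc" has a well-known SHA-256 test vector.
sample=$(mktemp)
printf 'abc' > "$sample"
abc_digest=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
verify_sha256 "$sample" "$abc_digest" && echo "digest matches, safe to unpack"
printf 'tampered' >> "$sample"
verify_sha256 "$sample" "$abc_digest" 2>/dev/null || echo "digest differs, stop here"
rm -f "$sample"

# Real use (the digest is a placeholder to be copied from the OpenSSL website):
# verify_sha256 openssl-3.3.0.tar.gz "<published sha256>" && tar -xzf openssl-3.3.0.tar.gz
```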

Troubleshooting Common OpenSSL Errors

Error 1: openssl: command not found

Cause: OpenSSL is not installed or not in your $PATH.

Fix:

sudo apt install openssl -y
which openssl

Error 2: unable to load certificate or PEM_read_bio failures

Cause: Your .pem file is malformed or has incorrect line endings (common when copying from Windows).

Fix:

sed -i 's/\r//' mycert.pem

Error 3: SSL_CTX_use_certificate_file — no such file or directory

Cause: Your application is looking for a certificate in the wrong path.

Fix:

ls -la /etc/ssl/certs/
realpath mycert.pem

Error 4: verify error:num=18:self signed certificate

Cause: You used a self-signed cert and OpenSSL’s verification flagged it. This is expected behavior — not a bug.

Fix:

sudo cp mycert.pem /usr/local/share/ca-certificates/mycert.crt
sudo update-ca-certificates

Error 5: libssl-dev headers missing during compilation

Cause: The dev package isn’t installed, so gcc/g++ can’t find OpenSSL headers.

Fix:

sudo apt install libssl-dev pkg-config -y

Frequently Asked Questions

Is OpenSSL pre-installed on Ubuntu?

Sometimes, but not always. Ubuntu 22.04 and 24.04 often include a base version, but it may be outdated. Running sudo apt install openssl ensures you have the latest stable version.

What’s the difference between openssl and libssl-dev?

openssl is the command-line tool and runtime library used to generate certs and test connections. libssl-dev is the development package containing header files needed to compile applications that use OpenSSL. You need both if you’re a developer.

How do I check which OpenSSL version is installed?

Run openssl version in your terminal. For full build details including compile flags, run openssl version -a.

Can I run multiple OpenSSL versions on the same system?

Yes. You can install a custom version from source at /usr/local/openssl/ while keeping the system version at /usr/bin/openssl. Just be explicit about which binary you call.

How do I uninstall OpenSSL on Ubuntu?

Use sudo apt purge openssl -y to remove it. Note that many system packages depend on OpenSSL, so purging may affect other tools.

Marshall Anthony is a professional Linux DevOps writer with a passion for technology and innovation. With over 8 years of experience in the industry, he has become a go-to expert for anyone looking to learn more about Linux.
