Compile OpenSSL from sources

OpenSSL 3.0.9 FIPS and 1.1.1

The OpenSSL library is used for:

  • self-signed certificates, chaining certificates to one another, removing secrets from private keys, etc.
  • it is just more convenient to do this outside of the Mikrotik or NetScaler box, especially for someone who does not do it on a regular basis


Debian 12


  • Details about OpenSSL can be found on github
  • All releases can be found here


  • preferably, a machine with Linux
  1. Install Debian / Rocky
  2. Install VM tools
# Rocky contains an alternative way of installing the management tools
# the method below works for the CentOS 8 Stream which is not supported anymore
sudo mount /dev/cdrom /mnt
sudo bash /mnt/Linux/ -d rhel -m 8
sudo umount /dev/cdrom

Debian 12 - OpenSSL

# login as sudoUser

# install prerequisites
sudo apt install build-essential

mkdir -p sources
cd sources
tar -xf openssl-3.0.9.tar.gz 
cd openssl-3.0.9/
./Configure enable-fips

make test
sudo make install

openssl version

### at this stage openssl is ready; further configuration concerns FIPS compliance

### Configuring the FIPS provider
openssl version -d
# Locate the openssl.cnf file in the OPENSSLDIR directory and load it into an editor
# find the line that includes the fipsmodule.cnf file, uncomment it, and replace the filename with the full absolute path to fipsmodule.cnf

.include /usr/local/ssl/fipsmodule.cnf

# do not use a relative filename
# find the line specifying the fips section and uncomment it
fips = fips_sect

# next load the fipsmodule.cnf file (in the same directory) into an editor
# for now we are going to stop the FIPS provider from activating itself by default
# this way we can use the FIPS provider if we want to, but we can also use OpenSSL without FIPS
# comment out the "activate" line:

# activate = 1

# Note that it is NOT sufficient to set activate to 0; the line has to be commented out

# Check that everything worked

openssl list -providers -provider fips -provider base

# If we don't explicitly load the fips/base providers then we should get the default provider

openssl list -providers
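
A small lint for the two files edited in the steps above, as an added example (not part of the original page or of OpenSSL). It checks that openssl.cnf includes fipsmodule.cnf by absolute path, that "fips = fips_sect" is uncommented, and that fipsmodule.cnf has no active "activate" line; the function name check_fips_config is hypothetical and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: lint the opt-in FIPS layout described on this page.
# Usage: check_fips_config /usr/local/ssl/openssl.cnf /usr/local/ssl/fipsmodule.cnf
# Returns the number of problems found (0 = configuration matches the steps).
check_fips_config() {
    cnf=$1 mod=$2 problems=0

    # 1. An uncommented .include must name fipsmodule.cnf by absolute path.
    inc=$(sed -n 's/^[[:space:]]*\.include[[:space:]=]*\(.*fipsmodule\.cnf\)[[:space:]]*$/\1/p' "$cnf" | head -n 1)
    case $inc in
        /*) ;;  # absolute path, as required
        '') echo "FAIL: no active .include for fipsmodule.cnf in $cnf"
            problems=$((problems + 1)) ;;
        *)  echo "FAIL: .include uses a relative path: $inc"
            problems=$((problems + 1)) ;;
    esac

    # 2. The fips section must be referenced by an uncommented line.
    if ! grep -Eq '^[[:space:]]*fips[[:space:]]*=[[:space:]]*fips_sect' "$cnf"; then
        echo "FAIL: 'fips = fips_sect' is missing or still commented out in $cnf"
        problems=$((problems + 1))
    fi

    # 3. Any uncommented activate line counts as a problem, including
    #    "activate = 0", which the page notes is not sufficient.
    act=$(grep -E '^[[:space:]]*activate[[:space:]]*=' "$mod" || true)
    if [ -n "$act" ]; then
        echo "FAIL: active line in $mod (comment it out): $act"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: FIPS provider is available but not activated by default"
    return "$problems"
}
```

Run it before the "openssl list -providers" checks; a non-zero return value is the number of findings.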


### Make everything use FIPS

Rocky 8 - Open SSL

Compile OpenSSL from sources

# Install prereq packages and libraries
yum group install 'Development Tools'
yum install perl-core zlib-devel -y
#download openssl - at this point of time 1.1.1n
tar -xf openssl-1.1.1n.tar.gz
cd openssl-1.1.1n
openssl version -a
# 1.1.1k in the system
# now the existing version is replaced by the one downloaded
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
make test
# wait until the compilation process ends
# once completed, install OpenSSL
make install
# configure shared libraries for OpenSSL
cd /etc/
nano openssl-1.1.1n.conf
# paste the openssl library path directory
# reload dynamic link
ldconfig -v
# configure openSSL binary, to have it linked with the version compiled
mv /bin/openssl /bin/
# create new environment for OpenSSL
nano /etc/profile.d/
# paste following content
export PATH
# save and exit
# add execute permissions to
chmod +x /etc/profile.d/
# load OpenSSL environment and check the PATH bin directory
source /etc/profile.d/
echo $PATH
which openssl
# should result as /usr/local/ssl/bin/openssl
# it would mean that OpenSSL on CentOS has been updated
openssl version
# should result with 1.1.1n


It may be far from perfect, but it is good enough for a home lab. Tested on Debian 12.5 and CentOS 8 Stream, with OpenSSL 3.0.9 FIPS and 1.1.1n.

Last update: 2024.06.25
