OpenSSL is the TLS and cryptography toolkit behind HTTPS, openssl CLI certificate operations, and the libssl libraries linked by nginx, OpenSSH, Python, and thousands of other packages. Ubuntu ships OpenSSL 3.x in main—on most machines it is already installed before you run any extra steps.
This guide shows how to install or reinstall OpenSSL on Ubuntu, add libssl-dev when you compile software, verify versions with real command output, and create a test key and certificate. I also cover when a source build is justified—and when apt is the right choice.
Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic; amd64.
Prerequisites
- Ubuntu 22.04 LTS, 24.04 LTS, or newer (25.04 tested here) on amd64 or arm64.
- sudo for package installation.
- For compiling against OpenSSL:
build-essentialpluslibssl-dev.
See check Ubuntu version if you are unsure which release you are on.
Choose an install method
| Method | Best for | Jump to |
|---|---|---|
Ubuntu apt (openssl) |
Most users, servers, and developers who only need the CLI and distro-maintained libraries | Method 1 |
Ubuntu apt (libssl-dev) |
Developers compiling C/C++, Python extensions, or nginx modules against OpenSSL | Method 2 |
| Build from upstream source | Advanced users who need a custom prefix or upstream tarball outside Ubuntu security updates | Method 3 |
For almost every Ubuntu system, use apt. Ubuntu’s security team patches openssl through the archive—replacing it with a hand-built /usr/local/ssl copy shifts that burden to you.
Method 1: Install OpenSSL from Ubuntu apt (recommended)
Check whether openssl is already present:
openssl version
dpkg -l opensslOn Ubuntu 25.04:
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
ii openssl 3.4.1-1ubuntu4 amd64 Secure Sockets Layer toolkit - cryptographic utilityIf the package is missing, refresh and install:
sudo apt update
apt-cache policy openssl
sudo apt install -y opensslReinstall when the binary behaves oddly after a partial upgrade:
sudo apt install --reinstall opensslConfirm the CLI path:
which openssl
openssl list -digest-algorithms | head -5For day-to-day TLS tasks, see the OpenSSL cheatsheet on this site.
Method 2: Install OpenSSL development headers (libssl-dev)
Install headers when you build software that links against libssl (custom nginx modules, some Ruby/Python native gems, C projects):
sudo apt install -y libssl-dev
dpkg -l libssl-devii libssl-dev 3.4.1-1ubuntu4 amd64 Secure Sockets Layer toolkit - development fileslibssl-dev version should match the openssl runtime package from the same archive pocket.
Method 3: Build OpenSSL from upstream source (advanced)
/usr/local/ssl does not replace Ubuntu’s system libssl used by apt packages. Mixing two OpenSSL versions on one host causes link errors and missed security updates. Use this path only in isolated build containers or when you fully control PATH and LD_LIBRARY_PATH.
Install build dependencies (includes cURL to download the tarball):
sudo apt update
sudo apt install -y build-essential checkinstall zlib1g-dev curlDownload a stable release from openssl.org/source—avoid alpha tarballs for production:
cd /usr/local/src
sudo curl -LO https://www.openssl.org/source/openssl-3.4.1.tar.gz
sudo tar -xzf openssl-3.4.1.tar.gz
cd openssl-3.4.1Configure with a dedicated prefix:
sudo ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib linux-x86_64
sudo make -j"$(nproc)"
sudo make test
sudo make installAdd /usr/local/ssl/bin to your user PATH in ~/.bashrc—do not overwrite /usr/bin/openssl on a desktop server.
Verify the custom build:
/usr/local/ssl/bin/openssl versionVerify OpenSSL after install
| Check | Command |
|---|---|
| CLI version | openssl version -a |
| Package version | apt-cache policy openssl |
| Linked library (one binary) | `ldd "$(which openssl)" |
openssl version -aLook for OpenSSL and built on: lines that match your expected Ubuntu or custom build.
Generate a test key and self-signed certificate
Use this to learn the toolchain or for local HTTPS labs—not for public websites.
Create a 2048-bit key:
openssl genrsa -out server.key 2048
chmod 600 server.keyCreate a certificate signing request and self-signed cert (one year):
openssl req -new -key server.key -out server.csr -subj "/CN=localhost"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
ls -l server.key server.csr server.crtInspect the certificate:
openssl x509 -in server.crt -noout -subject -datesFor production PKI workflows, continue with OpenSSL CA vs x509 and X.509 extensions on this site.
Troubleshooting
| Symptom | Fix |
|---|---|
openssl: command not found |
sudo apt install openssl |
libssl.so errors when compiling |
sudo apt install libssl-dev and rebuild your project |
version shows old number after source install |
You are calling /usr/bin/openssl; check which -a openssl |
apt wants to remove half the system when purging openssl |
Stop—openssl is a core dependency; reinstall instead of purge |
Uninstall notes
- libssl-dev only:
sudo apt purge libssl-dev - Custom
/usr/local/sslbuild: remove the directory and drop PATH entries you added - Do not
apt purge opensslon a normal system
Summary
On Ubuntu, OpenSSL is usually already installed. Use sudo apt install openssl libssl-dev when you need the CLI or headers, verify with openssl version, and prefer apt security updates over hand-built copies unless you have a strong isolation reason. Generate test keys with openssl genrsa and openssl x509 for learning; use proper CA certificates for real services.
References
- OpenSSL project
- OpenSSL 3.4 man pages
- On-site: OpenSSL cheatsheet, duplicate certificates, check Ubuntu version
