.crt .ca .key generated under LibreSSL vs OpenSSL.


Well-Known Member


Hello guys,

I'm using OpenVPN under FreeBSD and HardenedBSD.

HardenedBSD has implemented LibreSSL, which is a great security step forward. FreeBSD is still using OpenSSL. I have generated .crt .ca .key with easy-rsa under FreeBSD. I moved it all, keys and certs, to HardenedBSD, where LibreSSL is, and everything works great. My question is: are there any differences in the way those certs are generated under OpenSSL and LibreSSL? Or are they just tools? I admit that it is much easier to use easy-rsa than to do it manually under HBSD, where easy-rsa is not supported.



Well-Known Member


I think the format is the same, though LibreSSL should have fixed some critical OpenSSL vulnerabilities, as I read on libressl.org, and, as of 2015 (I don't think it's been updated yet), OpenBSD's LibreSSL security track record evidenced a clear gap in the high-risk CVE count between the two.

That said, security/libressl is in ports, and although the base system relies on OpenSSL, nothing keeps one from installing it if preferred. To use it as the default SSL library provider, you can add:
DEFAULT_VERSIONS= ssl=libressl
to your /etc/make.conf, and make will rely on it to compile ports.

Moreover, since base ssl is /usr/bin/openssl, I set an alias like:
alias  libressl   /usr/local/bin/openssl
in my .tcshrc, in order to safely use the version provided by security/libressl to produce .pem RSA keys and certs.


Staff member


> Moreover, since base ssl is /usr/bin/openssl, I set an alias like:
> alias  libressl   /usr/local/bin/openssl
Hey, that's a simple, smart idea, I might have to steal that :)
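
An added example, not written by any poster in this thread: a POSIX sh script that generates a throwaway RSA key and self-signed certificate with one `openssl` binary and checks them with another, which is one way to test the interoperability asked about above. The function names and the certificate subject are made up for illustration; the two default binary paths are the ones mentioned in the thread.

```sh
#!/bin/sh
# Added example. ssl_flavor and cross_check are hypothetical helper names.

# Classify the first line printed by "<binary> version".
ssl_flavor() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# cross_check GEN_BIN CHK_BIN
# Generate a key and self-signed cert with GEN_BIN, then have CHK_BIN parse
# both, compare their RSA moduli, and verify the certificate's signature.
cross_check() {
    gen=$1; chk=$2
    tmp=$(mktemp -d) || return 1
    rc=1
    if "$gen" req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-test" \
            -keyout "$tmp/test.key" -out "$tmp/test.crt" >/dev/null 2>&1
    then
        key_mod=$("$chk" rsa  -noout -modulus -in "$tmp/test.key" 2>/dev/null)
        crt_mod=$("$chk" x509 -noout -modulus -in "$tmp/test.crt" 2>/dev/null)
        # The key must parse, match the cert, and the cert must verify.
        if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] &&
           "$chk" verify -CAfile "$tmp/test.crt" "$tmp/test.crt" >/dev/null 2>&1
        then
            rc=0
        fi
    fi
    rm -rf "$tmp"   # the throwaway private key never outlives the check
    return $rc
}

# Usage: sh crosscheck.sh /usr/bin/openssl /usr/local/bin/openssl
if [ "$#" -eq 2 ]; then
    for bin in "$1" "$2"; do
        echo "$bin: $(ssl_flavor "$("$bin" version)")"
    done
    if cross_check "$1" "$2" && cross_check "$2" "$1"; then
        echo "key and cert are readable in both directions"
    else
        echo "cross-check failed" >&2
        exit 1
    fi
fi
```

The script is written for `/bin/sh`, not tcsh, so it calls the binaries by path and does not depend on the `libressl` alias.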