# .crt .ca .key generated under LibreSSL vs OpenSSL.



## bryn1u (Feb 16, 2018)

Hello guys,

I'm using OpenVPN under FreeBSD and HardenedBSD.

HardenedBSD has implemented LibreSSL, which is a great, secure step forward. FreeBSD is still using OpenSSL. I have generated .crt .ca .key with easy-rsa under FreeBSD. I moved it all, keys and certs, to HardenedBSD where LibreSSL is, and everything works great. My question is: Are there any differences of some kind in the way those certs are generated under OpenSSL and LibreSSL? Or are they just tools? I admit that it is much easier to use easy-rsa than to do it manually under HBSD, where easy-rsa is not supported.

Thanks,


----------



## SirDice (Feb 16, 2018)

The certificates should be the same, it's a standard: https://en.wikipedia.org/wiki/X.509

There could be differences in the supported algorithms though, but that doesn't change the format of an X.509 certificate.


----------



## Sensucht94 (Feb 16, 2018)

I think the format is the same, though LibreSSL should have fixed some critical OpenSSL vulnerabilities, as I read on libressl.org, and, as of 2015 (I don't think it's been updated yet), OpenBSD's LibreSSL security track record evidenced a clear gap in the high-risk CVE count between the two.

That said, security/libressl is in ports, and although the base system relies on OpenSSL, nobody keeps one from installing it if preferred. To use it as the default SSL library provider, you can add:

```
DEFAULT_VERSIONS= ssl=libressl
```
to your /etc/make.conf, and make will rely on it to compile ports.

Moreover, since base ssl is /usr/bin/openssl, I set an alias like:

```
alias  libressl   /usr/local/bin/openssl
```
in my .tcshrc, in order to safely use the version provided by security/libressl to produce .pem RSA keys and certs.


----------
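
The replies above say that X.509 files produced by one toolkit are readable by the other; this can be checked directly. The script below is an added example, not part of any post in this thread: it generates a throwaway CA and server certificate with one binary, then verifies the chain and the key/cert match with the other. The function names, subject names and the `BASE_SSL`/`PORT_SSL` variables are assumptions for illustration; the two default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: cross-check a CA/cert/key bundle between two SSL toolkits.
# Paths are the ones named in the thread; override via BASE_SSL / PORT_SSL.

# make_bundle BIN DIR: throwaway CA plus a CA-signed server cert (constructed data).
make_bundle() {
    bin=$1; dir=$2
    "$bin" req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    "$bin" req -newkey rsa:2048 -nodes -sha256 -subj "/CN=server.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    "$bin" x509 -req -sha256 -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# check_bundle BIN CA CERT KEY
# 0 = chain verifies and key matches; 1 = chain fails; 2/3 = parse error; 4 = key mismatch
check_bundle() {
    bin=$1; ca=$2; cert=$3; key=$4
    "$bin" verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    cert_pub=$("$bin" x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$("$bin" pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 4
}

# cross_check GEN_BIN CHECK_BIN: generate with one toolkit, validate with the other.
cross_check() {
    tmp=$(mktemp -d) || return 10
    if make_bundle "$1" "$tmp" &&
       check_bundle "$2" "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key"
    then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return "$rc"
}

BASE=${BASE_SSL:-/usr/bin/openssl}
PORT=${PORT_SSL:-/usr/local/bin/openssl}
if [ -x "$BASE" ] && [ -x "$PORT" ]; then
    "$BASE" version; "$PORT" version
    cross_check "$BASE" "$PORT" && echo "base -> port: bundle accepted"
    cross_check "$PORT" "$BASE" && echo "port -> base: bundle accepted"
fi
```

`check_bundle` can also be pointed at an existing easy-rsa output directory after copying it to the new host, to confirm the key still belongs to the certificate and the certificate still chains to the CA.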



## SirDice (Feb 16, 2018)

> Moreover, since base ssl is /usr/bin/openssl, I set an alias like:
> 
> ```
> alias  libressl   /usr/local/bin/openssl
> ```


Hey, that's a simple, smart idea, I might have to steal that.


----------

