Cryptography & TLS

Crypto policies, FIPS mode, certificate management, and TLS configuration on RHEL 10.

Crypto Policies

RHEL 10 uses the update-crypto-policies tool to manage system-wide cryptographic settings. Available profiles: DEFAULT, LEGACY, FIPS, FIPS-ONLY.

# View current policy
update-crypto-policies --show

# Change to LEGACY (supports older ciphers)
sudo update-crypto-policies --set LEGACY

# Change to FIPS mode
sudo update-crypto-policies --set FIPS

# FIPS-ONLY (FIPS without legacy fallback)
sudo update-crypto-policies --set FIPS-ONLY

# Custom policy: write a subpolicy module and apply it on top of a base policy.
# Module files live in /etc/crypto-policies/policies/modules/*.pmod
sudo tee /etc/crypto-policies/policies/modules/MYPOLICY.pmod <<'EOF'
min_rsa_size = 3072
hash = -SHA2-224
EOF
sudo update-crypto-policies --set DEFAULT:MYPOLICY

# A new policy applies to newly started processes; restart affected
# services, and reboot for FIPS changes
sudo reboot

FIPS Mode

# Check FIPS status
cat /proc/sys/crypto/fips_enabled

# Enable FIPS (requires reboot): add fips=1 to the kernel command line and
# switch the crypto policy to FIPS so userspace libraries follow the kernel
sudo grubby --update-kernel=ALL --args="fips=1"
sudo update-crypto-policies --set FIPS
sudo reboot

# Verify after reboot: the kernel flag should read 1 and the policy should be FIPS
cat /proc/sys/crypto/fips_enabled
update-crypto-policies --show

# FIPS-compliant SSH (only FIPS-approved ciphers)
sudo sshd -T | grep -i cipher

Certificate Management

# Install OpenSSL tools
sudo dnf install -y openssl

# Generate a private key and CSR
sudo openssl req -newkey rsa:4096 -nodes \
  -keyout /etc/pki/tls/private/server.key \
  -out /etc/pki/tls/certs/server.csr \
  -subj '/CN=server.example.com/O=MyOrg/C=US'

# Self-signed certificate (testing)
sudo openssl req -x509 -newkey rsa:4096 -nodes \
  -sha256 -days 365 \
  -keyout /etc/pki/tls/private/server.key \
  -out /etc/pki/tls/certs/server.crt

# Check certificate details
openssl x509 -in /etc/pki/tls/certs/server.crt -text -noout

# Verify certificate against CA
openssl verify -CAfile ca.crt server.crt
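The commands above generate a CSR and verify a certificate against a CA file, but never show how the CA itself or the signed server certificate comes about. The following added example (not from the RHEL 10 page) builds a throwaway test PKI in a scratch directory with the same openssl CLI: a private CA, a server key and CSR with the subject used above, a CA-signed leaf certificate carrying a subjectAltName, and the checks a practitioner runs before deploying it (chain, hostname, remaining validity). The directory layout, the "Test Root CA" name and the extension files are constructed for this example.

```shell
#!/bin/sh
# Added example: throwaway test PKI built with the openssl CLI only.
# All paths and names below are constructed for this demonstration.
set -eu

# make_test_pki DIR: writes ca.key, ca.crt, server.key, server.csr, server.crt into DIR
make_test_pki() {
    dir=$1
    mkdir -p "$dir"

    # CA key (P-256, quick to generate) and a self-signed CA certificate. The
    # extensions come from an explicit file so the result does not depend on
    # whatever openssl.cnf is installed.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj '/CN=Test Root CA/O=MyOrg/C=US' \
        -out "$dir/ca.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Server key and CSR, same subject as the CSR command on this page
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/server.key" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj '/CN=server.example.com/O=MyOrg/C=US' \
        -out "$dir/server.csr" 2>/dev/null

    # Leaf extensions: clients match the SAN, not the CN, so the SAN must be set here
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:server.example.com' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain CA_CERT CERT HOSTNAME: succeeds only if CERT chains to CA_CERT
# and its subjectAltName matches HOSTNAME (what a TLS client checks)
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: succeeds if CERT is still valid DAYS days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demonstration in a temporary directory
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pki "$work/pki"
verify_chain "$work/pki/ca.crt" "$work/pki/server.crt" server.example.com && echo "chain and hostname: OK"
verify_chain "$work/pki/ca.crt" "$work/pki/server.crt" other.example.com || echo "hostname mismatch: rejected (expected)"
cert_valid_for_days "$work/pki/server.crt" 30 && echo "still valid in 30 days"
openssl x509 -in "$work/pki/server.crt" -noout -subject -issuer -ext subjectAltName
```

The leaf is signed with `openssl x509 -req -extfile` rather than relying on CSR extensions being copied, because older OpenSSL releases drop them silently; checking the SAN on the issued certificate, as the last line does, is how you notice that.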

TLS Configuration

# Check supported TLS ciphers
openssl ciphers -v 'ALL' | sort

# Recommended TLS config for nginx (RHEL's packaged nginx.conf ships
# ssl_ciphers PROFILE=SYSTEM; to follow the crypto policy; override it only
# for a stricter list than the policy already gives):
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
# ssl_prefer_server_ciphers on;

# Test TLS configuration (</dev/null closes the session after the handshake)
openssl s_client -connect server.example.com:443 -tls1_2 </dev/null
openssl s_client -connect server.example.com:443 -tls1_3 </dev/null
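Before an ssl_ciphers value like the one above reaches a server, it is worth checking what it actually resolves to on the local OpenSSL, since a typo or an old cipher name is silently tolerated by the cipher-string parser. The following added example (not from the RHEL 10 page) lints a cipher string with `openssl ciphers -v`: every cipher it expands to must use ephemeral ECDH (or the TLS 1.3 "any" key exchange) and be an AEAD cipher. The two sample strings are constructed for this example; the first is the nginx list above, the second mixes in RSA key exchange and CBC ciphers.

```shell
#!/bin/sh
# Added example: lint an OpenSSL cipher string for forward secrecy and AEAD.
# Uses only the openssl CLI; the sample strings below are constructed.

# audit_ciphers CIPHER_STRING: succeeds if every cipher the string resolves to
# is ECDHE (or TLS 1.3) with an AEAD mode; prints one line per offender otherwise
audit_ciphers() {
    verbose=$(openssl ciphers -v "$1" 2>/dev/null) || {
        echo "not a valid cipher string for this openssl: $1" >&2
        return 1
    }
    bad=0
    # Each -v line reads: NAME PROTO Kx=... Au=... Enc=... Mac=...
    while read -r name proto kx au enc mac _; do
        [ -n "$name" ] || continue
        kx=${kx#Kx=}; enc=${enc#Enc=}; mac=${mac#Mac=}
        case $kx in
            ECDH|any) ;;   # ephemeral ECDH, or TLS 1.3 (always ephemeral)
            *) echo "$name ($proto): no forward secrecy, Kx=$kx"; bad=1 ;;
        esac
        if [ "$mac" != AEAD ]; then
            echo "$name ($proto): not AEAD, Enc=$enc Mac=$mac"; bad=1
        fi
    done <<EOF
$verbose
EOF
    return $bad
}

# The nginx list from this page, and a constructed weak list for contrast
good='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
weak='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES256-SHA256'

audit_ciphers "$good" && echo "accepted: $good"
audit_ciphers "$weak" || echo "rejected: $weak"
```

Note that on OpenSSL 1.1.1 and later the TLS 1.3 suites are always appended to the resolved list, which is why the audit treats `Kx=any` as acceptable; they show up in the output even when the string names only TLS 1.2 ciphers.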

# System-wide CA trust store
sudo cp my-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

GPG Key Management

# Generate GPG key
gpg --full-generate-key

# List keys
gpg --list-keys

# Import a key
gpg --import key.asc

# Encrypt a file
gpg --encrypt --recipient user@example.com file.txt

# Decrypt a file
gpg --decrypt file.txt.gpg

# Sign a file (detached signature, written to file.txt.sig)
gpg --detach-sign file.txt

# Verify signature
gpg --verify file.txt.sig file.txt