You will first create/modify the below config file to generate a private key. In addition, wildcards themselves can have subjectAltName extensions, including other wildcards. Plus, only the first level of subdomain can be secured. We see that Yahoo! But this certificate will not work if the certificate is used for second, third and other sublevel domains, unless the sublevel domains are added in the Subject Alternate Name (SAN) in the certificate. Not all, but with international Clients, you have to think international. It appears WSAN certificates are safe to use for HTTPS with web browsers and may be safe for SMTP. To address this, I recently looked into combining two common management features of certificates, wildcard domain names and subject alternative names (SANs), into a “Wildcard SAN” certificate. To make SANs even more useful, the goal of this effort was to validate the support for using wildcard domain names in the … Example Thank you for this! Creating Wildcard self-signed certificates with openssl with subjectAltName (SAN - Subject Alternate Name) For the past few hours I have been trying to create a self-signed certificate for all the sub-domains for my staging setup using a wildcard subdomain. Otherwise I would also have to tediously, monotonically, and boringly read through all the MAN pages and stuff.. What do hackers do then? You might be thinking this is wildcard SSL but let me tell you – it’s slightly different. Now comes the hard part: Signing your CSR with altNames with your self-signed root certificate while keeping the alt names. 
RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, Stack Overflow Reputation - From 0 to 2000, The Learning Pipeline - How to Keep Learning, multiple levels of subdomains are supported, at least one public CA, DigiCert, offers these certificates, a mix of non-wildcard and wildcard SANs can be supported, wildcard SAN (WSAN) certificates are supported by IETF RFC 3280, WSAN certs are in widespread use for HTTPS, Public CAs (DigiCert, GlobalSign) sign WSAN certificates, many SANs can be supported within the SAN extension. CN : Common Name SAN: Subject Alternative Name Example Generate a certificate with SAN (Draft notes) TEST. Thank you for this posting! also uses a wildcard SAN certificate and this one is signed directly by DigiCert. For example, if I receive a request from someone and I want to sign it, why should I have to have their openssl.cnf extensions? Perfect! Generate a new ECC key: openssl ecparam -out server.key -name prime256v1 -genkey. To try this in the lab, we create a CSR using OpenSSL by creating a config file to be referenced by the openssl req command, which can generate a key pair and Certificate Signing Request (CSR) with the WSANs included as shown below: Once the CSR is available, use it to make a certificate request from a private CA, such as Microsoft Certificate Authority, to test support. Type the following command line into OpenSSL when making the request: Wildcard SSL Certificates - Secure all your subdomains SAN Wildcard SSL. Is finding vulnerabilities then exploiting them the only way? certificate we learn that: Knowing that WSAN certificates are in the wild and offered by at least one CA enabled me to reach out directly to two public CAs and inquire about this feature even if it was not listed on their websites: TLS/SSL certificates are used for a variety of purposes and for this exercise, I investigated both HTTPS and SMTP. 
You might be thinking this is wildcard SSL but let me tell you – it’s slightly different. Use the SAN. Yeah, browser (chrome in my case) seems to prefer SAN over the wildcard CN when both are present. A wildcard certificate can’t secure multiple domains. Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. There are 2 ways to set this up (as far as I know) – using Subject Alternative Names and Server Name Indication (SNI). In this article, we will use the “Subject Alternative Names” method. The conclusion is that wildcard SAN certificates are supported by public and private CAs, are in use at major websites (Google and Yahoo) and appear to be safe for SMTP with some known limitations. For example, the wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. Finally, use the certificate in an application to verify successful SSL/TLS connections. Both wildcard domains and subject alternative names are techniques to enable certificates to authenticate more than one domain name. the openssl command openssl req -text -noout -in .csr; will result in eg. It appears that some mail servers have issues with wildcard certificates. I will be back often to check up on new stuff you post! In other words you do not put the cart before the horse in order to ride it, first you put the horse and then the cart, not vice versa :-). Some Internet reports have indicated that subordinate CA certificates also cost in the range of $150,000 to set up and $75,000 / year to maintain, which makes it unavailable as a mainstream solution, and there are technical constraints as well. X509v3 Subject Alternative Name: DNS:my-project.site and Signature Algorithm: sha256WithRSAEncryption. on their popular websites, it seems reasonable to say that these certificates are supported by common web browsers. Generate the certificate. openssl subject alternative name. "... 
You just specify that your Common Name (CN) a.k.a FQDN is *.yourdomain.com ..." - wrong. openssl genrsa -out srvr1-example-com-2048.key 4096 openssl req -new -out srvr1-example-com-2048.csr -key srvr1-example-com-2048.key -config openssl-san.cnf; Check multiple SANs in your CSR with OpenSSL. They don't have this switch in their own file! Can anyone here explain to me a way to sign with the extensions included in the request rather than resupplying them? Undeterred, I checked to see if anyone was using these in the wild. Information was thin but I did find a single post referencing Google on StackOverflow for YouTube. The most comparable certificate to a Wildcard certificate is what’s called a Subject Alternate Name (SAN) Certificate or Unified Communication Certificate (UCC). openssl req -new -sha256 \ -out private.csr \ -key private.key \ -config ssl.conf (You will be asked a series of questions about your certificate.) > "... You just specify that your Common Name (CN) a.k.a FQDN is *.yourdomain.com ..." - wrong. Given the widespread use of WSAN certificates by Google and Yahoo! Understand the CSR Generation Process for a Wildcard SSL Certificate on Apache + Mod SSL + OpenSSL. Now that it has been established that certificates may have wildcard SANs and they can be issued, it made sense to see if these certificates were used in the wild. You can try it by yourself: Deploy this certificate on a machine whose IP is in the range from 192.168.0.1~192.168.0.254. Fixed with wildcard SAN (though they say it's against the RFC): [alt_names] DNS.1 = yourdomain.com DNS.2 = *.yourdomain.com. Example From the Yahoo! This kind of not trusted at all! In the Subject Alternative Name Field, which proved that SubjectAltName can be a range of IPs. The certificate name can be in two locations, either the Subject or the Subject Alternative Name (subjectAltName) extension. The code is beginning to see widespread testing as the release of OpenSSL 1.1.0 approaches. 
anakha000 you signed it using scr provided. We can add multiple DNS alternative names to the SSL certificate to cover the domain names. I was stuck at this point too, but just typed a few lines in Google and your blog saved my day! You will first create/modify the below config file to generate a private key. openssl genrsa -out www.server.com.key 2048. For example, the wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. The OpenSSL utility is used to generate both the Private Key (key) and the Certificate Signing Request (CSR). I'm guessing you mean CSR not SCR? CN : Common Name SAN: Subject Alternative Name Example Generate a certificate with SAN (Draft notes) TEST. It's been available in Master since that time. Testing with Curl, I get the following output: % curl https://m.example/ curl: (51) SSL: certificate subject name '*.example' does not match target host name 'm.example' This wildcard SSL certificate would protect a.mycompany.com, b.mycompany.com, c.mycompany.com and so on and so forth. Wildcard Subject Alternate Name SSL/TLS Certificates, Both wildcard domains and subject alternative names are techniques to To try this in the lab, we create a CSR using OpenSSL by creating a the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC). SSL setup for multiple domains/subdomains is different than single-domain or wildcard domain setup. You can also change the common name, change the order of SANs, remove SANs, change SANs, and add SANs. Managing hundreds or thousands of servers for SSL/TLS can be a challenge due to the potential number of certificates involved. 
This CSR is the file you will submit to a certificate authority to get back […] By adding DNS.n (where n is a sequential number) entries under the “subjectAltName” field you’ll be able to add as many additional “alternate names” as you want, even ones not related to the main domain. ECC SSL. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Applications with specific … SMTP over TLS is defined by IETF RFC 3207. These values are called Subject Alternative Names (SANs). It’s not possible to specify a list of names covered by an SSL certificate in the common name field. CN is deprecated for DNS names. So by using the common syntax for an OpenSSL subject written via the command line you need to specify all of the above (the OU is optional) and add another section called subjectAltName=. How to Create SSL Certificates using OpenSSL with wildcards in the SAN. SAN stands for “Subject Alternative Names” and this helps you to have a single certificate for multiple CNs (Common Names). Investigating public CA websites indicated that most websites offered either wildcard CN certificates or explicit FQDN SAN certificates but not a combination of wildcard SAN certificates. I'm not understanding what you're saying. It's not really a question of putting the cart before the horse. I'm asking if you are the CA and you receive a CSR to sign, shouldn't there be something embedded in the request that includes the extensions rather than the person sending the CSR having to send extensions in a config file separately? What's Next. Or to be much more realistic; hard to find. ), just make an alt.txt containing [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = domain1 DNS.2 = domain2 etc. and supply it to -extfile. Pulling up their certificate and then Yahoo!’s indicated that these two services make widespread use of wildcard SAN certificates. 
There are 2 ways to set this up (as far as I know) – using Subject Alternative Names and Server Name Indication (SNI). In this article, we will use the “Subject Alternative Names” method. SAN stands for “Subject Alternative Names” and this helps you to have a single certificate for multiple CNs (Common Names). This article will guide you through generating a self-signed certificate with SAN (Subject Alternative Name) and SAN wildcard entries, replacing the deprecated usage of CN=. I just want to find other ways to protect my website and programs. Answer however you like, but for 'Common name' enter the name of your project, e.g. Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC). The sed line in his answer does not work on FreeBSD, for example. Reduce SSL cost and maintenance by using a single certificate for multiple websites using a SAN certificate. In the following example we use the domain name www.testdomain.com and SANs host1.testdomain.com –> host3.testdomain.com. Regardless of what I specified as the CN, I'd still get an error that the cert was only valid for one name until I added both to the alt_names section. It will help me very much. It can’t even secure the same domain with a different TLD. 
Just found the answer for myself: Instead of using the "-signkey device.key" option for self signing you just use the "-CA, -CAkey, -CAserial" options to sign with your root CA. But also make sure to use the Extensions like described above with "-extensions v3_req -extfile openssl.cnf". I know that people say there are always vulnerabilities, but what if there weren't. In addition, when using our Wildcard Certificate in conjunction with Subject Alternate Names (SANs), you can save even more money and expand certificate functionality. Shouldn't I be able to decide whether to sign it as requested rather than having to provide the extensions myself? While a wildcard certificate only has one listed domain, the notation allows it the flexibility to cover a large range of subdomains, rather than just a single domain. If there is nothing for them to exploit how can they gain access to whatever it is that they are targeting? Here’s the difference between a Wildcard CSR and a regular CSR: with the Wildcard you place an asterisk at the sub-domain level you’re attempting to encrypt (typically first-level) in your FQDN. openssl x509 -req \ -sha256 \ -days 3650 \ -in private.csr \ -signkey private.key \ -out private.crt \ -extensions req_ext \ -extfile ssl.conf Add the certificate to the keychain and trust it: Then you will create a .csr. An SSL certificate must be associated with a single Server Identity (busylog.net) or multiple Server Identities (busylog.net, mail.busylog.net, www.busylog.net …). $ cat req.conf [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US … If you have experience with these certificates, please provide a note below. 
SAN SSL Certificates (Subject Alternative Name SSL) or Unified Messaging SSL Wildcard SSL. Before starting, the first place to check was support in the X.509 PKI standards, and IETF RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile does indicate that wildcard SANs may be used in certificates but are not defined within the RFC: the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Unless I'm misunderstanding something, shouldn't the CA's function just be to sign off on the request and not to have to obtain extensions in addition to the request it's signing? I don't think you've answered my question, but thanks I guess? It works successfully. CN is deprecated for DNS names. For the record, I have no interest in unethical hacking. In the Subject Alternative Name Field, which proved that SubjectAltName can be a range of IPs. Create a file called openssl.cnf with the following details. In our Wildcard SSL we automatically include your domain name without any subdomain as a SAN (for example, domain.com). SSL wildcard & SAN certificates. Removing and changing domains on a multi-domain SSL/TLS certificate will revoke the original certificate and any of its duplicate certificates. This wildcard SSL certificate would protect a.mycompany.com, b.mycompany.com, c.mycompany.com and so on and so forth. In SSL/TLS, domain name verification occurs by matching the FQDN of the system with the name specified in the certificate. 
It was driving me nuts trying to figure out why the OpenSSL provided CA.pl script wasn't including extensions when signing. Examining the Google certificate provided some good insight in that: This indicated popular browser support; however, it did not indicate popular issuance of such certificates, as the certificate is not signed directly by a public CA but is signed by the Google Internet Authority G2 Certificate Authority, a subordinate CA under GeoTrust. Thanks so much for the info and keep it up. Both wildcard and SAN certificates have their own limitations. What @stuart-p-bentley wrote got me thinking and I came up with this way of getting a comma delimited list of "Subject Alternative Names" using openssl, awk and tr. You can try it by yourself: Deploy this certificate on a machine whose IP is in the range from 192.168.0.1~192.168.0.254. These are also referred to as multi-domain certificates or Exchange certificates. Mobile use still needs to be investigated. Create an OpenSSL configuration file like the one below on the local computer by editing the required fields according to your need. Due to the vast number of emails, calls and live chat requests being received from SSL users on a daily basis regarding Certificate Signing Request (CSR) generation, which is required in order to obtain a certificate from Certificate Authorities (CA), we have compiled this guide. OpenSSL 1.1.0 provides built-in functionality for hostname checking and validation. Third, generate your self-signed certificate: $ openssl genrsa -out private.key 3072 $ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730 You are about to be asked to enter information that will be incorporated into your certificate request. 
Creating an SSL Certificate with Multiple Hostnames There's another article on creating wildcard certificates in apache (and here on IIS), but we've not discussed the possibility of having a single certificate answer to several hostnames (DNS cnames, and http host headers). This uses an SSL feature called SubjectAlternativeName (or SAN, for short). This article will guide you through generating a self-signed certificate with SAN (Subject Alternative Name) and SAN wildcard entries, replacing the deprecated usage of CN=. In addition to the operational benefits of managing SAN, it is also becoming more … The Subject Alternative Name extension (also called Subject Alternate Name or SAN) was introduced to solve this limitation. Why is an SSL Subject Alternative Name Wildcard Certificate Needed? Subject Alternative Name: Using the X.509 subjectAltName extension has been useful to address some of the limitations of wildcard domains, namely they can contain multiple FQDNs of all types, so names with differing numbers of subdomains and entirely different domains can be supported. While Sendmail is known not to support SAN, representatives from public CAs and my professional experience have indicated no issues, possibly given the level of TLS name verification currently in use. Reduce SSL cost and maintenance by using a single certificate for multiple websites using a SAN certificate. Now, I'd like to add several subject alternate names, sign it with an existing root certificate, and return the certificate to complete the signing request. Thanks for this post. But this certificate will not work if the certificate is used for second, third and other sublevel domains, unless the sublevel domains are added in the Subject Alternate Name (SAN) in the certificate. 