# Install openssl@3 with Homebrew, apk, MacPorts, zypper, chocolatey, apt, dnf, Nix, pacman, scoop, winget

Cryptography and SSL/TLS Toolkit. Version 3.6.3 via Homebrew; verified 2026-07-06.

## Install

```sh
sudo av install brew:openssl@3
```

## Agent safety answer

openssl handles cryptographic keys, certificates, secrets, and encrypted payloads.

- **Credential access:** Can read private keys, certificates, encrypted files, and passphrases.
- **Remote mutation:** Does not mutate remote systems directly but can prepare credentials used elsewhere.
- **Publish/artifact risk:** Can produce keys, CSRs, signatures, and artifacts used in releases.
- **Recommended control:** Gate private-key reads, key generation, signing, and decryption commands.
- **Agent-use guidance:** Allow public certificate inspection; require approval before reading or producing secret key material.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install openssl@3
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install openssl3
```

  Evidence: MacPorts ports tree: devel/openssl3/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add libssl3
```

  Evidence: Alpine Linux edge package indexes: libssl3 from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- zypper (92%):

```sh
sudo zypper install libopenssl-3-devel
```

  Evidence: openSUSE Tumbleweed package metadata: libopenssl-3-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

- Debian apt (92%):

```sh
sudo apt install libssl-dev
```

  Evidence: Debian stable package indexes: libssl-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install openssl
```

  Evidence: Fedora Rawhide package metadata: openssl from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#openssl
```

  Evidence: nixpkgs package indexes: openssl from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S openssl
```

  Evidence: Arch Linux sync databases: openssl from https://geo.mirror.pkgbuild.com/core/os/x86_64/core.db.tar.gz

### Windows

- Chocolatey (92%):

```sh
choco install openssl
```

  Evidence: Chocolatey community package catalog: openssl from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','openssh'

- Scoop (92%):

```sh
scoop install main/openssl
```

  Evidence: Scoop official bucket manifest trees: bucket/openssl.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id ShiningLight.OpenSSL.Dev -e
```

  Evidence: Windows Package Manager source index: ShiningLight.OpenSSL.Dev from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:openssl@3
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/openssl@3>
- **Version:** 3.6.3
- **Source summary:** Cryptography and SSL/TLS Toolkit
- **Homepage:** <https://openssl-library.org>
- **Repository:** <https://github.com/openssl/openssl>
- **Upstream docs:** <https://docs.openssl.org/3.6/man1/openssl>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/openssl/openssl/releases/download/openssl-3.6.3/openssl-3.6.3.tar.gz>
- **Last updated:** 2026-07-06T17:12:11Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Dependencies

- ca-certificates

## Install behavior

- Post-install hook: not defined
- Caveats: To add additional certificates, place .pem files in $HOMEBREW_PREFIX/etc/openssl@3/certs and run $HOMEBREW_PREFIX/opt/openssl@3/bin/c_rehash OpenSSL 3.6 is only supported until 2026-11-01 so the `openssl@3` formula will be downgraded to OpenSSL 3.5 (LTS) in a future update.
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sequoia, sonoma, tahoe, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.6.3
- Package-manager updated: 2026-07-06
- Local data: ok
- Upstream repository: https://github.com/openssl/openssl
- info: No cached GitHub release or tag data was available.
## Project history and usage

Homebrew's `openssl@3` is the main OpenSSL 3 formula, providing the OpenSSL command-line tool plus libssl and libcrypto for TLS, SSL, certificate, and general cryptography workloads. The formula follows the default OpenSSL 3 branch while separate formulae such as `openssl@3.0` and `openssl@3.5` preserve branch-specific targets.

### Project history

OpenSSL was founded in 1998 as an open-source successor to SSLeay, the SSL library by Eric A. Young and Tim J. Hudson. The first OpenSSL release, 0.9.1c, shipped on December 23, 1998 after the initial project team chose the OpenSSL name to signal continuity for users of SSL-era tooling.

The library became a default dependency for secure internet software, from Apache modules and mail servers to package managers, language runtimes, and appliance firmware. Heartbleed in 2014 revealed both the scale of OpenSSL deployment and the fragility of its funding and maintenance model, prompting foundation and governance changes.

The OpenSSL 3 generation began with 3.0.0 on September 7, 2021. Its provider architecture, Apache-2.0 licensing, FIPS provider support, and deprecation of low-level APIs reshaped how applications link, configure, and certify OpenSSL-based cryptography.

### Adoption history

`openssl@3` is the broad Homebrew adoption path for OpenSSL 3. The cited formula page lists it as also known as `openssl` and `openssl@3.6`, bottled across macOS and Linux, with yearly installs in the millions.

Homebrew's page also shows the package-manager policy dimension: `openssl@3` can move between OpenSSL 3 minor branches, while `openssl@3.5` and `openssl@3.0` exist for consumers that need a pinned branch. That split lets Homebrew balance default freshness against downstream reproducibility.

### How it is used

Users invoke the `openssl` CLI to inspect and generate certificates, create CSRs, test TLS endpoints, hash and sign data, convert PEM/DER/PKCS formats, and manage CA directories. Build systems link against libssl and libcrypto when compiling software that needs TLS, X.509, ASN.1, message digests, public-key cryptography, or provider-backed algorithms.

On Homebrew systems, dependent formulae use `openssl@3` as the normal OpenSSL 3 dependency, while users may need the formula's prefix, include path, library path, and certificate directory when compiling software outside Homebrew.

### Why package nerds care

`openssl@3` is one of the packages that makes a package manager feel like infrastructure. A minor OpenSSL branch change can affect build flags, test suites, compliance assumptions, certificate lookup, and runtime behavior for a large dependency graph.

It is also a clean example of why versioned formula names matter. The package name encodes a compatibility promise at the major-version level, while sibling formulae encode stricter branch promises for software that cannot simply follow the default.

### Timeline

- December 23, 1998: OpenSSL 0.9.1c is released.
- 2014: Heartbleed becomes a watershed event for OpenSSL maintenance and funding.
- September 7, 2021: OpenSSL 3.0.0 launches the OpenSSL 3 line.
- April 8, 2025: OpenSSL 3.5.0 is released in the OpenSSL 3 family.
- October 1, 2025: OpenSSL 3.6.0 appears in the OpenSSL release timeline.
- 2026: Homebrew lists `openssl@3` stable at 3.6.3 and notes a planned downgrade to 3.5 LTS before the 3.6 support window ends.

### Related projects

- OpenSSL's ecosystem includes LibreSSL, BoringSSL, AWS-LC, GnuTLS, NSS, wolfSSL, and platform TLS stacks. Downstream packages such as OpenSSH, curl, web servers, database clients, and programming-language runtimes make OpenSSL branch choices visible far beyond cryptography specialists.

### Sources

- <https://docs.openssl.org/3.0/man7/migration_guide/>
- <https://formulae.brew.sh/formula/openssl@3>
- <https://github.com/openssl/openssl>
- <https://openssl-library.org/news/openssl-3.0-notes/>
- <https://openssl-library.org/news/openssl-3.5-notes/>
- <https://openssl-library.org/news/timeline/>
- <https://openssl-library.org/post/2018-12-20-20years/index.html>
- <https://openssl.foundation/about/history>


## Security Notes

No matching local secret-handling manifest was found for openssl@3. Nucleus package metadata is still published here so future coverage has a stable package URL.

- **Approval gate rules:** 5


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: $OPENSSLDIR/openssl.cnf

## Credential files

- Unix: ~/.ssl, ~/.certs, ~/certs, ~/.config/openssl
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** openssl@3
- **Aliases:** openssl, openssl@3.6
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- apk - libssl3 - 3.5.7-r0: normalized package name match | Alpine Linux edge package indexes: libssl3 from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | SSL shared libraries | https://www.openssl.org/
- zypper - libopenssl-3-devel - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl-3-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Development files for OpenSSL | https://www.openssl.org/
- zypper - libopenssl-3-devel-32bit - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl-3-devel-32bit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Development files for OpenSSL | https://www.openssl.org/
- zypper - libopenssl-3-fips-provider - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl-3-fips-provider from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenSSL FIPS provider | https://www.openssl.org/
- zypper - libopenssl-3-fips-provider-32bit - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl-3-fips-provider-32bit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenSSL FIPS provider | https://www.openssl.org/
- zypper - libopenssl-3-fips-provider-x86-64-v3 - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl-3-fips-provider-x86-64-v3 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | OpenSSL FIPS provider | https://www.openssl.org/
- zypper - libopenssl3 - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl3 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Secure Sockets and Transport Layer Security | https://www.openssl.org/
- zypper - libopenssl3-32bit - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl3-32bit from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Secure Sockets and Transport Layer Security | https://www.openssl.org/
- zypper - libopenssl3-x86-64-v3 - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: libopenssl3-x86-64-v3 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Secure Sockets and Transport Layer Security | https://www.openssl.org/
- zypper - openssl-3 - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: openssl-3 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Secure Sockets and Transport Layer Security | https://www.openssl.org/
- zypper - openssl-3-doc - 3.5.3-5.1: normalized package name match | openSUSE Tumbleweed package metadata: openssl-3-doc from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Manpages and additional documentation for openssl | https://www.openssl.org/
- MacPorts - openssl3: normalized package name match | MacPorts ports tree: devel/openssl3/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Debian apt - libssl-dev - 3.5.6-1~deb13u1: versioned package alias match | Debian stable package indexes: libssl-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Secure Sockets Layer toolkit - development files | https://openssl-library.org
- Debian apt - libssl-doc - 3.5.6-1~deb13u1: versioned package alias match | Debian stable package indexes: libssl-doc from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Secure Sockets Layer toolkit - development documentation | https://openssl-library.org
- Debian apt - libssl3t64 - 3.5.6-1~deb13u1: versioned package alias match | Debian stable package indexes: libssl3t64 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Secure Sockets Layer toolkit - shared libraries | https://openssl-library.org
- Debian apt - openssl - 3.5.6-1~deb13u1: versioned package alias match | Debian stable package indexes: openssl from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Secure Sockets Layer toolkit - cryptographic utility | https://openssl-library.org


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [ca-certificates](https://www.automicvault.com/pkg/brew/ca-certificates/) - Runtime dependency declared by Homebrew.
- [activemq-cpp](https://www.automicvault.com/pkg/brew/activemq-cpp/) - Popular package that depends on this formula.
- [adios2](https://www.automicvault.com/pkg/brew/adios2/) - Popular package that depends on this formula.
- [afflib](https://www.automicvault.com/pkg/brew/afflib/) - Popular package that depends on this formula.
- [alpine](https://www.automicvault.com/pkg/brew/alpine/) - Popular package that depends on this formula.
- [amber](https://www.automicvault.com/pkg/brew/amber/) - Popular package that depends on this formula.
- [aoe](https://www.automicvault.com/pkg/brew/aoe/) - Popular package that depends on this formula.
- [apache-arrow](https://www.automicvault.com/pkg/brew/apache-arrow/) - Popular package that depends on this formula.
- [openssl@3.0](https://www.automicvault.com/pkg/brew/openssl-3-0/) - Package name indicates the same formula family.
- [openssl@3.5](https://www.automicvault.com/pkg/brew/openssl-3-5/) - Package name indicates the same formula family.
- [openssl@4](https://www.automicvault.com/pkg/brew/openssl-4/) - Package name indicates the same formula family.

## Combined YAML source

View the package source record on GitHub. [combined/openssl@3.yml](https://github.com/automic-vault/db/blob/main/combined/openssl@3.yml)


## Sources

- Nucleus package database
- approval-gate seed metadata
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
