OpenSSL 3.0 FIPS module configuration file

Thomas Dwyer III tomiii at
Mon Feb 14 23:57:51 UTC 2022

I believe the relevant standard is described in the Implementation Guidance
for FIPS 140-2:
(see IG 9.11 beginning on page 179). I searched briefly for similar text in
FIPS 140-3 IG but didn't see anything relevant.


On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale <pauli at> wrote:

> Yes, this has to do with the FIPS standards.  I forget which standard it
> is but the self tests are mandated to be run on each device independently.
> The fipsinstall process runs the self tests before generating the
> configuration file.  If the self tests fail, the module doesn't install.
> Copying the configuration file across avoids the self tests and therefore
> isn't compliant.
> Pauli
> On 15/2/22 02:25, Richard Dymond wrote:
> Hi
> Probably a dumb question, but why must the FIPS module configuration file
> for OpenSSL 3.0 be generated on every machine that it is to be used on
> (i.e. must not be copied from one machine to another)?
> I just ran 'openssl fipsinstall' on two different machines with the same
> FIPS module and it produced exactly the same output each time, so
> presumably the reason has nothing to do with the config file being unique
> to the machine.
> Does it have something to do with the FIPS standard itself?
> Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list