This module guides you through configuring Ubuntu 25.10 with OpenSSL 3.5.x and the Open Quantum Safe (OQS) provider to access alternative post-quantum algorithms not available in native OpenSSL. While OpenSSL 3.5.x includes native support for NIST FIPS algorithms (ML-KEM, ML-DSA, SLH-DSA), algorithms like FrodoKEM, BIKE, and HQC require the OQS provider.
After completing this module, you will be able to:
- Verify Ubuntu 25.10 and OpenSSL 3.5.x installation
- Build and install liboqs from source
- Build and install the OQS provider for OpenSSL
- Configure OpenSSL to load the OQS provider
- Verify access to alternative PQC algorithms
- Create the lab structure

Prerequisites:
- Fresh Ubuntu 25.10 installation (or upgraded system), you do you
- Root or sudo access
- Connectivity to GitHub for downloading source code

```bash
lsb_release -d
```
Expected output:
```
Description: Ubuntu 25.10
```

```bash
openssl version
```
Expected output:
```
OpenSSL 3.5.x <date>
```

Ubuntu 25.10 includes OpenSSL 3.5.x by default. To enable the alternative algorithms, first compile liboqs and oqsprovider by following the Updating OpenSSL PQC Addendum. It's rather annoying but you'll need it.

```bash
openssl list -kem-algorithms | grep -i hqc
```
Expected output:
```
hqc128 @ oqsprovider
hqc192 @ oqsprovider
hqc256 @ oqsprovider
```

If these didn't show up, did you complete the addendum? No? The link is right above you. The addendum's oqsprovider will add FrodoKEM, BIKE, and HQC. I'll wait.

Create a dedicated user account for CA administration:

```bash
sudo useradd -r -m -d /opt/sassycorp-pqc-alt -s /bin/bash pqcaltadmin
```
Flags explained:

| Flag | Purpose |
|---|---|
| `-r` | System account |
| `-m` | Create home directory |
| `-d /opt/sassycorp-pqc-alt` | Home directory location |
| `-s /bin/bash` | Login shell |

Set a password for the account:

```bash
sudo passwd pqcaltadmin
```
Add your user to the pqcaltadmin group (optional, for easier administration):
```bash
sudo usermod -aG pqcaltadmin $USER
```
Switch to the pqcaltadmin user:
```bash
sudo su - pqcaltadmin
```
Create the working directory for alternative algorithm testing:
```bash
mkdir -p /opt/sassycorp-pqc-alt/{certs,keys,tests}
```
If you don't have certificates from the FIPS or CNSA paths, create a simple ML-DSA test certificate for TLS demonstrations:
```bash
# Generate an ML-DSA-65 private key and make it read-only for the owner
openssl genpkey -algorithm mldsa65 -out /opt/sassycorp-pqc-alt/keys/test.key
chmod 400 /opt/sassycorp-pqc-alt/keys/test.key

# Create a self-signed test certificate valid for one year
openssl req -new -x509 \
  -key /opt/sassycorp-pqc-alt/keys/test.key \
  -out /opt/sassycorp-pqc-alt/certs/test.crt \
  -days 365 \
  -subj "/C=US/ST=California/L=San Francisco/O=Sassy Corp/CN=test.sassycorp.lab"

# Inspect the certificate
openssl x509 -in /opt/sassycorp-pqc-alt/certs/test.crt -noout -text | head -20
```
Before proceeding to the next module, verify:

| Check | Command | Expected Result |
|---|---|---|
| OQS provider active | `openssl list -providers` | oqsprovider: active |
| FrodoKEM available | `openssl list -kem-algorithms \| grep frodo` | frodo640aes, etc. |
| BIKE available | `openssl list -kem-algorithms \| grep bike` | bikel1, etc. |
| HQC available | `openssl list -kem-algorithms \| grep hqc` | hqc128, etc. |

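
The checklist above as one scriptable check. This is an added example, not part of the original module: the function names are hypothetical, the sample listings are constructed, and the parser assumes the indented block layout that `openssl list -providers` prints.

```bash
#!/usr/bin/env bash
# Added example, not from the original module. Sample listings are constructed.

# Succeeds only if the oqsprovider block in `openssl list -providers` output
# reports "status: active". A one-word line without a colon starts a block.
oqs_provider_active() {
    printf '%s\n' "$1" | awk '
        NF == 1 && $1 !~ /:$/ { in_oqs = ($1 == "oqsprovider") }
        in_oqs && $1 == "status:" && $2 == "active" { found = 1 }
        END { exit !found }'
}

# Prints each KEM family (frodo, bike, hqc) with no entry served by oqsprovider
# in `openssl list -kem-algorithms` output; prints nothing if all are present.
missing_oqs_kems() {
    for family in frodo bike hqc; do
        printf '%s\n' "$1" |
            grep -Eiq "^[[:space:]]*${family}[[:alnum:]]*[[:space:]]*@[[:space:]]*oqsprovider" ||
            printf '%s\n' "$family"
    done
}

# Runs both checks against the installed OpenSSL; returns non-zero on any gap.
check_live() {
    oqs_provider_active "$(openssl list -providers)" ||
        { echo "oqsprovider not active" >&2; return 1; }
    missing=$(missing_oqs_kems "$(openssl list -kem-algorithms)")
    [ -z "$missing" ] || { echo "missing KEM families: $missing" >&2; return 1; }
}

# Constructed sample output used to exercise the parsers offline.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    status: active'
SAMPLE_KEMS='  ML-KEM-768 @ default
  frodo640aes @ oqsprovider
  bikel1 @ oqsprovider
  hqc128 @ oqsprovider'

oqs_provider_active "$SAMPLE_PROVIDERS" && echo "sample: oqsprovider active"
echo "sample: missing families: [$(missing_oqs_kems "$SAMPLE_KEMS" | tr '\n' ' ')]"
```

On a configured host, source the script and call `check_live`; an entry such as `hqc128 @ default` does not count, because the check requires the algorithm to be served by oqsprovider.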

Symptom: `openssl list -providers` doesn't show oqsprovider

Solutions:
- Go back to the OpenSSL oqsprovider addendum and validate the troubleshooting steps (don't run this under your pqcaltadmin account)

Symptom: `error while loading shared libraries: liboqs.so`

Solution:
```bash
sudo ldconfig
```
If still failing, check library path:
```bash
sudo ldconfig -p | grep oqs
```

Your environment is now configured with access to alternative PQC algorithms. Proceed to Module 02: FrodoKEM to begin working with the conservative unstructured lattice KEM.

Module Navigation:
| Previous | Current | Next |
|---|---|---|
| 00 - Introduction | 01 - Environment Setup | 02 - FrodoKEM |