As a global organization with employees and customers scattered around the world, Red Hat recognizes that there are a multitude of compliance mandates that different regions or industries need to adhere to. This post provides some important updates on recent certifications and validations that various releases of Red Hat Enterprise Linux (RHEL) have obtained.
Federal Information Processing Standards 140 (FIPS 140)
The Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) to establish a set of computer security practices for nonmilitary government agencies and contractors to follow. While NIST is based in the United States and FIPS is mandated there, FIPS has been widely adopted globally. With that global use in mind, Red Hat works to certify specific core cryptographic modules within RHEL. The following is a comprehensive list of the various FIPS updates for each major version of RHEL.
Red Hat Enterprise Linux 8 FIPS 140 updates
RHEL 8 continues to be a mix of FIPS 140-2 and 140-3 standards. Until September 21, 2026, FIPS 140-2 and FIPS 140-3 certificates are equivalent. After this date, all FIPS 140-2 certificates will be moved to the historical list. Please plan accordingly to upgrade to RHEL 9 or RHEL 10, which are FIPS 140-3-only releases.
On RHEL 8.10, Red Hat submitted all FIPS 140-3 modules (Kernel Cryptographic module and NSS) and performed Scenario 3A (CVE) updates to the OpenSSL and GnuTLS modules.
Red Hat Enterprise Linux 9 FIPS 140 updates
Red Hat completed the first ever FIPS 140-3 cryptographic modules validation on RHEL 9.0 and RHEL 9.2:
- OpenSSL (9.0 as #4746, 9.2, 9.4, 9.5, and 9.6 as #4857)
- GnuTLS (9.0 as #4780, 9.2 as #4846, Implementation Under Test on 9.4)
- Kernel Cryptographic API (9.0 as #4796, 9.2 as #5034, Implementation Under Test on 9.4)
- Libgcrypt (9.0, 9.2, and 9.4 as #4754)
- NSS (9.0 as #4774, 9.2 as #5022, Implementation Under Test on 9.4)
FIPS 140-3 testing was performed on Intel Xeon Silver, IBM z16, and Power 10 hardware platforms. On some of the platforms, resubmissions to support all architectures on all releases are pending. Red Hat plans to resubmit interim validations to receive full five-year FIPS 140-3 certificates.
Red Hat is committed to completing FIPS 140-3 cryptographic module updates on all Extended Update Support (EUS) releases of RHEL 9; newer modules are either submitted for validation or under testing.
Red Hat’s OpenSSL FIPS 140 updates
Red Hat made a major change in the way OpenSSL is packaged and distributed in RHEL to provide a better FIPS 140 experience and coverage. This change follows the upstream OpenSSL separation of the FIPS module.
On RHEL 8, OpenSSL stays FIPS 140-2, and only non-security-relevant changes and vulnerability fixes are allowed to use Scenario 3A revalidations for CVE fixes. The same binary RPM package is distributed among RHEL 8.6, 8.8, and 8.10.
On RHEL 9, as of RHEL 9.2, the OpenSSL FIPS 140-3 provider is distributed in a standalone RPM package, and hence the same FIPS validation is applicable to multiple RHEL 9 releases (9.2, 9.4, and 9.6).
As a result, Red Hat now offers a FIPS 140-2 or FIPS 140-3 validated OpenSSL cryptographic module on all supported releases of Red Hat Enterprise Linux 8 (8.6, 8.8, and 8.10) and Red Hat Enterprise Linux 9 (9.0, 9.2, 9.4, and 9.6). Red Hat uses the same cryptographic module on RHEL 10.
RHEL 10 FIPS 140 updates
Red Hat follows the same strategy as on previous releases and will submit all applicable cryptographic modules for FIPS 140-3 validation on all EUS releases.
Common Criteria
Common Criteria is the commonly used name for the Common Criteria for Information Technology Security Evaluation, which focuses on cybersecurity specifications. It was originally signed by Canada, France, Germany, the United Kingdom, and the United States, but has now been adopted by over 30 countries. For a software solution to receive a Common Criteria certificate, it must undergo a technical assessment and complete review of its cybersecurity specifications. We are pleased to announce that both RHEL 9.4 and Red Hat Certificate System 10.4 have received a Common Criteria certificate and are now listed on the NIAP Product Compliant List (joining RHEL 8.6 and 9.0 EUS, which were already present). RHEL 9.4 Common Criteria was completed on Intel Xeon Silver, IBM z16, and IBM Power 10 hardware platforms.
Red Hat will continue investing in Common Criteria certification. Following the recent releases, Common Criteria evaluations of RHEL 10.0 and RHEL 9.6 are planned next to cover both EUS releases.
Continued focus
Red Hat achieves a wide range of cybersecurity validations and certifications for our products and services in global markets. The software development teams who work on Red Hat products and components continue to monitor for changes to existing regulations as well as any new criteria. For an up-to-date listing of Red Hat product certifications, please visit: https://access.redhat.com/compliance/.