Pound, SSL, and real Certificates

I have written an update for this at Pound, SSL, and real Certificates, redux.

Recently, I have been working with setting up some web servers, using Pound as the front-end. The idea is that there are multiple back-end servers, and the single front-end that controls which server requests go to. One of the problems is using SSL for HTTPS pages. All of the documentation I can find online covered creating a self-signed certificate.

But if anyone has followed the self signed certificate problem knows that this is not a great idea, especially if the site is to be used by anyone.

Poking around, I finally found my answer, partly through an older post on the Pound mailing list.

Your first step is to make sure that Pound is up and running all on it’s own. That is not the focus of this article, so don’t complain. Also, you will need to have openssl installed on the server.

Now, you need to generate an RSA private key for the server.
openssl genrsa -out server.key 1024

Then, you need to create the Certificate Signing Request file, or CSR.
openssl req -new -key server.key -out server.csr

Now, you go online, find yourself a certificate vendor, and fill out the form to request a certificate. In that form will be a text field for the csr data, just open up your server.csr file, and copy and paste that data. It should start with:
and end with:

Once that is done, you wait. Eventually you will get a response that includes the certificate. That will have BEGIN CERTIFICATE and END CERTIFICATE lines with encrypted data. Just save this as a text file named server.crt.

Now, you will want to verify the certificate:
openssl x509 -in server.crt -text

If that outputs something real, and not an error message, you can now create the PEM file for Pound:
openssl x509 -in server.crt -out server.pem

Now you need to add the key to the PEM file:
openssl rsa -in server.key >> server.pem

Now, copy your new PEM file to the correct location (as per the pound.cfg file) and restart pound. Now, connect to the HTTPS port for your server, and see if it works.

I have written an update for this at Pound, SSL, and real Certificates, redux.


6 Responses

  1. Thank you very much! This made our day

  2. After all the research we did – and the stress over making sure we moved our production site properly, this was by far the simplest and accurate description of what we needed to do. Literally spent hours researching what is summed up in this page in just 2 minutes. THANK YOU THANK YOU THANK YOU!

  3. Waseem and Cory,

    Glad that this covered the information you needed. Sorry that this wasn’t the first site you found, but I can hope that it helped verify all of the research you had done.

  4. Could be wrong, though wouldn’t it be better to generate a 2048 bit key?

  5. Yes, it works with a 2048 bit key, too.
    Simply use

    openssl genrsa -out server.key 2048

    GoDaddy recommends to use a 2048 bit key.

    Thank you for the instructions – I’ve been able to install a GoDaddy Certificate on Pound easily!! By the way, Pound 2.6+ supports SNI – meaning you can have several certificates on one IP address.

    I’ve compiled a DEB package for Pound 2.6 for Debian 6

  6. Excellent … thanks for posting this… made my job just a bit easier today, thanks !!! :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: