Pound, SSL, and real Certificates, redux

This is a follow-up to my original Pound, SSL, and real Certificates post from some time ago.

Well, the time came around for me to not only replace the certificate we had, but upgrade both from 1024bit to 2048bit, and from SHA1 to SHA2 (aka: SHA256).  So, what follows is the instructions to get Pound up and running with SSL, updated for 2048bit and SHA2.

As with before, you will need to have Pound up and running already, and I am not going to go into that here.  Also, you will need openssl installed on your server.

We start off by generating an RSA private key for the server.
openssl genrsa -out server.key 2048

The 2048 at the end indicates that it is a 2048-bit key.  You don’t need to copy this to any special location on the server, because it will be copied into the PEM file used by Pound.

The next step is to generate the Certificate Signing Request file, or CSR.
openssl req -new -sha256 -key server.key -out server.csr

The -sha256 indicates that this CSR, and resulting certificate, will be using the SHA2 encryption algorithm, aka: SHA256, to create the certificates’ message digest section.  Also, this is the part will you will need to enter in all of your information for Country, State, City, Street Address, Company Name, Server name, blood type, favorite movie… you get the idea.

Once you have found yourself a certificate vendor, fill out their form to request a certificate.  If this is an online vendor, then the form will have a text field for the csr data, just open up your server.csr file, and copy and paste that data. It should start with:
and end with:

Other than that, the only other way to submit the request is to email the request with the server.csr file attached.  Once that part is done, you wait. Eventually you will get a response that includes the certificate. That will have BEGIN CERTIFICATE and END CERTIFICATE lines with encrypted data. Just save this as a text file named server.crt. If you are using a certificate vendor that requires intermediate certificates for authentication, then you will need to save the “x509 certificate only, Base64 encoded” certificate as server.crt.

Now, you will want to verify the certificate:
openssl x509 -in server.crt -text

If that outputs something real, and not an error message, you can now create the PEM file for Pound:
openssl x509 -in server.crt -out server.pem

Now you need to add the key to the PEM file:
openssl rsa -in server.key >> server.pem

If you are using a certificate vendor which requires an intermediate certificate, you will need to save the “x509 Intermediates/root only, Base64 encoded” certificate as intermediate.crt. Since this certificate could have multiple certificates chained after each other, you will need to use cat to add it to the PEM file:
cat intermediate.crt >> server.pem

Now, copy your new PEM file to the correct location (as per the pound.cfg file) and restart pound. Now, connect to the HTTPS port for your server, and see if it works.


One Response

  1. Great tutorial, thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: