Pound, SSL, and real Certificates

Recently, I have been working on setting up some web servers, using Pound as the front-end. The idea is that there are multiple back-end servers, and a single front-end that controls which server each request goes to. One of the problems is using SSL for HTTPS pages. All of the documentation I can find online covers creating a self-signed certificate.

But anyone who has followed the self-signed certificate problem knows that this is not a great idea, especially if the site is meant for the public. Poking around, I finally found my answer, partly through an older post on the Pound mailing list.

Your first step is to make sure that Pound is up and running all on its own. That is not the focus of this article, so don’t complain. Also, you will need to have openssl installed on the server.

Now, you need to generate an RSA private key for the server.


openssl genrsa -out server.key 1024

Then, you need to create the Certificate Signing Request file, or CSR.


openssl req -new -key server.key -out server.csr

Now, you go online, find yourself a certificate vendor, and fill out the form to request a certificate. In that form there will be a text field for the CSR data; open up your server.csr file and copy and paste its contents into it. It should start with:

-----BEGIN CERTIFICATE REQUEST-----
and end with:
-----END CERTIFICATE REQUEST-----

Once that is done, you wait. Eventually you will get a response that includes the certificate. That will have BEGIN CERTIFICATE and END CERTIFICATE lines with base64-encoded data between them. Just save this as a text file named server.crt.

Now, you will want to verify the certificate:


openssl x509 -in server.crt -text

If that prints the certificate details rather than an error message, you can now create the PEM file for Pound:


openssl x509 -in server.crt -out server.pem

Now you need to add the key to the PEM file:


openssl rsa -in server.key >> server.pem

Now, copy your new PEM file to the correct location (as per the pound.cfg file) and restart pound. Now, connect to the HTTPS port for your server, and see if it works.
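The whole procedure above as one script, added here as an example and not taken from the post or from the Pound project. Two things differ from the commands above on purpose: the key is 2048 bits, since public CAs stopped accepting 1024-bit keys, and the PEM also gets the CA's intermediate certificate appended, because Pound sends the chain from the same file and browsers that do not already have the intermediate fail to validate without it. Since a commercial vendor cannot be contacted offline, a throwaway root and intermediate generated locally stand in for the vendor (constructed, for the example only); the hostname www.example.com, the directory, and the minimal pound.cfg fragment at the end are assumed placeholders. The verify step also checks two things the post does not: that the certificate actually matches server.key, and that it chains to the root.

```shell
#!/bin/sh
# Added example: Pound PEM assembly with checks. Not the post's own commands.
# The "CA" is a constructed local stand-in for a commercial vendor.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)
cd "$WORK"

# 1. Server private key. 2048 bits rather than the post's 1024.
gen_key() {
    openssl genrsa -out server.key 2048 2>/dev/null
}

# 2. CSR, non-interactive. The subject is a constructed placeholder.
gen_csr() {
    openssl req -new -key server.key -out server.csr \
        -subj "/CN=www.example.com/O=Example Org"
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' server.csr
}

# 3. Stand-in for the vendor: throwaway root -> intermediate -> our CSR,
#    mirroring what a real CA returns (a leaf plus an intermediate).
fake_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Constructed Root" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Constructed Intermediate" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out inter.crt -days 30 -extfile inter.ext 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -out server.crt -days 30 2>/dev/null
}

# 4. Verify: parses, matches our private key (same RSA modulus), and chains
#    to the root through the intermediate.
verify_cert() {
    openssl x509 -in server.crt -noout -text >/dev/null
    [ "$(openssl x509 -in server.crt -noout -modulus)" = \
      "$(openssl rsa -in server.key -noout -modulus 2>/dev/null)" ]
    openssl verify -CAfile root.crt -untrusted inter.crt server.crt >/dev/null
}

# 5. The file Pound loads: leaf cert, then private key, then the chain.
#    It now contains the private key, so restrict its permissions.
build_pem() {
    openssl x509 -in server.crt -out server.pem
    openssl rsa -in server.key 2>/dev/null >> server.pem
    cat inter.crt >> server.pem
    chmod 600 server.pem
}

# Prints "ok" when the PEM holds exactly two certificates and one key.
check_pem() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' server.pem)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' server.pem)
    [ "$certs" -eq 2 ] && [ "$keys" -eq 1 ] && echo ok
}

# 6. Minimal assumed ListenHTTPS fragment referencing the PEM; the back-end
#    address and port are placeholders.
write_pound_cfg() {
    cat > pound.cfg <<EOF
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "$WORK/server.pem"
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End
EOF
}

run_all() {
    gen_key && gen_csr && fake_ca_sign && verify_cert && build_pem \
        && write_pound_cfg && check_pem
}

run_all
```

With a real vendor, replace fake_ca_sign with saving the returned certificate as server.crt and the vendor's intermediate as inter.crt, and point -CAfile in verify_cert at the vendor's root (or omit it to use the system trust store). The order inside the PEM matters for Pound: server certificate first, then the key, then intermediates.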