I just went through this SSL stuff... here are some suggestions...
1) Since Pound uses OpenSSL as a resource, the problems you'll have, are
with SSL keys and certificates, and how they're generated. These Pound
folks aren't necessarily keen on answering OpenSSL questions. OpenSSL's
mailing list is quite good, as well, at http://www.openssl.org
2) Make sure Pound is working with a self-generated certificate, as per
the man pages. That way you can rule out Pound and its config files as
3) Pound is expecting a single file (I use combo1.pem) with a decoded
private key followed by a PEM-encoded certificate (This file is declared
in the Listen directive). Two distinct blocks of encryption. If you
need intermediate certificates or a complete chain, they are added to
the end, in sequence.
4) The certificate needs to be in PEM format, OpenSSL provides tools for
conversion from DER, an older standard. (and I guess NET). OpenSSL has
commands to test for PEM.
- To test for PEM: openssl x509 -text -in filename --- This will
yield a certificate in English from Encrypted PEM
- To test for DER: openssl x509 -inform der -text -in filename ---
This will yield a certificate in English from Encrypted DER
- To convert DER to PEM: openssl x509 -inform der -in filename -out
filename.pem --- Will convert from DER to PEM, then test
- To decrypt private key: openssl rsa -in foo.key >> cert.pem ---
This will prompt you for a passphrase and decode the file in cert.pem,
the -nodes flag in the self-signed command (Pound man pages) provides
this for the self-signed version
- All of the above commands, are from O'Reilly's Linux Security
Cookbook, available on Safari at http://safari.oreilly.com
5) These filename extensions dont seem to matter, they all become .pem's
6) OpenSSL provides a client command to query your setup, with
feedback... very helpful for debugging.
7) Pound and OpenSSL have no direct or ongoing linkage. OpenSSL's dev
resources are accessed during compilation of Pound, and that's it.
OpenSSL seems to be a toolkit, a resource (ie Apache mod_ssl) and a
generator for all of the pieces of the SSL puzzle. Pound uses OpenSSL
more like a IMAP mail server would, rather than how Apache does.
It's not easy to find your way. The relationship between Pound, SSL,
and the OpenSSL tool, is lacking in documentation, fortunately both have
very helpful message boards,
Chris Gamache wrote: