I just went through this SSL stuff... here are some suggestions...
1) Since Pound uses OpenSSL as a resource, the problems you'll have, are
with SSL keys and certificates, and how they're generated. These Pound
folks aren't necessarily keen on answering OpenSSL questions. OpenSSL's
mailing list is quite good, as well, at http://www.openssl.org
2) Make sure Pound is working with a self-generated certificate, as per
the man pages. That way you can rule out Pound and its config files as
3) Pound is expecting a single file (I use combo1.pem) with a decoded
private key followed by a PEM-encoded certificate (This file is declared
in the Listen directive). Two distinct blocks of encryption. If you
need intermediate certificates or a complete chain, they are added to
the end, in sequence.
4) The certificate needs to be in PEM format, OpenSSL provides tools for
conversion from DER, an older standard. (and I guess NET). OpenSSL has
commands to test for PEM.
- To test for PEM: openssl x509 -text -in filename --- This will
yield a certificate in English from Encrypted PEM
- To test for DER: openssl x509 -inform der -text -in filename ---
This will yield a certificate in English from Encrypted DER
- To convert DER to PEM: openssl x509 -inform der -in filename -out
filename.pem --- Will convert from DER to PEM, then test
- To decrypt private key: openssl rsa -in foo.key >> cert.pem ---
This will prompt you for a passphrase and decode the file in cert.pem,
the -nodes flag in the self-signed command (Pound man pages) provides
this for the self-signed version
- All of the above commands, are from O'Reilly's Linux Security
Cookbook, available on Safari at http://safari.oreilly.com
5) These filename extensions dont seem to matter, they all become .pem's
6) OpenSSL provides a client command to query your setup, with
feedback... very helpful for debugging.
7) Pound and OpenSSL have no direct or ongoing linkage. OpenSSL's dev
resources are accessed during compilation of Pound, and that's it.
OpenSSL seems to be a toolkit, a resource (ie Apache mod_ssl) and a
generator for all of the pieces of the SSL puzzle. Pound uses OpenSSL
more like a IMAP mail server would, rather than how Apache does.
It's not easy to find your way. The relationship between Pound, SSL,
and the OpenSSL tool, is lacking in documentation, fortunately both have
very helpful message boards,
Chris Gamache wrote:
>The process is a bit rusty in my mind. I don't have to do it often. Please
>forgive the rough edges. This is one of those close-enough(tm) suggestions. :)
>Export your cert. (I think you might have to export it in IIS 4 compatibility
>mode...) Make sure you export the whole thing, public and private key. IIS
>give you some warnings about storing your private key in the exported format.
>You can take those into consideration as you do this. Then use openssl to
># openssl rsa -inform NET -in iisfile.key -out private.pem
>And there you have it...
>--- Martin Schubert <Martin(at)Amalien45.de> wrote:
>>I want to use Pound as a reverse proxy for my IIS.
>>As the IIS has one SSL site I need to use the webserver certificate
>>generated by a private windows CA
>>for the pound ssl-wraper.
>>How do I convert the certificate so that pound will accept it ? I've been
>>trying for days now so please give a hint
>Do you Yahoo!?
>Yahoo! Domains - Claim yours for only $14.70/year