pound SSL: please help, anything I need to know if I'm using Thawte or Verisign as the Certifying Authority?
Joe Dsuzea <ravenx334(at)yahoo.com> | 2011-01-26 16:56:28
I will be using these steps to generate the key and CSR:

# openssl genrsa -out /etc/ssl/private/server.key 2048
(without des3 so I get no password prompt)

# openssl req -new -key server.key -out domain.server.csr

I will then cat the above server.key and the returned .crt from Thawte (or
Verisign) then create a PEM file.
Then this directive will be added in pound.cfg:
Cert "/etc/pound/host.pem"

Do I need to worry about the CA file?

Previously we had a Thawte cert where I did not need to deal with any CA file
for POUND. Just the server private key and the returned CRT pem'd together
worked fine.

Anyone have experience with Thawte/Verisign and POUND?
TIA
Re: [Pound Mailing List] pound SSL: please help, anything I need to know if I'm using Thawte or Verisign as the Certifying Authority?
Dave Steinberg <dave(at)redterror.net> | 2011-01-26 17:09:47
On 1/26/2011 10:56 AM, Joe Dsuzea wrote:
> I will be using these steps to generate the key and CSR:
> # openssl genrsa -out /etc/ssl/private/server.key 2048
> (without des3 so I get no password prompt)
>
> # openssl req -new -key server.key -out domain.server.csr
>
> I will then cat the above server.key and the returned .crt from Thawte (or
> Verisign) then create a PEM file.
> Then this directive will be added in pound.cfg:
> Cert "/etc/pound/host.pem"
>
> Do I need to worry about the CA file?
>
> Previously we had a Thawte cert where I did not need to deal with any CA file
> for POUND. Just the server private key and the returned CRT pem'd together
> worked fine.
>
> Anyone have experience with Thawte/Verisign and POUND?

I don't have direct experience with Thawte/Verisign certs, but the
principles ought to be universal. If they give you intermediate
certificates, append them onto your PEM file. Pound's configuration
doesn't change. I.e.:
$ cat server.key server.crt intermediate1.crt intermediate2.crt ... > server.pem
That should be all that's required.
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/
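
Added example (not part of the original thread and not Pound's own tooling): a shell function that lints a bundle for the layout described in the reply above, that is, one unencrypted private key, then the server certificate, then any intermediates. The names `lint_pound_pem` and `pem_block` and the sample data are constructed for illustration; the check is structural only and does not verify that the key matches the certificate or that the chain validates.

```shell
#!/bin/sh
# Structural lint for a bundle laid out as in the reply: private key first,
# then the server certificate, then intermediates. Assumption: this order is
# taken from the reply; key/cert match and chain validity are NOT checked.
lint_pound_pem() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    { sub(/\r$/, "") }                      # tolerate CRLF files from a CA
    /^-----BEGIN .+-----$/ {
        if (cur != "") fail("BEGIN inside unterminated " cur " block")
        cur = substr($0, 12, length($0) - 16)   # label between the dashes
        label[++n] = cur
        next
    }
    /^-----END .+-----$/ {
        if (substr($0, 10, length($0) - 14) != cur) fail("END does not match " cur)
        cur = ""
        next
    }
    # Legacy "genrsa -des3" keys carry the encryption marker as a header line.
    cur ~ /PRIVATE KEY$/ && /^Proc-Type: 4,ENCRYPTED/ { encrypted = 1 }
    END {
        if (cur != "") fail("unterminated " cur " block")
        if (n == 0) fail("no PEM blocks found")
        else if (label[1] !~ /PRIVATE KEY$/) fail("first block is not a private key")
        if (label[1] == "ENCRYPTED PRIVATE KEY") encrypted = 1
        if (encrypted) fail("private key is passphrase-protected")
        if (n == 1) fail("no certificate after the key")
        for (i = 2; i <= n; i++) {
            if (label[i] ~ /PRIVATE KEY$/) fail("extra private key at block " i)
            else if (label[i] != "CERTIFICATE") fail("block " i " is not a CERTIFICATE")
        }
        if (!bad) print "OK: 1 key, 1 server certificate, " (n - 2) " intermediate(s)"
        exit bad + 0
    }' "$1"
}

# Constructed placeholder block (base64 of "CONSTRUCTED"), not real key material.
pem_block() { printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"; }

sample=$(mktemp)
{ pem_block 'RSA PRIVATE KEY'; pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$sample"
lint_pound_pem "$sample"
rm -f "$sample"
```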