I currently have a server that has a self-signed SSL cert and viewing it is restricted by using a private key that's been exported to Firefox.
I want to put Pound in front of this and 1 other server, so that both are using the same https listener in pound.cfg and the same private key on the client end for restricting access.
 
My confusion is mostly around where to generate the server.pem for Pound.
Do I generate the server.pem and private browser key on the pound server or import the server.pem from a backend server?
If the second option, does this mean I can only have one SSL backend per Pound instance?

I'm just at point of testing now (creating keys takes me a while) and have created a new CA, self-signed cert, pem file, and private key on the Pound server.
I have commented out all SSL stuff in the Apache httpd.conf files on both backend servers so now they should just pass http requests back to Pound.
I've tested that each backend resolves with http and without need for a private key, as I want Pound to handle this.
But I can't get Pound to resolve the backends. Am I doing something wrong or that isn't possible?

Here's my pound.cfg so far:

ListenHTTPS
        Address  192.168.1.140
                Port    443
                Cert "/usr/etc/server.pem"
                LogLevel 2

    Service
        BackEnd
                Address 192.168.1.141
                Port 8080
        End
    End
   
    Service
        BackEnd
                Address 192.168.1.142
                Port 8083
        End
    End   
   
End