Suggested by Serge Caron, SCaron [at] pcevolution [dot] com

Instructions on how to create an SSL key and certificate to be used with Pound.

1. Generate a private key using the command:

    # openssl genrsa -out server.domain.key 1024

   You can password protect this key using

    # openssl genrsa -des3 -out server.domain.key 1024

   but be aware that Pound will then require you to enter the passphrase for this key manually on every reboot. A sample (password protected) key looks like this:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,EE373D0ED187BF2A

    AiQECnNv/C6xpclhGabtros/wFp7LK8OJ/W4fyfYlRKoHxiW2qfY/tR7GgRwS0+b
    ...
    pQoydNh8kwC33gWHb2rnTo6DDg98DlTEfQ73EHQd2P3O1rqoflPv0A==
    -----END RSA PRIVATE KEY-----

2. Create the Certificate Signing Request (CSR) using the command

    # openssl req -new -key server.domain.key -out server.domain.csr

   Please note that the Common Name (CN) of this certificate must be the fully qualified domain name of the machine. If you intend to secure the URL "https://owa.company.com" then the CN is owa.company.com. As part of the request, openssl encrypts the Organization, Organizational Unit, City, State, Country and the administrator's email. You can verify your request before submission using the command

    # openssl req -noout -text -in server.domain.csr

   A sample CSR looks like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIB7jCCAVcCAQAwga0xCzAJBgNVBAYTAkNBMQ8wDQYDVQQIEwZRdWViZWMxEzAR
    ...
    sZohY9qz797nmmjhNVc4Qi+v
    -----END CERTIFICATE REQUEST-----

3. Send the Certificate Signing Request to the certificate authority (CA) of your choice. The most common are Verisign and Thawte, but there are a few dozen others. The role of the CA is to certify your request by signing it, assuring that it really belongs to you. Most CAs charge for their services; a typical fee is a few hundred dollars per certificate, and the issued certificate expires in a year or two, so you have to pay and renew it at the end of each period.

   Note: there is at least one free CA. Free and gratis. Commercial products like Internet Explorer and Opera do not include the root certificate for such CAs, and you will have to install the root certificate of your free supplier in these browsers. Other browsers do include the root certificates of the free CAs. Your mileage may vary.

4. Retrieve the certificate signed by the CA using their delivery system: usually you will copy the certificate from an email or a web page. An issued certificate looks like this:

    -----BEGIN CERTIFICATE-----
    MIIDUTCCArqgAwIBAgIDBlwBMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
    ...
    eRK52ItQpf4TceSXA24M1cHSpKIvwkdDDdx4nzFgidK2Ink7bA==
    -----END CERTIFICATE-----

5. Edit the sample file (pound.pem), combining the key from step 1 and the certificate from step 4. Using the above examples, the final product looks like this:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,EE373D0ED187BF2A

    AiQECnNv/C6xpclhGabtros/wFp7LK8OJ/W4fyfYlRKoHxiW2qfY/tR7GgRwS0+b
    ...
    pQoydNh8kwC33gWHb2rnTo6DDg98DlTEfQ73EHQd2P3O1rqoflPv0A==
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIDUTCCArqgAwIBAgIDBlwBMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT
    ...
    eRK52ItQpf4TceSXA24M1cHSpKIvwkdDDdx4nzFgidK2Ink7bA==
    -----END CERTIFICATE-----
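The five steps above as a script, with the check worth running before Pound is restarted: that the key and certificate placed in pound.pem actually belong together, that the CN is the expected host name, and that the certificate has not expired. This is an added example, not part of the Pound documentation; it assumes openssl is on PATH, the file names are placeholders, and a self-signed certificate stands in for the one the CA returns in step 4.

```sh
#!/bin/sh
# Added example for the procedure above; not part of the Pound documentation.
# Assumes openssl is on PATH. File names are placeholders of my choosing.
set -eu

# Steps 1 and 2: unencrypted key plus a CSR whose CN is the host's FQDN.
# 2048 bits rather than the 1024 shown above: current browsers reject 1024.
make_key_and_csr() {
    host=$1
    openssl genrsa -out "$host.key" 2048 2>/dev/null
    openssl req -new -key "$host.key" -out "$host.csr" \
        -subj "/C=CA/ST=Quebec/O=Example Corp/CN=$host" 2>/dev/null
}

# Stand-in for steps 3 and 4 when testing without a CA: self-sign the CSR.
# In a real deployment use the certificate the CA returns instead.
self_sign() {
    host=$1
    openssl x509 -req -in "$host.csr" -signkey "$host.key" -days 1 \
        -out "$host.crt" 2>/dev/null
}

# Step 5: pound.pem is simply the key followed by the certificate.
# The file holds the private key, so keep it readable by its owner only.
build_pound_pem() {
    key=$1 cert=$2 out=$3
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"
}

# Returns 0 only if the key and certificate in the PEM file share a modulus,
# the certificate's CN is the expected host, and it has not yet expired.
# openssl rsa/x509 each pick the first block of their own type in the file.
check_pound_pem() {
    pem=$1 host=$2
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ] || return 1
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem")
    case "$subject" in
        *"CN=$host,"*|*"CN=$host") ;;
        *) return 1 ;;
    esac
    openssl x509 -noout -checkend 0 -in "$pem" >/dev/null
}
```

Run check_pound_pem against the finished pound.pem with the host name Pound will serve; a non-zero exit means the file is not the key/certificate pair you think it is.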