In this guide, you’ll learn how to install an SSL Certificate on the Pound reverse proxy server. If you haven’t generated the CSR (Certificate Signing Request) code yet, the first part of the guide will show you how to generate a CSR code. The second part will focus on the SSL installation, while the third section will reveal interesting facts about Pound. Finally, in the last segment, you’ll discover where to buy the best SSL Certificate for your project.

Generate the CSR for Pound

CSR is an acronym for Certificate Signing Request, an encoded block of text that every SSL applicant must submit to the Certificate Authority during the SSL buying process. The CSR contains information about your company and the domain you want to secure. The quickest way to generate your CSR code is via an external tool such as the CSR Generator. Alternatively, you can use the OpenSSL utility if you’re familiar with its commands. 

Here’s how to create the CSR via OpenSSL:

  1. Run the following command to start the CSR generation process:
    openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  2. Replace yourdomain with the domain name you want to secure
    • Yourdomain.key is your private key
    •  Yourdomain.csr is your CSR code
  3. Next, provide the required details. Please fill in the fields as below:
    • Common name: enter the FQDN (fully qualified domain name) to which you want to assign your SSL Certificate (ex: If you bought a Wildcard Certificate, include an asterisk in front of the domain name (ex: *
    • City: enter the city where your business is officially registered (ex: San Jose)
    • State: enter the state where your company is located (ex: California)
    • Country: enter the two-letter country code of your organization (ex: US)
    • Organization: type the official, full name of your organization (ex: Your Company LLC). For Domain Validation (DV) Certificates, type NA instead
    • Organizational Unit: specify the unit responsible for SSL management (ex: IT or Web). If you have a DV certificate, put it NA instead.
    • Email Address: this is an optional field. You can leave it blank
    • Challenge Password: another optional field. We recommend leaving this field blank, otherwise, your CSR will be rejected by the CA.
  4. The OpenSSL utility will generate the CSR file. You can open it with any text editor such as Notepad. When applying for your certificate, please include the full CSR text including the —-BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– tags.
  5. Along with the CSR, OpenSSL will also create your private key (yourdomain.key). Save and store it in a safe place. You will need it during the SSL configuration.

Install the SSL certificate on Pound

After you receive the SSL installation files from your CA, you need to download the archived folder and extract its contents on your system. Next, you must combine your primary and intermediate certificate files with your private key into a single PEM file, with .pem extension. 

Now, the order of the files is important. The primary certificate, issued specifically for your domain, must be at the top of that new .pem file, and the intermediate at the bottom.

For this guide, we’ll assume the Certificate files are stored in /etc/test/ssl directory. Use the commands below to combine the files:

Private Key

$ cat /etc/test/ssl/private_keys/host_key.pem >> /etc/test/ssl/pound/host_key_and_cert_chain.pem

Primary Certificate

$ cat /etc/test/ssl/certs/host_cert.pem >> /etc/test/ssl/pound/host_key_and_cert_chain.pem

Intermediate Certificate

$ cat /etc/test/ssl/ca/intermediate.pem >> /etc/test/ssl/pound/host_key_and_cert_chain.pem

Note: Replace the private key and certificate names (bolded) we’ve included in the examples with the ones matching your actual files.

Next, open the pound.cfg file and add the following line of code with the actual name of your PEM file.


Finally, restart pound to activate your SSL certificate:

pound -f /etc/pound/pound.cfg -p /var/run/

Test Your SSL installation

After you install an SSL Certificate on Pound, you should run a quick test and check your new SSL certificate for potential errors and vulnerabilities. We have an entire article on our blog describing the best SSL tools to scan your SSL installation.

Pound Overview

Pound is an open-source reverse proxy program and application firewall that can be used as a web server load balancing solution. Developed by the IT security company Apsis GmbH, it has enhanced protection against cyber threats.

Initially released on October 5, 2020, Pound’s latest version 3.0 dates back to November 3, 2020. Among its features are IPv6 support, SNI (Server Name Indication) for SSL/TLS certificates, and virtual hosts support.

Where to buy the best SSL certificate for Pound?

When buying an SSL Certificate, you should consider three essential aspects: validation type, price, and customer service. At SSL Dragon, we offer an entire range of SSL certificates at affordable prices, backed by excellent customer service! Our SSL certificates are signed by leading Certificate Authorities and are compatible with Google Pound reverse proxy server. Here’s our full list of SSL certificate types:

Don’t know what type of SSL certificate to choose? Use our SSL Wizard to find the ideal SSL product for your website.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected] Your input would be greatly appreciated! Thank you.