bg-tutorials

How to Generate the CSR for Pound

This tutorial explains how to generate a CSR (Certificate Signing Request) for Pound, the lightweight reverse proxy and load balancer. Because Pound has no built-in CSR tool, you will use OpenSSL to create the CSR and private key, then submit the CSR to a Certificate Authority.

Note: The original Apsis Pound project was discontinued in September 2022 when Apsis GmbH was dissolved. The actively maintained successor is the graygnuorg/pound fork (currently at version 4.x). The CSR generation process below works for both legacy Pound and the current fork, since it relies on OpenSSL rather than Pound itself.

Generate the CSR and private key

You have two options for generating your CSR:

  • Use the CSR Generator to create the CSR automatically, without running any commands.
  • Generate the CSR manually with OpenSSL on the server where Pound runs, as described below.

Step 1: Run the OpenSSL command

Connect to your Pound server via SSH and run the following command. Replace every placeholder with your actual details:

openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -keyout yourdomain.key \
  -out yourdomain.csr \
  -subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=yourdomain.com" \
  -addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"

This single command creates two files in the current directory:

  • yourdomain.key, your private key. Keep this file secure and do not share it.
  • yourdomain.csr, the Certificate Signing Request you will submit to the CA.

Step 2: Understand the fields

Each field in the -subj string identifies your organization to the Certificate Authority:

  • C: two-letter country code (e.g., US).
  • ST: state or province (e.g., California).
  • L: city or locality (e.g., San Jose).
  • O: full legal organization name (e.g., Your Company LLC).
  • CN: the fully qualified domain name you want to secure (e.g., yourdomain.com).

The -addext option adds Subject Alternative Names (SANs). Modern browsers validate the certificate against the SAN list, not the CN field. Include every domain variant that should be covered, such as both yourdomain.com and www.yourdomain.com.

Step 3: Verify and submit the CSR

Open the CSR file with any text editor or print it to the terminal:

cat yourdomain.csr

The output starts with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. Copy the entire block, including those boundary lines, and paste it into the CSR field when you order your certificate. You can also verify the CSR contents with the Decode CSR tool before submitting it.

Step 4: Secure the private key

The private key file (yourdomain.key) is created alongside the CSR. Move it to a secure location and restrict its permissions:

sudo mkdir -p /etc/ssl/private
sudo mv yourdomain.key /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/yourdomain.key

You will need this key during the SSL installation on Pound. If you lose the private key, you will need to generate a new CSR and reissue the certificate.

What happens next: installing the certificate on Pound

After the CA validates your request and issues the certificate, you will receive the certificate files (typically a server certificate and a CA bundle of intermediates). Pound requires all of these, plus the private key, concatenated into a single PEM file in a specific order:

  1. Your server certificate (e.g., yourdomain.crt).
  2. The intermediate certificates (the CA bundle).
  3. Your private key (e.g., yourdomain.key).

The concatenation command looks like this:

cat yourdomain.crt yourdomain.ca-bundle yourdomain.key > /etc/ssl/pound.pem

You then point Pound’s ListenHTTPS block to this combined file using the Cert directive. For the full installation walkthrough, see How to Install an SSL Certificate on Pound.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.