This tutorial explains how to generate a CSR (Certificate Signing Request) for Pound, the lightweight reverse proxy and load balancer. Because Pound has no built-in CSR tool, you will use OpenSSL to create the CSR and private key, then submit the CSR to a Certificate Authority.
Note: The original Apsis Pound project was discontinued in September 2022 when Apsis GmbH was dissolved. The actively maintained successor is the graygnuorg/pound fork (currently at version 4.x). The CSR generation process below works for both legacy Pound and the current fork, since it relies on OpenSSL rather than Pound itself.
Generate the CSR and private key
You have two options for generating your CSR:
- Use the CSR Generator to create the CSR automatically, without running any commands.
- Generate the CSR manually with OpenSSL on the server where Pound runs, as described below.
Step 1: Run the OpenSSL command
Connect to your Pound server via SSH and run the following command. Replace every placeholder with your actual details:
openssl req -new -newkey rsa:2048 -sha256 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=California/L=San Jose/O=Your Company LLC/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
This single command creates two files in the current directory:
- yourdomain.key, your private key. Keep this file secure and do not share it.
- yourdomain.csr, the Certificate Signing Request you will submit to the CA.
Step 2: Understand the fields
Each field in the -subj string identifies your organization to the Certificate Authority:
- C: two-letter country code (e.g., US).
- ST: state or province (e.g., California).
- L: city or locality (e.g., San Jose).
- O: full legal organization name (e.g., Your Company LLC).
- CN: the fully qualified domain name you want to secure (e.g., yourdomain.com).
The -addext option adds Subject Alternative Names (SANs). Modern browsers validate the certificate against the SAN list, not the CN field. Include every domain variant that should be covered, such as both yourdomain.com and www.yourdomain.com.
Step 3: Verify and submit the CSR
Open the CSR file with any text editor or print it to the terminal:
cat yourdomain.csr
The output starts with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----. Copy the entire block, including those boundary lines, and paste it into the CSR field when you order your certificate. You can also verify the CSR contents with the Decode CSR tool before submitting it.
Step 4: Secure the private key
The private key file (yourdomain.key) is created alongside the CSR. Move it to a secure location and restrict its permissions:
sudo mkdir -p /etc/ssl/private
sudo mv yourdomain.key /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/yourdomain.key
You will need this key during the SSL installation on Pound. If you lose the private key, you will need to generate a new CSR and reissue the certificate.
What happens next: installing the certificate on Pound
After the CA validates your request and issues the certificate, you will receive the certificate files (typically a server certificate and a CA bundle of intermediates). Pound requires all of these, plus the private key, concatenated into a single PEM file in a specific order:
- Your server certificate (e.g., yourdomain.crt).
- The intermediate certificates (the CA bundle).
- Your private key (e.g., yourdomain.key).
The concatenation command looks like this:
cat yourdomain.crt yourdomain.ca-bundle yourdomain.key > /etc/ssl/pound.pem
You then point Pound’s ListenHTTPS block to this combined file using the Cert directive. For the full installation walkthrough, see How to Install an SSL Certificate on Pound.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


