This guide shows you how to install an SSL/TLS certificate on Pound, the lightweight HTTP/HTTPS reverse proxy. It covers the part that trips most operators up: building the single combined PEM file Pound expects, in the correct order, then writing a working ListenHTTPS block that disables obsolete protocols, points Pound at a backend, and survives a configuration check before you restart the service.
A quick note on which Pound this guide targets. The original Apsis Pound project was discontinued in September 2022. Active development moved to the fork maintained by Sergey Poznyakoff at github.com/graygnuorg/pound, which is now the canonical upstream and the version packaged by current Linux distributions. The directives below match the modern 4.x series.
Generate the CSR for Pound
If you already generated your CSR and have the issued certificate files in hand, skip ahead to Install the SSL certificate on Pound.
Before a Certificate Authority can issue your certificate, you need to submit a CSR (Certificate Signing Request): a small text block that contains your domain details and a public key, paired with a private key that stays on the server. You have two options:
- Generate the CSR automatically with our CSR Generator. The tool returns both the CSR and the matching private key, which you then move to the server.
- Generate the CSR on the server itself with OpenSSL by following our tutorial on how to generate a CSR on Pound. The private key stays on the server.
When applying for the certificate, paste the full CSR block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. If you want to confirm the CSR contents before submitting, paste it into our CSR decoder. Keep the matching private key file (usually yourdomain.key) somewhere safe and readable only by root; you will need it during installation.
Install the SSL certificate on Pound
Once the CA has issued the certificate, you will typically receive:
- Your primary (server) certificate, usually a .crt or .pem file named after your domain.
- One or more intermediate certificates, either as separate files or bundled into one .ca-bundle file.
- The private key (a .key file) that was generated together with your CSR.
Pound expects a single PEM file that contains the certificate, the intermediate chain, and the unencrypted private key. The graygnuorg manual is explicit about the order: certificate, then intermediate certificates (if any), then the private key, in that order. Skipping the chain is the most common installation mistake: the certificate looks fine in a desktop browser but fails on Android, on iOS, and in command-line clients.
Step 1: Build the combined PEM file
This guide assumes the certificate files are staged in /etc/pound/. Adjust the paths to match your layout. Concatenate the three files into one PEM file. The pipe-to-tee pattern below runs the redirect with root privileges, which is necessary because /etc/pound/ is usually writable only by root (a plain sudo cat … > /etc/pound/… would fail, since the shell opens the output file as your normal user before sudo ever runs):
cat your_domain.crt intermediate.crt your_domain.key | sudo tee /etc/pound/your_domain.pem > /dev/null
If the CA shipped the intermediates as a single .ca-bundle file, use that instead:
cat your_domain.crt your_domain.ca-bundle your_domain.key | sudo tee /etc/pound/your_domain.pem > /dev/null
Replace the file names with your own. The private key inside the combined file must be unencrypted, since Pound starts non-interactively and cannot prompt for a passphrase. Lock the resulting file down so only root can read it:
sudo chown root:root /etc/pound/your_domain.pem
sudo chmod 600 /etc/pound/your_domain.pem
Step 2: Edit pound.cfg
Open the Pound configuration file (commonly /etc/pound/pound.cfg on Debian and Ubuntu, or /etc/pound.cfg on some other distributions) and add a ListenHTTPS block that points at the combined PEM file. A minimal modern block looks like this:
ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/etc/pound/your_domain.pem"
# Modern TLS only: disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1,
# leaving TLSv1.2 and TLSv1.3 enabled.
Disable TLSv1_1
Ciphers "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS"
Service
Backend
Address 127.0.0.1
Port 8080
End
End
End
A few notes on the directives above:
- Cert supplies the combined PEM file you built in Step 1. The manual is clear that Cert must precede all other SSL-specific directives inside the listener, so keep it at the top of the block.
- Disable turns off the named protocol and every protocol older than it. Disable TLSv1_1 therefore disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1, leaving TLSv1.2 and TLSv1.3 active, which matches current industry guidance.
- Ciphers sets the OpenSSL cipher list (used for TLS 1.2; TLS 1.3 negotiates its own ciphersuites). The list above restricts the proxy to modern ECDHE suites with AEAD; if you need to support older clients, swap in the Mozilla “intermediate” profile from ssl-config.mozilla.org.
- Service / Backend is where Pound proxies the decrypted traffic. The example forwards to a single backend on the loopback interface (port 8080); replace the address and port with whatever your application listens on, and add more Backend blocks if you want Pound to load-balance.
If you also want Pound to accept plain HTTP and forward it (typically only for redirecting to HTTPS, see Step 4), add a separate ListenHTTP block in the same file.
Step 3: Check the configuration and restart Pound
Before reloading the service, validate the configuration file so a typo cannot take the proxy offline. Pound has a built-in check mode:
sudo pound -c -f /etc/pound/pound.cfg
It exits with status 0 and prints nothing on success, or status 1 with a file-and-line error message on failure. Add -v if you want an explicit “configuration OK” confirmation. When the check passes, restart Pound so it picks up the new listener:
sudo systemctl restart pound
On systems without systemd, use the older init script instead:
sudo /etc/init.d/pound restart
Confirm the service is running and listening on port 443:
sudo systemctl status pound
sudo ss -tlnp | grep ':443'
Step 4 (recommended): Redirect HTTP to HTTPS
To make sure visitors who type the bare domain land on the secure URL, add a plain HTTP listener that responds to every request with a permanent redirect to the HTTPS version of the same path:
ListenHTTP
Address 0.0.0.0
Port 80
Service
Redirect 301 "https://example.com$1"
End
End
Replace example.com with your own domain. The $1 back-reference preserves the original request path. Run sudo pound -c -f /etc/pound/pound.cfg again, then restart the service.
Test the SSL installation
Open your site over https:// in a browser and check that the padlock is closed and the certificate matches your domain. Then run a deeper scan with our SSL Checker for an instant report on the certificate, the chain, and the protocols and ciphers Pound is offering. A clean result there means clients on every major platform, including mobile and API clients, will trust the certificate.
Frequently Asked Questions
The original Apsis project was abandoned in 2022. The actively maintained fork is graygnuorg/pound by Sergey Poznyakoff, currently in the 4.x series, and it is what the major Linux distributions package as pound. If you are running anything from the old 2.x line, plan to move to a current release: the configuration directives in this guide assume the modern fork.
Per the Pound manual: the server certificate first, then the intermediate certificates (if any), then the private key, all PEM-encoded, in that single file. The private key must not be passphrase-protected, because Pound starts as a daemon and has no way to prompt for one.
Use the Disable directive inside the ListenHTTPS block. Pound’s Disable turns off the named protocol and every protocol older than it, so Disable TLSv1_1 disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1, leaving only TLSv1.2 and TLSv1.3. That is the recommended setting for new deployments.
Yes. Pound supports SNI, so you can declare multiple Cert statements inside the same ListenHTTPS listener (or point Cert at a directory of PEM files). Pound walks the certificates in order and serves the first one whose Common Name or SAN matches the requested host name, so list more specific certificates (host names) before wildcards.
Run sudo pound -c -f /etc/pound/pound.cfg. The -c flag checks the configuration file for syntax errors and exits without starting the proxy; exit status 0 means OK, status 1 means there is an error (the message tells you which file and line). Add -v for an explicit success message.
As of March 15, 2026, publicly trusted SSL/TLS certificates are capped at 200 days, and the CA/Browser Forum has scheduled further reductions (to 100 days in 2027 and 47 days in 2029). Plan to repeat the install above well before each expiry, or automate renewals with ACME.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


