bg-tutorials

How to Install an SSL certificate on Pound

This guide shows you how to install an SSL/TLS certificate on Pound, the lightweight HTTP/HTTPS reverse proxy. It covers the part that trips most operators up: building the single combined PEM file Pound expects, in the correct order, then writing a working ListenHTTPS block that disables obsolete protocols, points Pound at a backend, and survives a configuration check before you restart the service.

A quick note on which Pound this guide targets. The original Apsis Pound project was discontinued in September 2022. Active development moved to the fork maintained by Sergey Poznyakoff at github.com/graygnuorg/pound, which is now the canonical upstream and the version packaged by current Linux distributions. The directives below match the modern 4.x series.

Generate the CSR for Pound

If you already generated your CSR and have the issued certificate files in hand, skip ahead to Install the SSL certificate on Pound.

Before a Certificate Authority can issue your certificate, you need to submit a CSR (Certificate Signing Request): a small text block that contains your domain details and a public key, paired with a private key that stays on the server. You have two options:

  • Generate the CSR automatically with our CSR Generator. The tool returns both the CSR and the matching private key, which you then move to the server.
  • Generate the CSR on the server itself with OpenSSL by following our tutorial on how to generate a CSR on Pound. The private key stays on the server.

When applying for the certificate, paste the full CSR block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. If you want to confirm the CSR contents before submitting, paste it into our CSR decoder. Keep the matching private key file (usually yourdomain.key) somewhere safe and readable only by root; you will need it during installation.

Install the SSL certificate on Pound

Once the CA has issued the certificate, you will typically receive:

  • Your primary (server) certificate, usually a .crt or .pem file named after your domain.
  • One or more intermediate certificates, either as separate files or bundled into one .ca-bundle file.
  • The private key (a .key file) that was generated together with your CSR.

Pound expects a single PEM file that contains the certificate, the intermediate chain, and the unencrypted private key. The graygnuorg manual is explicit about the order: certificate, then intermediate certificates (if any), then the private key, in that order. Skipping the chain is the most common installation mistake: the certificate looks fine in a desktop browser but fails on Android, on iOS, and in command-line clients.

Step 1: Build the combined PEM file

This guide assumes the certificate files are staged in /etc/pound/. Adjust the paths to match your layout. Concatenate the three files into one PEM file. The pipe-to-tee pattern below runs the redirect with root privileges, which is necessary because /etc/pound/ is usually writable only by root (a plain sudo cat … > /etc/pound/… would fail, since the shell opens the output file as your normal user before sudo ever runs):

cat your_domain.crt intermediate.crt your_domain.key | sudo tee /etc/pound/your_domain.pem > /dev/null

If the CA shipped the intermediates as a single .ca-bundle file, use that instead:

cat your_domain.crt your_domain.ca-bundle your_domain.key | sudo tee /etc/pound/your_domain.pem > /dev/null

Replace the file names with your own. The private key inside the combined file must be unencrypted, since Pound starts non-interactively and cannot prompt for a passphrase. Lock the resulting file down so only root can read it:

sudo chown root:root /etc/pound/your_domain.pem
sudo chmod 600 /etc/pound/your_domain.pem

Step 2: Edit pound.cfg

Open the Pound configuration file (commonly /etc/pound/pound.cfg on Debian and Ubuntu, or /etc/pound.cfg on some other distributions) and add a ListenHTTPS block that points at the combined PEM file. A minimal modern block looks like this:

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/your_domain.pem"

    # Modern TLS only: disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1,
    # leaving TLSv1.2 and TLSv1.3 enabled.
    Disable TLSv1_1
    Ciphers "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS"

    Service
        Backend
            Address 127.0.0.1
            Port 8080
        End
    End
End

A few notes on the directives above:

  • Cert supplies the combined PEM file you built in Step 1. The manual is clear that Cert must precede all other SSL-specific directives inside the listener, so keep it at the top of the block.
  • Disable turns off the named protocol and every protocol older than it. Disable TLSv1_1 therefore disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1, leaving TLSv1.2 and TLSv1.3 active, which matches current industry guidance.
  • Ciphers sets the OpenSSL cipher list (used for TLS 1.2; TLS 1.3 negotiates its own ciphersuites). The list above restricts the proxy to modern ECDHE suites with AEAD; if you need to support older clients, swap in the Mozilla “intermediate” profile from ssl-config.mozilla.org.
  • Service / Backend is where Pound proxies the decrypted traffic. The example forwards to a single backend on the loopback interface (port 8080); replace the address and port with whatever your application listens on, and add more Backend blocks if you want Pound to load-balance.

If you also want Pound to accept plain HTTP and forward it (typically only for redirecting to HTTPS, see Step 4), add a separate ListenHTTP block in the same file.

Step 3: Check the configuration and restart Pound

Before reloading the service, validate the configuration file so a typo cannot take the proxy offline. Pound has a built-in check mode:

sudo pound -c -f /etc/pound/pound.cfg

It exits with status 0 and prints nothing on success, or status 1 with a file-and-line error message on failure. Add -v if you want an explicit “configuration OK” confirmation. When the check passes, restart Pound so it picks up the new listener:

sudo systemctl restart pound

On systems without systemd, use the older init script instead:

sudo /etc/init.d/pound restart

Confirm the service is running and listening on port 443:

sudo systemctl status pound
sudo ss -tlnp | grep ':443'

Step 4 (recommended): Redirect HTTP to HTTPS

To make sure visitors who type the bare domain land on the secure URL, add a plain HTTP listener that responds to every request with a permanent redirect to the HTTPS version of the same path:

ListenHTTP
    Address 0.0.0.0
    Port 80
    Service
        Redirect 301 "https://example.com$1"
    End
End

Replace example.com with your own domain. The $1 back-reference preserves the original request path. Run sudo pound -c -f /etc/pound/pound.cfg again, then restart the service.

Test the SSL installation

Open your site over https:// in a browser and check that the padlock is closed and the certificate matches your domain. Then run a deeper scan with our SSL Checker for an instant report on the certificate, the chain, and the protocols and ciphers Pound is offering. A clean result there means clients on every major platform, including mobile and API clients, will trust the certificate.

Frequently Asked Questions

Which Pound should I install?

The original Apsis project was abandoned in 2022. The actively maintained fork is graygnuorg/pound by Sergey Poznyakoff, currently in the 4.x series, and it is what the major Linux distributions package as pound. If you are running anything from the old 2.x line, plan to move to a current release: the configuration directives in this guide assume the modern fork.

What order do the certificate, chain, and key go in the PEM file?

Per the Pound manual: the server certificate first, then the intermediate certificates (if any), then the private key, all PEM-encoded, in that single file. The private key must not be passphrase-protected, because Pound starts as a daemon and has no way to prompt for one.

How do I disable old TLS versions in Pound?

Use the Disable directive inside the ListenHTTPS block. Pound’s Disable turns off the named protocol and every protocol older than it, so Disable TLSv1_1 disables SSLv2, SSLv3, TLSv1.0 and TLSv1.1, leaving only TLSv1.2 and TLSv1.3. That is the recommended setting for new deployments.

Can I host more than one HTTPS site on the same Pound instance?

Yes. Pound supports SNI, so you can declare multiple Cert statements inside the same ListenHTTPS listener (or point Cert at a directory of PEM files). Pound walks the certificates in order and serves the first one whose Common Name or SAN matches the requested host name, so list more specific certificates (host names) before wildcards.

How do I test the Pound configuration without restarting?

Run sudo pound -c -f /etc/pound/pound.cfg. The -c flag checks the configuration file for syntax errors and exits without starting the proxy; exit status 0 means OK, status 1 means there is an error (the message tells you which file and line). Add -v for an explicit success message.

How often do I need to renew the certificate?

As of March 15, 2026, publicly trusted SSL/TLS certificates are capped at 200 days, and the CA/Browser Forum has scheduled further reductions (to 100 days in 2027 and 47 days in 2029). Plan to repeat the install above well before each expiry, or automate renewals with ACME.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.