Pound HTTPS Configuration
The following steps will guide you through the generation of a self-signed certificate for your ]project-open[ server.During the process you will create:
- server.key: This is a 1024 bit random string ("private key") that uniquely identifies your server
- server.csr: This is a "Certificate Signing Request" file. You can send this to a Certificate Authorities (CA), or sign it yourself.
- server.crt: This is a "certificate" that certifies that server.key belongs to you.
- server.pem: This is the file that Pound needs to work correctly. A PEM file is a bundle of a the "server.key" priviate key and a certificate.
- Generate an RSA private key for the server:
openssl genrsa -out server.key 1024
- Remove the passphrase from the key. Please make sure that nobody will have access to this file except for you. Otherwise the security of your server is at risk:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
- Create the Certificate Signing Request file, or CSR:
openssl req -new -key server.key -out server.csr
You will have to provide certain information for your CSR. Here are some sample values for ]project-open[:
Country Name (2 letter code) [GB]: ES
State or Province Name (full name) [Berkshire]: Catalonia
Locality Name (eg, city) [Newbury]: Barcelona
Organization Name (eg, company) [My Company Ltd]: Project Open Business Solutions S.L.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: www.project-open.org
Email Address []:webmaster@project-open.com
A challenge password []:
An optional company name []:
- Now you could go to some Certificate Authority in the Web (for example: http://www.instantssl.com/ currently offers free certificates for 90 days) and sign your key there. As a result, you will receive a "certificate" file that you can save as "server.crt".
- As an alternative you can sign the key yourself.
The server.crt certificate will be technically valid. However, your browser will show a security warning if it encounters such a self-signed certificate:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Verify your certificat. The following command should output some data, and not an error message:
openssl x509 -in server.crt -text
- Create a PEM file:
openssl x509 -in server.crt -out server.pem
openssl rsa -in server.key >> server.pem
- Now you can add a HTTPS listener configuration to your pound.cfg configuration file:
ListenHTTPS
Address 0.0.0.0
Port 443
Cert "/etc/pound/server.pem"
End
Older versions of Pound (<2.2) may require a different listener configuration, please consult the man-page of your installed version of Pound.
You can execute "netstat -nlp" to list all network connections. In the upper part your should see something like this:
... tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 24804/nsd tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 375/pound ... tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 375/pound ...
- 0.0.0.0:8000: This is the AOLserver itself
- 0.0.0.0:80: This is Pound listening for unincrypted HTTP connections
- 0.0.0.0.443: This is the Pound HTTPS listener.