SSL Configuration

SSL Certificate Options

To secure the login process or to proxy remote https web sites, you must use an SSL certificate. EZproxy allows you to create a self-signed certificate for no cost or to create a certificate signing request which you process through a certificate authority to purchase a certificate.

Depending on the choices made during certificate setup, remote users may encounter various browser warnings. The following table summarizes the warnings that appear for each combination of certificate type and proxy mode.

Regular versus Wildcard

In the following, Regular refers to a certificate issued in the exact name of your EZproxy server (e.g., ezproxy.yourlib.org), whereas Wildcard refers to a certificate issued for "*." followed by the exact name of your EZproxy server (e.g., *.ezproxy.yourlib.org). These two forms of certificate name are the ones that can be created from within the SSL configuration option provided by EZproxy.

If you create a wildcard certificate outside of EZproxy that is a wildcard for your domain (e.g., *.yourlib.org) and if you are using Proxy by Hostname you will receive browser warnings. This certificate will work effectively for Proxy by Port configuration with additional options enabled. You will need the certificate and the corresponding private RSA key to import this certificate into EZproxy.

Note on wildcard certificates: EZproxy expects the wildcard domain name to be specified as the CN element in the Subject field. The non-wildcard domain should be specified as a DNS element in the Subject Alternative Name (SAN) field.

Self-Signed Regular

  Proxy by Port:
  • Free
  • Should be used for TESTING ONLY
  • Single browser warning about an unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site

  Proxy by Hostname:
  • Free
  • Should be used for TESTING ONLY
  • During login, a single browser warning about an unknown certificate
  • On first access to each different https proxied web server, a hostname mismatch browser warning
  • Since there is no cost difference, self-signed wildcard is recommended over self-signed regular for Proxy by Hostname

Self-Signed Wildcard

  Proxy by Port:
  • Not Applicable

  Proxy by Hostname:
  • Free
  • Should be used for TESTING ONLY
  • Single browser warning about an unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site

Certificate Authority Issued Regular (ezproxy.library.edu OR *.library.edu)

  Proxy by Port:
  • Annual purchase
  • No browser warnings
  • Recommended solution for Proxy by Port

  Proxy by Hostname:
  • Annual purchase
  • Browser warnings after login
  • Multiple hostname mismatch browser warnings, one for each https proxied web site accessed

Certificate Authority Issued Wildcard (*.ezproxy.library.edu)

  Proxy by Port:
  • Not Applicable

  Proxy by Hostname:
  • Annual purchase; markedly more expensive than a regular certificate if purchased
  • No browser warnings during login or when proxying https web sites
  • Recommended solution for Proxy by Hostname
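The hostname mismatch warnings in the table above, and the CN/SAN note before it, both follow from one rule browsers apply when matching a certificate name: a "*" stands for exactly one DNS label. The following Python script is an added example written for this page (it is not EZproxy code and does not parse real certificates); it models a certificate as the list of names it carries and applies that rule to constructed hostnames, so you can see why a regular certificate or a *.yourlib.org wildcard leaves Proxy by Hostname users with warnings, why *.ezproxy.yourlib.org does not, and why the non-wildcard name still needs to appear as a SAN entry. The hostnames ezproxy.yourlib.org, www-example-com.ezproxy.yourlib.org and journals-example-org.ezproxy.yourlib.org are constructed for illustration.

```python
"""Model of browser hostname matching against the certificate names
discussed on this page (added example; not EZproxy's own code).

Rule implemented (RFC 6125, section 6.4.3): a wildcard must be the whole
leftmost label and matches exactly one label, so '*.yourlib.org' covers
'ezproxy.yourlib.org' but not 'www-example-com.ezproxy.yourlib.org'.
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Minimal model of the names a certificate presents to a browser."""
    common_name: str                     # CN element of the Subject field
    san_dns: list = field(default_factory=list)  # DNS entries in the SAN field

    def names(self):
        # Browsers match against SAN dNSName entries; the CN is only a
        # legacy fallback. Both are included here so the CN-only case can
        # be compared with the CN-plus-SAN case below.
        return [self.common_name] + list(self.san_dns)


def name_matches(pattern, host):
    """Return True if the certificate name `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, the label counts must
    # agree (one wildcard covers one label), and a bare '*.tld' is rejected.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert, host):
    """True if any name on the certificate matches the host."""
    return any(name_matches(name, host) for name in cert.names())


def browser_warnings(cert, hosts):
    """Return the hosts that would trigger a hostname mismatch warning."""
    return [h for h in hosts if not certificate_covers(cert, h)]


# Constructed scenario: the EZproxy login host plus two sites proxied under
# Proxy by Hostname, which presents each remote site as a sub-hostname.
LOGIN_HOST = "ezproxy.yourlib.org"
PROXIED_HOSTS = [
    "www-example-com.ezproxy.yourlib.org",
    "journals-example-org.ezproxy.yourlib.org",
]
ALL_HOSTS = [LOGIN_HOST] + PROXIED_HOSTS


def scenario():
    """Warnings each certificate type from the table would produce."""
    regular = Certificate("ezproxy.yourlib.org", ["ezproxy.yourlib.org"])
    domain_wildcard = Certificate("*.yourlib.org", ["*.yourlib.org"])
    # Wildcard in the CN, non-wildcard name as a SAN entry, as the note
    # on wildcard certificates above recommends.
    ezproxy_wildcard = Certificate("*.ezproxy.yourlib.org", ["ezproxy.yourlib.org"])
    # Same wildcard but with the non-wildcard name omitted from the SAN.
    ezproxy_wildcard_cn_only = Certificate("*.ezproxy.yourlib.org", [])
    return {
        "regular": browser_warnings(regular, ALL_HOSTS),
        "domain_wildcard": browser_warnings(domain_wildcard, ALL_HOSTS),
        "ezproxy_wildcard": browser_warnings(ezproxy_wildcard, ALL_HOSTS),
        "ezproxy_wildcard_cn_only": browser_warnings(ezproxy_wildcard_cn_only, ALL_HOSTS),
    }


if __name__ == "__main__":
    for cert_type, warned in scenario().items():
        print(f"{cert_type}: {len(warned)} hostname mismatch warning(s)")
        for host in warned:
            print(f"  {host}")
```

Run it and the regular and *.yourlib.org certificates each warn on both proxied hostnames while passing the login host, the *.ezproxy.yourlib.org certificate with the SAN entry warns on nothing, and the same wildcard without the SAN entry warns on the login host itself, because "*" cannot match zero labels. That last case is exactly what the note about putting the non-wildcard name in the SAN field guards against.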

This page last revised: August 23, 2017