SSL Certificate Options

To secure the login process or to proxy remote https web sites, you must use an SSL certificate. EZproxy allows you to create a self-signed certificate at no cost, or to create a certificate signing request that you process through a certificate authority to purchase a certificate.

Depending on the choices made during certificate setup, remote users may encounter various browser warnings. The following table summarizes the warnings that appear based on the choices made.

Regular versus Wildcard

In the following, Regular refers to a certificate that is issued in the exact name of your EZproxy server (e.g., ezproxy.yourlib.org) whereas Wildcard refers to a certificate that is issued as *. followed by the exact name of your EZproxy server (e.g., *.ezproxy.yourlib.org). These two forms of certificate name are the ones that can be created from within the SSL configuration option provided by EZproxy.

If you create a wildcard certificate outside of EZproxy that is a wildcard for your domain (e.g., *.yourlib.org) and if you are using proxy by hostname, you must edit config.txt/ezproxy.cfg and add "Option IgnoreWildcardCertificate" to indicate that your wildcard is not in the form EZproxy expects. If you do this, your wildcard certificate will behave as a Regular certificate, which includes providing browser warnings when https web sites are proxied.

| | Proxy by Port | Proxy By Hostname |
|---|---|---|
| Self-Signed Regular | Free. Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site. | Free. During login, single browser warning about unknown certificate during login. On first access to each different https proxied web server, hostname mismatch browser warning. Since there is no cost difference, self-signed wildcard is recommended over self-signed regular for proxy by hostname. |
| Self-Signed Wildcard | Not Applicable | Free. Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site. |
| Certificate Authority Issued Regular | Annual purchase. No browser warnings. Recommended solution for proxy by port. | Annual purchase. No browser warnings during login. Multiple hostname mismatch browser warnings, one for each https proxied web site accessed. |
| Certificate Authority Issued Wildcard | Not Applicable | Annual purchase; markedly more expensive than regular certificate if purchased. No browser warnings during login or when proxying https web sites. Recommended solution for proxy by hostname. |
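
The hostname mismatch warnings in the proxy by hostname column follow from how browsers compare a certificate name with the requested host: a leading * stands for exactly one DNS label. The check below is an added example, not EZproxy code; the proxied hostnames are constructed and assume each proxied https site is served as a single label under the EZproxy server name.

```python
# Added example, not EZproxy code. Hostnames below are constructed.

def name_matches(cert_name, host):
    """Return True if cert_name covers host the way browsers compare them.

    A leading "*" stands for exactly one DNS label: it never matches zero
    labels and never spans a dot.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def mismatched_hosts(cert_name, hosts):
    """Hosts that would trigger a hostname mismatch warning for this name."""
    return [h for h in hosts if not name_matches(cert_name, h)]


SERVER = "ezproxy.yourlib.org"
# Assumption: each proxied https site gets one extra label under SERVER.
PROXIED_HOSTS = [
    "www-example-com.ezproxy.yourlib.org",
    "db-example-org.ezproxy.yourlib.org",
]
CERT_NAMES = {
    "Regular": SERVER,
    "Wildcard (EZproxy form)": "*." + SERVER,
    "Wildcard (domain form)": "*.yourlib.org",
}


def warnings_by_certificate():
    """Map each certificate type to the proxied hosts it fails to cover."""
    return {kind: mismatched_hosts(name, PROXIED_HOSTS)
            for kind, name in CERT_NAMES.items()}


if __name__ == "__main__":
    for kind, hosts in warnings_by_certificate().items():
        covers = name_matches(CERT_NAMES[kind], SERVER)
        print(f"{kind:24} covers server name: {covers!s:5} "
              f"mismatches on proxied hosts: {len(hosts)}")
```

The domain-form wildcard covers the server name itself but none of the proxied hostnames, which is the same coverage as a Regular certificate.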

In Internet Explorer 7, any of the combinations that result in a browser warning present remote users with a warning page.

If this happens, the user is required to click "Continue to this website (not recommended)" to proceed, which users may be unwilling to do.

Microsoft knowledgebase article 931850 at support.microsoft.com/kb/931850/en-us describes a few alternatives that are available for this issue.