SSL Certificate Options
To secure the login process or to proxy remote https web sites, you must use an SSL certificate. EZproxy allows you to create a self-signed certificate for no cost or to create a certificate signing request which you process through a certificate authority to purchase a certificate.
Depending on the choices made during certificate setup, remote users may encounter various browser warnings. The following table summarizes the warning that appear based on the choices made.
Regular versus Wildcard
In the following, Regular refers to a certificate that is issued in the exact name of your EZproxy server (e.g., ezproxy.yourlib.org) whereas Wildcard refers to a certificate that is issued as *. followed by the exact name of your EZproxy server (e.g., *.ezproxy.yourlib.org). These form of certificate names are the two types that can be created from within the SSL configuration option provided by EZproxy.
If you create a wildcard certificate outside of EZproxy that is a wildcard for your domain (e.g., *.yourlib.org) and if you are using proxy by hostname, you must edit config.txt/ezproxy.cfg and add "Option IgnoreWildcardCertificate" to indicate that your wildcard is not in the form EZproxy expects. If you do this, your wildcard certificate will behave as a Regular certificate, which includes providing browser warnings when https web sites are proxied.
| Proxy by Port | Proxy By Hostname | |
| Self-Signed Regular | Free Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site | Free During login, single browser warning about unknown certificate during login On first access to each different https proxied web server, hostname mismatch browser warning Since there is no cost difference, self-signed wildcard is recommended over self-signed regular for proxy by hostname |
| Self-Signed Wildcard | Not Applicable | Free Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site |
| Certificate Authority Issued Regular | Annual purchase No browser warnings Recommended solution for proxy by port | Annual purchase No browser warnings during login Multiple hostname mismatch browser warnings, one for each https proxied web site accessed |
| Certificate Authority Issued Wildcard | Not Applicable | Annual purchase; markedly more expensive than regular certificate if purchased No browser warnings during login or when proxying https web sites Recommended solution for proxy by hostname |
In Internet Explorer 7, any of the combinations that result in a browser warning present to remote users in a page similar to this:
If this happens, the user is required to click "Continue to this website (not recommended)" to proceed, which users may be unwilling to do.
Microsoft knowledgebase article 931850 at support.microsoft.com/kb/931850/en-us describes a few alternatives that are available for this issue.