Importing a Windows Certificate into EZproxy

If you are running EZproxy on a Windows server, your server may already have an SSL key that you would like to use with EZproxy. EZproxy is unable to directly access the Windows certificate store. The following steps provide a way to export an SSL certificate from the Windows certificate store and import it into EZproxy. Although these steps work in many instances, there is no guarantee that all Windows certificates can be exported and transformed for use with EZproxy.

Throughout this document, references are made to the EZproxy ssl directory. This directory is located inside the directory where EZproxy is installed. If you performed a default installation of EZproxy, this is /usr/local/ezproxy/ssl for Linux and Solaris or C:\ezproxy\ssl for Windows.

  1. If you are importing a wildcard certificate that matches the base name of your EZproxy server (e.g., your server is ezproxy.yourlib.org and the certificate is for *.yourlib.org), you must be using EZproxy 3.2a (2005-03-28) or later and must edit config.txt/ezproxy.cfg and add:
    Option IgnoreWildcardCertificate
    This option warns EZproxy that the wildcard certificate is not in the form that it expects, which would be *.ezproxy.yourlib.org in this example.
  2. Go to Start | Run and type mmc then OK
  3. Go to Console | Add/Remove Snap-in (may be File | Add/Remove Snap-in)
  4. Click Add..., then select the Certificates Snap-In and click Add, then Computer Account, then Next, then Finish, then Close, then OK
  5. Expand the personal certificates and look for the certificate you purchased. Right click the certificate and select All Tasks -> Export. Do export the private key. Do not choose to export the CA certificates. Specify an arbitrary password. Save it to a file in the EZproxy ssl directory named iis.pfx.
  6. Download openssl.exe into the EZproxy ssl directory.
  7. Open a command prompt window and cd to the EZproxy ssl directory.
  8. EZproxy stores its certificates in files that start with 8 digit numbers. Issue the command:
    dir
    and note the highest number in use on a file such as 00000006.csr. For the rest of these steps, use the next highest number, adding enough zeros on the left to make 8 digits. If there are no files in this directory, do not use 00000000, but rather start from 00000001. For the balance of this document, 00000007 is used for the examples.
  9. Issue:
    openssl pkcs12 -in iis.pfx -out 00000007.crt
    Type the password you specified on the export. You will then be prompted for a password phrase. Type something here as well (could be the same thing).
  10. Remove the password from the private key and move it where EZproxy can use it with:
    openssl rsa -in 00000007.crt -out 00000007.key
    It will ask for the pass phrase, which should be the same one you provided in the previous step.
  11. If your certificate has a chained certificate authority, download the Apache version of the chain file and save it in the ssl directory as 00000007.ca
  12. At this point, the certificate and key should be available to EZproxy. Use the information in the SSL Configuration documentation to set up an admin account and access the /ssl administration page of your server. The imported certificate should be the top certificate in the list. Click into the certificate to verify that EZproxy considers it valid. If it does, use the information from the SSL configuration page to configure EZproxy to use this certificate, skipping all steps that relate to generating a new certificate.