SSL Certificate Options
To secure the login process or to proxy remote https web sites, you must use an SSL certificate. EZproxy allows
you to create a self-signed certificate for no cost or to create a certificate signing request which you process
through a certificate authority to purchase a certificate.
Depending on the choices made during certificate setup, remote users may encounter various browser warnings.
The following table summarizes the warnings that appear based on those choices.
Regular versus Wildcard
In the following, Regular refers to a certificate that is issued in the
exact name of your EZproxy server (e.g., ezproxy.yourlib.org), whereas
Wildcard refers to a certificate that is issued as *. followed by the
exact name of your EZproxy server (e.g., *.ezproxy.yourlib.org).
These two forms of certificate name are the types that can be created
from within the SSL configuration option provided by EZproxy.

If you create a wildcard certificate outside of EZproxy that is a
wildcard for your whole domain (e.g., *.yourlib.org) and you are using
proxy by hostname, you must edit config.txt/ezproxy.cfg and add
"Option IgnoreWildcardCertificate" to indicate that your wildcard is not
in the form EZproxy expects. If you do this, your wildcard certificate
will behave as a Regular certificate, which includes producing browser
warnings when https web sites are proxied.
As of February, 2007, ipsCA at certs.ipsca.com/ provides certificate authority issued certificates for
no cost to .edu domains, including wildcard certificates.
| | Proxy by Port | Proxy By Hostname |
|---|---|---|
| Self-Signed Regular | Free. Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site. | Free. During login, single browser warning about unknown certificate authority. On first access to each different https proxied web server, a hostname mismatch browser warning. Since there is no cost difference, self-signed wildcard is recommended over self-signed regular for proxy by hostname. |
| Self-Signed Wildcard | Not Applicable | Free. Single browser warning about unknown certificate authority the first time https is accessed, either during login or when accessing a proxied https web site. |
| Certificate Authority Issued Regular | Annual purchase (except ipsCA). No browser warnings. Recommended solution for proxy by port. | Annual purchase (except ipsCA). No browser warnings during login. Multiple hostname mismatch browser warnings, one for each https proxied web site accessed. |
| Certificate Authority Issued Wildcard | Not Applicable | Annual purchase (except ipsCA); markedly more expensive than a regular certificate if purchased. No browser warnings during login or when proxying https web sites. Recommended solution for proxy by hostname. |
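The hostname mismatch warnings in the table come from the browser's certificate name check. The following added example (not EZproxy code) applies the standard browser rule that "*." covers exactly one DNS label to each certificate choice above; it assumes that a wildcard certificate also lists the bare server name, and the dot-to-hyphen proxied hostnames are constructed placeholders for what a proxy-by-hostname name under the EZproxy host might look like.

```python
# Added example: why each certificate choice in the table does or does not
# produce hostname-mismatch warnings in the browser.

def name_matches(cert_name, host):
    """RFC 6125-style match of one certificate name against a hostname:
    a leading '*.' stands for exactly one DNS label, nothing more."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                # e.g. ".ezproxy.yourlib.org"
    if not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]        # what the '*' has to stand for
    return bool(covered) and "." not in covered   # exactly one label


def mismatches(cert_names, hosts):
    """Hostnames in `hosts` that no name in the certificate covers,
    i.e. the accesses that would trigger a hostname mismatch warning."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


LOGIN_HOST = "ezproxy.yourlib.org"
# Constructed proxied hostnames; the dot-to-hyphen single-label form is an
# assumption about how a proxy-by-hostname name under the EZproxy host looks.
PROXIED = ["www-example-com.ezproxy.yourlib.org",
           "search-example-org.ezproxy.yourlib.org"]

CERTS = {
    # Regular: issued in the exact EZproxy server name only.
    "regular": ["ezproxy.yourlib.org"],
    # EZproxy-style wildcard, assumed to also carry the bare server name.
    "ezproxy-wildcard": ["*.ezproxy.yourlib.org", "ezproxy.yourlib.org"],
    # Whole-domain wildcard created outside EZproxy (IgnoreWildcardCertificate case).
    "domain-wildcard": ["*.yourlib.org"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        bad = mismatches(names, [LOGIN_HOST] + PROXIED)
        print(f"{label}: {bad or 'no hostname mismatch warnings'}")
```

The domain-wide wildcard covers the login host but none of the proxied hosts, which is the "behaves as a Regular certificate" outcome described above.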
In Internet Explorer 7, any of the combinations that result in a browser
warning present remote users with a page similar to this:
If this happens, the user is required to click "Continue to this website
(not recommended)" to proceed, which users may be unwilling to do.
Microsoft knowledgebase article 931850 at
support.microsoft.com/kb/931850/en-us describes
a few alternatives that are available for this issue.