Yeah, in the latest EZProxy version you can use a multi-domain cert with
the wildcard in the SAN. Be sure when you request your cert with the
EZProxy CSR you get a multi-domain cert, otherwise it won't matter what
you've selected for the SAN.
Best regards,
*Jason Bengtson*
www.jasonbengtson.com
On Wed, Feb 17, 2016 at 12:17 PM, Gorman, Jon <[log in to unmask]> wrote:
> > Hi Code4Lib,
> > We're looking into applying an SSL certificate to an EZproxy server and
> aren't
> > sure exactly how a wildcard cert gets handled in that context.
> > Anyone have experience with this?
>
> Yup.
>
> > The fuzzy part is that we're not clear how wildcard certificates that
> handle
> > subdomain matching (e.g., *.example.org) translate into wild-looking
> proxied
> > domains (like search.whatever.com.proxy.example.org).
>
> This depends a lot on the version number of EzProxy.
>
> The older versions of EzProxy look for a couple of things:
>
> * proxy-by-hostname needs to be on (sounds like you have that)
> * The wildcard MUST be in the CN, not a SAN. You'll likely want to use
> your login domain in the SN, depending on levels.
>
> Given those two things, when ezproxy sees that it has a wildcard in the
> CN, it'll change from using periods to hypens.
>
> I think, although I can't remember for sure, at some point in 6.x this was
> fixed so a wildcard in a CN or SAN will work. I'd definitely verify that
> through testing though.
>
> A license of ezproxy should let you run a separate test instance on
> another machine. You can verify this by just creating a self-signed
> wildcard cert. You'll get a warning, but you should also see the ezproxy
> behavior change. I find dnsmasq can be helpful as well.
>
> So you'll want to get a wildcard cert for the one level of subdomain.
> While you're at it, make sure it's a 2048 bit key and SHA-2. I've been
> seeing a lot of people running into problems with old 3 year certs that
> they finally gotten around to putting into place.
>
>
> > This might be more of an EZproxy config question and more appropriate to
> that
> > list. There's also documentation
> > <
> https://www.oclc.org/support/services/ezproxy/documentation/cfg/ssl.en.ht
> > ml>
> > out there. But if anyone can comment on the process, whether the
> > documentation was helpful to you, what sort of wildcard cert you got to
> > address this problem, etc., we'd be interested to hear from you.
>
> It's asked frequently enough that if I wasn't quite so lazy, I'd make it
> into the top FAQ question. The documentation was ok, but it's really not
> all that complicated.
>
>
>
> Jon Gorman
> Library IT
> University of Illinois
> 217 244-4688
>
|