> Hi Code4Lib,
> We're looking into applying an SSL certificate to an EZproxy server and aren't
> sure exactly how a wildcard cert gets handled in that context.
> Anyone have experience with this?
> The fuzzy part is that we're not clear how wildcard certificates that handle
> subdomain matching (e.g., *.example.org) translate into wild-looking proxied
> domains (like search.whatever.com.proxy.example.org).
This depends a lot on the version number of EZproxy.
The older versions of EZproxy look for a couple of things:
* proxy-by-hostname needs to be on (sounds like you have that)
* The wildcard MUST be in the CN, not a SAN. You'll likely want to use your login domain in the SN, depending on levels.
Given those two things, when EZproxy sees that it has a wildcard in the CN, it'll change from using periods to hyphens.
I think, although I can't remember for sure, at some point in 6.x this was fixed so a wildcard in a CN or SAN will work. I'd definitely verify that through testing though.
A license of EZproxy should let you run a separate test instance on another machine. You can verify this by just creating a self-signed wildcard cert. You'll get a warning, but you should also see the EZproxy behavior change. I find dnsmasq can be helpful as well.
So you'll want to get a wildcard cert for the one level of subdomain. While you're at it, make sure it's a 2048-bit key and SHA-2. I've been seeing a lot of people running into problems with old 3-year certs that they've finally gotten around to putting into place.
> This might be more of an EZproxy config question and more appropriate to that
> list. There's also documentation
> out there. But if anyone can comment on the process, whether the
> documentation was helpful to you, what sort of wildcard cert you got to
> address this problem, etc., we'd be interested to hear from you.
It's asked frequently enough that if I wasn't quite so lazy, I'd make it into the top FAQ question. The documentation was ok, but it's really not all that complicated.
University of Illinois
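
Added example (not part of the original message, and not EZproxy's own code): a short Python check of why a one-level wildcard cannot cover dotted proxy-by-hostname names but does cover hyphenated ones. The hostnames, the certificate names and the simplified periods-to-hyphens rule are assumptions made for illustration.

```python
# Added illustration. Hostnames, certificate names and the rewriting rule
# below are constructed for the example, not taken from an EZproxy install.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname the way TLS clients do:
    '*' is honoured only as the entire leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False          # different depth, or an empty label
    if p[0] == "*":
        return p[1:] == h[1:]  # everything right of the wildcard must be equal
    return p == h


def dotted_name(origin: str, proxy_domain: str) -> str:
    """Proxied hostname that keeps the origin's periods."""
    return f"{origin.lower()}.{proxy_domain}"


def hyphenated_name(origin: str, proxy_domain: str) -> str:
    """Assumed simplification of the periods-to-hyphens rewriting."""
    return f"{origin.lower().replace('.', '-')}.{proxy_domain}"


def covered(cert_names, hostname: str) -> bool:
    """True if any name in the certificate matches the hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def report(cert_names, origins, proxy_domain):
    """For each origin, show coverage of its dotted and hyphenated forms."""
    rows = {}
    for origin in origins:
        dotted = dotted_name(origin, proxy_domain)
        hyphenated = hyphenated_name(origin, proxy_domain)
        rows[origin] = {dotted: covered(cert_names, dotted),
                        hyphenated: covered(cert_names, hyphenated)}
    return rows


# Constructed sample data: a wildcard one level below the login hostname.
PROXY_DOMAIN = "proxy.example.org"
CERT_NAMES = ["*.proxy.example.org", "proxy.example.org"]
ORIGINS = ["search.whatever.com", "journals.example.net"]

if __name__ == "__main__":
    for origin, result in report(CERT_NAMES, ORIGINS, PROXY_DOMAIN).items():
        for host, ok in result.items():
            print(f"{origin:22} {host:42} {'covered' if ok else 'NOT covered'}")
```
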