Yeah, in the latest EZProxy version you can use a multi-domain cert with the wildcard in the SAN. Be sure when you request your cert with the EZProxy CSR you get a multi-domain cert, otherwise it won't matter what you've selected for the SAN.

Best regards,

*Jason Bengtson*
www.jasonbengtson.com

On Wed, Feb 17, 2016 at 12:17 PM, Gorman, Jon wrote:

> > Hi Code4Lib,
> > We're looking into applying an SSL certificate to an EZproxy server and aren't
> > sure exactly how a wildcard cert gets handled in that context.
> > Anyone have experience with this?
>
> Yup.
>
> > The fuzzy part is that we're not clear how wildcard certificates that handle
> > subdomain matching (e.g., *.example.org) translate into wild-looking proxied
> > domains (like search.whatever.com.proxy.example.org).
>
> This depends a lot on the version number of EzProxy.
>
> The older versions of EzProxy look for a couple of things:
>
> * proxy-by-hostname needs to be on (sounds like you have that)
> * The wildcard MUST be in the CN, not a SAN. You'll likely want to use
>   your login domain in the SN, depending on levels.
>
> Given those two things, when ezproxy sees that it has a wildcard in the
> CN, it'll change from using periods to hyphens.
>
> I think, although I can't remember for sure, at some point in 6.x this was
> fixed so a wildcard in a CN or SAN will work. I'd definitely verify that
> through testing though.
>
> A license of ezproxy should let you run a separate test instance on
> another machine. You can verify this by just creating a self-signed
> wildcard cert. You'll get a warning, but you should also see the ezproxy
> behavior change. I find dnsmasq can be helpful as well.
>
> So you'll want to get a wildcard cert for the one level of subdomain.
> While you're at it, make sure it's a 2048 bit key and SHA-2. I've been
> seeing a lot of people running into problems with old 3 year certs that
> they've finally gotten around to putting into place.
>
> > This might be more of an EZproxy config question and more appropriate to that
> > list. There's also documentation
> > <https://www.oclc.org/support/services/ezproxy/documentation/cfg/ssl.en.html>
> > out there. But if anyone can comment on the process, whether the
> > documentation was helpful to you, what sort of wildcard cert you got to
> > address this problem, etc., we'd be interested to hear from you.
>
> It's asked frequently enough that if I wasn't quite so lazy, I'd make it
> into the top FAQ question. The documentation was ok, but it's really not
> all that complicated.
>
> Jon Gorman
> Library IT
> University of Illinois
> 217 244-4688
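The reason EZproxy switches from periods to hyphens once it sees a wildcard cert is that a wildcard covers exactly one DNS label, so `*.proxy.example.org` cannot cover `search.whatever.com.proxy.example.org`. The following is an added illustration, not code from the thread or from EZproxy: a simplified RFC 6125-style wildcard matcher applied to both spellings of a proxied hostname, using the thread's `proxy.example.org` and `search.whatever.com` as constructed sample names.

```python
# Constructed sample names taken from the thread (not real hosts).
PROXY_DOMAIN = "proxy.example.org"
WILDCARD_NAME = "*." + PROXY_DOMAIN


def matches_wildcard(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' covers exactly one leftmost DNS label.

    A wildcard never matches across a dot, so '*.proxy.example.org'
    does not cover 'search.whatever.com.proxy.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Accept only a whole leftmost-label wildcard with at least two fixed
    # labels after it (no 'a*b.example.org', no '*.*.example.org', no '*.org').
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def dotted_proxy_host(origin_host: str) -> str:
    """Proxy-by-hostname spelling that keeps the origin's dots."""
    return f"{origin_host}.{PROXY_DOMAIN}"


def hyphenated_proxy_host(origin_host: str) -> str:
    """Spelling EZproxy switches to with a wildcard cert: dots become
    hyphens so the whole origin name collapses into a single label."""
    return f"{origin_host.replace('.', '-')}.{PROXY_DOMAIN}"


def covered_by_wildcard(origin_host: str) -> dict:
    """Map each proxied spelling of origin_host to whether the wildcard
    cert name covers it."""
    dotted = dotted_proxy_host(origin_host)
    hyphenated = hyphenated_proxy_host(origin_host)
    return {
        dotted: matches_wildcard(WILDCARD_NAME, dotted),
        hyphenated: matches_wildcard(WILDCARD_NAME, hyphenated),
    }


if __name__ == "__main__":
    for host, ok in covered_by_wildcard("search.whatever.com").items():
        print(f"{'covered' if ok else 'NOT covered':11} {host}")
```

Running it shows only the hyphenated form is covered, which is the behaviour change you should observe when testing with a self-signed wildcard cert as the thread suggests.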