Importing a PEM-formatted Certificate into EZproxy

The following directions are only needed for EZproxy 5.0 or earlier. EZproxy 5.1 or later provides an option to import an existing PEM-formatted certificate directly. This option can be reached from the EZproxy Administration Page and then the Manage SSL (https) Certificates page.

The following steps detail what is required to import an existing PEM-formatted certificate into EZproxy 5.0 or earlier.

Throughout this document, references are made to the EZproxy ssl directory. This directory is located inside the directory where EZproxy is installed. If you performed a default installation of EZproxy, this is /usr/local/ezproxy/ssl for Linux and Solaris or C:\ezproxy\ssl for Windows. If you have not created any certificates from within EZproxy, you will have to create the ssl subdirectory manually before you can proceed with these steps.

  1. If you are importing a wildcard certificate that matches the base name of your EZproxy server (e.g., your server is ezproxy.yourlib.org and the certificate is for *.yourlib.org), you must be using EZproxy 3.2a (2005-03-28) or later and must edit config.txt/ezproxy.cfg and add:

    Option IgnoreWildcardCertificate

    This option warns EZproxy that the wildcard certificate is not in the form that it expects, which would be *.ezproxy.yourlib.org in this example.

    If you use this type of certificate in proxy by hostname, your remote users will receive a browser warning whenever they access proxied https services. The only way to avoid that warning in proxy by hostname is to use a wildcard certificate that ends in exactly the name of your EZproxy server.

  2. EZproxy stores its certificates in files that start with 8 digit numbers. Examine the EZproxy ssl directory and note the highest number in use on a file such as 00000006.crt. For the rest of these steps, use the next highest number, adding enough zeros on the left to make 8 digits. If there are no files in this directory, do not use 00000000, but rather start from 00000001. For the balance of this document, 00000007 is used for the examples.
  3. Using a text editor or file transfer, copy the private key into the EZproxy ssl directory to a file such as 00000007.key. The private key file must not be encrypted. If it is encrypted, you will need to remove the encryption using a utility such as OpenSSL.
  4. Using a text editor or file transfer, copy the certificate into the EZproxy ssl directory to a file such as 00000007.crt.
  5. If you have a certificate authority chain, using a text editor or file transfer, copy the certificate authority chain into the EZproxy ssl directory to a file such as 00000007.ca.
  6. Verify that the new files are owned by the account that is used to run EZproxy and that this account has full access to the files.
  7. At this point, the certificate and key should be available to EZproxy. Use the information at:
    SSL Configuration
    to set up an admin account and access the /ssl administration page of your server. The imported certificate should be the top certificate in the list. Click into the certificate to verify that EZproxy considers it valid. If it does, use the information from the SSL configuration page to configure EZproxy to use this certificate, skipping all steps that relate to generating a new certificate.
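
Steps 2 through 6 can be scripted on Linux or Solaris as follows. This is an added example, not part of the original EZproxy documentation; the function names and the owner-only umask are assumptions, and it should be run as the account that runs EZproxy so the new files get that owner (step 6).

```shell
#!/bin/sh
# Print the next free 8-digit file number for ssl directory $1 (step 2).
next_cert_number() {
    max=0
    for f in "$1"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].*; do
        [ -e "$f" ] || continue
        n=$(basename "$f"); n=${n%%.*}
        # Strip leading zeros so 00000008 is not parsed as invalid octal.
        n=$(printf '%s' "$n" | sed 's/^0*//')
        if [ "${n:-0}" -gt "$max" ]; then max=$n; fi
    done
    printf '%08d\n' $((max + 1))    # empty directory yields 00000001
}

# Succeed if PEM key file $1 is passphrase-protected (not allowed by step 3).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# stage_pem SSLDIR KEY CERT [CHAIN]: copy the files in and print the number used.
stage_pem() {
    ssldir=$1; key=$2; cert=$3; chain=${4:-}
    if key_is_encrypted "$key"; then
        echo "private key is encrypted; remove the passphrase first" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "not a PEM certificate: $cert" >&2
        return 1
    fi
    num=$(next_cert_number "$ssldir")
    ( umask 077    # assumption: the key is unencrypted, so keep it owner-only
      cp "$key" "$ssldir/$num.key"
      cp "$cert" "$ssldir/$num.crt"
      if [ -n "$chain" ]; then cp "$chain" "$ssldir/$num.ca"; fi )
    echo "$num"
}

if [ "$#" -ge 3 ]; then stage_pem "$@"; fi
```

Because the key must be stored without a passphrase, file ownership and permissions on the ssl directory are the only protection it has on disk.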