EZProxy & Wildcard Certificates

Hi all--

A recent issue with our certificate authority for our EZProxy server has
us (meaning me) scrambling. Your input is appreciated.

What is the value of a wildcard certificate?
What are the risks of a wildcard certificate?
When would a wildcard certificate be mandatory?

Many thanks.

EZProxy & Wildcard Certificates

If you're using the old-style EZProxy configuration with a separate port
number for each proxied host then there is no need for the wildcard cert.

The value: If you're using a newer EZProxy configuration using a wildcard
DNS entry, a wildcard entry is the only way to proxy SSL and not have
certificate host name errors. Individual certificates needed could be in the
dozens or hundreds on an EZProxy host and I'm not sure EZProxy would support
that anyway.

The risk: the certificate issuer doesn't have final control of the hostname
it is used with, so if it is stolen the exposure is greater. Since it is
probably valid for *.ezproxy.yourschool.edu, any mischievous name
matching that pattern could be used with SSL. Broader wildcards like
*.yourschool.edu are riskier. I don't see this as much of a problem since
(a) you're already using a wildcard DNS entry with a similar risk
calculation and (b) that wildcard DNS entry is still tied to only one
hostname or IP. One way to ease the security concern is to have
shorter-lived certs, and to have the cert require a CRL check to be valid.

When would it be mandatory: When you're using a wildcard DNS entry for
EZProxy, you proxy some SSL sites and your users' tolerance for
certificate error warnings in their browser is not high. Otherwise a
self-signed wildcard cert is fine. We're fortunate that our parent
institution can sign valid certs for us so cost isn't an issue. Wildcards
aren't cheap.

RE: EZProxy & Wildcard Certificates

I recently had the exact same issue with my ipsCA certificate. I replaced it with a wildcard certificate from GoDaddy for $199.99 (for 1 yr). After the new ipsCA root gets added to Firefox (+ 3 to 6 months to force adoption) we can switch back to them. The new root is already in IE.

EZProxy requires an SSL cert if:
A. You are proxying an SSL-enabled resource and/or
B. You wish to protect your login page with SSL.

Additionally, EZProxy requires a wildcard cert if A or B is true, and you are running Proxy by Hostname instead of Proxy by Port.

The risks of a wildcard cert are pretty low for EZProxy since the cert is only good for any *.ezproxy.somewhere.edu domain. There is no chance of someone spoofing your www.somewhere.edu domain without a browser warning if they were able to hack your server and steal your private key. Spoofing would be a risk with any compromised SSL cert; wildcard certs would just affect more possible domain names than a single cert.

-Mike

Michael Jewell, CCNA, CCNA-Voice, Cisco Firewall Specialist
Information Systems Support Engineer

Information Technology Department
University of Maryland School of Law
410-706-5771

> -----Original Message-----
> From: teknoids-bounces@ruckus.law.cornell.edu [mailto:teknoids-
> bounces@ruckus.law.cornell.edu] On Behalf Of Tobias Brasier
> Sent: Tuesday, January 05, 2010 12:10 PM
> To: Teknoids
> Subject: [teknoids] EZProxy & Wildcard Certificates
>
> Hi all--
>
> A recent issue with our certificate authority for our EZProxy server has
> us (meaning me) scrambling. Your input is appreciated.
>
> What is the value of a wildcard certificate?
> What are the risks of a wildcard certificate?
> When would a wildcard certificate be mandatory?
>
> Many thanks.
> --
>
> Tobias Brasier
> Director of Web Services
> University of South Carolina School of Law
> 701 Main Street
> Columbia, South Carolina 29208
> tobias@mailbox.sc.edu | v 803-777-5247 | f 803-777-5247

RE: EZProxy & Wildcard Certificates

We use the Comodo SGC Wildcard certificate at UC Hastings.

Things to know about wildcard certificates:
- You only make one CSR for the first server, with the CN being
*.yourdomain.com
- After the wildcard certificate is installed on the first server you
will have to export/import the certificate and its private key to any
other servers that you wish to use the wildcard certificate on.
- Wildcard certificates work great for web servers. We have our wildcard
certificate running in Tomcat, IIS, Apache, and Bluesocket.
- Wildcard certificates don't work with IAS or RADIUS (802.1x) because
the CN in the certificate has to be the same as the server name for client
authentication. Since the wildcard certificate CN is *.uchastings.edu
the 802.1x client will not be able to validate the wildcard certificate
on the server.
- The wildcard certificate CN will only work one level deep from the
domain. The CN *.mydomain.edu will work with servers that are named
server.mydomain.edu or webserver.mydomain.edu but not with
frank.server.mydomain.edu or frank.stevens.server.mydomain.edu
- If you use a specialized application like Datatel you will have to
create CSRs and buy single-server certificates for each server connector
that you implement. The wildcard certificate will not work. Our problem
is that Datatel doesn't allow you to import a private key for a
certificate.

----
Nicholas Urrea
Information Technology
UC Hastings College of the Law
urrean@uchastings.edu
x4718
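The two points the replies above turn on, that a wildcard cert for *.ezproxy.yourschool.edu only covers names one label deep (so a stolen key cannot impersonate www.yourschool.edu, while *.yourschool.edu would), and that multi-label proxied hostnames fall outside the wildcard, can be checked mechanically. The following is an added example, not code from the thread or from EZProxy/OCLC: it implements the wildcard matching rules browsers apply (RFC 6125 section 6.4.3) and uses them to list which hosts in an inventory a given certificate's private key would let an attacker impersonate. All hostnames, including the hyphen-folded proxied name, are constructed for illustration; `hostname_matches`, `cert_covers` and `exposed_hosts` are names chosen here.

```python
"""Wildcard certificate name matching and blast-radius check.

Added example, not from the mailing-list thread or from EZProxy/OCLC.
Implements the RFC 6125 section 6.4.3 rules browsers use for wildcard
names; every hostname below is constructed for illustration.
"""
from typing import Iterable, List


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks an absolute name
    return name.lower().rstrip(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or dNSName SAN) covers *hostname*.

    Rules applied:
    - an exact, case-insensitive match always wins;
    - '*' is honoured only as the whole leftmost label, so 'w*.example.edu'
      or 'a.*.example.edu' never match anything;
    - the wildcard stands for exactly one label: '*.example.edu' covers
      'a.example.edu' but not 'example.edu' and not 'a.b.example.edu';
    - at least two fixed labels must follow the wildcard ('*.edu' is
      refused), a coarse stand-in for browsers' public-suffix checks.
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # wildcard allowed only as the entire first label, nowhere else
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    # '*' consumes exactly one label; the rest must match label for label
    if len(host_labels) != len(pat_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == pat_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """A certificate is valid for a host if any of its names matches it."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def exposed_hosts(cert_names: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Hosts from *inventory* that someone holding this certificate's private
    key could impersonate without a browser warning (the 'blast radius')."""
    names = list(cert_names)
    return [host for host in inventory if cert_covers(names, host)]


# Constructed inventory of an institution's hostnames (not real systems).
INVENTORY = [
    "www.yourschool.edu",
    "mail.yourschool.edu",
    "ezproxy.yourschool.edu",
    "www-sciencedirect-com.ezproxy.yourschool.edu",  # proxied host folded to one label
    "www.sciencedirect.com.ezproxy.yourschool.edu",  # proxied host kept as several labels
    "login.portal.yourschool.edu",
]

NARROW_WILDCARD = ["*.ezproxy.yourschool.edu"]
BROAD_WILDCARD = ["*.yourschool.edu"]

if __name__ == "__main__":
    for names in (NARROW_WILDCARD, BROAD_WILDCARD):
        print(names, "->", exposed_hosts(names, INVENTORY))
```

Two things fall out of running it. The narrow cert covers only the single-label proxied name, so a proxied host that keeps its dots (www.sciencedirect.com.ezproxy.yourschool.edu) would still produce a certificate error, and the bare ezproxy.yourschool.edu login host is not covered either and needs its own name in the certificate. The broad *.yourschool.edu cert covers www, mail and the proxy host itself, which is exactly the wider exposure the replies warn about if its key is stolen.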


RE: EZProxy & Wildcard Certificates

To answer your questions:

What is the value of a wildcard certificate?
A: With a wild card certificate you don't have to buy a new certificate
for each server. You can buy one wildcard certificate and install it on
all of the servers that you wish to have SSL enabled on.

What are the risks of a wildcard certificate?
A: With the wildcard certificate you only have one public/private key
pair. If one of the servers holding that key pair is compromised, the
attacker could compromise the rest of the servers that have the same
wildcard certificate installed.

When would a wildcard certificate be mandatory?
A: To reduce costs for the institution.

----
Nicholas Urrea
Information Technology
UC Hastings College of the Law
urrean@uchastings.edu
x4718
