L'estensione subjAltTag per i certificati X.509 può contenere nomi di dominio, indirizzi email, URI, ecc. Stavo giocando con un X.509 il cui subjAltTag aveva solo un URI in esso non sembra funzionare. Ecco uno screenshot:
L'URI nella barra degli indirizzi - nella parte superiore - è lo stesso URI nel certificato. Ho aggiornato il file hosts per indicare www.google.com a localhost. Cert è praticamente cert di google.com rassegnato.
La mia domanda è ... perché non funziona? I browser supportano solo i nomi di dominio?
Il certificato X.509 e la corrispondente chiave privata RSA sono allegati:
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCaSBi+M4Gl/qWFOM24QrioNLplsW0MwLH/jDpWdckJIm979pPv/qUt6MUNgq7r
Di87poo6j8Ak726He6Br1bNJoRiTzHtbHqAFVgNp4Cxv5pade8zr4qBX8j9Pl76oq/MB2Yfcg7Rb
N/kblPBlsLwWNfrBt2nLZgn47pccUioNsQIDAQABAoGAFGJgOoktoRQDJJX7wFO4eCj3U8ZchSnU
mtIZRyEq3bUaC8PpifUYN/egSYexusbWAMihTNl/ZqHn9aik6nqCxIqYxgx9grybGOBo36qJzFSC
cszNWeEd1VAi7gJBHSZlSWhOrEHM0faYXh+DRisVTGSnmRsNIltu7Havf5KXua0CQQD9rJRF3lSB
ci3/d5c3Z+S52Lkv1zIvHhsFOYn39LCJVSUv9ufok5d2ktgFlYcVhsdr4La9ks4L8jQeiWQaWqiX
AkEAm7I5foaUX3P71dvaIH2fPXPLMF8h9jcK37YXTkaSeh1waKPUofSDcK2kJq86EZI3HA4bGVk9
QPvzmHGUzAI89wJBAMob0Pqlu+ByjzFmH+W18eccQ9dY9hPSQab1A/a5Tlnsq7c+WeDUjq2bK1+v
lbPR8VsC67W4nE+qRlo6DrZsmrsCQF36V+XdSdXL5miRybnu2Z14NV8/LPq3AqNCABNJWcTH3D/t
E72mH2h2By0qe3x7qzQN96F3UhfVfJW5iT0S5MUCQFhYfOylO4Yi13hpjOQb8M31sCKZUBUJIipP
c/8PFDyfJiTt61ZiMnYgIst5T2ai98S8+XZZwEvxNyu1uiQ2tbI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDaDCCAtOgAwIBAgIBCTALBgkqhkiG9w0BAQUwazELMAkGA1UEBgwCVVMxEzARBgNVBAgMCkNh
bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2dsZSBJbmMxGjAY
BgNVBAMMEXd3dy5mcm9zdGplZGkuY29tMB4XDTEyMDMyMTE2MzcyM1oXDTEzMDQyMTE2MzcyM1ow
azELMAkGA1UEBgwCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZp
ZXcxEzARBgNVBAoMCkdvb2dsZSBJbmMxGjAYBgNVBAMMEXd3dy5mcm9zdGplZGkuY29tMIGdMAsG
CSqGSIb3DQEBAQOBjQAwgYkCgYEAmkgYvjOBpf6lhTjNuEK4qDS6ZbFtDMCx/4w6VnXJCSJve/aT
7/6lLejFDYKu6w4vO6aKOo/AJO9uh3uga9WzSaEYk8x7Wx6gBVYDaeAsb+aWnXvM6+KgV/I/T5e+
qKvzAdmH3IO0Wzf5G5TwZbC8FjX6wbdpy2YJ+O6XHFIqDbECAwEAAaOCASAwggEcMAwGA1UdEwEB
/wQCMAAwOQYDVR0fAQEABC8wLTAroCmgJ4YlaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVNH
Q0NBLmNybDArBgNVHSUBAQAEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEATB1Bggr
BgEFBQcBAQEBAARmMGQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wPgYIKwYB
BQUHMAKGMmh0dHA6Ly93d3cudGhhd3RlLmNvbS9yZXBvc2l0b3J5L1RoYXd0ZV9TR0NfQ0EuY3J0
MC0GA1UdEQEBAAQjMCGGH2h0dHBzOi8vd3d3Lmdvb2dsZS5jb20vYXNkZmFzZGYwCwYJKoZIhvcN
AQEFA4GBAEWifm73z2rOJd9Io7egHEFRG+GNpUi+owYnSM07cStlwKg0UXesKxEO9Pud942WqwIt
TJUpYuUWyLupMh7R5ZfbrYsFfohwKqctKZLt/0+Lup2SNHDk79mJ0bsEql7ktMmSCSVE7AHt4j2t
hYm2aSTho/PLcjknV7Ul60csqVXJ
-----END CERTIFICATE-----
Ecco gli errori specifici che Firefox mi sta dando:
The certificate is not trusted because it is self-signed.
The certificate is not valid for any server names.
Qualche idea?