I have set up the following self-signed certificates on Mac OS X 10.6.8 and made them trusted in Keychain Access: *.la.com *.la.mx *.la.es *.la.ca *.la.com.ar *.la.co.nz *.la.us *.la.co.uk
However, for a reason that I cannot understand, the *.la.us certificate cannot be trusted even though I follow the exact same process in creating it and trusting it. In fact, if I untrust and then trust each of the certificates, they work and I get a green padlock in Chrome 43.0.2357.132 (64-bit) "except" for the *.la.us.
For *.la.us I get:
Your connection is not private
Attackers might be trying to steal your information from www.la.us (for example, passwords, messages or credit cards). NET_ERR_CERT_COMMON_NAME_INVALID
If I click on Advanced I see:
This server could not prove that it is www.la.us; its security certificate is from *.la.us. This may be caused by a misconfiguration or an attacker intercepting your connection.
If I proceed and click on the red padlock I see:
Server's certificate does not match the URL.
How is it that the server's certificate does not match the URL when it clearly tells me it's www.la.us and the certificate is for *.la.us?
Is there something special about the domain la.us? I have re-created the cert several times, re-entered the MAMP Apache virtual conf several times, and tried Keychain Access again and again (removing the cert in between). Any thoughts anyone?
There are special rules for domains inside the .us namespace and it looks like Chrome is enforcing these. From the Wikipedia entry for .us:
A two-letter second-level domain is formally reserved for each U.S. state, federal territory, and the District of Columbia....
These rules are also reflected in the public suffix list, where you find special entries for la.us and also various subdomains like k12.la.us.
These special rules suggest that there is no single owner of the *.la.us namespace and thus you should not be able to get a wildcard certificate for *.la.us. This is similar to the uk and co.uk namespaces, where you cannot get certificates for *.co.uk but only for *.la.co.uk. Note that not all of the rules in the public suffix list are used by all browsers to check the subject of the certificates.