Fixes certificate generation when using non-default binding host.

- If you entered a binding host of 0.0.0.0 to bind on all interfaces,
  the certificate would be generated with that as a SAN instead of the
  actual IP address at which you'd be accessing the host.  This was a
  bug!  We should still be including 127.0.0.1 as a host.
- Fixes other miscellaneous certificate problems I found when trying
  to validate our certificate.

src/main.ts

@@ -49,17 +49,28 @@ export default class LocalRestApi extends Plugin {
       expiry.setDate(today.getDate() + 365);
 
       const keypair = forge.pki.rsa.generateKeyPair(2048);
-      const attrs = [{ name: "commonName", value: "Obsidian Local REST API" }];
+      const attrs = [
+        {
+          name: "commonName",
+          value: "Obsidian Local REST API",
+        },
+      ];
       const certificate = forge.pki.createCertificate();
       certificate.setIssuer(attrs);
       certificate.setSubject(attrs);
 
       const subjectAltNames: Record<string, any>[] = [
         {
           type: 7, // IP
-          ip: this.settings.bindingHost ?? DefaultBindingHost,
+          ip: DefaultBindingHost,
         },
       ];
+      if (this.settings.bindingHost) {
+        subjectAltNames.push({
+          type: 7, // IP
+          ip: this.settings.bindingHost,
+        });
+      }
       if (this.settings.subjectAltNames) {
         for (const name of this.settings.subjectAltNames.split("\n")) {
           if (name.trim()) {
@@ -75,14 +86,16 @@ export default class LocalRestApi extends Plugin {
         {
           name: "basicConstraints",
           cA: true,
+          critical: true,
         },
         {
           name: "keyUsage",
           keyCertSign: true,
           digitalSignature: true,
           nonRepudiation: true,
-          keyEncipherment: true,
-          dataEncipherment: true,
+          keyEncipherment: false,
+          dataEncipherment: false,
+          critical: true,
         },
         {
           name: "extKeyUsage",