Crypto.generate_self_signed_certificate() it appears the "CN" value must be the IP or URL of the WebSocketServer. My clients will be setting
WebSocketClient.trusted_ssl_certificate to the expected certificate for the server.
If the server is behind a firewall using NAT and can be accessed from both the LAN and Internet, do I need to generate two certificates (one for LAN and one for Internet) and instance two WebSocketServers listening on different ports (one of which is port forwarded by the firewall)? If so, I guess the WebSocketServer accessible via port forwarding must set the certificate CN to the public IP?
Maybe I'm missing something?