Creation of a certification authority (CA)

Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
Hello to all,
I want to create a certificate authority on TrueNAS and then create an SSL certificate.
But I am blocked by a mandatory field: "Subject Alternate Names".
I don't know what to put there.
I should mention that this is a home installation and that I do not have a domain name.
Do you have an idea of what to put?
Regards
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
There's no reason that a CA cert should have SANs on it, which makes it sound like yet another reason that using your NAS as a CA isn't a good idea. But you can put anything you want in that field.
 

Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
Hello,
I'm sorry, I didn't understand all of your answer.
I know that self-signed certificates are not ideal. But it is encryption in the context of home use, and it is not exposed to the internet (at least not directly); I can access my local network via a VPN.

What do you mean by: "you can put anything you want in that field"?
i.e. any IP address?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I know that self-signed certificates are not ideal.
Not really my point; I'm saying that the way the Certificate Authority feature is implemented in Free/TrueNAS is somewhere between lame and downright idiotic, so it might be better to use a different device or software as your CA (I've been partial to a Raspberry Pi running SmallStep CA for some time). But that's neither here nor there.
> What do you mean by: "you can put anything you want in that field"?
I mean that you can put literally any text you want there. There's no reason for this to be part of a CA cert, clients don't parse it, so it doesn't matter what you put there.
 

Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
> What do you mean by: "you can put anything you want in that field"?
> I mean that you can put literally any text you want there. There's no reason for this to be part of a CA cert, clients don't parse it, so it doesn't matter what you put there.
OK.

> I know that self-signed certificates are not ideal.
> Not really my point; I'm saying that the way the Certificate Authority feature is implemented in Free/TrueNAS is somewhere between lame and downright idiotic, so it might be better to use a different device or software as your CA (I've been partial to a Raspberry Pi running SmallStep CA for some time). But that's neither here nor there.
I don't know enough about the subject to understand it well.
However, if I rephrase what I understood, it would require another device that acts as a "third party", i.e. as a certification authority, and that generates the certificates?
Can it be a laptop that is on my local network?
If so, does that laptop need to be turned on constantly?

regards
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> it would require another device that acts as a "third party", i.e. as a certification authority, and that generates the certificates?
What I'm suggesting is that, if you want to use a local certificate authority, there are probably better ways to do that than with your NAS. Yes, your NAS has the capability. It's pretty poorly-implemented IMO (and I don't think it gets used much, so there may not be much help here for that feature), but it's there. I use the Raspberry Pi-based solution I linked earlier, though the same could be done with any Ubuntu machine (even a VM if you like, though that would be inherently a bit less secure). OPNsense and pfSense both include this feature, and I think it's better-implemented in either of them than in TrueNAS (though overall OPNsense has a better UI). Or you could run certificate authority software on one of your other computers. But there needs to be some device, whose certificate all your other devices trust, which will issue whatever local certificates you need.
> If so, does that laptop need to be turned on constantly?
The CA only needs to be available when certificates need to be issued.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
> The CA only needs to be available when certificates need to be issued.
Right. To elaborate, you can use OpenSSL on the command line to do everything you need. If you happen to have a Mac or Linux laptop, everything is included. On Windows, WSL probably also includes OpenSSL.

Like so (search engine result, looks reasonable to me):
 

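Worked example, added here and not part of the thread, TrueNAS or any linked page: the OpenSSL command-line workflow the previous post points at, done end to end on a laptop acting as the CA. It also shows the point made earlier in the thread about the SAN field: the CA certificate gets no subjectAltName at all, while the server certificate issued for the NAS carries one with the LAN name and the private IP address that clients actually connect to. The address 192.168.1.10 and the name nas.home.lan are made-up placeholders; the script assumes OpenSSL 1.1.1 or newer and writes everything to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or from TrueNAS): a minimal home CA with
# the OpenSSL CLI. Placeholders: the NAS is assumed to answer on 192.168.1.10
# and as nas.home.lan on the LAN. Requires OpenSSL 1.1.1+.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NAS_IP="192.168.1.10"
NAS_NAME="nas.home.lan"

# 1. Root CA: key, request, self-signed certificate. Note that the CA
#    extensions contain no subjectAltName; a CA certificate does not need one.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
        -subj "/CN=Home Root CA" >/dev/null 2>&1
    cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -days 3650 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Server key and certificate request for the NAS. The request carries no
#    extensions; the CA decides what goes on the certificate when signing.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$NAS_NAME" >/dev/null 2>&1
}

# 3. Sign the request with the CA. This is where the SAN belongs: the DNS name
#    and, for a home network without a domain, the private IP address.
sign_server() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$NAS_NAME,IP:$NAS_IP
EOF
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# Report whether the certificate in $1 carries a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name' \
        && echo yes || echo no
}

# Validate the server certificate the way a client does: chain to the trusted
# CA, then match the IP address or host name ($1) the client connected to.
verify_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
        "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}
verify_name() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}

make_ca
make_csr
sign_server
echo "CA certificate has a SAN:        $(has_san "$WORK/ca.crt")"       # no
echo "Server certificate has a SAN:    $(has_san "$WORK/server.crt")"   # yes
echo "Client connecting to $NAS_IP:   $(verify_ip "$NAS_IP")"         # ok
echo "Client connecting to $NAS_NAME:  $(verify_name "$NAS_NAME")"     # ok
echo "Client connecting to 192.168.1.99: $(verify_ip 192.168.1.99)"   # fail
```

To use the result, install server.key and server.crt on the NAS and import ca.crt into the trust store of every client that should accept it; ca.key is only touched when something new has to be signed, which is why the CA machine does not have to stay switched on.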
Rosin0416

Patron
Joined
Apr 11, 2016
Messages
214
OK. I understand better. I will take your advice.
Thank you for your advice, which I will follow.
 