What settings to use for new 'freenas_default' certificate

[newguy_815]

I'm running a TrueNAS-12.0-U5.1 CORE server. I got a notification on my server saying "Certificate 'freenas_default' is expiring within 6 days". I found threads explaining how to create a new one, but my questions are a bit different from "how to create one".

What is a certificate? What is it used for, and do I need one? If it expires, will that lock services on my server, or the server itself?

If I do need a new certificate, how do I know what settings to use? I'm not sure why the current certificate on my server was created (I did not set up this server), or what the certificate was used for. So I'm not sure what is and is not required in the new certificate. Viewing the current certificate does not give me any of this information. My server is used to run plex and store data. That's it. Not sure if the certificate is used for any of that.

Any and all help would be appreciated. If you need more information about my server, just ask. If you do need more information though, please be descriptive in what you need from me, but also on how I get that information. I'm not very knowledgeable when it comes to TrueNAS servers. Thank in advance.

 

[danb35]

What is a certificate?

It's an encryption certificate, used mainly to serve the web GUI via HTTPS, though it can also be used for some other services. You need to have a cert in order to use those, and you have one. If the cert expires and isn't replaced, you'll get (additional) certificate errors, but it won't lock the server or its services.

I'm not sure why the current certificate on my server was created

As its name suggests, it's created by default--at installation. I'm not sure that you have a particular need to "renew" it (i.e., replace it with a new cert that has a later expiration date)--Plex doesn't use the cert, nor do the core file-sharing services.

 

[newguy_815]

used mainly to serve the web GUI via HTTPS

Are you referring to the web GUI for the server itself, and/or the web GUI for plex? I use both GUI's quite often, and I can't have those not work, as I don't know how to connect to the server without those. If that is true, what basic loadout for a certificate would be needed if it's only for the server web GUI? If you meant something else by that, then I probably don't need to renew it.

I guess I should clarify how exactly I connect to the server. I connect to it via a local ip address, and a local network drive. Other than Plex, a virtual machine (I forgot to mention I run one), and any updates for those services (and the server itself), the server does not use internet for anything else. With all that in mind, am I still ok letting the certificate expire? It doesn't seem like it takes a lot of work to make one, so would it just be better overall making a new one? Seems like it might be better to make a new one and not use it, than to not have one, but need it.

 

[danb35]

Are you referring to the web GUI for the server itself, and/or the web GUI for plex?

For the server itself.

I use both GUI's quite often, and I can't have those not work, as I don't know how to connect to the server without those.

The GUI will continue to work. You'll likely get a certificate warning when the cert expires, but you can bypass that (as you've likely already done, since it's a self-signed cert). But it's only a factor, as I said above, if you're accessing the GUI via HTTPS.

so would it just be better overall making a new one?

Probably. I don't see super-strong arguments either way, but it seems you might as well use a current cert as one that's expired.

 

[newguy_815]

Ok. Thank you for your help in clarifying this for me.

Probably. I don't see super-strong arguments either way, but it seems you might as well use a current cert as one that's expired.

So if I were to create a new cert for the purpose of potentially accessing the GUI through HTTPS one day, is there a default or common set of settings to use for the new cert, or do the settings not really matter (in this case, given I don't really use the cert) and I can choose whatever settings I want? Is it as simple as just creating a new one and then I'm done, or do I need to apply it somehow as well?