TrueNAS CORE
TrueNAS Enterprise
TrueNAS SCALE
Compare Editions
TrueCommand
Software Status
FreeNAS
Compare Systems
F-Series
M-Series
X-Series
R-Series
Mini Series
Download TrueNAS CORE
Download TrueNAS SCALE
Get TrueNAS Enterprise
Where to BuyTrueNAS CORE Nightly Development Documentation
This content follows experimental early release software. Use the Product and Version selectors above to view content specific to a stable software release.
CAs
5 minute read.
Last Modified 2024-03-15 13:07 EDT
| Setting | Description |
|---|---|
| Name | Descriptive identifier for this certificate authority. |
| Type | Select the CA type from the dropdown list of options. Select Internal CA for a certificate authority that functions like a publicly-trusted CA used to sign certificates for an internal network. This CA is not trusted outside the private network. Select Intermediate CA for a CA that lives between the root and end-entity certificates. Its main purpose is to define and authorize the types of certificates requested from the root CA. Select Import CA for a CA that allows importing an existing CA onto the system. For more information, see What are Subordinate CAs and Why Would You Want Your Own?. |
| Profiles | Select predefined certificate extensions from the dropdown list. Options are Opentvpn Root CA and CA. Choose a profile that best matches your certificate usage scenario. |
Certificate options change based on the option selected in Type.
| Setting | Description |
|---|---|
| Signing Certificate Authority | (Required) Select a previously imported or created CA. Displays when Type is set to Intermediate CA. |
| Key Type | (Required) Select the key type from the dropdown list of options. Default is RSA. Select EC for EC curve certificates. See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types. |
| Key Length | (Required) Select the number of bits in the key used by the cryptographic algorithm from the dropdown list. Options are 1024, 2048 or 4096. For security reasons, a minimum key length of 2048 is recommended. |
| Digest Algorithm | (Required) Select the cryptographic algorithm to use from the dropdown list of options. Only change the default SHA256 if the organization requires a different algorithm. |
| Lifetime | (Required) Enter the lifetime of the CA specified in days. |
| Setting | Description |
|---|---|
| Country | (Required) Select the country of the organization from the dropdown list. |
| State | (Required) Enter the state or province of the organization. |
| Locality | (Required) Enter the location of the organization. For example, the city. |
| Organization | (Required) Enter the name of the company or organization. |
| Organizational Unit | Organizational unit of the entity. |
| (Required) Enter the email address of the person responsible for the CA. | |
| Common Name | Enter the fully-qualified hostname (FQDN) of the system. This name must be unique within a certificate chain. |
| Subject Alternate Names | (Required) Enter additional domains to secure for multi-domain support. Separate domains by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses. |
| Setting | Description |
|---|---|
| Enabled | Select to activate this certificate extension. |
| Path Length | Enter the number of non-self-issued intermediate certificates that can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. Cannot be less than 0. |
| Basic Constraints Config | Select the basic constraints extension that identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. See RFC 3280, section 4.2.1.10 for more information. |
| Setting | Description |
|---|---|
| Enabled | Select to activate this certificate extension. |
| Authority Key Config | Select the authority key identifier extension that provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification can be based on either the key identifier (the subject key identifier in the issuer certificate) or on the issuer name and serial number. See RFC 3280, section 4.2.1.1 for more information. |
| Setting | Description |
|---|---|
| Enabled | Select to activate this certificate extension. |
| Usages | Select the options that identify the purpose for this public key from the dropdown list. Is used for end entity certificates. Multiple usages can be selected. Do not mark this extension critical when the Usage is ANY_EXTENDED_KEY_USAGE. Using both Extended Key Usage and Key Usage extensions requires that the purpose of the certificate is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details. |
| Critical Extension | Select to identify this extension as critical for the certificate. The certificate-using system must recognize critical extensions, or it will reject the certificate. The certificate-using system can ignore non-critical extensions and still approve the certificate. |
| Setting | Description |
|---|---|
| Enabled | Select to activate this certificate extension. |
| Key Usage Config | Select the key usage extension that defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the Digital Signature bits would be asserted. Likewise, when an RSA key should be used only for key management, the Key Encipherment bit would be asserted. See RFC 3280, section 4.2.1.3 for more information. |
| Setting | Description |
|---|---|
| Certificate | Paste the certificate for the CA. |
| Private Key | Paste the private key associated with the Certificate when available. Provide a key at least 1024 bits long. |
| Passphrase | Enter the passphrase for the private key. |
| Confirm Passphrase | Confirm the passphrase for the Private Key. |