FRG: System

Descriptions of each field in the System section of the TrueNAS web interface.

General

GUI

| Setting | Description |
|---|---|
| GUI SSL Certificate | The system uses a self-signed certificate to enable encrypted web interface connections. To change the default certificate, select a different certificate that was created or imported in the Certificates menu. |
| Web Interface IPv4 Address | Choose a recent IP address to limit the usage when accessing the administrative GUI. The built-in HTTP server binds to the wildcard address of 0.0.0.0 (any address) and issues an alert if the specified address becomes unavailable. |
| Web Interface IPv6 Address | Choose a recent IPv6 address to limit the usage when accessing the administrative GUI. The built-in HTTP server binds to the wildcard address of 0.0.0.0 (any address) and issues an alert if the specified address becomes unavailable. |
| Web Interface HTTP Port | Allow configuring a non-standard port to access the GUI over HTTP. Changing this setting might require changing a Firefox configuration setting. |
| Web Interface HTTPS Port | Allow configuring a non-standard port to access the GUI over HTTPS. |
| HTTPS Protocols | Cryptographic protocols for securing client/server connections. Select which Transport Layer Security (TLS) versions TrueNAS can use for connection security. |
| Web Interface HTTP -> HTTPS Redirect | Redirect HTTP connections to HTTPS. A GUI SSL Certificate is required for HTTPS. Activating this also sets the HTTP Strict Transport Security (HSTS) maximum age to 31536000 seconds (one year). This means that after a browser connects to the web interface for the first time, the browser continues to use HTTPS and renews this setting every year. |
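
A check of the redirect and HSTS behaviour described for Web Interface HTTP -> HTTPS Redirect, as an added example that is not TrueNAS code. It parses two response heads (constructed samples; the hostname `truenas.example` and the function names are assumptions) and reports when the HTTP port does not redirect or the HTTPS response lacks the documented maximum age.

```python
# Added example: audit a captured HTTP/HTTPS response pair from the web
# interface for the redirect and HSTS settings described above.

EXPECTED_MAX_AGE = 31536000  # one year, the value documented for the redirect option


def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None if absent."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit_gui(http_raw, https_raw):
    """Return findings for one HTTP response and one HTTPS response."""
    findings = []
    status, headers = parse_response(http_raw)
    location = headers.get("location", "")
    redirected = status in (301, 302, 307, 308)
    if not redirected or not location.lower().startswith("https://"):
        findings.append("HTTP port does not redirect to HTTPS")

    _, headers = parse_response(https_raw)
    max_age = hsts_max_age(headers.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("HTTPS response has no HSTS max-age")
    elif max_age != EXPECTED_MAX_AGE:
        findings.append(f"HSTS max-age is {max_age}, expected {EXPECTED_MAX_AGE}")
    return findings


# Constructed sample responses (not captured from a real system).
HTTP_REDIRECT_ON = "HTTP/1.1 302 Found\r\nLocation: https://truenas.example/\r\n\r\n"
HTTPS_REDIRECT_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTP_REDIRECT_OFF = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
HTTPS_REDIRECT_OFF = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print("redirect on :", audit_gui(HTTP_REDIRECT_ON, HTTPS_REDIRECT_ON))
    print("redirect off:", audit_gui(HTTP_REDIRECT_OFF, HTTPS_REDIRECT_OFF))
```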

Localization

| Setting | Description |
|---|---|
| Language | Select a language from the drop-down menu. |
| Date Format | Choose a date format. |
| Console Keyboard Map | Select a keyboard layout. |
| Timezone | Select a time zone. |
| Time Format | Choose a time format. |

Other Options

| Setting | Description |
|---|---|
| Crash reporting | Send failed HTTP request data which can include client and server IP addresses, failed method call tracebacks, and middleware log file contents to iXsystems. |
| Usage collection | Enable sending anonymous usage statistics to iXsystems. |

NTP Servers: Add or Edit

NTP Server Settings

| Setting | Description |
|---|---|
| Address | Enter the hostname or IP address of the NTP server. |
| Burst | Recommended when Max. Poll is greater than 10. Only use on personal NTP servers or those under direct control. Do not enable when using public NTP servers. |
| IBurst | Speeds up the initial synchronization (seconds instead of minutes). |
| Prefer | Should only be used for highly accurate NTP servers such as those with time monitoring hardware. |
| Min Poll | The minimum polling interval, in seconds, as a power of 2. For example, 6 means 2^6, or 64 seconds. The default is 6, minimum value is 4. |
| Max Poll | The maximum polling interval, in seconds, as a power of 2. For example, 10 means 2^10, or 1,024 seconds. The default is 10, maximum value is 17. |
| Force | Forces the addition of the NTP server, even if it is currently unreachable. |

Boot

Add

| Setting | Description |
|---|---|
| Name | Boot environment name. Alphanumeric characters, dashes (-), underscores (_), and periods (.) are allowed. |

Clone

| Setting | Description |
|---|---|
| Name | Boot environment name. Alphanumeric characters, dashes (-), underscores (_), and periods (.) are allowed. |
| Source | Boot environment to be cloned. |

Advanced

Console

| Setting | Description |
|---|---|
| Show Text Console without Password Prompt | Unset to add a login prompt to the system before the console menu is shown. |
| Enable Serial Console | Do not set this if the Serial Port is disabled. |
| MOTD Banner | The message to show when a user logs in with SSH. |

Storage

| Setting | Description |
|---|---|
| Swap Size in GiB | By default, all data disks are created with the amount of swap specified. Changing the value does not affect the amount of swap on existing disks, only disks added after the change. Does not affect log or cache devices as they are created without swap. Setting to 0 disables swap creation completely. STRONGLY DISCOURAGED. |
| LOG (Write Cache) Overprovision Size in GiB | Overprovisioning a ZFS Log SSD can increase its performance and lifespan by distributing writes and erases across more drive flash blocks. Defining a number of GiB here overprovisions ZFS Log disks during pool creation or extension. Examples: 50 GiB, 10g, 5GB |

GUI

| Setting | Description |
|---|---|
| Show Console Messages | Display console messages in real time at the bottom of the browser. |
| Show Advanced Fields by Default | Set to always show advanced fields, when available. |

Kernel

| Setting | Description |
|---|---|
| Show Console Messages | Display console messages in real time at the bottom of the browser. |
| Show Advanced Fields by Default | Set to always show advanced fields, when available. |

Self-Encrypting Drive

| Setting | Description |
|---|---|
| ATA Security User | User passed to `camcontrol security -u` to unlock SEDs. |
| SED Password | Global password to unlock SEDs. |

Syslog

| Setting | Description |
|---|---|
| Use FQDN for Logging | Set to include the Fully-Qualified Domain Name (FQDN) in logs to precisely identify systems with similar hostnames. |
| Syslog Level | When Syslog Server is defined, only logs matching this level are sent. |
| Syslog Server | Remote syslog server DNS hostname or IP address. Nonstandard port numbers can be used by adding a colon and the port number to the hostname, like mysyslogserver:1928. Log entries are written to local logs and sent to the remote syslog server. |
| Syslog Transport | Transport Protocol for the remote system log server connection. Choosing Transport Layer Security (TLS) also requires selecting a preconfigured system Certificate. |

Email

General Options

| Setting | Description |
|---|---|
| From Email | The user account Email address to use for the envelope From email address. The user account Email in Accounts > Users > Edit must be configured first. |
| From Name | The friendly name to show in front of the sending email address. Example: `Storage System 01 <it@example.com>` |

Authentication

| Setting | Description |
|---|---|
| SMTP | Enable SMTP AUTH using PLAIN SASL. Requires a valid Username and Password. |

Access when SMTP is selected

| Setting | Description |
|---|---|
| Outgoing Mail Server | Hostname or IP address of SMTP server to use for sending this email. |
| Mail Server Port | SMTP port number. Typically 25, 465 (secure SMTP), or 587 (submission). |
| Security | Email encryption type. Choices are Plain (No Encryption), SSL (Implicit TLS), or TLS (STARTTLS). |
| Username | Enter the username if the SMTP server requires authentication. |
| Password | Enter the password for the SMTP server. Only plain ASCII characters are accepted. |

System Dataset

Configure System Dataset

| Setting | Description |
|---|---|
| System Dataset Pool | Select the pool to contain the system dataset. |
| Syslog Level | Store system logs on the system dataset. Unset to store system logs in /var/ on the operating system device. |

Reporting

General Options

| Setting | Description |
|---|---|
| Report CPU usage in Percent | When set, report CPU usage in percent instead of units of kernel time. |
| Graphite Separate Instances | Enabling sends the plugin instance and type instance to Graphite as separate path components: `host.cpu.0.cpu.idle`. Disabling sends the plugin and plugin instance as one path component and type and type instance as another component: `host.cpu-0.cpu-idle`. |
| Remote Graphite Server Hostname | Hostname or IP address of a remote Graphite server. |
| Graph age in Months | Maximum time a graph is stored in months (allowed values are 1-60). Changing this value causes the Confirm RRD Destroy dialog to appear. Changes do not take effect until the existing reporting database is destroyed. |
| Number of Graph Points | Number of points for each hourly, daily, weekly, monthly, or yearly graph (allowed values are 1-4096). Changing this value causes the Confirm RRD Destroy dialog to appear. Changes do not take effect until the existing reporting database is destroyed. |
| Force | Forces the addition of the NTP server, even if it is currently unreachable. |

Alert Services: Add or Edit

Name and Type

| Setting | Description |
|---|---|
| Name | Name of the new alert service. |
| Enabled | Unset to disable this service without deleting it. |
| Type | Choose an alert service to display options for that service. |
| Level | Select the level of severity. |

Authentication

(sorted by Type)

AWS

| Setting | Description |
|---|---|
| AWS Region | Enter the AWS account region. |
| ARN | Topic Amazon Resource Name (ARN) for publishing. Example: arn:aws:sns:us-west-2:111122223333:MyTopic. |
| Key ID | Access Key ID for the linked AWS account. |
| Secret Key | Secret Access Key for the linked AWS account. |

Email

| Setting | Description |
|---|---|
| Email Address | Enter a valid email address to receive alerts from this system. |

InfluxDB

| Setting | Description |
|---|---|
| Host | Enter the InfluxDB hostname. |
| Username | Username for this service. |
| Password | Enter password. |
| Database | Name of the InfluxDB database. |
| Series | InfluxDB time series name for collected points. |

Mattermost

| Setting | Description |
|---|---|
| Webhook URL | Enter or paste the incoming webhook URL associated with this service. |
| Username | Mattermost username. |
| Channel | Name of the channel to receive notifications. This overrides the default channel in the incoming webhook settings. |
| Icon Url | Icon file to use as the profile picture for new messages. Example: https://mattermost.org/wp-content/uploads/2016/04/icon.png. Requires configuring Mattermost to override profile picture icons. |

OpsGenie

| Setting | Description |
|---|---|
| API Key | Enter or paste the API key. Find the API key by signing into the OpsGenie web interface and going to Integrations/Configured Integrations. Click the desired integration, Settings, and read the API Key field. |
| API URL | Leave empty for default (OpsGenie API |

Pager Duty

| Setting | Description |
|---|---|
| Service Key | Enter or paste the “integration/service” key for this system to access the PagerDuty API. |
| Client Name | PagerDuty client name. |

Slack

| Setting | Description |
|---|---|
| Webhook URL | Paste the incoming webhook URL associated with this service. |

SNMP Trap

| Setting | Description |
|---|---|
| Hostname | Hostname or IP address of the system to receive SNMP trap notifications. |
| Port | UDP port number on the system receiving SNMP trap notifications. The default is 162. |
| SNMPv3 Security Model | Enable the SNMPv3 security model. |
| SNMP Community | Network community string. The community string acts like a user ID or password. A user with the correct community string has access to network information. The default is public. For more information, see What is an SNMP Community String? |

Victor Ops

| Setting | Description |
|---|---|
| API Key | Enter or paste the VictorOps API key. |
| Routing Key | Enter or paste the VictorOps routing key. |

Alert Settings

Options

| Setting | Description |
|---|---|
| Set Warning Level | Customizes the importance of the alert. Each level of importance has a different icon and color to express the level of importance: Info, Notice, Warning, Error, Critical (Default), Alert, and Emergency. |
| Set Frequency | Adjust how often alert notifications are sent. Setting the Frequency to NEVER prevents that alert from being added to alert notifications, but the alert can still show in the web interface if it is triggered. Options: Immediately (Default), Hourly, Daily, and Never. |

Cloud Credentials: Add

Name and Provider

| Setting | Description |
|---|---|
| Name | Enter a name for the new credential. |
| Provider | Third-party Cloud service providers. Choose a provider to configure connection credentials. |

Authentication

Authentication options change according to the chosen Provider.

Amazon S3

| Setting | Description |
|---|---|
| Access Key ID | Amazon Web Services Key ID. This is found on Amazon AWS by going through My account -> Security Credentials -> Access Keys (Access Key ID and Secret Access Key). Must be alphanumeric and between 5 and 20 characters. |
| Secret Access Key | Amazon Web Services password. If the Secret Access Key cannot be found or remembered, go to My Account -> Security Credentials -> Access Keys and create a new key pair. Must be alphanumeric and between 8 and 40 characters. |
| Maximum Upload Parts | Define the maximum number of chunks for a multipart upload. This can be useful if a service does not support the 10,000 chunk AWS S3 specification. |

Amazon S3 Advanced Options

| Setting | Description |
|---|---|
| Endpoint URL | S3 API endpoint URL. When using AWS, the endpoint field can be empty to use the default endpoint for the region, and available buckets are automatically fetched. Refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints. |
| Region | AWS resources in a geographic area. Leave empty to automatically detect the correct public region for the bucket. Entering a private region name allows interacting with Amazon buckets created in that region. For example, enter us-gov-east-1 to discover buckets created in the eastern AWS GovCloud region. |
| Disable Endpoint Region | Skip automatic detection of the Endpoint URL region. Set this when configuring a custom Endpoint URL. |
| Use Signature Version 2 | Force using Signature Version 2 to sign API requests. Set this when configuring a custom Endpoint URL. |

BackBlaze B2

| Setting | Description |
|---|---|
| Key ID | Alphanumeric Backblaze B2 Application Key ID. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the application keyID string to this field. |
| Application Key | Backblaze B2 Application Key. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the applicationKey string to this field. |

Box

| Setting | Description |
|---|---|
| Access Token | A User Access Token for Box. An access token enables Box to verify a request belongs to an authorized session. Example token: T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl. |

DropBox

| Setting | Description |
|---|---|
| Access Token | Access Token for a Dropbox account. A token must be generated by the Dropbox account before adding it here. |

FTP

| Setting | Description |
|---|---|
| Host | FTP Host to connect to. Example: ftp.example.com. |
| Port | FTP Port number. Leave blank to use the default port 21. |
| Username | A username on the FTP Host system. This user must already exist on the FTP Host. |
| Password | Password for the user account. |

Google Cloud Storage

| Setting | Description |
|---|---|
| Preview JSON Service Account Key | Contents of the uploaded Service Account JSON file. |
| Choose File | Upload a Google Service Account credential file. The file is created with the Google Cloud Platform Console. |

Google Drive

| Setting | Description |
|---|---|
| Access Token | Token created with Google Drive. Access Tokens expire periodically and must be refreshed. |
| Team Drive ID | Only needed when connecting to a Team Drive. The ID of the top level folder of the Team Drive. |

HTTP

| Setting | Description |
|---|---|
| URL | HTTP host URL. |

Hubic

| Setting | Description |
|---|---|
| Access Token | Access Token generated by a Hubic account. |

Mega

| Setting | Description |
|---|---|
| Username | MEGA account username. |
| Password | MEGA account password. |

Microsoft Azure Blob Storage

| Setting | Description |
|---|---|
| Account Name | Microsoft Azure account name. |
| Account Key | Base64 encoded key for Azure Account. |

Microsoft One Drive

| Setting | Description |
|---|---|
| Access Token | Microsoft Onedrive Access Token. Log in to the Microsoft account to add an access token. |
| Drives List | Drives and IDs registered to the Microsoft account. Selecting a drive also fills the Drive ID field. |
| Drive Account Type | Type of Microsoft account. Logging in to a Microsoft account automatically chooses the correct account type. Options: Personal, Business, Document_Library |
| Drive ID | Unique drive identifier. Log in to a Microsoft account and choose a drive from the Drives List drop-down to add a valid ID. |

OpenStack Swift

| Setting | Description |
|---|---|
| User Name | Openstack user name for login. This is the OS_USERNAME from an OpenStack credentials file. |
| API Key or Password | Openstack API key or password. This is the OS_PASSWORD from an OpenStack credentials file. |
| Authentication URL | Authentication URL for the server. This is the OS_AUTH_URL from an OpenStack credentials file. |
| Auth Version | AuthVersion - optional - set to (1,2,3) if your auth URL has no version (rclone documentation). |

Authentication Advanced Options

| Setting | Description |
|---|---|
| Tenant Name | This is the OS_TENANT_NAME from an OpenStack credentials file. |
| Tenant ID | Tenant ID - optional for v1 auth, this or tenant required otherwise (rclone documentation). |
| Auth Token | Auth Token from alternate authentication - optional (rclone documentation). |

OpenStack Swift Advanced Options

| Setting | Description |
|---|---|
| Region Name | Region name - optional (rclone documentation). |
| Storage URL | Storage URL - optional (rclone documentation). |
| Endpoint Type | Endpoint type to choose from the service catalogue. Public is recommended, see the rclone documentation. |

pCloud

| Setting | Description |
|---|---|
| Access Token | pCloud Access Token. These tokens can expire and require extension. |
| Hostname | Enter the hostname to connect to. |

SFTP

| Setting | Description |
|---|---|
| Host | SSH Host to connect to. |
| Port | SSH port number. Leave empty to use the default port 22. |
| Username | SSH Username. |
| Password | Password for the SSH Username account. |
| Private Key ID | Import the private key from an existing SSH keypair or select Generate New to create a new SSH key for this credential. |

WebDav

| Setting | Description |
|---|---|
| URL | URL of the HTTP host to connect to. |
| WebDav Service | Name of the WebDAV site, service, or software being used. |
| Username | WebDAV account username. |
| Password | WebDAV account password. |

Yandex

| Setting | Description |
|---|---|
| Access Token | Yandex Access Token. |

SSH Connections: Add

Name and Method

| Setting | Description |
|---|---|
| Name | Name of this SSH connection. SSH connection names must be unique. |
| Setup Method | Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys. |

Authentication

| Setting | Description |
|---|---|
| TrueNAS URL | Hostname or IP address of the remote system. A valid URL scheme is required. Example: https://10.231.3.76 |
| Username | Username for logging in to the remote system. |
| Password | User account password for logging into the remote system. |
| Private Key | Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection. |

More Options

| Setting | Description |
|---|---|
| Cipher | Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network. |
| Connect Timeout | Time (in seconds) before the system stops attempting to establish a connection with the remote system. |

SSH Keypairs: Add

SSH Keypair

| Setting | Description |
|---|---|
| Name | A unique name to identify this keypair. Automatically generated keypairs are named after the object that generated the keypair with " Key" appended to the name. |
| Private Key | See Public key authentication in SSH/Authentication. |
| Public Key | See Public key authentication in SSH/Authentication. |

Tunables: Add

Tunable

| Setting | Description |
|---|---|
| Variable | Enter the name of the loader, sysctl, or rc.conf variable to configure. loader tunables are used to specify parameters to pass to the kernel or load additional modules at boot time. rc.conf tunables are for enabling system services and daemons and only take effect after a reboot. sysctl tunables are used to configure kernel parameters while the system is running and generally take effect immediately. |
| Value | Enter a value to use for the loader, sysctl, or rc.conf variable. |
| Type | Creating or editing a sysctl immediately updates the Variable to the configured Value. A restart is required to apply loader or rc.conf tunables. Configured tunables remain in effect until deleted or Enabled is unset. |
| Description | Enter a description of the tunable. |
| Enabled | Enable this tunable. Unset to disable this tunable without deleting it. |

Update

Options

| Setting | Description |
|---|---|
| Check for Update Daily and Download if Available | Check the update server daily for any updates on the chosen train. Automatically download an update if one is available. Click APPLY PENDING UPDATE to install the downloaded update. |

CAs (Certificate Authorities): Add

Identifier and Type

| Setting | Description |
|---|---|
| Name | Descriptive identifier for this certificate authority. |
| Type | Choose between Internal CA, Intermediate CA, and Import CA. An Internal CA functions like a publicly trusted CA to sign certificates for an internal network. They are not trusted outside the private network. An Intermediate CA lives between the root and end entity certificates and its main purpose is to define and authorize the types of certificates that can be requested from the root CA. Import CA allows an existing CA to be imported onto the system. For more information see What are Subordinate CAs and Why Would You Want Your Own? |
| Profiles | Predefined certificate extensions. Choose a profile that best matches your certificate usage scenario. |

Certificate Options

| Setting | Description |
|---|---|
| RSA | See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types. |
| Key Length | The number of bits in the key used by the cryptographic algorithm. For security reasons, a minimum key length of 2048 is recommended. |
| Digest Algorithm | The cryptographic algorithm to use. The default SHA256 only needs to be changed if the organization requires a different algorithm. |
| Lifetime | The lifetime of the CA specified in days. |

Certificate Subject

| Setting | Description |
|---|---|
| Country | Select the country of the organization. |
| State | Enter the state or province of the organization. |
| Locality | Enter the location of the organization. For example, the city. |
| Organization | Enter the name of the company or organization. |
| Organizational Unit | Organizational unit of the entity. |
| Email | Enter the email address of the person responsible for the CA. |
| Common Name | Enter the fully-qualified hostname (FQDN) of the system. This name must be unique within a certificate chain. |
| Subject Alternate Names | Multi-domain support. Enter additional domains to secure. Separate domains by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses. |

Basic Constraints

| Setting | Description |
|---|---|
| Enabled | Activate this certificate extension. |
| Path Length | How many non-self-issued intermediate certificates can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. Cannot be less than 0. |
| Basic Constraints Config | The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. See RFC 3280, section 4.2.1.10 for more information. |

Authority Key Identifier

| Setting | Description |
|---|---|
| Enabled | Activate this certificate extension. |
| Authority Key Identifier | The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer’s certificate) or on the issuer name and serial number. See RFC 3280, section 4.2.1.1 for more information. |

Extended Key Usage

| Setting | Description |
|---|---|
| Enabled | Activate this certificate extension. |
| Usages | Identify the purpose for this public key. Typically used for end entity certificates. Multiple usages can be selected. Do not mark this extension critical when the Usage is ANY_EXTENDED_KEY_USAGE. Using both Extended Key Usage and Key Usage extensions requires that the purpose of the certificate is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details. |
| Critical Extension | Identify this extension as critical for the certificate. Critical extensions must be recognized by the certificate-using system or this certificate will be rejected. Extensions identified as not critical can be ignored by the certificate-using system and the certificate still approved. |

Key Usage

| Setting | Description |
|---|---|
| Enabled | Activate this certificate extension. |
| Key Usage Config | The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the Digital Signature bits would be asserted. Likewise, when an RSA key should be used only for key management, the Key Encipherment bit would be asserted. See RFC 3280, section 4.2.1.3 for more information. |

Certificates: Add

Fields are sorted by certificate Type.

Internal Certificate

Identifier and Type

| Setting | Description |
|---|---|
| Name | Descriptive identifier for this certificate. |
| Type | Internal Certificate is used for internal or local systems. Certificate Signing Request (CSR) is used to get a CA signature. Import Certificate allows an existing certificate to be imported onto the system. Import Certificate Signing Request allows an existing CSR to be imported onto the system. |
| Profiles | Predefined certificate extensions. Choose a profile that best matches your certificate usage scenario. |

Certificate Options

| Setting | Description |
|---|---|
| Signing Certificate Authority | Select a previously imported or created CA. |
| Key Type | See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types. |
| EC Curve | Brainpool curves can be more secure, while secp curves can be faster. See Elliptic Curve performance: NIST vs Brainpool for more information. |
| Key Length | The number of bits in the key used by the cryptographic algorithm. For security reasons, a minimum key length of 2048 is recommended. |
| Digest Algorithm | The cryptographic algorithm to use. The default SHA256 only needs to be changed if the organization requires a different algorithm. |
| Lifetime | The lifetime of the CA specified in days. |

Certificate Subject

| Setting | Description |
|---|---|
| Country | Select the country of the organization. |
| State | Enter the state or province of the organization. |
| Locality | Enter the location of the organization. For example, the city. |
| Organization | Enter the name of the company or organization. |
| Organizational Unit | Organizational unit of the entity. |
| Email | Enter the email address of the person responsible for the CA. |
| Common Name | Enter the fully-qualified hostname (FQDN) of the system. This name must be unique within a certificate chain. |
| Subject Alternate Names | Multi-domain support. Enter additional domains to secure. Separate domains by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses. |

Basic Constraints

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Path Length | How many non-self-issued intermediate certificates can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. Cannot be less than 0. |
| Basic Constraints Config | The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. See RFC 3280, section 4.2.1.10 for more information. |

Authority Key Identifier

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Authority Key Config | The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer’s certificate) or on the issuer name and serial number. See RFC 3280, section 4.2.1.1 for more information. |

Extended Key Usage

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Usages | Identify the purpose for this public key. Typically used for end entity certificates. Multiple usages can be selected. Do not mark this extension critical when the Usage is ANY_EXTENDED_KEY_USAGE. Using both Extended Key Usage and Key Usage extensions requires that the purpose of the certificate is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details. |
| Critical Extension | Identify this extension as critical for the certificate. Critical extensions must be recognized by the certificate-using system or this certificate will be rejected. Extensions identified as not critical can be ignored by the certificate-using system and the certificate still approved. |

Key Usage

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Key Usage Config | The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the Digital Signature bits would be asserted. Likewise, when an RSA key should be used only for key management, the Key Encipherment bit would be asserted. See RFC 3280, section 4.2.1.3 for more information. |

Certificate Signing Request

Identifier and Type

| Setting | Description |
|---|---|
| Name | Descriptive identifier for this certificate. |
| Type | Internal Certificate is used for internal or local systems. Certificate Signing Request (CSR) is used to get a CA signature. Import Certificate allows an existing certificate to be imported onto the system. Import Certificate Signing Request allows an existing CSR to be imported onto the system. |
| Profiles | Predefined certificate extensions. Choose a profile that best matches your certificate usage scenario. |

Certificate Options

| Setting | Description |
|---|---|
| Key Type | See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types. |
| EC Curve | Brainpool curves can be more secure, while secp curves can be faster. See Elliptic Curve performance: NIST vs Brainpool for more information. |
| Key Length | The number of bits in the key used by the cryptographic algorithm. For security reasons, a minimum key length of 2048 is recommended. |
| Digest Algorithm | The cryptographic algorithm to use. The default SHA256 only needs to be changed if the organization requires a different algorithm. |

Certificate Subject

| Setting | Description |
|---|---|
| Country | Select the country of the organization. |
| State | Enter the state or province of the organization. |
| Locality | Enter the location of the organization. For example, the city. |
| Organization | Enter the name of the company or organization. |
| Organizational Unit | Organizational unit of the entity. |
| Email | Enter the email address of the person responsible for the CA. |
| Common Name | Enter the fully-qualified hostname (FQDN) of the system. This name must be unique within a certificate chain. |
| Subject Alternate Names | Multi-domain support. Enter additional domains to secure. Separate domains by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses. |

Basic Constraints

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Path Length | How many non-self-issued intermediate certificates can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. Cannot be less than 0. |
| Basic Constraints Config | The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. See RFC 3280, section 4.2.1.10 for more information. |

Authority Key Identifier

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Authority Key Config | The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer’s certificate) or on the issuer name and serial number. See RFC 3280, section 4.2.1.1 for more information. |

Extended Key Usage

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Usages | Identify the purpose for this public key. Typically used for end entity certificates. Multiple usages can be selected. Do not mark this extension critical when the Usage is ANY_EXTENDED_KEY_USAGE. Using both Extended Key Usage and Key Usage extensions requires that the purpose of the certificate is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details. |
| Critical Extension | Identify this extension as critical for the certificate. Critical extensions must be recognized by the certificate-using system or this certificate will be rejected. Extensions identified as not critical can be ignored by the certificate-using system and the certificate still approved. |

Key Usage

| Setting | Description |
|---|---|
| Enabled | Activates this certificate extension. |
| Key Usage Config | The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the Digital Signature bits would be asserted. Likewise, when an RSA key should be used only for key management, the Key Encipherment bit would be asserted. See RFC 3280, section 4.2.1.3 for more information. |
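
The Key Length, Basic Constraints, Extended Key Usage and Key Usage rules repeated in the CA, Internal Certificate and CSR forms above can be checked before a profile is submitted. The following is an added example, not TrueNAS code: the dict layout, function names, key-usage bit names and every usage name other than ANY_EXTENDED_KEY_USAGE are assumptions, and the sample profiles and chains are constructed.

```python
# Added example: pre-flight lint for the certificate options documented above.

MIN_RSA_BITS = 2048  # "a minimum key length of 2048 is recommended"

# Key Usage bits consistent with each Extended Key Usage purpose
# (RFC 3280, section 4.2.1.13). Only a few common purposes are listed.
EKU_COMPATIBLE_KU = {
    "SERVER_AUTH": {"digital_signature", "key_encipherment", "key_agreement"},
    "CLIENT_AUTH": {"digital_signature", "key_agreement"},
    "CODE_SIGNING": {"digital_signature"},
    "OCSP_SIGNING": {"digital_signature", "content_commitment"},
}


def lint_profile(p):
    """Return a list of findings for one certificate or CA profile."""
    findings = []
    bc = p.get("basic_constraints", {})
    ku = p.get("key_usage", {})
    eku = p.get("extended_key_usage", {})
    is_ca = bool(bc.get("enabled") and bc.get("ca"))
    bits = set(ku.get("bits", [])) if ku.get("enabled") else None

    if p.get("key_type") == "RSA" and p.get("key_length", 0) < MIN_RSA_BITS:
        findings.append("RSA key shorter than 2048 bits")

    path_len = bc.get("path_length")
    if bc.get("enabled") and path_len is not None:
        if path_len < 0:
            findings.append("path length cannot be less than 0")
        if not bc.get("ca"):
            findings.append("path length set on a non-CA certificate")

    if bits is not None:
        # Certificate signing and the CA flag must agree (RFC 3280, 4.2.1.3).
        if "key_cert_sign" in bits and not is_ca:
            findings.append("key_cert_sign asserted without CA basic constraint")
        if is_ca and "key_cert_sign" not in bits:
            findings.append("CA key usage lacks key_cert_sign")

    if eku.get("enabled"):
        usages = eku.get("usages", [])
        if eku.get("critical") and "ANY_EXTENDED_KEY_USAGE" in usages:
            findings.append("EKU marked critical with ANY_EXTENDED_KEY_USAGE")
        for usage in usages:
            allowed = EKU_COMPATIBLE_KU.get(usage)
            if bits is not None and allowed is not None and not (bits & allowed):
                findings.append(f"{usage} is inconsistent with key usage bits")
    return findings


def path_length_violations(chain):
    """chain is ordered root -> leaf. Return (name, intermediates, limit) per breach.

    The last certificate in the path is not an intermediate and is not counted.
    """
    breaches = []
    for i, cert in enumerate(chain[:-1]):
        limit = cert.get("path_length")
        if limit is None:
            continue
        following = [c for c in chain[i + 1:-1] if not c.get("self_issued")]
        if len(following) > limit:
            breaches.append((cert["name"], len(following), limit))
    return breaches


# Constructed sample data.
WEAK_PROFILE = {
    "key_type": "RSA", "key_length": 1024,
    "basic_constraints": {"enabled": True, "ca": False, "path_length": 0},
    "key_usage": {"enabled": True, "bits": ["key_cert_sign"]},
    "extended_key_usage": {"enabled": True, "critical": True,
                           "usages": ["ANY_EXTENDED_KEY_USAGE", "SERVER_AUTH"]},
}
GOOD_PROFILE = {
    "key_type": "RSA", "key_length": 2048,
    "basic_constraints": {"enabled": True, "ca": False},
    "key_usage": {"enabled": True, "bits": ["digital_signature", "key_encipherment"]},
    "extended_key_usage": {"enabled": True, "critical": False, "usages": ["SERVER_AUTH"]},
}
VALID_CHAIN = [
    {"name": "Root CA", "path_length": 1},
    {"name": "Intermediate A", "path_length": 0},
    {"name": "nas.example.com"},
]
TOO_DEEP_CHAIN = VALID_CHAIN[:2] + [{"name": "Intermediate B"}, {"name": "nas.example.com"}]

if __name__ == "__main__":
    for finding in lint_profile(WEAK_PROFILE):
        print("profile:", finding)
    for name, count, limit in path_length_violations(TOO_DEEP_CHAIN):
        print(f"chain: {name} allows {limit} intermediate(s), {count} follow")
```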

Import Certificate

Identifier and Type

Name: Descriptive identifier for this certificate.
Type: Internal Certificate is used for internal or local systems. Certificate Signing Request (CSR) is used to get a CA signature. Import Certificate allows an existing certificate to be imported onto the system. Import Certificate Signing Request allows an existing CSR to be imported onto the system.

Certificate Options

CSR exists on this system: Set when importing a certificate for which a Certificate Signing Request (CSR) exists on this system.
Signing Certificate Authority: Select a previously imported or created CA.

Certificate Subject

Certificate: Paste the certificate for the CA.
Private Key: Paste the private key associated with the Certificate when available. Please provide a key at least 1024 bits long.
Passphrase: Enter and confirm the passphrase for the Private Key.

Import Certificate Signing Request

Identifier and Type

Name: Descriptive identifier for this certificate.
Type: Internal Certificate is used for internal or local systems. Certificate Signing Request (CSR) is used to get a CA signature. Import Certificate allows an existing certificate to be imported onto the system. Import Certificate Signing Request allows an existing CSR to be imported onto the system.

Certificate Subject

Signing Request: Paste the contents of your Certificate Signing Request here.
Private Key: Paste the private key associated with the Certificate when available. Please provide a key at least 1024 bits long.
Passphrase: Enter and confirm the passphrase for the Private Key.

ACME DNS: Add

Select Authenticator

Name: Internal identifier for the authenticator.
Authenticator: Choose a DNS provider and configure any required authenticator attributes.

Authenticator Attributes

Access ID Key: Key generated by the Amazon Web Services account. See the AWS Access Key documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for instructions to generate the key.
Secret Access Key: Key generated by the Amazon Web Services account. See the AWS Access Key documentation for instructions to generate the key.

Support

Contact Support

Username: Enter a valid username for the TrueNAS bug tracking system.
Password: Enter the bug tracker account password.
Type: Select Bug when reporting an issue or Feature when requesting new functionality.
Category: This field remains empty until a valid Username and Password are entered. Choose the category that best describes the bug or feature being reported.
Attach Debug: Set to generate a report containing an overview of the system hardware, build string, and configuration, and attach it to the new issue. This can take several minutes.
Subject: Enter a descriptive title for the new issue.
Description: Enter a one to three paragraph summary of the issue. Describe the problem and provide any steps to replicate the issue.
Attach Screenshots: Select one or more screenshots that illustrate the problem.

2FA (Two Factor Authentication)

User Settings

One Time Password (OTP) Digits: The number of digits in the One-Time Password. The default value is 6, which is the length of the standard OTP from Google. Check the settings of your app or device before selecting this.
Interval: The lifespan (in seconds) of each One-Time Password. Default is 30 seconds. The minimum lifetime is 5 seconds.
Window: Use Window to extend the validity of passwords beyond the Interval setting. For example, a window setting of 1 means that one password before and after the current one is valid, leaving three valid passwords. Extending the window can be useful in high-latency situations. IMPORTANT: Two-factor authentication is time-based and requires that the system time is set correctly.
Enable Two-Factor Auth for SSH: Enable two-factor authentication for SSH access to the system. It is recommended to leave this DISABLED until after two-factor authentication is successfully tested with the UI.

System Generated Settings

Secret (Read Only): The secret used to generate OTPs. The secret is produced by the system when Two-Factor Authentication is first activated.
Provisioning URI (includes Secret - Read Only): The URI used to provision an OTP. The URI (which contains the secret) is encoded in a QR Code. To set up an OTP app like Google Authenticator, use the app to scan the QR code or enter the secret manually into the app. The URI is produced by the system when Two-Factor Authentication is first activated.
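
How the OTP Digits, Interval and Window settings described above interact, as an added example that is not TrueNAS code: a standard-library implementation of time-based OTP (RFC 6238, HMAC-SHA1) that lists the codes a verifier accepts at a given time. The secret is the RFC 6238 test key, and the account name, issuer name and the otpauth:// URI layout are assumptions, not values taken from TrueNAS.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed sample secret: the RFC 6238 test key, not a TrueNAS-generated one.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 one-time password for a single counter value."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepted_codes(secret_b32, now, digits=6, interval=30, window=0):
    """Codes valid at Unix time `now`: the current step plus `window` on each side."""
    step = int(now) // interval
    return [hotp(secret_b32, s, digits)
            for s in range(max(step - window, 0), step + window + 1)]

def verify(secret_b32, candidate, now, digits=6, interval=30, window=0):
    """Constant-time check of `candidate` against every accepted code."""
    ok = False
    for code in accepted_codes(secret_b32, now, digits, interval, window):
        ok |= hmac.compare_digest(code.encode(), candidate.encode())
    return ok

def provisioning_uri(secret_b32, account, issuer, digits=6, interval=30):
    """otpauth:// URI in the common authenticator-app format (assumed layout)."""
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": digits, "period": interval})
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?{query}"

if __name__ == "__main__":
    t = 59  # falls in time step 1 with a 30-second interval
    print("window=0:", accepted_codes(SECRET, t))
    print("window=1:", accepted_codes(SECRET, t, window=1))
    print("late by one interval:", verify(SECRET, "287082", t + 30, window=1))
    print(provisioning_uri(SECRET, "root", "TrueNAS-example"))  # hypothetical names
```

With an Interval of 30 and a Window of 1, a single code is accepted across three consecutive intervals, so each Window increment lengthens the time a captured code stays usable by two intervals.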

Last modified February 10, 2021: Update SystemFields.md (2e037ffa)