
Certificates


Last Modified 2021-06-29 14:41 EDT

The Certificates section contains all the information for certificates, certificate signing requests, certificate authorities, and DNS-authenticators. TrueNAS comes equipped with an internal, self-signed certificate that enables encrypted access to the web interface, but users can make custom certificates for authentication and validation while sharing data.


Certificates

By default, TrueNAS comes equipped with an internal, self-signed certificate that enables encrypted access to the web interface, but users can import and create more certificates by clicking Add in the Certificates window.

The Identifier and Type step lets users name the certificate and choose whether it will be used for internal or local systems, or import an existing certificate.
Users may also select a predefined certificate extension from the Profiles drop-down.
The Certificate Options step provides options for choosing the Signing Certificate Authority, what type of private key to use (as well as the number of bits in the key used by the cryptographic algorithm), the cryptographic algorithm the certificate will use, and how many days the certificate authority will last.
The Certificate Subject step lets users define the location, name, and email for the organization using the certificate.
Users may also enter the system’s fully-qualified hostname (FQDN) and any additional domains for multi-domain support.

The Extra Constraints step contains certificate extension options.

  • Basic Constraints: Enable to limit the path length for a certificate chain.
  • Authority Key Identifier: Enable to provide a means of identifying the public key corresponding to the private key used to sign a certificate.
  • Key Usage: Enable to define the purpose of the public key contained in a certificate.
  • Extended Key Usage: Enable to further refine key usage extensions.

Certificate Signing Requests

The Certificate Signing Requests section allows users to configure the message(s) the system sends to a registration authority of the public key infrastructure in order to apply for a digital identity certificate.

The Identifier and Type step lets users name the certificate signing request (CSR) and choose whether to create a new CSR or import an existing CSR.
Users may also select a predefined certificate extension from the Profiles drop-down.
The Certificate Subject step lets users define the location, name, and email for the organization using the certificate.
Users may also enter the system’s fully-qualified hostname (FQDN) and any additional domains for multi-domain support.

The Extra Constraints step contains certificate extension options.

  • Basic Constraints: Enable to limit the path length for a certificate chain.
  • Authority Key Identifier: Enable to provide a means of identifying the public key corresponding to the private key used to sign a certificate.
  • Key Usage: Enable to define the purpose of the public key contained in a certificate.
  • Extended Key Usage: Enable to further refine key usage extensions.

Certificate Authorities

The Certificate Authorities section lets users set up a certificate authority (CA) that certifies the ownership of a public key by the named subject of the certificate.

The Identifier and Type step lets users name the CA and choose whether to create a new CA or import an existing CA.
Users may also select a predefined certificate extension from the Profiles drop-down.
The Certificate Options step provides options for choosing what type of private key to use (as well as the number of bits in the key used by the cryptographic algorithm), the cryptographic algorithm the CA will use, and how many days the CA will last.
The Certificate Subject step lets users define the location, name, and email for the organization using the certificate.
Users may also enter the system’s fully-qualified hostname (FQDN) and any additional domains for multi-domain support.

The Extra Constraints step contains certificate extension options.

  • Basic Constraints: Enable to limit the path length for a certificate chain.
  • Authority Key Identifier: Enable to provide a means of identifying the public key corresponding to the private key used to sign a certificate.
  • Key Usage: Enable to define the purpose of the public key contained in a certificate.
  • Extended Key Usage: Enable to further refine key usage extensions.

ACME DNS-Authenticators

The Automatic Certificate Management Environment (ACME) DNS-Authenticators screen allows users to automate certificate issuing and renewal. The user must verify ownership of the domain before certificate automation is allowed.

The system requires an ACME DNS Authenticator and CSR to configure ACME certificate automation.

Users must name the authenticator, choose a DNS provider, and configure any required authenticator attributes.

If you select Cloudflare as the authenticator, you must enter your Cloudflare account email address, API Key, and API Token.

If you select Route53 as the authenticator, you must enter your Route53 Access Key ID and Secret Access Key.