Certificate Signing Requests Screens

The Certificate Signing Requests widget, on the Certificates screen, shows a list of certificate signing requests (CSRs) configured on the system.

Figure 1: Certificate Signing Request Widget No CSRs
Figure 2: Certificate Signing Request Widget with CSR

The more options (more_vert) icon for a listed CSR shows a dropdown list of options to create an ACME certificate, or to download, edit, or delete the existing CSR.

Create ACME Certificate opens the Create ACME Certificate screen.

Edit opens the Edit CA screen for the selected CSR.

Download puts a copy of the CSR on your server.

Delete opens the Delete Certificate dialog.

Add opens the Add CSR wizard.

Create ACME Certificate Screen

The Create ACME Certificate screen shows settings to create an ACME Certificate by selecting an ACME Server Directory URI.

Figure 3: Create ACME Certificate Screen

Identifier: A text entry field that accepts manual or copy/paste entry of a name for the certificate. A name consists of alphanumeric characters and can include the underscore (_) and/or dash (-) special characters.

Terms of Service: Accepts the terms of service for the given ACME server.

Renew Certificate Days: Specifies the number of days before expiration at which the certificate is renewed.

Custom ACME Server Directory URI: Enables using a custom ACME server directory URI. If ACME Server Directory URI is set to Let's Encrypt Staging Directory, enabling this option changes the ACME Server Directory URI value to show https://acme-staging-v02.api.letsencrypt.org/directory. If ACME Server Directory URI is set to Let's Encrypt Production Directory, enabling this option changes the value to show https://acme-v02.api.letsencrypt.org/directory.

ACME Server Directory URI: Sets the URI of the ACME server directory. Shows two preconfigured URI options on a dropdown list:
  • Let's Encrypt Staging Directory
  • Let's Encrypt Production Directory

DNS:UnitedStates: Sets the authenticator to validate the domain. Shows a dropdown list of previously configured ACME DNS authenticators.

Edit CSR Screen

The Edit CSR screen shows the current CSR settings. It allows changing the CSR name (identifier), downloading or viewing the CSR, and provides access to the Create ACME Certificate screen.

Figure 4: Edit CSR Screen
Common Name: Shows the common name for the certificate. A name can include the underscore (_) or dash (-) special characters. The default value for the truenas_default certificate is localhost.

SAN: Shows the subject alternative name (SAN) of the certificate. The default value for the truenas_default certificate is DNS:localhost.

Distinguished Name: Shows the full directory service distinguished name for the certificate. This includes the country, organization, common name, email address, state, locality, and SAN properties.

Country: Shows the country where the certificate is issued. The default value for the truenas_default certificate is US.

State: Shows the organization for the certificate. The default value for the truenas_default certificate is iXsystems.

City: Shows the city where the certificate organization is located. The default value for the truenas_default certificate is Maryville.

Organization: Shows the country where the certificate is issued. The default value for the truenas_default certificate is US.

Organizational Unit: Shows the department in the organization for the certificate. No default value is specified for the truenas_default certificate.

Email: Shows the email address associated with the certificate. The default value for the truenas_default certificate is info@ixsystems.com.

Type: Shows the type of certificate. The default value for the truenas_default certificate is Certificate.

Path: Shows the path where the certificate is stored. The default value for the truenas_default certificate is /etc/certificates.

Digest Algorithm: Shows the digest algorithm used for the certificate signature. The default value for the truenas_default certificate is SHA256.

Key Length: Shows the number of bits in the certificate key. The default value for the truenas_default certificate is 2048.

View/Download Certificate opens a window with the certificate string.

View/Download Key opens a window with the certificate private key.

The clipboard icon copies the certificate or public key to the clipboard.

Delete Certificate Dialog

The Delete Certificate dialog removes the certificate from the TrueNAS system.

Force deletes the certificate even if a feature or function in the UI is using it, for example an application that uses it for authentication.

Delete removes the certificate.

Add CSR Wizard Screens

Certificate signing requests (CSRs) define the message the TrueNAS system sends to a registration authority of the public key infrastructure to apply for a digital identity certificate.

The Add CSR wizard has five screens to configure a new certificate signing request (CSR) on TrueNAS. The wizard screens are:

1. Identifier and Type
2. Certificate Options
3. Certificate Subject
4. Extra Constraints
5. Confirm Options

Identifier and Type Options

The Add CSR wizard Identifier and Type settings specify the name, type, and profile to use when creating a new CSR. Changing the Type setting to import a CSR changes the setting options and wizard screens shown.

Name: Text entry field that accepts manual or copy/paste entry of a descriptive identifier for this CSR.

Type: Sets the type of CSR and changes the settings shown in the Add CSR wizard. Options are:
  • Certificate Signing Request - Use when an external CA issues (signs) the certificate. Typically used with ACME or other CAs that most popular browsers trust by default.
  • Import Certificate Signing Request - Imports an existing CSR onto the system. Typically used with ACME CAs. Selecting Import Certificate Signing Request removes the Profile field, and the Certificate Subject and Extra Constraints wizard screens.

Profile: Sets the predefined certificate extension profile to either HTTPS RSA Certificate or HTTPS ECC Certificate.

Certificate Options Screen

Certificate Options show when Type is set to Certificate Signing Request on the Identifier and Type wizard screen. The settings specify the private key type, the number of bits in the key used by the cryptographic algorithm, and the digest algorithm the CSR uses.

When Type is set to Import Certificate Signing Request, the settings shown instead accept the signing request and private key of the imported certificate and the passphrase that protects the private key.

Key Type: Sets the private key type to RSA or EC, and changes the settings shown on the screen. RSA shows the Key Length field. EC shows the EC Curve field. See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types.

EC Curve: Shows when Key Type is set to EC. Shows the EC curve options: BrainpoolP512R1, BrainpoolP384R1, BrainpoolP256R1, SECP256K1, SECP384R1, SECP521R1, and ed25519. Brainpool curves can be more secure, while SECP curves can be faster. See Elliptic Curve performance: NIST vs Brainpool for more information.

Key Length: Shows when Key Type is set to RSA. Sets the number of bits in the key used by the cryptographic algorithm. Options are 1024, 2048 or 4096. A minimum key length of 2048 is recommended for security reasons.

Digest Algorithm: Sets the digest (hash) algorithm used to sign the CSR. The options are SHA1, SHA224, SHA256, SHA384 and SHA512. Only change the default SHA256 if the organization requires a different algorithm.

Import Certificate Screen

The Import Certificate screen shows when Type on the Identifier and Type screen is set to Import Certificate Signing Request.

Figure 10: Add CSR Import Certificate

Signing Request: Text entry field that accepts manual or copy/paste entry of the certificate signing request.

Private Key: Text entry field that accepts manual or copy/paste entry of the 1024-bit private key associated with the certificate, when available.

Passphrase: Text entry field that accepts manual or copy/paste entry of the passphrase for the private key.

Confirm Passphrase: Text entry field that accepts manual or copy/paste re-entry of the passphrase for the private key.

Certificate Subject Settings

The Certificate Subject settings define the geographical location, name, and email for the organization using the certificate. Users can also enter the system fully-qualified hostname (FQDN) and any additional domains for multi-domain support.

Figure 11: Add CSR Certificate Subject Screen

Country: Sets the country where the organization is located. Accepts keyboard entry to filter the dropdown list.

State: Text entry field that sets the state or province where the organization is located.

Locality: Text entry field that sets the city where the organization is located. For example, New York.

Organization: Text entry field that accepts manual or copy/paste entry of the name of the company or organization.

Organizational Unit: Text entry field that accepts manual or copy/paste entry of the organizational unit (department) name.

Email: Text entry field that accepts manual or copy/paste entry of the email address of the person responsible for the certificate.

Common Name: Text entry field that accepts manual or copy/paste entry of the fully qualified host name (FQHN) of the system. This name must be unique within a certificate chain.

Subject Alternate Names: Sets multi-domain support for additional domains to secure. Text entry field that accepts manual or copy/paste entry of the additional domains. Separate each domain by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses.
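The Go program below is an added example, not code from this page or from the TrueNAS project. It ties together the Certificate Options screen (Key Type, Key Length, EC Curve, Digest Algorithm) and the Certificate Subject screen (country, state, locality, organization, organizational unit, email, common name and Subject Alternate Names) by building a CSR from those inputs, then parses the resulting PEM text back, checks its self-signature, and checks that the private key belongs to it, which is the same check an import of a CSR plus private key needs. The CSRSpec type, the function names and the sample subject values are assumptions made for the example. Only the SECP384R1 and SECP521R1 curves from the EC Curve list are implemented, because Go's standard library does not provide the Brainpool or SECP256K1 curves and ed25519 uses a different API, and the code enforces the page's recommended 2048-bit RSA minimum by refusing shorter keys.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// CSRSpec is a hypothetical mirror of the Add CSR wizard fields (not TrueNAS code).
type CSRSpec struct {
	KeyType, ECCurve, Digest string // "RSA" or "EC"; SECP384R1 or SECP521R1; SHA256, SHA384 or SHA512
	KeyLength                int    // RSA key length in bits
	// Certificate Subject screen
	Country, State, Locality, Org, OU, Email, CommonName string
	SANs                                                 []string // Subject Alternate Names (DNS)
}

// keyAndAlg applies the Certificate Options screen: Key Type, Key Length or EC Curve, and Digest Algorithm.
func keyAndAlg(s CSRSpec) (crypto.Signer, x509.SignatureAlgorithm, error) {
	algs := map[string]x509.SignatureAlgorithm{
		"RSA/SHA256": x509.SHA256WithRSA, "RSA/SHA384": x509.SHA384WithRSA, "RSA/SHA512": x509.SHA512WithRSA,
		"EC/SHA256": x509.ECDSAWithSHA256, "EC/SHA384": x509.ECDSAWithSHA384, "EC/SHA512": x509.ECDSAWithSHA512,
	}
	alg, ok := algs[s.KeyType+"/"+s.Digest]
	if !ok { // SHA1 and SHA224 are deliberately left out of this example
		return nil, 0, fmt.Errorf("digest %q is not supported with key type %q", s.Digest, s.KeyType)
	}
	if s.KeyType == "RSA" {
		if s.KeyLength < 2048 { // the page recommends 2048 as the minimum
			return nil, 0, fmt.Errorf("RSA key length %d is below the recommended minimum of 2048", s.KeyLength)
		}
		key, err := rsa.GenerateKey(rand.Reader, s.KeyLength)
		return key, alg, err
	}
	// EC: Brainpool and SECP256K1 are not in Go's standard library; ed25519 is left out as well.
	curve := map[string]elliptic.Curve{"SECP384R1": elliptic.P384(), "SECP521R1": elliptic.P521()}[s.ECCurve]
	if curve == nil {
		return nil, 0, fmt.Errorf("unsupported EC curve %q", s.ECCurve)
	}
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	return key, alg, err
}

// opt leaves an empty subject field out of the name instead of emitting an empty RDN.
func opt(v string) []string {
	if v == "" {
		return nil
	}
	return []string{v}
}

// BuildCSR generates the key and returns a PEM-encoded CSR built from the spec.
func BuildCSR(s CSRSpec) ([]byte, crypto.Signer, error) {
	key, alg, err := keyAndAlg(s)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		SignatureAlgorithm: alg,
		Subject: pkix.Name{Country: opt(s.Country), Province: opt(s.State), Locality: opt(s.Locality),
			Organization: opt(s.Org), OrganizationalUnit: opt(s.OU), CommonName: s.CommonName},
		DNSNames:       s.SANs,
		EmailAddresses: opt(s.Email),
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// ParseCSR decodes a pasted PEM CSR and checks its self-signature, the first
// thing to do with a request arriving through the Import Certificate screen.
func ParseCSR(pemCSR []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// KeyMatches reports whether the private key belongs to the CSR's public key.
func KeyMatches(csr *x509.CertificateRequest, key crypto.Signer) bool {
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}
```

BuildCSR returns the PEM text that would go into the Signing Request field; ParseCSR returns an error for text that is not a CSR or whose signature does not verify, and KeyMatches returns false when the private key pasted alongside a request does not belong to it.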

Extra Constraints Settings

The Extra Constraints screen shows when adding a CSR. Settings on this screen are optional.

The Extra Constraints settings contain certificate extension options:

  • Basic Constraints limits the path length for a certificate chain.
  • Authority Key Identifier identifies the public key corresponding to the private key used to sign a certificate.
  • Key Usage defines the purpose of the public key contained in a certificate.
  • Extended Key Usage further refines key usage extensions.

The Extra Constraints settings change based on the selection in Type on the Identifier and Type screen.

After selecting Basic Constraints, Authority Key Identifier, Extended Key Usage, or Key Usage, more settings show for that option.

Figure 12: Add CSR Extra Constraints Screen

Basic Constraints: Activates this extension. Identifies whether the subject of this certificate is a CA, and the maximum depth of valid certification paths that include this certificate.

Path Length: Shows when Basic Constraints is enabled. Text entry field that accepts manual or copy/paste entry of a number that sets the number of non-self-issued intermediate certificates that can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. The value cannot be less than 0.

Basic Constraints Config: Specifies the extension type. The dropdown list options are:
  • CA - Select when the certificate is a certificate authority (CA).
  • Critical Extension - Select to mark the extension as critical. Clients must recognize critical extensions to prevent rejection.
Web certificates typically require you to disable CA and enable Critical Extension.

Extended Key Usage: Activates this certificate extension, and shows the Usages setting. The extended key usage extension identifies and limits valid uses for this certificate, such as client or server authentication. See RFC 3280, section 4.2.1.13 for more details.

Usages: Shows after selecting Extended Key Usage, and sets the options that identify the purpose of this public key. Typically used for end entity certificates. You can select multiple usages. These show in the field separated by a comma (,). Options are ANY_EXTENDED_KEY_USAGE, CERTIFICATE_TRANSPARENCY, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, IPSEC_IKE, KERBEROS_PKINIT_KDC, OCSP_SIGNING, SERVER_AUTH, SMARTCARD_LOGON, or TIME_STAMPING. Do not mark this extension critical when set to ANY_EXTENDED_KEY_USAGE. Using the Extended Key Usage and Key Usage extensions requires the purpose of the certificate to be consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details.

Critical Extension: Shows after selecting Extended Key Usage. Sets the extension to critical or non-critical for the certificate. Critical extensions must be recognized by the system using the certificate, or the certificate is rejected. Extensions identified as non-critical can be ignored by the system using the certificate, and the certificate is still accepted.

Key Usage: Activates this certificate extension, and shows the Key Usage Config field. The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for several operations is to be restricted. For example, when an RSA key should only be used to verify signatures on objects other than public key certificates and CRLs, the digital signature bit is asserted. Likewise, when an RSA key should only be used for key management, the key encipherment bit should be asserted. See RFC 3280, section 4.2.1.3 for more information.

Key Usage Config: Shows after selecting Extended Key Usage or Key Usage. Sets the key usage extension to one or more options on the dropdown list. Options are: Digital Signature, Content Commitment, Key Encipherment, Data Encipherment, Key Agreement, Key Cert Sign, CRL Sign, Encipher Only, Decipher Only or Critical Extension. Web certificates typically need at least Digital Signature and possibly Key Encipherment or Key Agreement, while other applications might need other usages.
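As an added example that is not part of the original page or the TrueNAS code, the Go program below shows what the Extra Constraints choices mean to a relying party once a CA has copied them into an issued certificate. It issues a root CA with Basic Constraints CA and Path Length 0, a web server leaf with Key Usage Digital Signature plus Key Encipherment and Extended Key Usage SERVER_AUTH, a sub CA under that root, and a leaf carrying an unrecognised critical extension, then runs Go's chain verification on each case. The Constraints type, the Demo function, the subject names and the serial numbers are constructed for the example, and the placeholder OID 1.2.3.4 stands in for any extension the verifier does not know. The extensions are set on the certificate template directly rather than copied from a CSR, which is what a CA would do with the request's extension attributes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Constraints is a hypothetical mirror of the Extra Constraints choices (not TrueNAS code).
type Constraints struct {
	IsCA            bool               // Basic Constraints Config: CA
	PathLen         int                // Path Length; pass -1 when it is not set (always -1 for a leaf)
	KeyUsage        x509.KeyUsage      // Key Usage Config
	ExtKeyUsage     []x509.ExtKeyUsage // Extended Key Usage: Usages
	UnknownCritical bool               // add a critical extension the relying party does not recognise
}

var serial int64 // constructed serial numbers for the demo

// Issue creates a certificate for cn carrying the constraints, signed by parent
// (self-signed when parent is nil). A CA issuing from a CSR would copy these
// extensions out of the request; here they are set on the template directly.
func Issue(cn string, c Constraints, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // Basic Constraints is present; Go always marks it critical
		IsCA:                  c.IsCA,
		MaxPathLen:            c.PathLen,
		MaxPathLenZero:        c.IsCA && c.PathLen == 0, // Path Length 0 must be encoded explicitly
		KeyUsage:              c.KeyUsage,
		ExtKeyUsage:           c.ExtKeyUsage,
	}
	if c.UnknownCritical {
		// Placeholder OID with a NULL value, used only for this demonstration.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{1, 2, 3, 4}, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify chains leaf to root through intermediates for one extended key usage,
// returning Go's verification error (nil when the chain is acceptable).
func Verify(leaf, root *x509.Certificate, intermediates []*x509.Certificate, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// Demo issues a root CA with Path Length 0, a web server leaf, a sub CA under the
// root and a leaf with an unrecognised critical extension, then verifies each case.
func Demo() (results map[string]error, err error) {
	issue := func(cn string, c Constraints, p *x509.Certificate, k *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		cert, key, e := Issue(cn, c, p, k)
		if e != nil && err == nil {
			err = e
		}
		return cert, key
	}
	ca := Constraints{IsCA: true, PathLen: 0, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	web := Constraints{PathLen: -1, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	root, rootKey := issue("Demo Root", ca, nil, nil)
	leaf, _ := issue("nas.example.com", web, root, rootKey)
	sub, subKey := issue("Demo Sub CA", ca, root, rootKey)
	deep, _ := issue("deep.example.com", web, sub, subKey)
	oddLeaf, _ := issue("odd.example.com", Constraints{PathLen: -1, UnknownCritical: true, ExtKeyUsage: web.ExtKeyUsage}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"server auth":      Verify(leaf, root, nil, x509.ExtKeyUsageServerAuth),                     // nil
		"client auth":      Verify(leaf, root, nil, x509.ExtKeyUsageClientAuth),                     // IncompatibleUsage
		"via sub CA":       Verify(deep, root, []*x509.Certificate{sub}, x509.ExtKeyUsageServerAuth), // path length constraint
		"critical unknown": Verify(oddLeaf, root, nil, x509.ExtKeyUsageServerAuth),                  // UnhandledCriticalExtension
	}, nil
}
```

Demo returns the verification error for each case: nil for server authentication; an x509.CertificateInvalidError with reason IncompatibleUsage when the same leaf is checked for client authentication, because its Usages list only contains SERVER_AUTH; an error mentioning the path length constraint for the leaf issued through the sub CA, because a Path Length of 0 on the root permits no intermediate CA beneath it; and x509.UnhandledCriticalExtension for the leaf whose critical extension the verifier cannot interpret, which is the rejection the Critical Extension setting describes.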

Confirm Options

The Confirm Options screen shows a summary of settings for the CSR when adding a new certificate. It shows the Type, Key Type, Key Length, Digest Algorithm, Lifetime, Country, and Basic Constraints Config setting values. When importing a certificate, the screen shows the Type, Signing Request, and Private Key setting values.

Figure 13: Add CSR Confirm Options

Save adds the certificate to TrueNAS. Back returns to previous screens to make changes before you save. Next advances through the remaining screens in the sequence until you return to Confirm Options.