Creating Certificates
4 minute read.
Last Modified 2022-09-21 13:06 -0400By default, TrueNAS comes equipped with an internal, self-signed certificate that enables encrypted access to the web interface. You can either import or create a Certificate or Signing Request by navigating to System > Certificates and clicking ADD. Enter the name for the certificate, then choose the Type. The four options are Internal Certificate, Certificate Signing Request (CSR), Import Certificate, and Import Certificate Signing Request. The process for each type is slightly different.
Select Internal Certificate as the Type.
You can select a profile for the CA to auto-fill options like Key Type, Key Length, Digest Algorithm. Otherwise, you must set options manually.
- Select a Signing Certificate Authority from the drop-down.
- Select a Key Type from the drop-down. We recommend the RSA key type.
- Select the Key Length. We recommend a minimum of 2048 for security reasons.
- Select a Digest Algorithm. We recommend SHA256.
- Enter the Lifetime of the CA in days to set how long the CA will remain valid.
- Fill out the geographic information by entering the Country, Locality, Organizational Unit (optional), Common Name, State, Organization, Email, and Subject Alternate Names.
- The Common Name is the fully-qualified hostname (FQDN) and must be unique within a certificate chain.
- If you would like to have Basic Constraints, set Enabled to see more options.
- Set a Path Length to determine how many non-self-issued intermediate certificates can follow the certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path.
- Select one or more Basic Constraints Configs.
If you want an Authority Key Identifier, set it to Enabled, then select one or more Authority Key Configs.
TrueNAS uses Extended Key Usage for end-entity certificates.
- If you want to utilize Extended Key Usage, set it to Enabled, then select one or more usages for the public key from the Usages drop-down.
- Enable Critical Extension if you want to identify this extension as critical for the certificate. Do not enable Critical Extension if Usages contains ANY_EXTENDED_KEY_USAGE.
Using Extended Key Usage and Key Usage extensions requires that the certificate purpose is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details.
- Select Certificate Signing Request as the Type.
- You can select a profile for the CA to auto-fill options like Key Type, Key Length, Digest Algorithm. Otherwise, you must set options manually.
- Select a Key Type from the drop-down. We recommend the RSA key type.
- Select a Digest Algorithm. We recommend SHA256.
- Fill out the geographic information by entering the Country, Locality, Organizational Unit (optional), Common Name, State, Organization, Email, and Subject Alternate Names.
- The Common Name is the fully-qualified hostname (FQDN) and must be unique within a certificate chain.
- If you would like to have Basic Constraints, set Enabled to see more options.
- Set a Path Length to determine how many non-self-issued intermediate certificates can follow the certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path.
- Select one or more Basic Constraints Configs.
If you want an Authority Key Identifier, set it to Enabled, then select one or more Authority Key Configs.
TrueNAS uses Extended Key Usage for end-entity certificates.
- If you want to utilize Extended Key Usage, set it to Enabled, then select one or more usages for the public key from the Usages drop-down.
- Enable Critical Extension if you want to identify this extension as critical for the certificate. Do not enable Critical Extension if Usages contains ANY_EXTENDED_KEY_USAGE.
Using Extended Key Usage and Key Usage extensions requires that the certificate purpose is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details.
Select Import Certificate as the Type.
If you want to import an existing CSR, enable CSR exists on this system, then select one from the drop-down.
- Copy the certificate for the CA you want to import and paste it into the Certificate field.
- Paste the certificate Private Key when available. Provide a key at least 1024 bits long.
- Enter and confirm the Private Key Passphrase.
Select Import Certificate as the Type.
- Copy the certificate for the CA you want to import and paste it into the Certificate field.
- Paste the certificate Private Key when available. Provide a key at least 1024 bits long.
- Enter and confirm the Private Key Passphrase.