Get a Quote     (408) 943-4100               TrueNAS Discord      VendOp_Icon_15x15px   Commercial Support Toggle between Light and Dark mode
TrueNAS.com Software Systems Company Community Security iX Portal Download

  1. Documentation Hub
  2. /
  3. TrueNAS CORE and Enterprise
  4. /
  5. UI Reference Guide
  6. /
  7. System
  8. /
  9. CAs
Edit this page

CAs

  4 minute read.

Last Modified 2022-09-21 13:08 -0400

CAInternalIntermediate

Identifier and Type

Name Description
Name Descriptive identifier for this certificate authority.
Type Choose between Internal CA, Intermediate CA, and Import CA. An Internal CA functions like a publicly trusted CA to sign certificates for an internal network. They are not trusted outside the private network. An Intermediate CA lives between the root and end entity certificates and its main purpose is to define and authorize the types of certificates that can be requested from the root CA. Import CA allows an existing CA to be imported onto the system. For more information see What are Subordinate CAs and Why Would You Want Your Own?
Profiles Predefined certificate extensions. Choose a profile that best matches your certificate usage scenario.

Internal and Intermediate CAs

Certificate Options

Name Description
Signing Certificate Authority (Intermediate CA) Select a previously imported or created CA.
Key Type See Why is elliptic curve cryptography not widely used, compared to RSA? for more information about key types.
Key Length The number of bits in the key used by the cryptographic algorithm. For security reasons, a minimum key length of 2048 is recommended.
Digest Algorithm The cryptographic algorithm to use. The default SHA256 only needs to be changed if the organization requires a different algorithm.
Lifetime The lifetime of the CA specified in days.

Certificate Subject

Name Description
Country Select the country of the organization.
State Enter the state or province of the organization.
Locality Enter the location of the organization. For example, the city.
Organization Enter the name of the company or organization.
Organizational Unit Organizational unit of the entity.
Email Enter the email address of the person responsible for the CA.
Common Name Enter the fully-qualified hostname (FQDN) of the system. This name must be unique within a certificate chain.
Subject Alternate Names Multi-domain support. Enter additional domains to secure. Separate domains by pressing Enter. For example, if the primary domain is example.com, entering www.example.com secures both addresses.

Basic Constraints

Name Description
Enabled Activate this certificate extension.
Path Length How many non-self-issued intermediate certificates that can follow this certificate in a valid certification path. Entering 0 allows a single additional certificate to follow in the certificate path. Cannot be less than 0.
Basic Constraints Config The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. See RFC 3280, section 4.2.1.10 for more information.

Authority Key Identifier

Name Description
Enabled Activate this certificate extension.
Authority Key Config The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer’s certificate) or on the issuer name and serial number. See RFC 3280, section 4.2.1.1 for more information.

Extended Key Usage

Name Description
Enabled Activate this certificate extension.
Usages Identify the purpose for this public key. Typically used for end entity certificates. Multiple usages can be selected. Do not mark this extension critical when the Usage is ANY_EXTENDED_KEY_USAGE. Using both Extended Key Usage and Key Usage extensions requires that the purpose of the certificate is consistent with both extensions. See RFC 3280, section 4.2.1.13 for more details.
Critical Extension Identify this extension as critical for the certificate. Critical extensions must be recognized by the certificate-using system or this certificate will be rejected. Extensions identified as not critical can be ignored by the certificate-using system and the certificate still approved.

Key Usage

Name Description
Enabled Activate this certificate extension.
Key Usage Config The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted. For example, when an RSA key should be used only to verify signatures on objects other than public key certificates and CRLs, the Digital Signature bits would be asserted. Likewise, when an RSA key should be used only for key management, the Key Encipherment bit would be asserted. See RFC 3280, section 4.2.1.3 for more information.

Import CAs

CAImport

Certificate Subject

Name Description
Certificate Paste the certificate for the CA.
Private Key Paste the private key associated with the Certificate when available. Please provide a key at least 1024 bits long.
Passphrase Enter the passphrase for the Private Key.
Confirm Passphrase Confirm the passphrase for the Private Key.

Related Content