@l4rm4nd
Created September 2, 2025 08:49
TrueNAS Core // Create new CA and SSL Certificate

TrueNAS CORE: Create a CA, Issue a Certificate, Apply to WebUI

This README shows how to:

  1. Create a new internal Certificate Authority (CA)
  2. Issue a 10-year certificate signed by that CA
  3. List CAs and certs
  4. Set the WebUI to use the new certificate
  5. Restart the WebUI so the cert takes effect

Notes
• Commands are for TrueNAS CORE, using midclt.
• Your build may require certain subject fields and SAN. The examples include conservative defaults that satisfy strict validators.
• Replace hostnames, org info, and emails as needed.


1) Create a new internal CA (RSA, 10 years)

Edit the values if you like. The san field is included because some CORE builds require it for CA creation too.

midclt call certificateauthority.create '{
  "create_type": "CA_CREATE_INTERNAL",
  "name": "My-Default-CA",
  "key_length": 2048,
  "lifetime": 3650,
  "digest_algorithm": "SHA256",
  "country": "US",
  "state": "California",
  "city": "Los Angeles",
  "organization": "TrueNAS",
  "email": "admin@localhost.lan",
  "common": "nas.local",
  "san": ["nas.local"]
}'

List all CAs

midclt call certificateauthority.query | jq -r 'sort_by(.id) | .[] | "\(.id)\t\(.name)\t\(.issuer)\t\(.until)"'

2) Create a certificate signed by that CA

Replace <CA-ID> below with the ID of the CA created above (the first column of the CA listing).

JOB_ID=$(midclt call certificate.create '{
  "create_type": "CERTIFICATE_CREATE_INTERNAL",
  "name": "My-UI-Cert",
  "key_length": 2048,
  "lifetime": 3650,
  "digest_algorithm": "SHA256",
  "country": "US",
  "state": "California",
  "city": "Los Angeles",
  "organization": "TrueNAS",
  "email": "admin@localhost.lan",
  "common": "nas.local",
  "san": ["nas.local"],
  "signedby": '"<CA-ID>"'
}')
echo "JOB_ID=$JOB_ID"

# Check job result for success / certificate ID
midclt call core.get_jobs "[[\"id\",\"=\",$JOB_ID]]" | jq '.[0] | {id,state,error,result}'

List all certificates

midclt call certificate.query | jq -r 'sort_by(.id) | .[] | "\(.id)\t\(.name)\t\(.common)\t\(.until)"'

3) Assign the certificate to the WebUI

Replace <CERT_ID> with the certificate ID shown in the job result above.

midclt call system.general.update "{\"ui_certificate\": <CERT_ID>}"

Verify the new assignment:

midclt call system.general.config | jq '.ui_certificate, .ui_certificate_name'

4) Restart the WebUI

Option A — restart middleware:

service middlewared restart

Option B, if that does not work, is to reboot TrueNAS:

reboot
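
To confirm after the restart that the WebUI serves the new certificate, the following added example (not part of the original gist) checks a certificate against the CA for chain, hostname and remaining lifetime. It assumes the CA certificate has been exported to a PEM file; the function names and the throwaway sample PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the gist. Function names are hypothetical.

# Save the certificate the WebUI actually serves (needs network access to the NAS).
fetch_served_cert() {  # usage: fetch_served_cert nas.local 443 > served.pem
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# Check a leaf against the CA: prints OK, or FAIL <reason> with a distinct return code.
check_ui_cert() {  # usage: check_ui_cert ca.pem leaf.pem hostname [min_days_left]
  ca=$1 leaf=$2 host=$3 days=${4:-30}
  # 1. The leaf's signature chain must verify against the given CA file.
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL chain"; return 1; }
  # 2. The hostname must match (SAN dNSName; CN is only used if no SAN exists).
  openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match' ||
    { echo "FAIL hostname"; return 2; }
  # 3. The certificate must stay valid for at least $days more days.
  openssl x509 -in "$leaf" -noout -checkend $((days * 86400)) >/dev/null ||
    { echo "FAIL expiry"; return 3; }
  echo "OK"
}

# Constructed sample data: throwaway CA and nas.local leaf written to directory $1.
make_sample_pki() {
  dir=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf_ext]' 'subjectAltName=DNS:nas.local' > "$dir/sample.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/sample.cnf" \
    -extensions ca_ext -subj "/CN=Sample CA" -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/sample.cnf" \
    -subj "/CN=nas.local" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/sample.cnf" -extensions leaf_ext \
    -out "$dir/leaf.pem" 2>/dev/null
}
```

Against the real system, run fetch_served_cert for the NAS hostname and pass the saved file to check_ui_cert together with the exported CA PEM.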