Setting up CAs for PKI - Root, Intermediate and/or Issuing CAs?

ITOperative

Dabbler
Joined
Feb 11, 2023
Messages
20
Good morning!

I'm a little lacking on the depth of CAs than I'd like, but I'm hoping to create a PKI for both extending to other VMs and machines, as well as authenticating VPN, etc.

I know in a proper 3-tier PKI, you would have Root CA > Intermediate CA(s) > Issuing CA(s).
From what I've read, an Intermediate CA creates certificates for other CAs, whereas an issuing CA does the typical issuing for the end of the chain.
I do know that one typically keeps a Root CA offline. I don't know if an Intermediate CA can also be used as the issuing CA or not.

So first, in TrueNAS Core, can an Internal CA be used as a Root CA, or should I make a separate Root CA and import it as an External CA?
Next, looking at Internal CA, I don't see the option to select a certificate to base it off of, so how would one create a subordinate CA, would I just use an Intermediate CA to sign, or is this functionality beyond what TrueNAS provides?

I do intend to use this both as a standard CA for anything in my network that requires a cert, but would also like to use it for OpenVPN.
Would I set the profile to Openvpn Root CA, or just CA?

Finally, do I need to enable any extension in the Root CA that I'd want on subordinate CAs, such as Extended Key Usage, or can I do that entirely in the subordinate CA to restrict security on the Root CA itself?

Thanks for any time and assistance with this!
I feel I know just enough to get by with PKI for most of my needs, but I don't fully grasp the setup and want to ensure I do it right.
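The hierarchy asked about above (offline root > intermediate that also acts as issuing CA > leaf), as an added worked example built with the OpenSSL CLI rather than the TrueNAS UI; this is not code from the poster, the thread, or TrueNAS. It assumes `openssl` 1.1.1 or 3.x is on PATH; the CA names, the host name `nas.home.example` and the scratch directory are made up for illustration. It also answers the extension question: `basicConstraints`/`keyUsage` go on each CA, `pathlen:0` on the intermediate stops it from minting further CAs, and `extendedKeyUsage` is set only on the leaf, so nothing EKU-related needs to be enabled on the root.

```shell
#!/bin/sh
# Added example (not from the forum post or TrueNAS): root -> intermediate/issuing
# CA -> leaf with OpenSSL, then checks that the constraints actually bite.
# Assumptions: openssl on PATH; all names and the scratch dir are illustrative.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

write_config() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]

# Root: CA:TRUE, no pathlen limit, signing-only key usage, no EKU at all.
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Intermediate that is also the issuing CA: pathlen:0 = may sign leaves only.
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# Leaf (TLS/VPN server): the EKU lives here, not on the CAs above it.
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:nas.home.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# A further CA the intermediate is NOT allowed to create (violates pathlen:0).
[v3_rogue]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# gen_csr NAME CN -> NAME.key, NAME.csr
gen_csr() {
  # shellcheck disable=SC2086
  openssl req -new $KEYOPTS -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config pki.cnf 2>/dev/null
}

# sign NAME ISSUER SECTION DAYS -> NAME.crt (extensions come from pki.cnf)
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days "$4" -sha256 -extfile pki.cnf -extensions "$3" 2>/dev/null
}

build_pki() {
  cd "$PKI_DIR" || return 1
  write_config
  # Root is self-signed once; afterwards only root.crt is distributed and
  # root.key is needed solely to sign a new intermediate (keep it offline).
  # shellcheck disable=SC2086
  openssl req -x509 -new $KEYOPTS -keyout root.key -out root.crt -days 3650 \
    -sha256 -subj "/CN=Example Home Root CA" -config pki.cnf -extensions v3_root 2>/dev/null
  gen_csr int "Example Home Issuing CA" && sign int root v3_int    1825
  gen_csr nas nas.home.example          && sign nas int  v3_server 398
}

# Leaf chains to the root through the intermediate.
verify_leaf() {
  cd "$PKI_DIR" || return 1
  openssl verify -CAfile root.crt -untrusted int.crt nas.crt >/dev/null 2>&1
}

# EKU is evaluated on the leaf: a serverAuth-only cert passes as a TLS server...
leaf_ok_as_server() {
  cd "$PKI_DIR" || return 1
  openssl verify -purpose sslserver -CAfile root.crt -untrusted int.crt nas.crt >/dev/null 2>&1
}

# ...and is rejected when presented as a TLS client (no clientAuth EKU).
leaf_rejected_as_client() {
  cd "$PKI_DIR" || return 1
  ! openssl verify -purpose sslclient -CAfile root.crt -untrusted int.crt nas.crt >/dev/null 2>&1
}

# pathlen:0 on the intermediate: nothing stops its key from signing a sub-CA,
# but verifiers reject any chain that passes through that sub-CA.
rogue_subca_rejected() {
  cd "$PKI_DIR" || return 1
  gen_csr rogue "Rogue Sub CA"   && sign rogue int   v3_rogue  365
  gen_csr bad   bad.home.example && sign bad   rogue v3_server 30
  ! openssl verify -CAfile root.crt -untrusted int.crt -untrusted rogue.crt bad.crt >/dev/null 2>&1
}

build_pki
echo "PKI built in $PKI_DIR"
```

In this layout clients only need `root.crt` in their trust store, the server presents `nas.crt` followed by `int.crt`, and `root.key` never has to be on the machine that issues day-to-day certificates, which is what "keeping the root offline" amounts to in practice.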
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't know if an Intermediate CA can also be used as the issuing CA or not.
It often, but not always, is.
I do know that one typically keeps a Root CA offline.
That's a good security measure. I don't think it's practical if you plan on your NAS as the root of your entire PKI.

IMO, trying to use your NAS as a CA just isn't a good idea, as that feature's pretty poorly-implemented in TrueNAS. Much better to use a separate device, like this:
 

ITOperative

Dabbler
Joined
Feb 11, 2023
Messages
20
Well I primarily plan it for personal use, but I'll definitely keep that in mind!
For the time being I've made my CA and intermediate CA, and I plan to feel it out for a bit.
But if need be, I may spin up a super lightweight VM to handle the server portion of it.

In the meantime, I did a cert + key export on both the root and intermediate CAs once I got them working, and placed that on cold storage.
That way if I migrate off of TrueNAS for my CA use, I can easily import it elsewhere without interruption.
 