35 changes: 24 additions & 11 deletions content/SCALETutorials/Credentials/Certificates/AddACMESCALE.md
@@ -1,6 +1,6 @@
---
title: "Adding ACME DNS-Authenticators"
description: "Provides basic instructions on adding and managing ACME DNS-authenticators in TrueNAS."
title: "Adding ACME DNS Authenticators"
description: "Provides basic instructions on adding and managing ACME DNS authenticators in TrueNAS."
weight: 40
tags:
- certificates
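Review bot: the title and description drop the hyphen ("ACME DNS Authenticators"), but the widget is still called **ACME DNS-Authenticator** further down in this same file (`Click **Add** on the **ACME DNS-Authenticator** widget` and `The DNS authenticator shows on the **ACME DNS-Authenticator** widget`). If the UI label really is hyphenated, keep the hyphen for the widget name only and say so once; otherwise update those two references in the same pass so the page uses one spelling throughout.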
Expand All @@ -12,36 +12,50 @@ keywords:
- acme dns authenticator
---

Automatic Certificate Management Environment (ACME) DNS authenticators allow users to automate certificate issuing and renewal. The user must verify ownership of the domain before TrueNAS allows certificate automation.
Automatic Certificate Management Environment (ACME) DNS authenticators allow users to automate certificate issuing and renewal.
The user must verify ownership of the domain before TrueNAS allows certificate automation.

{{< hint type=important >}}
ACME DNS is an advanced feature intended for network administrators or AWS professionals. Misconfiguring ACME DNS can prevent you from accessing TrueNAS.
{{< /hint >}}

The system requires an ACME DNS Authenticator and CSR to configure ACME certificate automation.
The system requires an ACME DNS Authenticator and CSR to configure ACME certificate automation to proceed.

## Adding a DNS Authenticator

To add an authenticator,
Before you begin this procedure, log in to your DNS authenticator provider service to obtain an API global key or an API token, whichever your service provider requires.
When configuring an ACME DNS authenticator in TrueNAS using Cloudflare as the provider, you need the global API key but not the API token.

This procedure uses Cloudflare as the example.
To add an authenticator:

Click **Add** on the **ACME DNS-Authenticator** widget to open the **Add DNS Authenticator** screen.

{{< trueimage src="/images/SCALE/Credentials/AddDNSAuthenticatorCloudflare.png" alt="Add DNS Authenticator" id="Add DNS Authenticator" >}}

Enter a name, and select the authenticator you want to configure. **Cloudflare** shows by default.
Enter a name.

Select the authenticator you want to configure. **Cloudflare** shows by default.
Supported authenticator options are [Cloudflare](https://www.cloudflare.com), [DigitalOcean](https://www.digitalocean.com/), [Amazon Route 53](https://aws.amazon.com/route53/), [OVHcloud](https://www.ovhcloud.com/en/domains/), and **shell**.
**Authenticator** selection changes the configuration fields.

If you select **cloudflare** as the authenticator, you must enter your Cloudflare account email address and API key, or the Cloudflare API token. If using an API token, do not enter the Cloudflare account email address.
When selecting **cloudflare** as the authenticator, enter the Cloudflare account email address associated API key and the DNS domain.
For Cloudflare, copy/paste the global API key from Cloudflare into the **API Key** field.
If using an API token, do not enter the Cloudflare account email address.

If you select **digitalocean** as the authenticator, you must enter your DigitalOcean Token.
When selecting **digitalocean** as the authenticator, enter your DigitalOcean Token.

If you select **route53** as the authenticator, you must enter your Route53 Access key ID and secret access key.
When selecting **route53** as the authenticator, enter your Route53 Access key ID and secret access key.

If you select **OVH** as the authenticator, you must enter your OVH application key, application secret, consumer key, and endpoint.
When selecting **OVH** as the authenticator, enter your OVH application key, application secret, consumer key, and endpoint.

Click **Save** to add the authenticator.

The DNS authenticator shows on the **ACME DNS-Authenticator** widget. To make changes, click on the <span class="material-icons">more_vert</span> for the authenticator, and then on **Edit**.

After adding the authenticator, you can configure a certificate signing request (CSR) for this authentictor and create an ACME certificate.
For more information, see [Managing Certificate Signing Requests]({{< ref "AddCSRsSCALE" >}}).

### Adding an Authenticator with a Shell Script

{{< hint type=warning >}}
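Review bot: the Cloudflare guidance contradicts itself. `When configuring an ACME DNS authenticator in TrueNAS using Cloudflare as the provider, you need the global API key but not the API token.` says a token cannot be used, but `If using an API token, do not enter the Cloudflare account email address.` a few lines later documents the token path. Since the form accepts either, document the API token as the primary option and the global key as the fallback: a token can be scoped to DNS edits on the one zone being validated, while the global key carries the permissions of the whole Cloudflare account, and whichever credential is entered here is stored on the TrueNAS system. The `Misconfiguring ACME DNS can prevent you from accessing TrueNAS.` hint is the natural place to add that caveat; "AWS professionals" in that hint also reads oddly when the worked example is Cloudflare. Smaller fixes in the same hunk: `enter the Cloudflare account email address associated API key and the DNS domain` is missing a comma after "email address" and mentions a DNS domain field that the surrounding text never explains; `to configure ACME certificate automation to proceed.` has a dangling "to proceed"; and "authentictor" near the end of the hunk is a typo.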
Expand All @@ -52,4 +66,3 @@ If you select **shell** as the authenticator, you must enter the path to an auth

Advanced users can select this option to pass an authenticator script, such as *acme.sh*, to the shell and add an external DNS authenticator.
This requires an ACME authenticator script saved to the system.
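Review bot: `pass an authenticator script, such as *acme.sh*, to the shell` and `This requires an ACME authenticator script saved to the system.` should say where the script must live and that TrueNAS executes the file at that path on its own host each time a domain is validated. Suggest stating that the path is on the TrueNAS system (not the client browser), and that the file should be owned by root and not writable by other users, since anything able to modify it runs whatever it wants with the privileges of the validation process. That is presumably what the warning hint at the top of this hunk is about, but the hint body is collapsed here and cannot be checked.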

79 changes: 53 additions & 26 deletions content/SCALETutorials/Credentials/Certificates/AddCSRsSCALE.md
Expand Up @@ -17,45 +17,67 @@ The **Certificate Signing Requests** widget allows users to configure a message
## Adding a CSR

{{< hint type=info >}}
An ACME certificate is created based on the settings in the selected CSR.

If you plan to create an ACME certificate, before adding a CSR, make sure the certificate authority provider account (i.e., Cloudflare, DigitalOcean, etc.) is correctly configured with all domains entered in this CSR.

When adding an ACME certificate for a CSR, it is created based on the settings in the selected CSR.

When adding an ACME certificate for a CSR, it is created based on the settings in the selected CSR.

For example, if using a Cloudflare DNS authenticator, in the Cloudflare account, register the domain(s) entered in the **Subject Alternative Name** field on the **Certificate Subject** screen in the **Add CSR** wizard.
If the CSR and provider accounts are not properly configured, TrueNAS shows an error indicating the problem with the configuration.
For information on how to add a DNS authenticator in TrueNAS, [click here]({{< relref "AddACMESCALE.md" >}}).

If the CSR and provider accounts are not properly configured, a dialog with an error indicating the configuration problem opens.

For information on how to add a DNS authenticator in TrueNAS, see [Adding ACME DNS Authenticators]({{< relref "AddACMESCALE.md" >}}).
{{< /hint >}}

You can only edit the name of the CSR after you click **Save**.
You can only edit the name of the CSR after clicking **Save**.
If you make a mistake or want to change any setting, delete the CSR and create a new one with the desired or correct settings.

To add a CSR:

First, enter a name and select the CSR type. The **Add CSR** allows a user to create a certificate signing request(CSR) or import a certificate for a CSR. Users can select a predefined certificate extension from the **Profiles** dropdown list.
1. Enter a name and select the CSR type.
The **Add CSR** wizard allows creating a certificate signing request (CSR) or importing a certificate for a CSR.
Users can select a predefined certificate extension from the **Profiles** dropdown list.

{{< trueimage src="/images/SCALE/Credentials/AddCSRIdentifierAndType.png" alt="Add CSR Certificate Options RSA Type" id="Add CSR Certificate Options RSA Type" >}}
{{< trueimage src="/images/SCALE/Credentials/AddCSRIdentifierAndType.png" alt="Add CSR Certificate Options RSA Type" id="Add CSR Certificate Options RSA Type" >}}

Next, select or enter the certificate options for the CSR.
Choose options that specify the type of private key to use, the number of bits in the key used by the cryptographic algorithm, and the cryptographic algorithm the CSR uses.
Click **Next**.

When entering values for the **Certificate Subject** settings, enter short values for the geographic information, where possible.
For example, enter TN instead of Tennessee for the State. Enter all required values (indicated by the asterisk).
The **Common Name** can be the full domain assigned to the TrueNAS system, or just the example.net portion of the domain name. Include this in the **Subject Alternative Name** field. You can enter any other system [fully-qualified hostname (FQDN)](https://kb.iu.edu/d/aiuv) and domains for multi-domain support.
2. Select or enter the certificate options for the CSR. TrueNAS shows default settings in each field.
**Key Type** shows the option matching the selection made in **Profiles** in step 1.
Accept the default values or choose the number of bits in the key used by the cryptographic algorithm, and the cryptographic algorithm the CSR uses.

{{< trueimage src="/images/SCALE/Credentials/AddCSRCertificateSubject.png" alt="Add CSR Certificate Subject Screen" id="Add CSR Certificate Subject Screen" >}}
Click **Next**.

(Optional) Enter any extra constraints you need for your scenario. The **Extra Constraints** step contains certificate extension options.
3. Enter the **Certificate Subject** settings. When entering values, enter short values for the geographic information, where possible.
For example, enter TN instead of Tennessee for the **State**. Enter all required values (indicated by the asterisk).

* **Basic Constraints** limits the path length for a certificate chain.
* **Authority Key Identifier** identifies the public key corresponding to the private key used to sign a certificate.
* **Key Usage** defines the purpose of the public key contained in a certificate.
* **Extended Key Usage** further refines key usage extensions.
If specifying a value in **Common Name**, it can be the full domain assigned to the TrueNAS system or just the *example.net* portion of the domain name.
Include this in the **Subject Alternative Name** field.
You can enter any other system [fully-qualified hostname (FQDN)](https://kb.iu.edu/d/aiuv) and domains for multi-domain support.

Review the certificate options. If you want to change something, click **Back** to reach the screen with the setting option you want to change, then click **Next** to advance to the **Confirm Options** step.
When specifying an IP address in **Subject Alternative Name** do not enter the IP address of the system.
This results in an error if you try to create an ACME certificate for the CSR.

Click **Save** to add the CSR.
{{< trueimage src="/images/SCALE/Credentials/AddCSRCertificateSubject.png" alt="Add CSR Certificate Subject Screen" id="Add CSR Certificate Subject Screen" >}}

Click **Next**.

4. (Optional) Enter any extra constraints if needed for your scenario. The **Extra Constraints** step contains certificate extension options.

* **Basic Constraints** limits the path length for a certificate chain.
* **Authority Key Identifier** identifies the public key corresponding to the private key used to sign a certificate.
* **Key Usage** defines the purpose of the public key contained in a certificate.
* **Extended Key Usage** further refines key usage extensions.

5. Review the certificate options.
Click **Back** until reaching the screen with the setting option you want to change, make the change, and then click **Next** to advance to the **Confirm Options** step.

6. Click **Save** to add the CSR.

## Importing a CSR

When importing a certificate into TrueNAS for the CSR, enter a name, then select **Import Certificate Signing Request** in **Type**. Click **Next**.
When importing a certificate into TrueNAS for the CSR, enter a name, and then select **Import Certificate Signing Request** in **Type**. Click **Next**.

{{< trueimage src="/images/SCALE/Credentials/AddCSRImportCSR.png" alt="Add CSR Import Certificate" id="Add CSR Import Certificate" >}}
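Review bot: the rewritten hint repeats `When adding an ACME certificate for a CSR, it is created based on the settings in the selected CSR.` twice in a row; keep one copy, and the shorter original `An ACME certificate is created based on the settings in the selected CSR.` reads better. Two other points in this hunk. First, `The **Add CSR** wizard allows creating a certificate signing request (CSR) or importing a certificate for a CSR.` and the later `When importing a certificate into TrueNAS for the CSR` describe the **Import Certificate Signing Request** type, which (given the private key password fields that follow) takes an existing CSR and its private key, not a certificate; say "importing an existing CSR and key" so readers do not go looking for a certificate file. Second, `When specifying an IP address in **Subject Alternative Name** do not enter the IP address of the system.` implies some other IP address would work; since every **Domains** entry on the Create ACME Certificate screen is taken from the SAN list and validated by a DNS authenticator, an IP address SAN has nothing for the authenticator to validate, so the guidance should be that IP SANs belong only in CSRs sent to an internal CA and should be left out of any CSR intended for ACME.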

Expand All @@ -64,26 +86,31 @@ Enter the password for the private key in **Password** and **Confirm Password**.

## Creating an ACME Certificate

You can access the **Create ACME Certificate** from the <span class="material-icons">more_vert</span> dropdown list or the **Edit CSR** screen, to add a certificate by selecting an ACME DNS authenticator configured in TrueNAS.
TrueNAS provides a way to add a certificate for an ACNE DNS authenticator added to the system.
After adding the DNS authenticator, create a CSR for it.
Click on the <span class="material-icons">more_vert</span> for the CSR on the **Certificate Signing Requests** widget, then click on **Create ACME Certificate** to open the **Create ACME Certificate** screen.

{{< hint type=info >}}
You must [configure a DNS authenticator]({{< relref "AddACMESCALE.md" >}}) to create an ACME certificate!
The ACME certificate is created based on the settings in the selected CSR.

You must have the domains added to the account providing the DNS authenticator.
For example, if using Cloudflare to create the DNS authenticator, the Cloudflare account must have the domain(s) entered in the **Subject Alternative Name** field in the **Add CSR** wizard on the **Certificate Subject** screen.
If not properly configured, TrueNAS shows an error with the configuration problem.
If not properly configured, a dialog with an error indicating the configuration problem opens.
{{< /hint >}}

{{< trueimage src="/images/SCALE/Credentials/CreateACMECertificateScreen.png" alt="Create ACME Certificate Screen" id="Create ACME Certificate Screen" >}}

Enter a name in **Identifier**, then select **Terms of Service**.
Enter a name in **Identifier**. The underscore (_) and dash (-) are allowed characters in the name.

Select **Terms of Service**.

Enter a number that specifies the time (in days) before the certificate expires in **Renew Certificate Days**.
Enter a number that specifies the time (in days) before the certificate expires in **Renew Certificate Days**.

Select the URI of the ACME server directory from the **ACME Server Directory URI** dropdown list.

The **Domains** area shows a domain for each entry made in the **Subject Alternative Name** field on the **Certificate Subject** screen of the **Add CSR** wizard.
The **Domains** area shows domains for each entry made in the **Subject Alternative Name** field on the **Certificate Subject** screen of the **Add CSR** wizard.
Select the option from the dropdown list for each domain shown. This sets the authenticator to validate the domain.

Click **Save**.
The new ACME certificate shows on the **Certificates** and the **Certificate Signing Requests** widgets.
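Review bot: `TrueNAS provides a way to add a certificate for an ACNE DNS authenticator added to the system.` has a typo ("ACNE" for "ACME"), and the rewrite drops the only link to the authenticator page from this hint (the removed `You must [configure a DNS authenticator]({{< relref "AddACMESCALE.md" >}}) to create an ACME certificate!` line); carry the relref into the new `After adding the DNS authenticator, create a CSR for it.` sentence so the prerequisite stays one click away. Also, `Enter a number that specifies the time (in days) before the certificate expires in **Renew Certificate Days**.` reads as if the field sets the certificate lifetime; the field name indicates it is the number of days before expiry at which TrueNAS attempts renewal, while the ACME CA decides how long the certificate is valid. State that explicitly and advise a value that leaves enough margin for a failed renewal to be retried before the certificate expires, since a lapsed certificate is the failure mode users hit with automation.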