Security
Self-signed certificates & TOFU
Many TrueNAS systems use self-signed certificates by default. A strict TLS client will reject those certificates because they are not issued by a public CA.
How NAS Guard Agent handles this
- The Agent first tries a normal, strict TLS connection.
- If TLS verification fails due to certificate issues, the Agent can fall back to TOFU (Trust On First Use) by pinning the certificate fingerprint.
- On the next connection, the Agent will only accept the same certificate fingerprint.
Result: No insecure "accept everything" behavior. From the first successful pin onward, the connection is bound to that certificate.
When do I need to reset the pin?
- If you replaced the TrueNAS certificate.
- If you changed the TrueNAS address/host in a way that points to a different system.
Action: Use the Reset certificate pin button in the Agent UI, then reconnect.
Pin mismatch
If the Agent reports a pinned certificate mismatch, do not ignore it. It can mean that the certificate changed unexpectedly.
Security note: Only reset the pin if you are sure you are connecting to your real TrueNAS.
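The flow described on this page (strict TLS first, TOFU fallback, mismatch rejection, explicit reset), as an added Python example that is not NAS Guard Agent's own code. It assumes the pin is a SHA-256 digest of the DER certificate kept in a dict keyed by host; all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

class PinMismatch(Exception):
    """The server presented a certificate that differs from the pinned one."""

def fingerprint(der_cert: bytes) -> str:
    # Assumption: the pin is the SHA-256 digest of the DER-encoded certificate.
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Return 'pinned' on first use, 'match' afterwards; raise on a mismatch."""
    seen = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen  # first use: nothing to compare against yet
        return "pinned"
    if hmac.compare_digest(pinned, seen):
        return "match"
    # Never overwrite the pin here; only an explicit reset may clear it.
    raise PinMismatch(f"{host}: pinned {pinned[:16]}..., presented {seen[:16]}...")

def reset_pin(store: dict, host: str) -> None:
    """Equivalent of a 'reset certificate pin' action: forget the stored pin."""
    store.pop(host, None)

def connect(host: str, port: int, store: dict) -> ssl.SSLSocket:
    """Strict TLS first; fall back to the pin only on a certificate failure."""
    try:
        raw = socket.create_connection((host, port), timeout=10)
        return ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError:
        pass  # e.g. self-signed; other TLS or network errors still propagate
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # chain is not validated; the pin is the check
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                          server_hostname=host)
    try:
        check_pin(store, host, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()  # send nothing (credentials, API keys) to a mismatched peer
        raise
    return tls

# Constructed stand-ins for two DER certificates, used only for an offline check.
CERT_A, CERT_B = b"constructed-der-cert-A", b"constructed-der-cert-B"
```

In this sketch the first-use pin is taken without any prior reference, so the fingerprint it records is worth comparing once against the certificate installed on the TrueNAS system.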