Yes, you’re correct.
Edit: To elaborate a bit, with the advent of Let’s Encrypt, IMO, there’s much less value in running a local CA than was once the case. Using DNS validation, you can easily obtain trusted certs for internal resources that can’t be reached from the Internet (and using acme-dns, you can use DNS validation regardless of your DNS host)–the only real restriction is that you need an actual public domain name; you can’t use hostnames like freenas.local.
Some time ago, a contrib was developed for SME Server (from which Neth forked previously) to run a local CA using PHPki. It’s possible that it could be adapted to work with Neth, though I imagine it would take a fair bit of work. See https://wiki.contribs.org/PHPki