doc: merge knowledge base into guide

2026-01-26 05:25:38 +07:00 · 2026-01-08 19:27:50 +07:00
parent 097dfb6da9
commit 33d1dd6356
10 changed files with 46 additions and 49 deletions
--- a/pages/guide/_meta.json
+++ b/pages/guide/_meta.json
@@ -1,6 +1,8 @@
 {
    "index": "Overview",
    "getting-started": "Getting Started",
+    "concepts": "Core Concepts",
    "certificates": "Certificate Operations",
-    "integrations": "Integrations"
+    "integrations": "Integrations",
+    "troubleshooting": "Troubleshooting"
 }
--- a/pages/guide/concepts/_meta.json
+++ b/pages/guide/concepts/_meta.json
@@ -0,0 +1,4 @@
+{
+    "pki-intro": "What is PKI?",
+    "cert-types": "Certificate Types"
+}
--- a/pages/guide/concepts/index.mdx
+++ b/pages/guide/concepts/index.mdx
@@ -0,0 +1,76 @@
+import { Callout, Cards, Card } from 'nextra/components'
+import { ShieldCheck, ShieldAlert, BadgeCheck, Lock } from 'lucide-react'
+
+# PKI Fundamentals & Trust Context
+
+Understanding the difference between **Private PKI** (TrustLab) and **Public PKI** (Let's Encrypt, DigiCert) is critical for using SSL/TLS effectively and safely.
+
+## The Two Lanes of Trust
+
+The internet security model is built on two distinct "lanes" of trust. Mixing them up causes errors, but using them correctly provides **Military-Grade Security**.
+
+<Cards>
+  <Card icon={<ShieldCheck />} title="Public Lane (Global)" href="#1-public-pki" arrow />
+  <Card icon={<Lock />} title="Private Lane (Internal)" href="#2-private-pki-trustlab" arrow />
+</Cards>
+
+### 1. Public PKI
+*   **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
+*   **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
+*   **Verification**: Requires you to own a public domain (e.g., `google.com`).
+*   **Limitation**: **Cannot** issue certificates for:
+    *   Private IP Addresses (e.g., `192.168.1.50`).
+    *   Internal Domain Names (e.g., `company.local`, `dev.internal`).
+    *   Intranet servers behind a firewall.
+
+### 2. Private PKI (TrustLab)
+*   **Issuer**: TrustLab Root CA (Your Organization).
+*   **Trust Model**: Trusted **ONLY** by devices that have installed your Root CA.
+*   **Strength**: Uses the **exact same math** (RSA-2048/4096, SHA-256) as Public CAs.
+*   **Superpower**: Can secure **ANYTHING**:
+    *   Localhost (`localhost`).
+    *   Database Servers (`10.0.0.5`).
+    *   Development Environments.
+    *   Internal APIs.
+
+---
+
+## Why "Military Grade"?
+
+TrustLab utilizes **OpenSSL**, the same cryptographic core used by majority of the world's secure servers, banks, and military networks.
+
+| Feature | TrustLab (Private) | Public CA (Paid) |
+| :--- | :--- | :--- |
+| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
+| **Signature** | SHA-256 | SHA-256 |
+| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
+| **Global Trust** | ❌ (Manual Install Required) | ✅ (Pre-installed) |
+| **Internal IPs** | ✅ Supported | ❌ Forbidden |
+| **Cost** | **Free** | $400+/month (for Private CA) |
+
+## Appropriate Use Cases
+
+<Callout type="info" emoji={<BadgeCheck className="w-5 h-5" />}>
+  **The Golden Rule:**
+  Use **TrustLab** for anything the Public Internet CANNOT access.
+  Use **Public CAs** for anything the Public Internet MUST access.
+</Callout>
+
+### ✅ Perfect For (Green Lane)
+*   **Internal Tools**: Admin Panels, HR Portals, Dashboards.
+*   **Development**: Testing HTTPS on `localhost` or `dev.local`.
+*   **Databases**: Securing connection to MySQL/Postgres/Mongo.
+*   **IoT Devices**: Securing communication between sensors and local hubs.
+*   **S/MIME**: Encrypting email between employees.
+
+### ❌ Do Not Use For (Red Lane)
+*   **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning.
+*   **Public Blogs/Websites**: Random visitors will not have your Root CA installed.
+
+## The "Trust Split" Myth
+
+There is **no conflict** between having TrustLab installed and visiting public websites.
+*   When you visit `google.com`, your browser uses the **Public Lane**.
+*   When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**.
+
+They coexist peacefully, providing comprehensive security for your entire digital life.
--- a/pages/guide/concepts/pki-intro.mdx
+++ b/pages/guide/concepts/pki-intro.mdx
@@ -0,0 +1,26 @@
+# What is PKI?
+
+**Public Key Infrastructure (PKI)** is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, store, and revoke digital certificates.
+
+## Core Concepts
+
+### 1. Asymmetric Encryption
+PKI relies on a pair of keys:
+- **Public Key**: Shared with everyone. Used to encrypt data.
+- **Private Key**: Kept secret. Used to decrypt data and *sign* digital assets.
+
+### 2. The Chain of Trust
+A certificate is only trusted if it is signed by a trusted issuer.
+- **Root CA**: The anchor of trust. It signs itself (Self-Signed). You explicitly trust this on your device.
+- **Intermediate CA**: Signed by Root CA. Used to sign End-Entity certificates for security.
+- **End-Entity (Leaf)**: The certificate used on your Web Server or Email.
+
+TrustLab manages this entire chain for your internal organization.
+
+### 3. Why Internal PKI?
+Using Public CAs (like Let's Encrypt) is great for public websites, but incompatible with:
+- **Intranet IPs** (e.g., `10.0.0.1`).
+- **Internal Domains** (e.g., `.local`, `.corp`).
+- **VPN Services**.
+
+TrustLab fills this gap by acting as your private authority.
--- a/pages/guide/troubleshooting/_meta.json
+++ b/pages/guide/troubleshooting/_meta.json
@@ -0,0 +1,4 @@
+{
+    "browser-errors": "NET::ERR_CERT Errors",
+    "missing-root": "System Doesn't Trust CA"
+}
--- a/pages/guide/troubleshooting/browser-errors.mdx
+++ b/pages/guide/troubleshooting/browser-errors.mdx
@@ -0,0 +1,43 @@
+import { Callout, Cards, Card } from 'nextra/components'
+import { AlertTriangle, Globe, Calendar, XCircle, HelpCircle } from 'lucide-react'
+
+# Common Browser Errors
+
+When using internal certificates, browsers are very strict. Below are the most common error codes and how to resolve them.
+
+### `NET::ERR_CERT_AUTHORITY_INVALID`
+
+<Callout type="error" emoji={<AlertTriangle className="w-5 h-5" />}>
+  **The Logic:** The browser simply **does not know** the "TrustLab Root CA" that signed your website's certificate, so it assumes it's fake.
+</Callout>
+
+**Solution:**
+You have not installed the Root CA on your device yet.
+*   [**Install Root CA Guide**](/guide/getting-started/install-root-ca)
+
+---
+
+### `NET::ERR_CERT_COMMON_NAME_INVALID`
+
+<Callout type="warning" emoji={<Globe className="w-5 h-5" />}>
+  **The Logic:** You are visiting `app.local`, but the certificate was only issued for `api.local`. The names **do not match**.
+</Callout>
+
+**Solution:**
+The domain is missing from the certificate's **SANs (Subject Alternative Names)**.
+1.  Click the **"Not Secure"** icon > **Certificate**.
+2.  Check the **DNS Name** or SAN field.
+3.  If missing, you must **[Generate a New Certificate](/guide/certificates/request-new)** that includes the correct domain.
+
+---
+
+### `NET::ERR_CERT_DATE_INVALID`
+
+<Callout type="info" emoji={<Calendar className="w-5 h-5" />}>
+  **The Logic:** The certificate has expired, OR your computer's clock is set to the wrong date (past/future).
+</Callout>
+
+**Solution:**
+1.  Check your system clock first.
+2.  If the clock is correct, the certificate is truly expired.
+3.  **[Renew the Certificate](/guide/certificates/renewal)** immediately.