dyzulk/trustlab-docs
1
0
Fork 0
mirror of https://github.com/dyzulk/trustlab-docs.git synced 2026-01-26 13:32:08 +07:00
Code Issues Packages Projects Releases Wiki Activity

doc: merge knowledge base into guide

Browse Source
This commit is contained in:
dyzulk
2026-01-08 19:27:50 +07:00
parent 097dfb6da9
commit 33d1dd6356
10 changed files with 46 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pages/guide/concepts/_meta.json Normal file
View File

@@ -0,0 +1,4 @@
{
"pki-intro": "What is PKI?",
"cert-types": "Certificate Types"
}

76
pages/guide/concepts/index.mdx Normal file
View File

@@ -0,0 +1,76 @@
import { Callout, Cards, Card } from 'nextra/components'
import { ShieldCheck, ShieldAlert, BadgeCheck, Lock } from 'lucide-react'
# PKI Fundamentals & Trust Context
Understanding the difference between **Private PKI** (TrustLab) and **Public PKI** (Let's Encrypt, DigiCert) is critical for using SSL/TLS effectively and safely.
## The Two Lanes of Trust
The internet security model is built on two distinct "lanes" of trust. Mixing them up causes errors, but using them correctly provides **Military-Grade Security**.
<Cards>
<Card icon={<ShieldCheck />} title="Public Lane (Global)" href="#1-public-pki" arrow />
<Card icon={<Lock />} title="Private Lane (Internal)" href="#2-private-pki-trustlab" arrow />
</Cards>
### 1. Public PKI
* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
* **Verification**: Requires you to own a public domain (e.g., `google.com`).
* **Limitation**: **Cannot** issue certificates for:
* Private IP Addresses (e.g., `192.168.1.50`).
* Internal Domain Names (e.g., `company.local`, `dev.internal`).
* Intranet servers behind a firewall.
### 2. Private PKI (TrustLab)
* **Issuer**: TrustLab Root CA (Your Organization).
* **Trust Model**: Trusted **ONLY** by devices that have installed your Root CA.
* **Strength**: Uses the **exact same math** (RSA-2048/4096, SHA-256) as Public CAs.
* **Superpower**: Can secure **ANYTHING**:
* Localhost (`localhost`).
* Database Servers (`10.0.0.5`).
* Development Environments.
* Internal APIs.
---
## Why "Military Grade"?
TrustLab utilizes **OpenSSL**, the same cryptographic core used by majority of the world's secure servers, banks, and military networks.
| Feature | TrustLab (Private) | Public CA (Paid) |
| :--- | :--- | :--- |
| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
| **Signature** | SHA-256 | SHA-256 |
| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
| **Global Trust** | ❌ (Manual Install Required) | ✅ (Pre-installed) |
| **Internal IPs** | ✅ Supported | ❌ Forbidden |
| **Cost** | **Free** | $400+/month (for Private CA) |
## Appropriate Use Cases
<Callout type="info" emoji={<BadgeCheck className="w-5 h-5" />}>
**The Golden Rule:**
Use **TrustLab** for anything the Public Internet CANNOT access.
Use **Public CAs** for anything the Public Internet MUST access.
</Callout>
### ✅ Perfect For (Green Lane)
* **Internal Tools**: Admin Panels, HR Portals, Dashboards.
* **Development**: Testing HTTPS on `localhost` or `dev.local`.
* **Databases**: Securing connection to MySQL/Postgres/Mongo.
* **IoT Devices**: Securing communication between sensors and local hubs.
* **S/MIME**: Encrypting email between employees.
### ❌ Do Not Use For (Red Lane)
* **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning.
* **Public Blogs/Websites**: Random visitors will not have your Root CA installed.
## The "Trust Split" Myth
There is **no conflict** between having TrustLab installed and visiting public websites.
* When you visit `google.com`, your browser uses the **Public Lane**.
* When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**.
They coexist peacefully, providing comprehensive security for your entire digital life.

26
pages/guide/concepts/pki-intro.mdx Normal file
View File

@@ -0,0 +1,26 @@
# What is PKI?
**Public Key Infrastructure (PKI)** is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, store, and revoke digital certificates.
## Core Concepts
### 1. Asymmetric Encryption
PKI relies on a pair of keys:
- **Public Key**: Shared with everyone. Used to encrypt data.
- **Private Key**: Kept secret. Used to decrypt data and *sign* digital assets.
### 2. The Chain of Trust
A certificate is only trusted if it is signed by a trusted issuer.
- **Root CA**: The anchor of trust. It signs itself (Self-Signed). You explicitly trust this on your device.
- **Intermediate CA**: Signed by Root CA. Used to sign End-Entity certificates for security.
- **End-Entity (Leaf)**: The certificate used on your Web Server or Email.
TrustLab manages this entire chain for your internal organization.
### 3. Why Internal PKI?
Using Public CAs (like Let's Encrypt) is great for public websites, but incompatible with:
- **Intranet IPs** (e.g., `10.0.0.1`).
- **Internal Domains** (e.g., `.local`, `.corp`).
- **VPN Services**.
TrustLab fills this gap by acting as your private authority.