chore: setup manual localization branch with sidebar fix

dyzulk
2026-01-09 07:50:24 +07:00
parent 0817284eae
commit 3441368552
55 changed files with 1238 additions and 170 deletions

15
pages/en/_meta.json Normal file

@@ -0,0 +1,15 @@
{
"index": {
"title": "Home",
"type": "page",
"display": "hidden"
},
"guide": {
"title": "User Guide",
"type": "page"
},
"developer": {
"title": "Developer API",
"type": "page"
}
}

@@ -0,0 +1,4 @@
{
"index": "Overview",
"endpoints": "Endpoints"
}

@@ -0,0 +1,16 @@
# Endpoints
## Certificates
### List Certificates
`GET /certificates`
### Request Certificate
`POST /certificates`
```json
{
"csr": "-----BEGIN CERTIFICATE REQUEST-----...",
"validity_days": 365
}
```
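Review bot: The Certificates section stops at `GET /certificates` and `POST /certificates`, while the Developer API overview added in this same commit promises revocation and retrieval too; either document those routes or narrow the overview. The `POST /certificates` body should also state the response shape, the error codes, and the accepted range for `validity_days`.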

@@ -0,0 +1,18 @@
# Developer API
Welcome to the TrustLab API documentation.
You can use our REST API to automate certificate issuance, revocation, and retrieval for your internal services.
## Base URL
```http
https://trustlab.dyzulk.com/api/v1
```
## Authentication
All API requests must include your API Key in the `Authorization` header.
```bash
Authorization: Bearer <YOUR_API_KEY>
```
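Review bot: The `Authorization: Bearer <YOUR_API_KEY>` block under Authentication is fenced as `bash`, but it is an HTTP header rather than a shell command, so `http` (or a full request example) is the right fence. The section also never says where an API key is created or how it is revoked, which a reader needs before the first call.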

@@ -0,0 +1,8 @@
{
"index": "Overview",
"getting-started": "Getting Started",
"concepts": "Core Concepts",
"certificates": "Certificate Operations",
"integrations": "Integrations",
"troubleshooting": "Troubleshooting"
}

@@ -0,0 +1,7 @@
{
"request-new": "Requesting a Certificate",
"view-details": "View Details",
"download-install": "Download & Formats",
"renewal": "Renewal Process",
"revocation": "Revocation"
}

@@ -0,0 +1,43 @@
# Download & Formats (PEM, PFX, JKS)
Once your certificate is issued, you can download it in various formats suitable for different servers and applications.
## Available Formats
| Format | Extension | Used For |
| :--- | :--- | :--- |
| **PEM (Nginx/Apache)** | `.crt`, `.key` | Standard Linux web servers. You get separate Certificate and Private Key files. |
| **PFX / PKCS#12** | `.pfx`, `.p12` | IIS (Windows), Microsoft Exchange, Client Certificates (S/MIME). Contains both key and cert. |
| **JKS (Java)** | `.jks` | Java applications (Tomcat, Spring Boot). |
## How to Download (Copy & Save)
The dashboard allows you to copy the raw certificate data directly.
1. Navigate to **"My Certificates"** and click the **View (Eye Icon)** button on your certificate.
2. **Certificate:** Scroll to the "Certificate (CRT)" section and click the **Copy Icon** in the top right. Paste this into a file named `domain.crt` or `domain.pem`.
3. **Private Key:** Scroll to the "Private Key (KEY)" section, click **Show**, then click the **Copy Icon**. Paste this into a file named `domain.key`.
> [!TIP]
> Use a plain text editor (Notepad, VS Code, Nano) to save these files. Do not use Word or Rich Text editors.
> [!WARNING]
> The **Private Key** is generated securely. If you lose it, you cannot recover it. You must revoke and re-issue the certificate.
## Installation Examples
### Nginx (PEM)
```nginx
server {
listen 443 ssl;
server_name internal.app;
ssl_certificate /etc/nginx/ssl/internal.app.crt;
ssl_certificate_key /etc/nginx/ssl/internal.app.key;
}
```
### Windows (PFX)
1. Double-click the downloaded `.pfx` file.
2. Follow the "Certificate Import Wizard".
3. When prompted for a password, enter the password you set during download (or the default export password provided in the UI).
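Review bot: The WARNING callout says a lost Private Key cannot be recovered, but the request and view-details pages in this commit say the key is stored and can be shown again at any time; one of the two statements has to change. The title and format table advertise PFX and JKS, yet "How to Download" only covers copying PEM text, and step 3 under Windows (PFX) relies on a "default export password provided in the UI" that is not described anywhere. Because step 3 of the download procedure has users paste the key into `domain.key`, a sentence on restricting that file's permissions belongs there.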

@@ -0,0 +1,29 @@
# Renewal Process
Certificates expire to ensure security rotation. TrustLab simplifies the renewal process so you don't experience downtime.
## When to Renew
You will receive an email notification:
- **30 days** before expiration.
- **7 days** before expiration.
- **1 day** before expiration.
## How to Renew (Manual Re-issue)
To renew a certificate, you simply generate a fresh one with the same domain name.
1. Go to **Certificates** and click **"Generate New"**.
2. **Identity**: Enter the **same Common Name (CN)** as your expiring certificate.
3. **Generate**: The system will issue a new certificate with a fresh validity period.
4. **Replace**: Download the new `.crt` (and `.key` if you didn't reuse the CSI) and replace the files on your server.
> [!NOTE]
> The old certificate will remain valid until it expires naturally. You can safely delete it after verifying the new one works.
## What Happens Next?
- A **new certificate** is generated with a new validity period.
- The **Private Key** remains the same (if "Reuse Key" was selected) OR a new key is generated (recommended).
- The old certificate remains valid until its original expiration date (unless revoked).
> [!IMPORTANT]
> You must **download and install the new certificate** on your server. Renewal **does not** happen automatically on the server side unless you use our ACME integration.
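Review bot: Step 4 under "How to Renew" reads "if you didn't reuse the CSI", which looks like a typo for CSR (or for the key). "What Happens Next?" also refers to a "Reuse Key" option that none of the four steps mention, so say where that choice is made, and add that a renewal prompted by suspected key compromise should not reuse the key.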

@@ -0,0 +1,53 @@
import { Steps, Callout, Cards, Card } from 'nextra/components'
import { FileBadge, ShieldCheck, Globe, Code, Save, AlertTriangle } from 'lucide-react'
# Requesting a New Certificate
TrustLab provides a streamlined wizard to generate private SSL/TLS certificates for your internal infrastructure.
## Prerequisites
Before starting, ensure you have:
* Active TrustLab account access.
* **Root CA** installed on your machine (to trust the generated certs).
---
<Steps>
### 1. Open Certificates Menu
Navigate to the **Certificates** page. This view lists all your active and expired certificates. Click the **"Generate New"** (or "+") button to start.
![Certificates List](/images/guide/certificates-screen.png)
### 2. Enter Domain Details (Default Mode)
By default, you only need to provide the Identity. The system will auto-fill the Organization & Location metadata.
![Default Generation Modal](/images/guide/certificates-generate-modal-default-metadata-screen.png)
* **Common Name (CN)**: The primary domain (e.g., `app.internal`).
* **SANs**: Additional domains or IP addresses.
* **Key Strength**: Choose the encryption level.
![Key Strength Selector](/images/guide/certificates-generate-modal-key-strength-focused-screen.png)
* **2048-bit**: Industry standard, compatible with all devices.
* **4096-bit**: Higher security, slightly more CPU intensive.
### 3. Customize CSR (Manual Control)
Toggle **"Manual Control"** if you need to override the default Identity fields (e.g., for a specific branch office or legal entity).
![Manual Control Modal](/images/guide/certificates-generate-modal-manual-control-screen.png)
* **Organization (O)**: Override the default company name.
* **Locality (L) / State (ST)**: Set specific location data.
* **Country (C)**: ISO Code.
### 4. Generate & Save
Click **Generate**.
* The **Certificate (.pem)** and **Private Key (.key)** will be generated.
* You can copy them immediately or access them later from the **Certificate Details** page.
<Callout type="info" emoji={<Save className="w-5 h-5" />}>
**Storage:** Your Private Key is securely stored. You can view it anytime by clicking **"View Details"** on the certificate list.
</Callout>
</Steps>
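Review bot: The two import lines pull in `Cards`, `Card`, `FileBadge`, `ShieldCheck`, `Globe`, `Code` and `AlertTriangle`, none of which the page uses; only `Steps`, `Callout` and `Save` are needed. The Storage callout in step 4 should also say who can read the stored Private Key and how it is protected at rest, since "securely stored" and "view it anytime" give an operator nothing to assess.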

@@ -0,0 +1,22 @@
# Revocation (Cabut Sertifikat)
Revocation invalidates a certificate before its expiration date. This is critical if a Private Key is compromised.
## When to Revoke?
- **Key Compromise**: You suspect someone stole your Private Key.
- **Service Change**: The domain name effectively no longer belongs to the service.
- **Mistake**: The certificate was issued with incorrect details.
## How to Remove / Revoke
If a certificate is compromised or no longer needed, you can remove it from the system.
1. Go to the **Certificates** list.
2. Identify the certificate to remove.
3. Click the **Trash Icon** (Delete) on the right side of the row.
4. **Confirm**: Type `DELETE` in the confirmation modal to permanently remove the certificate and its private key from TrustLab.
![Delete Certificate Action](/images/guide/certificates_list_view_1767869137654.png)
## CRL (Certificate Revocation List)
Once revoked, the certificate serial number is added to the TrustLab CRL. All clients checking the CRL will immediately reject the certificate.
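Review bot: The title "Revocation (Cabut Sertifikat)" leaves an Indonesian gloss in a file under `pages/en`; drop the parenthetical for the English locale. "How to Remove / Revoke" describes deleting the record with the Trash Icon, and the CRL section then treats that as revocation, so state explicitly that delete publishes the serial to the CRL. "All clients checking the CRL will immediately reject" overstates it: clients act on the CRL they last fetched, and the Trust Architecture page in this commit already hedges with "depending on client support for CRLs".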

@@ -0,0 +1,40 @@
import { Callout } from 'nextra/components'
import { ShieldAlert } from 'lucide-react'
# Viewing Certificate Details
After generating a certificate, you can view its full metadata, download the files, or retrieve the Private Key at any time.
## Certificate List
The main **Certificates** page lists all issuing certificates.
* **Status Indicators**: Quickly see if a cert is `Valid`, `Expired`, or `Revoked`.
* **Search**: Filter by Common Name or Serial Number.
![Certificate List](/images/guide/certificates_list_view_1767869137654.png)
## Details View
Clicking the **View Icon** (Eye) or the row opens the detailed management view.
![Certificate Management View](/images/guide/certificate_management_view_1767869044987.png)
### 1. Metadata
The top section displays critical information:
* **Validity Period**: Start and End dates.
* **Issuer**: The CA that signed this certificate.
* **Subject Info**: Organization, Location, and Country.
* **Key Strength**: 2048-bit or 4096-bit.
### 2. Certificate (CRT)
This text box contains the public certificate in **PEM format** (`-----BEGIN CERTIFICATE-----`).
* **Copy**: Click the **Copy Icon** to copy the full block.
* This is safe to share publicly.
### 3. Private Key (KEY)
This section contains your secret Private Key.
* **Hidden by Default**: The specific key content is blurred/hidden for security.
* **Show**: Click the **"Show"** button to reveal the key.
* **Copy**: Click the **Copy Icon** to retrieve it.
<Callout type="error" emoji={<ShieldAlert className="w-5 h-5" />}>
**Security Warning:** Never share your Private Key. Anyone with this key can impersonate your server.
</Callout>
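Review bot: Under "Certificate List", "lists all issuing certificates" should read "issued certificates"; an issuing certificate is a CA certificate, which is not what this list shows. The Metadata list also omits the Serial Number and SANs even though Search filters by Serial Number and the request wizard collects SANs.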

@@ -0,0 +1,4 @@
{
"pki-undamentals": "PKI Fundamentals",
"trust-architecture": "Trust Architecture"
}
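Review bot: The key `"pki-undamentals"` is missing the "f" in "fundamentals". The links elsewhere in this commit use the same misspelled slug, so the page resolves today, but the typo becomes a permanent URL once published; rename the file and key to `pki-fundamentals` and update the links in the same change.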

@@ -0,0 +1,83 @@
import { Callout, Cards, Card } from 'nextra/components'
import { ShieldCheck, ShieldAlert, BadgeCheck, Lock, Key, Link, CheckCircle2, XCircle } from 'lucide-react'
# PKI Fundamentals & Trust Context
**Public Key Infrastructure (PKI)** is the framework that allows secure communication over the internet. It relies on cryptographic keys and a chain of trust to verify identities.
## Core Concepts
Understanding these two mechanisms is essential to understanding how TrustLab works.
### 1. Asymmetric Encryption
Secure communication relies on a pair of keys:
* <Key className="inline w-4 h-4 mr-1"/> **Public Key**: Shared with everyone. Used to **encrypt** data.
* <Lock className="inline w-4 h-4 mr-1"/> **Private Key**: Kept secret. Used to **decrypt** data and **sign** digital assets.
### 2. The Chain of Trust
A certificate is only trusted if it is signed by a known authority. This forms a chain:
* **Root CA**: The trusted anchor. It signs itself. You must install this on your device to trust the chain.
* **Intermediate CA**: Signed by the Root CA. Used to sign day-to-day certificates for security.
* **Leaf Certificate**: The final certificate used on your Web Server or Email.
---
## The Two Lanes of Trust
The internet security model is built on two distinct "lanes". Mixing them up causes browser errors, but using them correctly provides **Military-Grade Security**.
<Cards>
<Card icon={<ShieldCheck />} title="Public Lane (Global)" href="#public-pki" arrow />
<Card icon={<Lock />} title="Private Lane (Internal)" href="#private-pki-trustlab" arrow />
</Cards>
### Public PKI
* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
* **Limitation**: **Cannot** issue certificates for Private IPs (`192.168.x.x`) or Internal Domains (`.local`, `.lan`).
### Private PKI (TrustLab)
* **Issuer**: TrustLab Root CA (Your Organization).
* **Trust Model**: Trusted **ONLY** by devices that have explicitly installed your Root CA.
* **Superpower**: Can secure **ANYTHING** internal (Localhost, Database Servers, IoT).
---
## Why "Military Grade"?
TrustLab utilizes **OpenSSL**, the same cryptographic core used by the world's highly secure networks.
| Feature | TrustLab (Private) | Public CA (Paid) |
| :--- | :--- | :--- |
| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
| **Signature** | SHA-256 | SHA-256 |
| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
| **Global Trust** | <XCircle className="inline w-4 h-4 text-red-500"/> (Manual Install) | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> (Pre-installed) |
| **Internal IPs** | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> Supported | <XCircle className="inline w-4 h-4 text-red-500"/> Forbidden |
| **Cost** | **Free** | $400+/month (Private CA) |
## Appropriate Use Cases
<Callout type="info" emoji={<BadgeCheck className="w-5 h-5" />}>
**The Golden Rule:**
Use **TrustLab** for anything the Public Internet CANNOT access.
Use **Public CAs** for anything the Public Internet MUST access.
</Callout>
### <CheckCircle2 className="inline w-5 h-5 text-green-500 mr-2"/> Perfect For (Green Lane)
* **Internal Tools**: Admin Panels, HR Portals, Dashboards.
* **Development**: Testing HTTPS on `localhost` or `dev.local`.
* **Databases**: Securing connections to MySQL/Postgres/Mongo.
* **S/MIME**: Encrypting email between internal employees.
### <XCircle className="inline w-5 h-5 text-red-500 mr-2"/> Do Not Use For (Red Lane)
* **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning.
* **Public Blogs/Websites**: Random visitors do not have your Root CA installed.
## The "Trust Split" Myth
There is **no conflict** between having TrustLab installed and visiting public websites.
* When you visit `google.com`, your browser uses the **Public Lane**.
* When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**.
They coexist peacefully, providing comprehensive security for your entire digital life.
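Review bot: "The 'Trust Split' Myth" says there is no conflict, but a trust store does not route by lane: once the TrustLab Root CA is installed, a certificate it signs for any name is accepted, public domains included, unless the root carries name constraints. The section should state that so readers understand what installing the root grants. Smaller points: the table column is headed "Public CA (Paid)" while the Public PKI list names Let's Encrypt, the "$400+/month" figure has no source, and `ShieldAlert` and `Link` are imported but unused.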

@@ -0,0 +1,56 @@
import { Callout, Steps } from 'nextra/components'
import { GitGraph, Shield, FileX, Network } from 'lucide-react'
# Trust Architecture
While the [Fundamentals](/guide/concepts/pki-undamentals) page explains *what* PKI is, this page explains *how* the hierarchy is structured to ensure security and scalability.
## The Hierarchy of Authority
TrustLab uses a standard **Three-Tier Architecture** (imulated in some modes) or a Two-Tier architecture to maximize security.
### 1. The Root CA (The Anchor)
* **Role**: The ultimate source of trust.
* **Behavior**: It signs **Intermediate CAs**. It almost **NEVER** signs end-user certificates directly.
* **Security**: If this key is stolen, the entire trust network is compromised. That is why in enterprise environments, the Root CA is often kept offline (air-gapped).
### 2. Intermediate CA (The Manager)
* **Role**: The working horse. It is trusted because the Root signed it.
* **Behavior**: It signs **Leaf Certificates** (for your servers).
* **Benefit**: If an Intermediate CA is compromised, you can revoke it using the Root CA without forcing every user to re-install the Root certificate.
### 3. Leaf Certificate (The Worker)
* **Role**: Validates a specific entity (e.g., `trustlab.local`, `api.internal`).
* **Behavior**: Cannot sign other certificates. It is valid only for a specific time (e.g., 397 days).
---
## The TLS Handshake (Simplified)
When you access `https://trustlab.local`, what actually happens?
<Steps>
### 1. Client Hello
Your browser sends a "Hello" to the server, listing supported encryption methods.
### 2. Server Hello & Certificate
The server responds with its **Leaf Certificate** AND the **Intermediate Certificate**. It does *not* send the Root.
### 3. Verification (The Chain Walk)
The browser looks at the Leaf. "Who signed you?" -> "Intermediate A".
The browser looks at Intermediate A. "Who signed you?" -> "Root CA".
The browser checks its **Local Trust Store**. "Do I have Root CA?"
* **Yes**: <span className="text-green-600 font-bold">Secure Connection Established</span>.
* **No**: <span className="text-red-500 font-bold">NET::ERR_CERT_AUTHORITY_INVALID</span>.
</Steps>
---
## Revocation (CRL & OCSP)
What happens if a private key is stolen *before* the certificate expires? Use Revocation.
* **CRL (Certificate Revocation List)**: A digital "Blacklist" file signed by the CA. Browsers download this list to check if a certificate is banned.
* **OCSP (Online Certificate Status Protocol)**: The browser asks the CA in real-time, "Is this specific serial number still good?".
TrustLab manages these mechanisms internally to ensure that if you delete a compromised certificate, it is effectively effectively untrusted (depending on client support for CRLs).
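Review bot: Two typos need fixing: "(imulated in some modes)" in "The Hierarchy of Authority" and "effectively effectively untrusted" in the final sentence. That first sentence also offers both a Three-Tier and a Two-Tier architecture without saying which one TrustLab deploys. `Callout` and all four lucide-react icons (`GitGraph`, `Shield`, `FileX`, `Network`) are imported but never used.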

@@ -0,0 +1,4 @@
{
"install-root-ca": "Install Root CA",
"access-dashboard": "Access Dashboard"
}

@@ -0,0 +1,96 @@
import { Callout, Steps, Cards, Card } from 'nextra/components'
import { Monitor, Smartphone, LayoutDashboard, Key, Shield, Info, Clock, AlertTriangle } from 'lucide-react'
# Accessing Dashboard
The **TrustLab Dashboard** is your central command center for managing certificates. Here you can request new certificates, download keys, and manage existing ones.
![TrustLab Login Interface](/images/guide/login-screen.png)
## Authentication Methods
We prioritize security by offering modern, passwordless authentication options.
<Cards>
<Card icon={<Shield className="w-6 h-6" />} title="SSO (Google / GitHub)" href="#1-single-sign-on-sso" arrow />
<Card icon={<Key className="w-6 h-6" />} title="Magic Link (Email)" href="#2-magic-link" arrow />
</Cards>
### 1. Single Sign-On (SSO)
The fastest way to log in. Click **Continue with Google** or **Continue with GitHub**.
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**SSO Behavior:**
* **Existing Users:** You can only Log In via SSO if your email address is already registered.
* **New Users:** You can **Register** a new account instantly by clicking the Social Login buttons on the *Sign In* or *Sign Up* page.
</Callout>
### 2. Magic Link
Secure, passwordless login via email.
<Steps>
### Enter Email
Input your registered email address in the login form and click **"Continue with Email"**.
### Check Inbox
You will receive an email with a unique, time-sensitive login link.
### Click to Verify
Click the **"Sign in to TrustLab"** button in the email. You will be instantly logged in to the dashboard.
</Steps>
<Callout type="warning" emoji={<Clock className="w-5 h-5" />}>
**Expiration:** Magic links are valid for **15 minutes** only. If it expires, simply request a new one by entering your email again.
</Callout>
## Dashboard Overview
Upon successful login, you will land on the main dashboard.
![TrustLab Dashboard Overview](/images/guide/dashboard-screen.png)
This central hub allows you to access:
* **Active Certificates**: View all valid certificates issued to you.
* **Request Certificate**: The wizard to generate a new Private Key and CSR.
* **Revocation**: Interface to mark lost or compromised certificates as invalid.
## Registration
New users can create an account to start managing certificates.
![TrustLab Registration Interface](/images/guide/register-screen.png)
<Steps>
### Option A: Social Registration (Instant)
1. Click **Continue with Google** or **Continue with GitHub**.
2. **Set Password:** First, ensure you have [**Installed the Root CA**](/guide/getting-started/install-root-ca) on your device.count.
![Set Password Screen](/images/guide/set-password-after-social-screen.png)
### Option B: Email Registration
1. Click **"Sign up"** or fill the form.
2. Provide your details and password.
3. **Verify Email:** Click the link sent to your inbox to activate.
</Steps>
## Password Recovery
If you lose access to your account, you can reset your password securely.
![TrustLab Forgot Password Interface](/images/guide/forgot-password-screen.png)
1. Click **"Forgot password?"** on the login screen.
2. Enter your registered email address.
3. Check your inbox for a password reset link.
4. Create a new password and log in.
## Troubleshooting
### I didn't receive the Magic Link
* **Check Spam/Junk**: It often lands there for corporate domains.
* **Wait 1-2 Minutes**: Email delivery can sometimes be delayed.
* **Whitelist Sender**: Add `@trustlab.dyzulk.com` to your email provider's **Safe Senders** list to prevent it from being blocked.
### Access Denied / User Not Found
* **Typos**: Double-check your email address.
* **Not Registered**: If you haven't created an account yet, please **Sign Up** first. You cannot log in via SSO if your email is not in our system (unless you use the Sign Up flow).
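Review bot: Step 2 of "Option A: Social Registration" is garbled: "**Set Password:** First, ensure you have Installed the Root CA on your device.count." mixes a Root CA prerequisite into the password step and ends in a stray "count." fragment, so the actual instruction is lost. The SSO Behavior callout also contradicts itself (existing users "can only Log In via SSO if your email address is already registered", yet new users can register with the same buttons on the Sign In page), and the page calls the login passwordless while requiring a password to be set. `Monitor`, `Smartphone`, `LayoutDashboard` and `AlertTriangle` are unused imports.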

@@ -0,0 +1,62 @@
import { Tabs, Steps, Cards, Card, Callout } from 'nextra/components'
import { Monitor, Smartphone, AlertTriangle, Info } from 'lucide-react'
# Installing Root CA
To ensure your browser trusts certificates issued by TrustLab, you must install our Root CA.
## Quick Installation (Bundle)
Instantly install **ALL** TrustLab Root & Intermediate certificates using our automated bundle scripts.
### Linux / Server (CLI)
Select your distribution to get the optimized installation command:
<Tabs items={['Debian/Ubuntu', 'RHEL/CentOS', 'Arch Linux', 'Universal']}>
<Tabs.Tab>
```bash
sudo apt update && sudo apt install -y curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
(sudo yum install -y curl || sudo dnf install -y curl) && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
sudo pacman -Sy --noconfirm curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
</Tabs>
### Windows & Apple Ecosystem
<Cards>
<Card icon={<Monitor className="w-6 h-6" />} title="Windows Bundle Installer (.bat)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.bat" arrow />
<Card icon={<Smartphone className="w-6 h-6" />} title="macOS / iOS Profile (.mobileconfig)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.mobileconfig" arrow />
</Cards>
<Callout type="warning" emoji={<AlertTriangle className="w-5 h-5" />}>
**Windows Users:** You **MUST** right-click the `.bat` file and select **"Run as Administrator"**. Double-clicking directly will likely fail due to permission restrictions.
</Callout>
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**Apple Users:** After downloading the profile, go to **System Settings > Privacy & Security > Profiles** to install it. For iOS, see the *Individual Installation* section below for detailed trust steps.
</Callout>
---
import { DynamicInstallationGuide } from '../../../../components/DynamicInstallationGuide'
## Individual Certificate Installation
If you need to install specific certificates individually (e.g. only Root, or specific Intermediate), use the live guide below.
<DynamicInstallationGuide />
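Review bot: All four Linux tabs run `curl -sL ... | sudo bash`, which executes an unverified remote script as root in order to install a trust anchor, with no checksum or fingerprint to compare against. Document a download, verify, then run sequence, publish the Root CA fingerprint on this page, and use `curl -fsSL` so an HTTP error page is never fed to the shell. The `import { DynamicInstallationGuide }` line sits mid-file after the `---` rule and should move up with the other imports; `Steps` is imported but unused.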

29
pages/en/guide/index.mdx Normal file

@@ -0,0 +1,29 @@
import { Cards, Card } from 'nextra/components'
import { BookOpen, ShieldCheck, Server, Mail, AlertTriangle, HardDriveDownload, Rocket } from 'lucide-react'
# TrustLab Documentation
Welcome to the **TrustLab User Guide**.
TrustLab is a private Certificate Authority (CA) designed to secure your internal infrastructure (Intranet, APIs, IoT, Databases) with SSL/TLS certificates.
## Quick Start
<Cards>
<Card icon={<Rocket />} title="Install Root CA" href="/guide/getting-started/install-root-ca" arrow />
<Card icon={<HardDriveDownload />} title="Generate Certificate" href="/guide/certificates/request-new" arrow />
<Card icon={<ShieldCheck />} title="Core Concepts (PKI)" href="/guide/concepts/pki-undamentals" arrow />
</Cards>
## Guide Structure
This documentation is organized as follows:
* [**Getting Started**](/guide/getting-started/install-root-ca): Setup Root CA and access the dashboard.
* [**Core Concepts**](/guide/concepts/pki-undamentals): Understand the "Two Lanes of Trust" (Public vs Private PKI).
* [**Certificate Operations**](/guide/certificates/request-new): Request, Download, Renew, and Revoke certificates.
* [**Integrations**](/guide/integrations/web-servers): Configure Nginx, IIS, and S/MIME.
* [**Troubleshooting**](/guide/troubleshooting/browser-errors): Resolve common browser errors like `NET::ERR_CERT_AUTHORITY_INVALID`.
## Why TrustLab?
TrustLab solves the "Not Secure" warnings on internal networks by providing a centralized, managed PKI that acts just like a Public CA (Let's Encrypt), but for your **Private Network**.
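Review bot: The lucide-react import brings in `BookOpen`, `Server`, `Mail` and `AlertTriangle`, none of which are used; only `Rocket`, `HardDriveDownload` and `ShieldCheck` appear in the cards. The Core Concepts card and list entry both link to `/guide/concepts/pki-undamentals`, so they need updating if the misspelled slug is corrected.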

@@ -0,0 +1,4 @@
{
"smime": "S/MIME for Email",
"web-servers": "Web Servers (Nginx/IIS)"
}

@@ -0,0 +1,78 @@
import { Steps, Callout, Tabs } from 'nextra/components'
import { Mail, BadgeAlert, ShieldCheck } from 'lucide-react'
# S/MIME Email Security
Secure/Multipurpose Internet Mail Extensions (S/MIME) allows you to **sign** (prove identity) and **encrypt** (protect content) email messages.
<Callout type="warning" emoji={<BadgeAlert className="w-5 h-5" />}>
**Internal Use Only:**
TrustLab certificates are private. If you send signed emails to **External Recipients** (e.g., Gmail, Yahoo), they will see an "Untrusted/Invalid Signature" warning because they do not trust the TrustLab Root CA.
**Use this for internal corporate communication only.**
</Callout>
## Setup Guide
## Configure Microsoft Outlook
<Tabs items={['Classic Outlook (Desktop)', 'New Outlook (Web Style)']}>
<Tabs.Tab>
**Supported Versions:** Outlook 365, 2019, 2016.
<Steps>
### 1. Open Trust Center
Go to **File > Options > Trust Center > Trust Center Settings**.
### 2. Email Security
Select **Email Security** from the left sidebar.
### 3. Import Certificate
Under *Encrypted Email*, click **Settings...**
* **Signing Certificate**: Click 'Choose' and select your TrustLab cert.
* **Encryption Certificate**: Same as above.
### 4. Save
Click **OK** to apply.
</Steps>
</Tabs.Tab>
<Tabs.Tab>
**Supported Versions:** New Outlook for Windows, OWA.
*Note: Requires S/MIME Control extension.*
<Steps>
### 1. Open Settings
Click the **Gear Icon** (Settings) in the top right.
### 2. S/MIME Menu
Navigate to **Mail > S/MIME**.
### 3. Enable
Enable **"Encrypt with S/MIME"** and select your certificate.
</Steps>
</Tabs.Tab>
</Tabs>
## Configure Thunderbird
**Version Requirement:** v115+ (Supernova) or newer.
<Steps>
### 1. Account Settings
Click the **Menu (≡)** button and select **Account Settings**.
### 2. End-to-End Encryption
Select your email account from the sidebar and click **End-to-End Encryption**.
### 3. Import Certificate
In the **S/MIME** section, click **Add** (or Manager) to import your `.p12` file.
### 4. Apply Certificate
Under *Select Certificate*, choose the imported file for both:
* **Digital Signing**
* **Encryption**
</Steps>
## How to Test
Send an email to a colleague who also has the Root CA installed. They should see a verified **Ribbon/Badge** icon indicating the email is trusted and unmodified.
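Review bot: `## Setup Guide` is an empty heading followed directly by `## Configure Microsoft Outlook` at the same level; remove it or demote the client sections beneath it. The Outlook steps start at selecting a certificate but never cover obtaining the `.p12`/`.pfx` or importing it into the Windows store, and the request wizard documented in this commit collects only domain names, so the page should say how a certificate bound to an email address is issued. `Mail` and `ShieldCheck` are unused imports.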

@@ -0,0 +1,76 @@
import { Tabs, Callout } from 'nextra/components'
import { Server, Globe, Shield } from 'lucide-react'
# Web Server Configuration
To enable HTTPS on your internal services, you need to configure your web server to use the certificates issued by TrustLab.
<Callout type="info" emoji={<Shield className="w-5 h-5" />}>
**Prerequisite:** Ensure you have downloaded the **PEM Bundle** (for Linux) or **PFX** (for Windows) as described in the [Download Guide](/guide/certificates/download-install).
</Callout>
## Configuration Examples
Select your web server environment below:
<Tabs items={['Nginx', 'Apache (httpd)', 'IIS (Windows)']}>
<Tabs.Tab>
### Nginx Setup
Target File: `/etc/nginx/sites-available/default` or `internal.app.conf`
```nginx
server {
listen 80;
server_name internal.app;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name internal.app;
# SSL Configuration
ssl_certificate /etc/ssl/trustlab/internal.app.crt;
ssl_certificate_key /etc/ssl/trustlab/internal.app.key;
# Recommended Security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
```
</Tabs.Tab>
<Tabs.Tab>
### Apache / HTTPD Setup
Target File: `/etc/httpd/conf.d/ssl.conf` or VHost file.
```apache
<VirtualHost *:443>
ServerName internal.app
DocumentRoot /var/www/html/internal
SSLEngine on
SSLCertificateFile "/path/to/internal.app.crt"
SSLCertificateKeyFile "/path/to/internal.app.key"
# Best Practice
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```
</Tabs.Tab>
<Tabs.Tab>
### IIS (Internet Information Services)
Requires the **.pfx** file format.
1. **Import Certificate**:
* Open **IIS Manager** > Click Server Node > **Server Certificates**.
* Click **Import...** (Actions pane).
* Select your `.pfx` file and enter the password.
2. **Bind to Site**:
* Go to **Sites** > Select your site (e.g., Default Web Site).
* Click **Bindings...** > **Add...**
* Type: `https` | Port: `443`.
* **SSL Certificate**: Select the certificate you just imported.
</Tabs.Tab>
</Tabs>
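Review bot: Both the Nginx `ssl_certificate` and the Apache `SSLCertificateFile` point at `internal.app.crt` with no mention of the intermediate, while the Trust Architecture page in this commit says the server sends the Leaf and the Intermediate; state that the file must contain the leaf followed by the intermediate, and define the "PEM Bundle" the Prerequisite callout refers to. Certificate paths also differ from the download page (`/etc/nginx/ssl/` there, `/etc/ssl/trustlab/` here), and newer nginx releases deprecate the `http2` parameter on `listen` in favour of `http2 on;`. `Server` and `Globe` are unused imports.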

@@ -0,0 +1,4 @@
{
"browser-errors": "Common Browser Errors",
"developer-tools": "CLI & Language Support"
}
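Review bot: The sidebar label `"developer-tools": "CLI & Language Support"` does not match the page's own H1, "CLI & Language Issues"; pick one so the navigation and the page title agree.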

@@ -0,0 +1,43 @@
import { Callout, Cards, Card } from 'nextra/components'
import { AlertTriangle, Globe, Calendar, XCircle, HelpCircle } from 'lucide-react'
# Common Browser Errors
When using internal certificates, browsers are very strict. Below are the most common error codes and how to resolve them.
### `NET::ERR_CERT_AUTHORITY_INVALID`
<Callout type="error" emoji={<AlertTriangle className="w-5 h-5" />}>
**The Logic:** The browser simply **does not know** the "TrustLab Root CA" that signed your website's certificate, so it assumes it's fake.
</Callout>
**Solution:**
You have not installed the Root CA on your device yet.
* [**Install Root CA Guide**](/guide/getting-started/install-root-ca)
---
### `NET::ERR_CERT_COMMON_NAME_INVALID`
<Callout type="warning" emoji={<Globe className="w-5 h-5" />}>
**The Logic:** You are visiting `app.local`, but the certificate was only issued for `api.local`. The names **do not match**.
</Callout>
**Solution:**
The domain is missing from the certificate's **SANs (Subject Alternative Names)**.
1. Click the **"Not Secure"** icon > **Certificate**.
2. Check the **DNS Name** or SAN field.
3. If missing, you must **[Generate a New Certificate](/guide/certificates/request-new)** that includes the correct domain.
---
### `NET::ERR_CERT_DATE_INVALID`
<Callout type="info" emoji={<Calendar className="w-5 h-5" />}>
**The Logic:** The certificate has expired, OR your computer's clock is set to the wrong date (past/future).
</Callout>
**Solution:**
1. Check your system clock first.
2. If the clock is correct, the certificate is truly expired.
3. **[Renew the Certificate](/guide/certificates/renewal)** immediately.
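Review bot: The `NET::ERR_CERT_AUTHORITY_INVALID` solution lists a missing Root CA as the only cause, but the same error appears when the server does not send the Intermediate certificate, which the Trust Architecture page says it must; add that as a second check. The error headings jump from `#` straight to `###`, and `Cards`, `Card`, `XCircle` and `HelpCircle` are imported but unused.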

@@ -0,0 +1,97 @@
import { Callout, Steps } from 'nextra/components'
import { Terminal, Code, Server, Download } from 'lucide-react'
# CLI & Language Issues
Even if you installed the Root CA on your operating system, many developer tools and programming languages **ignore the system store** and use their own.
<Callout type="info" emoji={<Download className="w-5 h-5" />}>
**Prerequisite:**
You must have the **`trustlab-root.crt`** file downloaded on your machine first.
[Download it here](/guide/getting-started/install-root-ca).
</Callout>
If your code or scripts are failing with certificate errors, check the solutions below.
## 1. cURL & Wget
Standard command-line tools often look for a specific bundle file.
### cURL
<Callout type="error" emoji={<Terminal className="w-5 h-5" />}>
`curl: (60) SSL certificate problem: unable to get local issuer certificate`
</Callout>
**Solution:**
Pass the Root CA explicitly:
```bash
curl --cacert /path/to/trustlab-root.crt https://your-domain.local
```
### Wget
**Solution:**
```bash
wget --ca-certificate=/path/to/trustlab-root.crt https://your-domain.local
```
---
## 2. Node.js / JavaScript
Node.js does not use the System Root CA by default.
<Callout type="error" emoji={<Server className="w-5 h-5" />}>
`Error: self signed certificate in certificate chain`
</Callout>
**Solution (Environment Variable):**
Set this variable before running your application. It works for most Node.js apps (npm, yarn, custom scripts).
```bash
export NODE_EXTRA_CA_CERTS="/path/to/trustlab-root.crt"
node server.js
```
---
## 3. Python (Requests/Pip)
Python's `requests` library (and `pip`) uses its own certificate bundle (`certifi`), ignoring Windows/macOS/Linux system stores.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed'))`
</Callout>
**Solution:**
Point to your Root CA using an environment variable.
```bash
export REQUESTS_CA_BUNDLE="/path/to/trustlab-root.crt"
python script.py
```
---
## 4. Java Applications
Java uses a proprietary "Keystore" (JKS) and typically **ignores** the Windows Certificate Store.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`sun.security.validator.ValidatorException: PKIX path building failed`
</Callout>
**Solution:**
You must import the TrustLab Root CA into the Java Keystore (cacerts).
<Steps>
### Locate standard cacerts
Usually at `$JAVA_HOME/lib/security/cacerts`.
### Import with keytool
```bash
keytool -import -trustcacerts -alias trustlab-root \
-file trustlab-root.crt \
-keystore "$JAVA_HOME/lib/security/cacerts"
```
*Default password is typically `changeit`.*
</Steps>
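Review bot: In section 3, `REQUESTS_CA_BUNDLE` replaces the `certifi` bundle rather than extending it, so pointing it at `trustlab-root.crt` alone makes requests to public HTTPS sites fail; say so and recommend a combined bundle. That differs from `NODE_EXTRA_CA_CERTS` in section 2, which adds to the defaults, and the contrast is worth one sentence. In section 4 the `keytool` command modifies the shared `cacerts` file, so note that it needs write access to the JDK directory and that the certificate fingerprint should be checked at the prompt before answering yes. The Prerequisite callout links to the install page for `trustlab-root.crt`, but that page only offers bundle scripts and profiles.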

3
pages/en/index.mdx Normal file

@@ -0,0 +1,3 @@
import { LandingPage } from '../../components/LandingPage'
<LandingPage />