refactor: migrate to flat-file i18n structure and fix relative imports

This commit is contained in:
dyzulk
2026-01-09 09:29:19 +07:00
parent 44d578f033
commit 545eb3648b
53 changed files with 17 additions and 27 deletions

View File

@@ -0,0 +1,8 @@
{
"index": "Panduan Pengguna",
"getting-started": "Mulai Cepat",
"concepts": "Konsep Inti",
"certificates": "Operasi Sertifikat",
"integrations": "Integrasi",
"troubleshooting": "Pemecahan Masalah"
}

8
pages/guide/_meta.json Normal file
View File

@@ -0,0 +1,8 @@
{
"index": "Overview",
"getting-started": "Getting Started",
"concepts": "Core Concepts",
"certificates": "Certificate Operations",
"integrations": "Integrations",
"troubleshooting": "Troubleshooting"
}

View File

@@ -0,0 +1,7 @@
{
"request-new": "Minta Sertifikat Baru",
"download-install": "Unduh & Format",
"view-details": "Lihat Detail",
"renewal": "Proses Perpanjangan",
"revocation": "Pencabutan (Revocation)"
}

View File

@@ -0,0 +1,7 @@
{
"request-new": "Requesting a Certificate",
"view-details": "View Details",
"download-install": "Download & Formats",
"renewal": "Renewal Process",
"revocation": "Revocation"
}
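
Review bot: The key order in this file differs from the Indonesian `_meta.json` for the same folder: here `view-details` comes before `download-install`, while the Indonesian file lists `download-install` second and `view-details` third. If the sidebar follows key order, the two locales will show the certificate pages in a different sequence. Suggest using one order in both files.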

View File

@@ -0,0 +1,43 @@
# Unduh & Format (PEM, PFX, JKS)
Setelah sertifikat Anda diterbitkan, Anda dapat mengunduhnya dalam berbagai format yang sesuai untuk server dan aplikasi yang berbeda.
## Format yang Tersedia
| Format | Ekstensi | Digunakan Untuk |
| :--- | :--- | :--- |
| **PEM (Nginx/Apache)** | `.crt`, `.key` | Server web Linux standar. Anda mendapatkan file Sertifikat dan Private Key terpisah. |
| **PFX / PKCS#12** | `.pfx`, `.p12` | IIS (Windows), Microsoft Exchange, Sertifikat Klien (S/MIME). Berisi key dan cert sekaligus. |
| **JKS (Java)** | `.jks` | Aplikasi Java (Tomcat, Spring Boot). |
## Cara Mengunduh (Salin & Simpan)
Dashboard memungkinkan Anda untuk menyalin data mentah sertifikat secara langsung.
1. Buka menu **"My Certificates"** dan klik tombol **View (Ikon Mata)** pada sertifikat Anda.
2. **Sertifikat:** Gulir ke bagian "Certificate (CRT)" dan klik **Ikon Salin** di pojok kanan atas. Simpan ke dalam file bernama `domain.crt` atau `domain.pem`.
3. **Private Key:** Gulir ke bagian "Private Key (KEY)", klik **Show**, lalu klik **Ikon Salin**. Simpan ke dalam file bernama `domain.key`.
> [!TIP]
> Gunakan editor teks murni (Notepad, VS Code, Nano) untuk menyimpan file-file ini. Jangan gunakan Word atau editor Rich Text.
> [!WARNING]
> **Private Key** dihasilkan secara aman secara lokal di browser/server. Jika Anda menghilangkannya, kunci tersebut **TIDAK BISA** dipulihkan. Anda harus melakukan revoke dan menerbitkan ulang sertifikat.
## Contoh Instalasi
### Nginx (PEM)
```nginx
server {
listen 443 ssl;
server_name internal.app;
ssl_certificate /etc/nginx/ssl/internal.app.crt;
ssl_certificate_key /etc/nginx/ssl/internal.app.key;
}
```
### Windows (PFX)
1. Klik dua kali file `.pfx` yang diunduh.
2. Ikuti "Certificate Import Wizard".
3. Saat diminta kata sandi, masukkan kata sandi yang Anda tetapkan saat mengunduh (atau kata sandi ekspor default yang disediakan di UI).
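
Review bot: The WARNING says the Private Key is generated "secara lokal di browser/server" and cannot be recovered if lost, which is both ambiguous about where the key is created and at odds with the Indonesian request-new page in this commit, whose callout says the key is stored encrypted on the server and can be viewed at any time. The English WARNING only says "generated securely", so the translations also disagree. Suggest stating once, in both locales, where the key is generated, whether TrustLab keeps a copy, and what the user can and cannot retrieve later.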

View File

@@ -0,0 +1,43 @@
# Download & Formats (PEM, PFX, JKS)
Once your certificate is issued, you can download it in various formats suitable for different servers and applications.
## Available Formats
| Format | Extension | Used For |
| :--- | :--- | :--- |
| **PEM (Nginx/Apache)** | `.crt`, `.key` | Standard Linux web servers. You get separate Certificate and Private Key files. |
| **PFX / PKCS#12** | `.pfx`, `.p12` | IIS (Windows), Microsoft Exchange, Client Certificates (S/MIME). Contains both key and cert. |
| **JKS (Java)** | `.jks` | Java applications (Tomcat, Spring Boot). |
## How to Download (Copy & Save)
The dashboard allows you to copy the raw certificate data directly.
1. Navigate to **"My Certificates"** and click the **View (Eye Icon)** button on your certificate.
2. **Certificate:** Scroll to the "Certificate (CRT)" section and click the **Copy Icon** in the top right. Paste this into a file named `domain.crt` or `domain.pem`.
3. **Private Key:** Scroll to the "Private Key (KEY)" section, click **Show**, then click the **Copy Icon**. Paste this into a file named `domain.key`.
> [!TIP]
> Use a plain text editor (Notepad, VS Code, Nano) to save these files. Do not use Word or Rich Text editors.
> [!WARNING]
> The **Private Key** is generated securely. If you lose it, you cannot recover it. You must revoke and re-issue the certificate.
## Installation Examples
### Nginx (PEM)
```nginx
server {
listen 443 ssl;
server_name internal.app;
ssl_certificate /etc/nginx/ssl/internal.app.crt;
ssl_certificate_key /etc/nginx/ssl/internal.app.key;
}
```
### Windows (PFX)
1. Double-click the downloaded `.pfx` file.
2. Follow the "Certificate Import Wizard".
3. When prompted for a password, enter the password you set during download (or the default export password provided in the UI).
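
Review bot: The format table lists PFX and JKS, but "How to Download" only covers copying PEM text for the certificate and key; nothing explains how a `.pfx` or `.jks` file is produced, although the Windows section starts from "the downloaded `.pfx` file". Step 3 there also refers to "the default export password provided in the UI"; if that default is the same for every export, it gives the bundled private key little protection, so suggest requiring a user-chosen password or documenting how the default is generated. It would also help to tell readers to save `domain.key` with owner-only permissions.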

View File

@@ -0,0 +1,60 @@
import { Steps } from 'nextra/components'
import { RefreshCcw, Bell, ShieldCheck } from 'lucide-react'
# Proses Perpanjangan
Sertifikat SSL/TLS memiliki masa aktif yang terbatas. Di TrustLab, kami menyederhanakan proses perpanjangan (renewal) untuk memastikan layanan Anda tetap berjalan tanpa gangguan.
## Kapan Harus Memperpanjang?
- **Rekomendasi**: Lakukan perpanjangan **30 hari** sebelum sertifikat kadaluarsa.
- **Notifikasi**: TrustLab akan mengirimkan pengingat email otomatis ke akun Anda pada H-30, H-7, dan H-1 sebelum masa berlaku habis.
---
## Proses Pembaruan
Sertifikat memiliki masa berlaku untuk menjamin rotasi keamanan. TrustLab menyederhanakan proses pembaruan agar Anda tidak mengalami downtime.
## Kapan Harus Memperbarui?
Anda akan menerima notifikasi email:
- **30 hari** sebelum kedaluwarsa.
- **7 hari** sebelum kedaluwarsa.
- **1 hari** sebelum kedaluwarsa.
## Cara Memperbarui (Penerbitan Ulang Manual)
Untuk memperbarui sertifikat, Anda cukup membuat sertifikat baru dengan nama domain yang sama.
<Steps>
### Buka Dashboard
Login ke [trustlab.dyzulk.com](https://trustlab.dyzulk.com) dan masuk ke menu **"Manage Certificates"**.
1. Buka menu **Certificates** dan klik **"Generate New"**.
2. **Identity**: Masukkan **Common Name (CN) yang sama** dengan sertifikat Anda yang akan habis masa berlakunya.
3. **Generate**: Sistem akan menerbitkan sertifikat baru dengan masa berlaku yang segar.
4. **Ganti**: Unduh `.crt` baru (dan `.key` jika Anda tidak menggunakan kembali CSR) dan ganti file di server Anda.
</Steps>
> [!NOTE]
> Sertifikat lama akan tetap valid sampai habis masa berlakunya secara alami. Anda dapat menghapusnya dengan aman setelah memastikan sertifikat baru berfungsi.
## Apa yang Terjadi Selanjutnya?
- **Sertifikat baru** dihasilkan dengan masa berlaku baru.
- **Private Key** tetap sama (jika "Reuse Key" dipilih) ATAU kunci baru dihasilkan (disarankan).
- Sertifikat lama tetap valid hingga tanggal kedaluwarsa aslinya (kecuali dicabut).
> [!IMPORTANT]
> Anda harus **mengunduh dan menginstal sertifikat baru** di server Anda. Pembaruan **tidak terjadi otomatis** di sisi server kecuali Anda menggunakan integrasi ACME kami.
---
## Penting: Mengapa Harus Perpanjang?
Jika sertifikat kadaluarsa sebelum diganti:
- Browser akan memblokir akses ke situs Anda dengan pesan **"Your connection is not private"**.
- API internal akan gagal melakukan enkripsi (SSL Handshake Error).
- Pengguna akan kehilangan kepercayaan terhadap keamanan jaringan Anda.
> [!TIP]
> Perpanjangan di TrustLab tidak mengubah Root CA Anda. Anda **tidak perlu** menginstal ulang Root CA di perangkat klien setiap kali Anda memperpanjang sertifikat server.
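
Review bot: This file appears to hold two drafts of the same page. "# Proses Perpanjangan" with "## Kapan Harus Memperpanjang?" is followed by "## Proses Pembaruan" and "## Kapan Harus Memperbarui?", which repeat the intro and the 30/7/1 day reminder schedule. Inside `<Steps>` there is a single "### Buka Dashboard" heading that points to "Manage Certificates", followed by a numbered list that starts from the "Certificates" menu. Suggest keeping one version aligned with the English page, using one menu name, and dropping the `RefreshCcw, Bell, ShieldCheck` import, none of which is used in the lines shown.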

View File

@@ -0,0 +1,29 @@
# Renewal Process
Certificates expire to ensure security rotation. TrustLab simplifies the renewal process so you don't experience downtime.
## When to Renew
You will receive an email notification:
- **30 days** before expiration.
- **7 days** before expiration.
- **1 day** before expiration.
## How to Renew (Manual Re-issue)
To renew a certificate, you simply generate a fresh one with the same domain name.
1. Go to **Certificates** and click **"Generate New"**.
2. **Identity**: Enter the **same Common Name (CN)** as your expiring certificate.
3. **Generate**: The system will issue a new certificate with a fresh validity period.
4. **Replace**: Download the new `.crt` (and `.key` if you didn't reuse the CSI) and replace the files on your server.
> [!NOTE]
> The old certificate will remain valid until it expires naturally. You can safely delete it after verifying the new one works.
## What Happens Next?
- A **new certificate** is generated with a new validity period.
- The **Private Key** remains the same (if "Reuse Key" was selected) OR a new key is generated (recommended).
- The old certificate remains valid until its original expiration date (unless revoked).
> [!IMPORTANT]
> You must **download and install the new certificate** on your server. Renewal **does not** happen automatically on the server side unless you use our ACME integration.
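
Review bot: Step 4 says "if you didn't reuse the CSI"; the Indonesian page says CSR, and the "What Happens Next?" list refers to a "Reuse Key" option, so this should probably read "CSR" or "key". The steps also never show where "Reuse Key" is selected, even though the list marks generating a new key as recommended; suggest adding that choice to step 2 or 3.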

View File

@@ -0,0 +1,51 @@
import { Steps, Callout, Cards, Card } from 'nextra/components'
import { FileBadge, ShieldCheck, Globe, Code, Save, AlertTriangle } from 'lucide-react'
# Menerbitkan Sertifikat Baru
TrustLab menyediakan wizard yang disederhanakan untuk menghasilkan sertifikat SSL/TLS pribadi untuk infrastruktur internal Anda.
## Prasyarat
Sebelum memulai, pastikan Anda memiliki:
* Akses akun TrustLab yang aktif.
* **Root CA** telah terinstal di perangkat Anda (agar mempercayai sertifikat yang diterbitkan).
---
<Steps>
### 1. Buka Menu Sertifikat
Akses halaman **Certificates**. Tampilan ini mencantumkan semua sertifikat aktif dan kedaluwarsa Anda. Klik tombol **"Generate New"** (atau "+") untuk memulai.
![Certificates List](/images/guide/certificates-screen.png)
### 2. Masukkan Detail Domain (Mode Default)
Secara default, Anda hanya perlu memberikan Identitas. Sistem akan mengisi otomatis metadata Organisasi & Lokasi.
![Default Generation Modal](/images/guide/certificates-generate-modal-default-metadata-screen.png)
* **Common Name (CN)**: Domain utama (misalnya, `app.internal`).
* **SANs**: Domain tambahan atau alamat IP.
* **Key Strength**: Pilih tingkat enkripsi.
![Key Strength Selector](/images/guide/certificates-generate-modal-key-strength-focused-screen.png)
* **2048-bit**: Standar industri, kompatibel dengan semua perangkat.
* **4096-bit**: Keamanan lebih tinggi, sedikit lebih intensif pada CPU.
### 3. Kustomisasi CSR (Kontrol Manual)
Aktifkan **"Manual Control"** jika Anda perlu menimpa bidang Identitas default (misalnya, untuk kantor cabang tertentu atau entitas hukum khusus).
![Manual Control Modal](/images/guide/certificates-generate-modal-manual-control-screen.png)
* **Organization (O)**: Ganti nama perusahaan default.
* **Locality (L) / State (ST)**: Atur data lokasi spesifik.
* **Country (C)**: Kode ISO Negara.
### 4. Terbitkan & Simpan
Klik **Generate**.
* **Certificate (.pem)** dan **Private Key (.key)** akan dihasilkan secara instan.
* Anda dapat menyalinnya segera atau mengaksesnya nanti dari halaman **Certificate Details**.
<Callout type="info" emoji={<Save className="w-5 h-5" />}>
**Penyimpanan:** Private Key Anda disimpan dengan aman di server (dienkripsi). Anda dapat melihatnya kapan saja dengan mengklik **"View Details"** pada daftar sertifikat.
</Callout>
</Steps>
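
Review bot: The import lines bring in `Cards`, `Card`, `FileBadge`, `ShieldCheck`, `Globe`, `Code` and `AlertTriangle`, but the lines shown only use `Steps`, `Callout` and `Save`; suggest trimming the imports to what the page renders. The storage callout here also says the key is kept on the server "(dienkripsi)", while the English callout only says "securely stored", so the two locales make different claims about how the key is protected.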

View File

@@ -0,0 +1,53 @@
import { Steps, Callout, Cards, Card } from 'nextra/components'
import { FileBadge, ShieldCheck, Globe, Code, Save, AlertTriangle } from 'lucide-react'
# Requesting a New Certificate
TrustLab provides a streamlined wizard to generate private SSL/TLS certificates for your internal infrastructure.
## Prerequisites
Before starting, ensure you have:
* Active TrustLab account access.
* **Root CA** installed on your machine (to trust the generated certs).
---
<Steps>
### 1. Open Certificates Menu
Navigate to the **Certificates** page. This view lists all your active and expired certificates. Click the **"Generate New"** (or "+") button to start.
![Certificates List](/images/guide/certificates-screen.png)
### 2. Enter Domain Details (Default Mode)
By default, you only need to provide the Identity. The system will auto-fill the Organization & Location metadata.
![Default Generation Modal](/images/guide/certificates-generate-modal-default-metadata-screen.png)
* **Common Name (CN)**: The primary domain (e.g., `app.internal`).
* **SANs**: Additional domains or IP addresses.
* **Key Strength**: Choose the encryption level.
![Key Strength Selector](/images/guide/certificates-generate-modal-key-strength-focused-screen.png)
* **2048-bit**: Industry standard, compatible with all devices.
* **4096-bit**: Higher security, slightly more CPU intensive.
### 3. Customize CSR (Manual Control)
Toggle **"Manual Control"** if you need to override the default Identity fields (e.g., for a specific branch office or legal entity).
![Manual Control Modal](/images/guide/certificates-generate-modal-manual-control-screen.png)
* **Organization (O)**: Override the default company name.
* **Locality (L) / State (ST)**: Set specific location data.
* **Country (C)**: ISO Code.
### 4. Generate & Save
Click **Generate**.
* The **Certificate (.pem)** and **Private Key (.key)** will be generated.
* You can copy them immediately or access them later from the **Certificate Details** page.
<Callout type="info" emoji={<Save className="w-5 h-5" />}>
**Storage:** Your Private Key is securely stored. You can view it anytime by clicking **"View Details"** on the certificate list.
</Callout>
</Steps>
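
Review bot: Step 2 describes SANs as "Additional domains or IP addresses", which leaves open whether the Common Name is also written into the SAN extension. Current browsers match hostnames against the SAN entries and ignore the CN, so a certificate that carries the name only in the CN will fail validation. Suggest stating that the wizard copies the CN into the SANs automatically, or telling the user to enter it there as well.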

View File

@@ -0,0 +1,22 @@
# Pencabutan (Revocation)
Pencabutan membatalkan validitas sertifikat sebelum tanggal kedaluwarsanya. Ini sangat penting jika Private Key Anda bocor atau hilang.
## Kapan Harus Mencabut?
- **Kebocoran Kunci (Key Compromise)**: Anda curiga seseorang telah mencuri Private Key Anda.
- **Perubahan Layanan**: Nama domain secara efektif tidak lagi menjadi milik layanan tersebut.
- **Kesalahan**: Sertifikat diterbitkan dengan detail yang salah.
## Cara Menghapus / Mencabut
Jika sertifikat bocor atau tidak lagi dibutuhkan, Anda dapat menghapusnya dari sistem.
1. Buka daftar **Certificates**.
2. Cari sertifikat yang ingin dihapus.
3. Klik **Ikon Tempat Sampah** (Delete) di sisi kanan baris.
4. **Konfirmasi**: Ketik `DELETE` di modal konfirmasi untuk menghapus sertifikat dan private key-nya secara permanen dari TrustLab.
![Delete Certificate Action](/images/guide/certificates_list_view_1767869137654.png)
## CRL (Certificate Revocation List)
Setelah dicabut, nomor seri sertifikat akan ditambahkan ke TrustLab CRL. Semua klien yang memeriksa CRL akan segera menolak sertifikat tersebut.
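
Review bot: The section "Cara Menghapus / Mencabut" treats deleting and revoking as one action: the steps end with typing `DELETE` to permanently remove the certificate and its private key from TrustLab, and the CRL section then opens with "Setelah dicabut". The renewal page in this commit tells users they can safely delete an old certificate that "tetap valid" until expiry, which suggests deletion alone does not revoke. Suggest stating explicitly whether the Delete action adds the serial number to the CRL, and if not, documenting the separate revoke step.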

View File

@@ -0,0 +1,22 @@
# Revocation (Cabut Sertifikat)
Revocation invalidates a certificate before its expiration date. This is critical if a Private Key is compromised.
## When to Revoke?
- **Key Compromise**: You suspect someone stole your Private Key.
- **Service Change**: The domain name effectively no longer belongs to the service.
- **Mistake**: The certificate was issued with incorrect details.
## How to Remove / Revoke
If a certificate is compromised or no longer needed, you can remove it from the system.
1. Go to the **Certificates** list.
2. Identify the certificate to remove.
3. Click the **Trash Icon** (Delete) on the right side of the row.
4. **Confirm**: Type `DELETE` in the confirmation modal to permanently remove the certificate and its private key from TrustLab.
![Delete Certificate Action](/images/guide/certificates_list_view_1767869137654.png)
## CRL (Certificate Revocation List)
Once revoked, the certificate serial number is added to the TrustLab CRL. All clients checking the CRL will immediately reject the certificate.
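
Review bot: The closing sentence says clients checking the CRL "will immediately reject the certificate", which is stronger than the Trust Architecture page in this commit, where the same behaviour is qualified with "depending on client support for CRLs". Clients normally keep using a cached CRL until its next update time, so rejection is not immediate. Suggest wording such as "will reject the certificate once they have fetched the updated CRL". The H1 of this English page also still carries the Indonesian "(Cabut Sertifikat)".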

View File

@@ -0,0 +1,42 @@
import { Steps } from 'nextra/components'
import { Search, Eye, Clipboard, ShieldAlert } from 'lucide-react'
# Lihat Detail Sertifikat
Setiap sertifikat di TrustLab memiliki metadata lengkap yang bisa Anda audit kapan saja untuk memastikan kesesuaian identitas dan keamanan.
## Cara Melihat Detail
<Steps>
### Navigasi ke List
Di menu utama Dashboard, klik **"Manage Certificates"**. Anda akan melihat daftar semua sertifikat yang pernah diterbitkan.
### Klik Ikon Mata
Gunakan kolom pencarian untuk menemukan domain Anda. Klik tombol **"View Details"** (ikon mata 👁️) di sisi kanan baris sertifikat.
### Tinjau Tab Informasi
Anda akan melihat detail seperti:
- **Serial Number**: ID unik sertifikat Anda.
- **Validity period**: Tanggal mulai dan berakhir.
- **Issuer**: CA mana yang menandatangani (TrustLab Intermediate).
- **Public Key Info**: Algoritma yang digunakan (RSA 2048/4096).
</Steps>
---
## Audit Metadata
Penting untuk memeriksa detail berikut secara berkala:
- **Thumbprint (SHA-1/SHA-256)**: Gunakan fingerprint ini untuk memverifikasi apakah sertifikat yang terpasang di server benar-benar yang Anda terbitkan dari TrustLab.
- **Subject Alternative Names (SAN)**: Pastikan semua alias domain yang dibutuhkan sudah terdaftar di sini.
- **Status**: Pastikan statusnya **Valid** (hijau). Jika warnanya merah, berarti sertifikat telah kadaluarsa atau dicabut.
---
## Keamanan Data Detail
Meskipun detail sertifikat (Public) aman untuk dilihat, tim TrustLab menyarankan untuk membatasi akses ke dashboard hanya untuk admin sistem yang berkepentingan untuk mencegah kebocoran informasi topologi jaringan.
> [!TIP]
> Anda bisa menyalin (copy) Serial Number secara cepat melalui tombol clipboard di samping teks untuk keperluan dokumentasi internal atau konfigurasi firewall.
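
Review bot: This page does not line up with its English counterpart: it sends the user to "Manage Certificates" where the English page says "Certificates", and it has no equivalent of the English "Private Key (KEY)" section or its security warning. In "Audit Metadata", "Thumbprint (SHA-1/SHA-256)" offers SHA-1 for confirming that the installed certificate is the one issued; suggest recommending the SHA-256 fingerprint for that comparison. The `Search, Eye, Clipboard, ShieldAlert` import is unused in the lines shown.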

View File

@@ -0,0 +1,40 @@
import { Callout } from 'nextra/components'
import { ShieldAlert } from 'lucide-react'
# Viewing Certificate Details
After generating a certificate, you can view its full metadata, download the files, or retrieve the Private Key at any time.
## Certificate List
The main **Certificates** page lists all issuing certificates.
* **Status Indicators**: Quickly see if a cert is `Valid`, `Expired`, or `Revoked`.
* **Search**: Filter by Common Name or Serial Number.
![Certificate List](/images/guide/certificates_list_view_1767869137654.png)
## Details View
Clicking the **View Icon** (Eye) or the row opens the detailed management view.
![Certificate Management View](/images/guide/certificate_management_view_1767869044987.png)
### 1. Metadata
The top section displays critical information:
* **Validity Period**: Start and End dates.
* **Issuer**: The CA that signed this certificate.
* **Subject Info**: Organization, Location, and Country.
* **Key Strength**: 2048-bit or 4096-bit.
### 2. Certificate (CRT)
This text box contains the public certificate in **PEM format** (`-----BEGIN CERTIFICATE-----`).
* **Copy**: Click the **Copy Icon** to copy the full block.
* This is safe to share publicly.
### 3. Private Key (KEY)
This section contains your secret Private Key.
* **Hidden by Default**: The specific key content is blurred/hidden for security.
* **Show**: Click the **"Show"** button to reveal the key.
* **Copy**: Click the **Copy Icon** to retrieve it.
<Callout type="error" emoji={<ShieldAlert className="w-5 h-5" />}>
**Security Warning:** Never share your Private Key. Anyone with this key can impersonate your server.
</Callout>
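
Review bot: In "Certificate List", "lists all issuing certificates" reads as CA certificates, while the status and search bullets describe the user's own certificates; "issued certificates" is probably what is meant. The intro and section 3 also say the Private Key can be retrieved at any time, which conflicts with the Download & Formats WARNING in this commit ("If you lose it, you cannot recover it"); one of the two statements needs correcting.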

View File

@@ -0,0 +1,4 @@
{
"pki-fundamentals": "Dasar-Dasar PKI",
"trust-architecture": "Arsitektur Kepercayaan"
}

View File

@@ -0,0 +1,4 @@
{
"pki-undamentals": "PKI Fundamentals",
"trust-architecture": "Trust Architecture"
}
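
Review bot: The first key is `pki-undamentals`, missing the "f"; the Indonesian `_meta.json` for this folder uses `pki-fundamentals`. The Trust Architecture page in this commit links to `/guide/concepts/pki-undamentals`, so the misspelling has already propagated. Suggest correcting the key here, the link there, and the page file name if it carries the same spelling.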

View File

@@ -0,0 +1,58 @@
import { Steps } from 'nextra/components'
import { Shield, Key, Lock, Globe } from 'lucide-react'
# Dasar-Dasar PKI
Memahami cara kerja **Public Key Infrastructure (PKI)** sangat penting untuk mengelola keamanan jaringan internal Anda. TrustLab menyederhanakan konsep kompleks ini menjadi alur kerja yang mudah dikelola.
## Apa itu PKI?
PKI adalah kerangka kerja yang terdiri dari peran, kebijakan, perangkat lunak, dan perangkat keras yang digunakan untuk membuat, mengelola, mendistribusikan, menggunakan, menyimpan, dan mencabut sertifikat digital.
---
## Komponen Utama TrustLab
TrustLab mengelola tiga pilar utama keamanan untuk Anda:
### 1. Root Certificate Authority (CA)
Akar dari kepercayaan di seluruh jaringan Anda. Root CA digunakan untuk menandatangani sertifikat lain di bawahnya. Jika perangkat mempercayai Root CA ini, mereka akan mempercayai semua sertifikat yang diterbitkannya.
### 2. Intermediate CA
Digunakan oleh TrustLab untuk operasional sehari-hari. Kami tidak menggunakan Root CA langsung untuk menandatangani sertifikat pengguna akhir (end-entity) demi alasan keamanan (isolasi).
### 3. Sertifikat Pengguna Akhir
Sertifikat SSL/TLS yang Anda pasang di server web, perangkat IoT, atau klien email. Inilah yang sebenarnya "mengamankan" koneksi Anda.
---
## Cara Kerja Kepercayaan (Trust)
Bagaimana browser Anda tahu bahwa sebuah situs web itu aman?
<Steps>
### Instalasi Akar
Administrator menginstal Root CA TrustLab ke sistem trust store Anda.
### Pengenalan Sertifikat
Saat Anda mengakses situs internal, server menyajikan sertifikatnya.
### Verifikasi Rantai
Browser memeriksa: "Apakah sertifikat ini ditandatangani oleh pemegang yang saya percayai (Root CA)?"
### Koneksi Aman
Jika rantai valid, gembok hijau muncul dan enkripsi data dimulai.
</Steps>
---
## Mengapa PKI Privat?
Mungkin Anda bertanya, kenapa tidak menggunakan CA publik seperti Let's Encrypt?
1. **Domain Non-Publik**: CA publik tidak bisa mengeluarkan sertifikat untuk `.local` atau `.internal`.
2. **Kontrol Penuh**: Anda menentukan masa berlaku, algoritma enkripsi, dan siapa yang berhak mendapatkan sertifikat.
3. **Tanpa Validasi DNS**: Karena ini internal, Anda tidak perlu membuktikan kepemilikan domain ke pihak luar.
> [!IMPORTANT]
> Keamanan PKI privat Anda bergantung sepenuhnya pada **kerahasiaan Private Key Root CA**. TrustLab menyimpan key ini dengan enkripsi kuat untuk memastikan integritas jaringan Anda.
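
Review bot: The "Verifikasi Rantai" step has the browser asking whether the certificate was signed by the Root CA, but section 2 on this page says end-entity certificates are signed by the Intermediate CA and not by the Root. Suggest describing the check as a walk from the leaf through the Intermediate to the Root, as the English Trust Architecture page does. The English version of this page covers different material (the two lanes, the comparison table), so the two translations should be reconciled.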

View File

@@ -0,0 +1,83 @@
import { Callout, Cards, Card } from 'nextra/components'
import { ShieldCheck, ShieldAlert, BadgeCheck, Lock, Key, Link, CheckCircle2, XCircle } from 'lucide-react'
# PKI Fundamentals & Trust Context
**Public Key Infrastructure (PKI)** is the framework that allows secure communication over the internet. It relies on cryptographic keys and a chain of trust to verify identities.
## Core Concepts
Understanding these two mechanisms is essential to understanding how TrustLab works.
### 1. Asymmetric Encryption
Secure communication relies on a pair of keys:
* <Key className="inline w-4 h-4 mr-1"/> **Public Key**: Shared with everyone. Used to **encrypt** data.
* <Lock className="inline w-4 h-4 mr-1"/> **Private Key**: Kept secret. Used to **decrypt** data and **sign** digital assets.
### 2. The Chain of Trust
A certificate is only trusted if it is signed by a known authority. This forms a chain:
* **Root CA**: The trusted anchor. It signs itself. You must install this on your device to trust the chain.
* **Intermediate CA**: Signed by the Root CA. Used to sign day-to-day certificates for security.
* **Leaf Certificate**: The final certificate used on your Web Server or Email.
---
## The Two Lanes of Trust
The internet security model is built on two distinct "lanes". Mixing them up causes browser errors, but using them correctly provides **Military-Grade Security**.
<Cards>
<Card icon={<ShieldCheck />} title="Public Lane (Global)" href="#public-pki" arrow />
<Card icon={<Lock />} title="Private Lane (Internal)" href="#private-pki-trustlab" arrow />
</Cards>
### Public PKI
* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services.
* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default.
* **Limitation**: **Cannot** issue certificates for Private IPs (`192.168.x.x`) or Internal Domains (`.local`, `.lan`).
### Private PKI (TrustLab)
* **Issuer**: TrustLab Root CA (Your Organization).
* **Trust Model**: Trusted **ONLY** by devices that have explicitly installed your Root CA.
* **Superpower**: Can secure **ANYTHING** internal (Localhost, Database Servers, IoT).
---
## Why "Military Grade"?
TrustLab utilizes **OpenSSL**, the same cryptographic core used by the world's highly secure networks.
| Feature | TrustLab (Private) | Public CA (Paid) |
| :--- | :--- | :--- |
| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 |
| **Signature** | SHA-256 | SHA-256 |
| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 |
| **Global Trust** | <XCircle className="inline w-4 h-4 text-red-500"/> (Manual Install) | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> (Pre-installed) |
| **Internal IPs** | <CheckCircle2 className="inline w-4 h-4 text-green-500"/> Supported | <XCircle className="inline w-4 h-4 text-red-500"/> Forbidden |
| **Cost** | **Free** | $400+/month (Private CA) |
## Appropriate Use Cases
<Callout type="info" emoji={<BadgeCheck className="w-5 h-5" />}>
**The Golden Rule:**
Use **TrustLab** for anything the Public Internet CANNOT access.
Use **Public CAs** for anything the Public Internet MUST access.
</Callout>
### <CheckCircle2 className="inline w-5 h-5 text-green-500 mr-2"/> Perfect For (Green Lane)
* **Internal Tools**: Admin Panels, HR Portals, Dashboards.
* **Development**: Testing HTTPS on `localhost` or `dev.local`.
* **Databases**: Securing connections to MySQL/Postgres/Mongo.
* **S/MIME**: Encrypting email between internal employees.
### <XCircle className="inline w-5 h-5 text-red-500 mr-2"/> Do Not Use For (Red Lane)
* **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning.
* **Public Blogs/Websites**: Random visitors do not have your Root CA installed.
## The "Trust Split" Myth
There is **no conflict** between having TrustLab installed and visiting public websites.
* When you visit `google.com`, your browser uses the **Public Lane**.
* When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**.
They coexist peacefully, providing comprehensive security for your entire digital life.
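
Review bot: "The 'Trust Split' Myth" states there is no conflict between installing the TrustLab root and visiting public websites, but a root CA placed in a device trust store is trusted for any name unless it is constrained, so whoever controls the TrustLab Root or Intermediate key could issue a certificate for a public domain that those devices would accept. Suggest saying this plainly and stating whether the TrustLab CA certificates carry name constraints. Separately, "Military-Grade Security" and the "$400+/month" cost row are claims the page gives no support for; consider removing them.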

View File

@@ -0,0 +1,50 @@
import { Steps } from 'nextra/components'
import { Shield, Lock, Server, Users } from 'lucide-react'
# Arsitektur Kepercayaan
Arsitektur TrustLab dibangun di atas prinsip isolasi dan keamanan berlapis. Kami menggunakan struktur otoritas bertingkat untuk memastikan integritas jaringan Anda tetap terjaga.
## Hirarki Otoritas Sertifikat
Untuk keamanan maksimal, TrustLab tidak menggunakan satu kunci untuk semua hal. Kami menggunakan hirarki berikut:
### 1. Root CA (Offline Root)
Ini adalah "Ayah" dari segala kepercayaan. Key ini sangat sensitif dan idealnya jarang digunakan. Dalam infrastruktur yang sangat ketat, Root CA biasanya tetap offline.
### 2. Intermediate CA (Issuing CA)
TrustLab secara otomatis membuat Intermediate CA yang menandatangani sertifikat pengguna Anda. Jika Intermediate CA disusupi, Root CA dapat mencabutnya tanpa merusak seluruh ekosistem keamanan Anda.
### 3. End-Entity Certificates
Aplikasi atau server Anda menggunakan sertifikat ini. Mereka memiliki masa berlaku yang lebih pendek (biasanya 1 tahun atau kurang) untuk meminimalkan risiko.
---
## Alur Penerbitan Sertifikat
Bagaimana data Anda berpindah dari dashboard hingga menjadi sertifikat sah?
<Steps>
### Permintaan Klien (CSR)
Dashboard membuat sepasang kunci (Public & Private). Public key dikirim dalam format Certificate Signing Request (CSR).
### Validasi Internal
Dashboard TrustLab memverifikasi identitas Anda dan hak akses Anda terhadap domain yang diminta.
### Penandatanganan CA
Intermediate CA menandatangani CSR tersebut menggunakan Private Key CA-nya sendiri.
### Pengiriman Sertifikat
Sertifikat hasil tanda tangan dikembalikan ke Dashboard untuk Anda unduh.
</Steps>
---
## Keamanan Kunci (Key Security)
- **Enkripsi saat Istirahat (Encryption at Rest)**: Semua Private Key disimpan dalam database menggunakan enkripsi tingkat tinggi (AES-256).
- **Isolasi Database**: Hanya layanan CA internal yang memiliki akses ke modul yang mendekripsi key tersebut.
- **Audit Logs**: Setiap aksi penandatanganan dicatat dalam log sistem yang tidak dapat diubah (immutable logs).
> [!TIP]
> Jangan pernah membagikan file Private Key (`.key`) Anda kepada siapapun. Siapapun yang memiliki key tersebut bisa menyamar sebagai server Anda.
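
Review bot: The "Validasi Internal" step says the dashboard verifies the user's rights to the requested domain, while the Indonesian PKI fundamentals page in this commit says no proof of domain ownership is required ("Tanpa Validasi DNS"). Suggest stating what is actually checked before the Intermediate CA signs, for example which accounts may request which names. The heading "Root CA (Offline Root)" also promises more than the text, which only says strict infrastructures usually keep the root offline; state what TrustLab itself does.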

View File

@@ -0,0 +1,56 @@
import { Callout, Steps } from 'nextra/components'
import { GitGraph, Shield, FileX, Network } from 'lucide-react'
# Trust Architecture
While the [Fundamentals](/guide/concepts/pki-undamentals) page explains *what* PKI is, this page explains *how* the hierarchy is structured to ensure security and scalability.
## The Hierarchy of Authority
TrustLab uses a standard **Three-Tier Architecture** (imulated in some modes) or a Two-Tier architecture to maximize security.
### 1. The Root CA (The Anchor)
* **Role**: The ultimate source of trust.
* **Behavior**: It signs **Intermediate CAs**. It almost **NEVER** signs end-user certificates directly.
* **Security**: If this key is stolen, the entire trust network is compromised. That is why in enterprise environments, the Root CA is often kept offline (air-gapped).
### 2. Intermediate CA (The Manager)
* **Role**: The working horse. It is trusted because the Root signed it.
* **Behavior**: It signs **Leaf Certificates** (for your servers).
* **Benefit**: If an Intermediate CA is compromised, you can revoke it using the Root CA without forcing every user to re-install the Root certificate.
### 3. Leaf Certificate (The Worker)
* **Role**: Validates a specific entity (e.g., `trustlab.local`, `api.internal`).
* **Behavior**: Cannot sign other certificates. It is valid only for a specific time (e.g., 397 days).
---
## The TLS Handshake (Simplified)
When you access `https://trustlab.local`, what actually happens?
<Steps>
### 1. Client Hello
Your browser sends a "Hello" to the server, listing supported encryption methods.
### 2. Server Hello & Certificate
The server responds with its **Leaf Certificate** AND the **Intermediate Certificate**. It does *not* send the Root.
### 3. Verification (The Chain Walk)
The browser looks at the Leaf. "Who signed you?" -> "Intermediate A".
The browser looks at Intermediate A. "Who signed you?" -> "Root CA".
The browser checks its **Local Trust Store**. "Do I have Root CA?"
* **Yes**: <span className="text-green-600 font-bold">Secure Connection Established</span>.
* **No**: <span className="text-red-500 font-bold">NET::ERR_CERT_AUTHORITY_INVALID</span>.
</Steps>
---
## Revocation (CRL & OCSP)
What happens if a private key is stolen *before* the certificate expires? Use Revocation.
* **CRL (Certificate Revocation List)**: A digital "Blacklist" file signed by the CA. Browsers download this list to check if a certificate is banned.
* **OCSP (Online Certificate Status Protocol)**: The browser asks the CA in real-time, "Is this specific serial number still good?".
TrustLab manages these mechanisms internally to ensure that if you delete a compromised certificate, it is effectively effectively untrusted (depending on client support for CRLs).
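
Review bot: Three text errors in this file: "(imulated in some modes)" under "The Hierarchy of Authority" is missing a letter, the closing paragraph has "effectively effectively", and the opening link points to `/guide/concepts/pki-undamentals`, matching the misspelled `_meta.json` key. The same section announces a "Three-Tier Architecture" or a Two-Tier one, yet the page only describes Root, Intermediate and Leaf; suggest naming which layout TrustLab actually deploys.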

View File

@@ -0,0 +1,4 @@
{
"install-root-ca": "Instal Root CA",
"access-dashboard": "Akses Dashboard"
}

View File

@@ -0,0 +1,4 @@
{
"install-root-ca": "Install Root CA",
"access-dashboard": "Access Dashboard"
}

View File

@@ -0,0 +1,96 @@
import { Callout, Steps, Cards, Card } from 'nextra/components'
import { Monitor, Smartphone, LayoutDashboard, Key, Shield, Info, Clock, AlertTriangle } from 'lucide-react'
# Mengakses Dashboard
**TrustLab Dashboard** adalah pusat kendali utama Anda untuk mengelola sertifikat. Di sini Anda dapat meminta sertifikat baru, mengunduh kunci, dan mengelola sertifikat yang sudah ada.
![Antarmuka Login TrustLab](/images/guide/login-screen.png)
## Metode Autentikasi
Kami mengutamakan keamanan dengan menawarkan opsi autentikasi modern tanpa kata sandi (passwordless).
<Cards>
<Card icon={<Shield className="w-6 h-6" />} title="SSO (Google / GitHub)" href="#1-single-sign-on-sso" arrow />
<Card icon={<Key className="w-6 h-6" />} title="Magic Link (Email)" href="#2-magic-link" arrow />
</Cards>
### 1. Single Sign-On (SSO)
Cara tercepat untuk masuk. Klik **Continue with Google** atau **Continue with GitHub**.
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**Perilaku SSO:**
* **Pengguna Lama:** Anda hanya dapat Masuk via SSO jika alamat email Anda sudah terdaftar.
* **Pengguna Baru:** Anda dapat **Mendaftar** akun baru secara instan dengan mengklik tombol Social Login pada halaman *Sign In* atau *Sign Up*.
</Callout>
### 2. Magic Link
Masuk yang aman dan tanpa kata sandi melalui email.
<Steps>
### Masukkan Email
Masukkan alamat email terdaftar Anda pada formulir login dan klik **"Continue with Email"**.
### Cek Kotak Masuk
Anda akan menerima email berisi tautan login unik yang sensitif terhadap waktu.
### Klik untuk Verifikasi
Klik tombol **"Sign in to TrustLab"** di dalam email tersebut. Anda akan langsung masuk ke dashboard secara instan.
</Steps>
<Callout type="warning" emoji={<Clock className="w-5 h-5" />}>
**Kedaluwarsa:** Tautan Magic Link hanya berlaku selama **15 menit**. Jika kedaluwarsa, cukup minta tautan baru dengan memasukkan email Anda kembali.
</Callout>
## Ikhtisar Dashboard
Setelah berhasil masuk, Anda akan mendarat di dashboard utama.
![Ikhtisar Dashboard TrustLab](/images/guide/dashboard-screen.png)
Hub pusat ini memungkinkan Anda untuk mengakses:
* **Active Certificates**: Lihat semua sertifikat valid yang diterbitkan untuk Anda.
* **Request Certificate**: Wizard untuk menghasilkan Private Key dan CSR baru.
* **Revocation**: Antarmuka untuk menandai sertifikat yang hilang atau bocor sebagai tidak valid.
## Registrasi
Pengguna baru dapat membuat akun untuk mulai mengelola sertifikat.
![Antarmuka Registrasi TrustLab](/images/guide/register-screen.png)
<Steps>
### Opsi A: Registrasi Sosial (Instan)
1. Klik **Continue with Google** atau **Continue with GitHub**.
2. **Atur Kata Sandi:** Pertama, pastikan Anda telah [**Menginstal Root CA**](/id/guide/getting-started/install-root-ca) di perangkat Anda.
![Layar Atur Kata Sandi](/images/guide/set-password-after-social-screen.png)
### Opsi B: Registrasi Email
1. Klik **"Sign up"** atau isi formulir.
2. Berikan detail dan kata sandi Anda.
3. **Verifikasi Email:** Klik tautan yang dikirim ke kotak masuk Anda untuk mengaktifkan.
</Steps>
## Pemulihan Kata Sandi
Jika Anda kehilangan akses ke akun, Anda dapat mengatur ulang kata sandi dengan aman.
![Antarmuka Lupa Kata Sandi TrustLab](/images/guide/forgot-password-screen.png)
1. Klik **"Forgot password?"** pada layar login.
2. Masukkan alamat email terdaftar Anda.
3. Cek kotak masuk Anda untuk tautan pengaturan ulang kata sandi.
4. Buat kata sandi baru dan masuk.
## Pemecahan Masalah
### Saya tidak menerima Magic Link
* **Cek Spam/Junk**: Seringkali masuk ke sana untuk domain perusahaan.
* **Tunggu 1-2 Menit**: Pengiriman email terkadang tertunda.
* **Whitelist Pengirim**: Tambahkan `@trustlab.dyzulk.com` ke daftar **Safe Senders** penyedia email Anda agar tidak diblokir.
### Akses Ditolak / Pengguna Tidak Ditemukan
* **Salah Ketik**: Periksa kembali alamat email Anda.
* **Belum Terdaftar**: Jika Anda belum membuat akun, silakan **Daftar** terlebih dahulu. Anda tidak dapat masuk via SSO jika email Anda belum ada di sistem kami (kecuali Anda menggunakan alur Pendaftaran).
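
Review bot: the SSO callout and the "Akses Ditolak / Pengguna Tidak Ditemukan" section disagree about what the social buttons on the Sign In page do. The callout says new users can register instantly by clicking Social Login on either *Sign In* or *Sign Up*, while the troubleshooting bullet says you cannot sign in via SSO if the email is not in the system unless you use the sign-up flow. Pick one behaviour and document it in both places, because whether an unknown Google or GitHub identity is auto-provisioned is something an administrator needs to know. Separately, the imports `Monitor`, `Smartphone`, `LayoutDashboard` and `AlertTriangle` are not used in this file.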

View File

@@ -0,0 +1,96 @@
import { Callout, Steps, Cards, Card } from 'nextra/components'
import { Monitor, Smartphone, LayoutDashboard, Key, Shield, Info, Clock, AlertTriangle } from 'lucide-react'
# Accessing Dashboard
The **TrustLab Dashboard** is your central command center for managing certificates. Here you can request new certificates, download keys, and manage existing ones.
![TrustLab Login Interface](/images/guide/login-screen.png)
## Authentication Methods
We prioritize security by offering modern, passwordless authentication options.
<Cards>
<Card icon={<Shield className="w-6 h-6" />} title="SSO (Google / GitHub)" href="#1-single-sign-on-sso" arrow />
<Card icon={<Key className="w-6 h-6" />} title="Magic Link (Email)" href="#2-magic-link" arrow />
</Cards>
### 1. Single Sign-On (SSO)
The fastest way to log in. Click **Continue with Google** or **Continue with GitHub**.
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**SSO Behavior:**
* **Existing Users:** You can only Log In via SSO if your email address is already registered.
* **New Users:** You can **Register** a new account instantly by clicking the Social Login buttons on the *Sign In* or *Sign Up* page.
</Callout>
### 2. Magic Link
Secure, passwordless login via email.
<Steps>
### Enter Email
Input your registered email address in the login form and click **"Continue with Email"**.
### Check Inbox
You will receive an email with a unique, time-sensitive login link.
### Click to Verify
Click the **"Sign in to TrustLab"** button in the email. You will be instantly logged in to the dashboard.
</Steps>
<Callout type="warning" emoji={<Clock className="w-5 h-5" />}>
**Expiration:** Magic links are valid for **15 minutes** only. If it expires, simply request a new one by entering your email again.
</Callout>
## Dashboard Overview
Upon successful login, you will land on the main dashboard.
![TrustLab Dashboard Overview](/images/guide/dashboard-screen.png)
This central hub allows you to access:
* **Active Certificates**: View all valid certificates issued to you.
* **Request Certificate**: The wizard to generate a new Private Key and CSR.
* **Revocation**: Interface to mark lost or compromised certificates as invalid.
## Registration
New users can create an account to start managing certificates.
![TrustLab Registration Interface](/images/guide/register-screen.png)
<Steps>
### Option A: Social Registration (Instant)
1. Click **Continue with Google** or **Continue with GitHub**.
2. **Set Password:** First, ensure you have [**Installed the Root CA**](/guide/getting-started/install-root-ca) on your device.count.
![Set Password Screen](/images/guide/set-password-after-social-screen.png)
### Option B: Email Registration
1. Click **"Sign up"** or fill the form.
2. Provide your details and password.
3. **Verify Email:** Click the link sent to your inbox to activate.
</Steps>
## Password Recovery
If you lose access to your account, you can reset your password securely.
![TrustLab Forgot Password Interface](/images/guide/forgot-password-screen.png)
1. Click **"Forgot password?"** on the login screen.
2. Enter your registered email address.
3. Check your inbox for a password reset link.
4. Create a new password and log in.
## Troubleshooting
### I didn't receive the Magic Link
* **Check Spam/Junk**: It often lands there for corporate domains.
* **Wait 1-2 Minutes**: Email delivery can sometimes be delayed.
* **Whitelist Sender**: Add `@trustlab.dyzulk.com` to your email provider's **Safe Senders** list to prevent it from being blocked.
### Access Denied / User Not Found
* **Typos**: Double-check your email address.
* **Not Registered**: If you haven't created an account yet, please **Sign Up** first. You cannot log in via SSO if your email is not in our system (unless you use the Sign Up flow).
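
Review bot: step 2 of "Option A: Social Registration" ends in a stray fragment ("on your device.count.") and its body does not match its label: the step is titled **Set Password** but the sentence only tells the reader to install the Root CA. It looks like the original sentence about setting a password for the new account was overwritten by a link insertion. Restore the password instruction and move the Root CA reminder to its own line or callout. The Indonesian copy of this page carries the same mismatched sentence under "Atur Kata Sandi". The page also opens by describing authentication as passwordless while both registration options require a password, so the wording in "Authentication Methods" should be reconciled with that.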

View File

@@ -0,0 +1,64 @@
import { Tabs, Steps, Cards, Card, Callout } from 'nextra/components'
import { Monitor, Smartphone, AlertTriangle, Info } from 'lucide-react'
# Menginstal Root CA
Untuk memastikan browser Anda mempercayai sertifikat yang diterbitkan oleh TrustLab, Anda harus menginstal Root CA kami.
## Instalasi Cepat (Bundle)
Instal secara instan **SEMUA** sertifikat Root & Intermediate TrustLab menggunakan skrip bundle otomatis kami.
### Linux / Server (CLI)
Pilih distribusi Anda untuk mendapatkan perintah instalasi yang dioptimalkan:
<Tabs items={['Debian/Ubuntu', 'RHEL/CentOS', 'Arch Linux', 'Universal']}>
<Tabs.Tab>
```bash
sudo apt update && sudo apt install -y curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
(sudo yum install -y curl || sudo dnf install -y curl) && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
sudo pacman -Sy --noconfirm curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
</Tabs>
### Ekosistem Windows & Apple
<Cards>
<Card icon={<Monitor className="w-6 h-6" />} title="Windows Bundle Installer (.bat)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.bat" arrow />
<Card icon={<Smartphone className="w-6 h-6" />} title="macOS / iOS Profile (.mobileconfig)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.mobileconfig" arrow />
</Cards>
<Callout type="warning" emoji={<AlertTriangle className="w-5 h-5" />}>
**Pengguna Windows:** Anda **WAJIB** klik kanan file `.bat` dan pilih **"Run as Administrator"**. Mengklik dua kali secara langsung kemungkinan besar akan gagal karena batasan izin.
</Callout>
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**Pengguna Apple:** Setelah mengunduh profil, buka **System Settings > Privacy & Security > Profiles** untuk menginstalnya. Untuk iOS, lihat bagian *Instalasi Sertifikat Individu* di bawah untuk langkah-langkah kepercayaan mendetail.
</Callout>
---
import { DynamicInstallationGuide } from '../../../components/DynamicInstallationGuide'
## Instalasi Sertifikat Individu
Jika Anda perlu menginstal sertifikat tertentu secara individu (misal: hanya Root, atau Intermediate tertentu), gunakan panduan langsung di bawah ini.
<DynamicInstallationGuide locale="id" />
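
Review bot: all four Linux tabs pipe a remote script straight into a root shell (`curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash`) to modify the system trust store, with no step to inspect or verify what was downloaded. Because `-s` is used without `-f` and `-S`, an HTTP error page would be passed to `bash` silently. For a script that installs trust anchors, document a download-then-verify flow instead: save the script to a file, compare it against a published SHA-256, review it, then run it with `sudo`. At minimum change the flags to `-fsSL`. The same commands appear in the English copy of this page.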

View File

@@ -0,0 +1,62 @@
import { Tabs, Steps, Cards, Card, Callout } from 'nextra/components'
import { Monitor, Smartphone, AlertTriangle, Info } from 'lucide-react'
# Installing Root CA
To ensure your browser trusts certificates issued by TrustLab, you must install our Root CA.
## Quick Installation (Bundle)
Instantly install **ALL** TrustLab Root & Intermediate certificates using our automated bundle scripts.
### Linux / Server (CLI)
Select your distribution to get the optimized installation command:
<Tabs items={['Debian/Ubuntu', 'RHEL/CentOS', 'Arch Linux', 'Universal']}>
<Tabs.Tab>
```bash
sudo apt update && sudo apt install -y curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
(sudo yum install -y curl || sudo dnf install -y curl) && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
sudo pacman -Sy --noconfirm curl && curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
<Tabs.Tab>
```bash
curl -sL https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.sh | sudo bash
```
</Tabs.Tab>
</Tabs>
### Windows & Apple Ecosystem
<Cards>
<Card icon={<Monitor className="w-6 h-6" />} title="Windows Bundle Installer (.bat)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.bat" arrow />
<Card icon={<Smartphone className="w-6 h-6" />} title="macOS / iOS Profile (.mobileconfig)" href="https://cdn.trustlab.dyzulk.com/ca/bundles/trustlab-all.mobileconfig" arrow />
</Cards>
<Callout type="warning" emoji={<AlertTriangle className="w-5 h-5" />}>
**Windows Users:** You **MUST** right-click the `.bat` file and select **"Run as Administrator"**. Double-clicking directly will likely fail due to permission restrictions.
</Callout>
<Callout type="info" emoji={<Info className="w-5 h-5" />}>
**Apple Users:** After downloading the profile, go to **System Settings > Privacy & Security > Profiles** to install it. For iOS, see the *Individual Installation* section below for detailed trust steps.
</Callout>
---
import { DynamicInstallationGuide } from '../../../components/DynamicInstallationGuide'
## Individual Certificate Installation
If you need to install specific certificates individually (e.g. only Root, or specific Intermediate), use the live guide below.
<DynamicInstallationGuide />
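
Review bot: the "Windows & Apple Ecosystem" cards link directly to a `.bat` file that the callout says must be run as Administrator and to a `.mobileconfig` profile, but the page gives the reader nothing to check them against. Since these files add Root and Intermediate certificates to the device trust store, publish the SHA-256 fingerprint of the TrustLab Root CA (and ideally a hash of each installer) on this page and add a step telling users to compare it with what the OS shows in the install prompt before accepting. Minor: the second `import` sits mid-document after the `---` rule; moving it up beside the other imports keeps the file easier to scan.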

23
pages/guide/index.id.mdx Normal file
View File

@@ -0,0 +1,23 @@
# Panduan Pengguna TrustLab
Selamat datang di dokumentasi resmi TrustLab. Panduan ini dirancang untuk membantu Anda memahami, menginstal, dan mengelola Otoritas Sertifikat (CA) privat Anda sendiri.
## Apa itu TrustLab?
TrustLab adalah solusi manajemen PKI (Public Key Infrastructure) yang disederhanakan untuk jaringan internal. Kami memungkinkan Anda untuk:
- **Mengeluarkan Sertifikat SSL/TLS** untuk domain internal seperti `.local`, `.corp`, atau alamat IP privat.
- **Mengamankan Komunikasi IoT** dan perangkat dalam jaringan lokal.
- **Enkripsi Email (S/MIME)** untuk kerahasiaan data karyawan.
- **Otomasi Integrasi** dengan web server modern seperti Nginx dan IIS.
## Langkah Cepat
1. **Instal Root CA**: Langkah pertama yang wajib dilakukan agar semua sertifikat Anda dipercaya oleh perangkat. [Baca selengkapnya](/id/guide/getting-started/install-root-ca)
2. **Akses Dashboard**: Masuk ke portal manajemen Anda untuk mulai menerbitkan sertifikat. [Baca selengkapnya](/id/guide/getting-started/access-dashboard)
3. **Terbitkan Sertifikat**: Pelajari cara membuat permintaan sertifikat baru dalam hitungan detik. [Baca selengkapnya](/id/guide/certificates/request-new)
---
> [!TIP]
> Mulailah dari bagian **Mulai Cepat** untuk mendapatkan Certificate Authority yang berfungsi penuh dalam waktu kurang dari 5 menit.
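
Review bot: the closing tip uses GitHub-style alert syntax (`> [!TIP]`) while the callouts in the getting-started and troubleshooting pages of this commit are written with `<Callout>` from `nextra/components`. Use one convention, or confirm the installed Nextra version renders the alert syntax, otherwise this shows up as a literal blockquote. This page has also drifted from `index.mdx`: it uses a numbered list instead of `<Cards>` and has no equivalent of the "Guide Structure" section, so the two locales present different landing pages.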

29
pages/guide/index.mdx Normal file
View File

@@ -0,0 +1,29 @@
import { Cards, Card } from 'nextra/components'
import { BookOpen, ShieldCheck, Server, Mail, AlertTriangle, HardDriveDownload, Rocket } from 'lucide-react'
# TrustLab Documentation
Welcome to the **TrustLab User Guide**.
TrustLab is a private Certificate Authority (CA) designed to secure your internal infrastructure (Intranet, APIs, IoT, Databases) with SSL/TLS certificates.
## Quick Start
<Cards>
<Card icon={<Rocket />} title="Install Root CA" href="/guide/getting-started/install-root-ca" arrow />
<Card icon={<HardDriveDownload />} title="Generate Certificate" href="/guide/certificates/request-new" arrow />
<Card icon={<ShieldCheck />} title="Core Concepts (PKI)" href="/guide/concepts/pki-undamentals" arrow />
</Cards>
## Guide Structure
This documentation is organized as follows:
* [**Getting Started**](/guide/getting-started/install-root-ca): Setup Root CA and access the dashboard.
* [**Core Concepts**](/guide/concepts/pki-undamentals): Understand the "Two Lanes of Trust" (Public vs Private PKI).
* [**Certificate Operations**](/guide/certificates/request-new): Request, Download, Renew, and Revoke certificates.
* [**Integrations**](/guide/integrations/web-servers): Configure Nginx, IIS, and S/MIME.
* [**Troubleshooting**](/guide/troubleshooting/browser-errors): Resolve common browser errors like `NET::ERR_CERT_AUTHORITY_INVALID`.
## Why TrustLab?
TrustLab solves the "Not Secure" warnings on internal networks by providing a centralized, managed PKI that acts just like a Public CA (Let's Encrypt), but for your **Private Network**.
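
Review bot: the Core Concepts links in both the Quick Start card and the "Guide Structure" list point to `/guide/concepts/pki-undamentals`, which looks like a dropped "f". Check the slug against the actual file name under `pages/guide/concepts` and fix both hrefs, otherwise both entry points to the PKI concepts page will 404. The imports `BookOpen`, `Server`, `Mail` and `AlertTriangle` are unused in this file.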

View File

@@ -0,0 +1,4 @@
{
"web-servers": "Konfigurasi Web Server",
"smime": "Keamanan Email S/MIME"
}

View File

@@ -0,0 +1,4 @@
{
"smime": "S/MIME for Email",
"web-servers": "Web Servers (Nginx/IIS)"
}
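
Review bot: the key order here (`smime`, then `web-servers`) is the reverse of the Indonesian `_meta` file added just above it. Nextra takes sidebar order from key order, so the Integrations section will list its pages in a different order per locale. Align the two files unless the difference is intended.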

View File

@@ -0,0 +1,77 @@
import { Steps, Callout, Tabs } from 'nextra/components'
import { Mail, BadgeAlert, ShieldCheck } from 'lucide-react'
# Keamanan Email S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) memungkinkan Anda untuk **menandatangani** (membuktikan identitas) dan **mengenkripsi** (melindungi konten) pesan email.
<Callout type="warning" emoji={<BadgeAlert className="w-5 h-5" />}>
**Hanya untuk Penggunaan Internal:**
Sertifikat TrustLab bersifat pribadi. Jika Anda mengirim email bertanda tangan ke **Penerima Eksternal** (misal: Gmail, Yahoo), mereka akan melihat peringatan "Tanda Tangan Tidak Dipercaya/Tidak Valid" karena mereka tidak mempercayai Root CA TrustLab.
**Gunakan ini hanya untuk komunikasi internal perusahaan.**
</Callout>
## Panduan Pengaturan
## Konfigurasi Microsoft Outlook
<Tabs items={['Outlook Klasik (Desktop)', 'Outlook Baru (Web Style)']}>
<Tabs.Tab>
**Versi yang Didukung:** Outlook 365, 2019, 2016.
<Steps>
### 1. Buka Trust Center
Buka **File > Options > Trust Center > Trust Center Settings**.
### 2. Email Security
Pilih **Email Security** dari sidebar kiri.
### 3. Impor Sertifikat
Di bawah *Encrypted Email*, klik **Settings...**
* **Signing Certificate**: Klik 'Choose' dan pilih sertifikat TrustLab Anda.
* **Encryption Certificate**: Sama seperti di atas.
### 4. Simpan
Klik **OK** untuk menerapkan.
</Steps>
</Tabs.Tab>
<Tabs.Tab>
**Versi yang Didukung:** Outlook baru untuk Windows, OWA.
*Catatan: Memerlukan ekstensi S/MIME Control.*
<Steps>
### 1. Buka Pengaturan
Klik **Ikon Roda Gigi** (Settings) di pojok kanan atas.
### 2. Menu S/MIME
Navigasi ke **Mail > S/MIME**.
### 3. Aktifkan
Aktifkan **"Encrypt with S/MIME"** dan pilih sertifikat Anda.
</Steps>
</Tabs.Tab>
</Tabs>
## Konfigurasi Thunderbird
**Persyaratan Versi:** v115+ (Supernova) atau yang lebih baru.
<Steps>
### 1. Pengaturan Akun
Klik tombol **Menu (≡)** dan pilih **Account Settings**.
### 2. Enkripsi End-to-End
Pilih akun email Anda dari sidebar dan klik **End-to-End Encryption**.
### 3. Impor Sertifikat
Di bagian **S/MIME**, klik **Add** (atau Manager) untuk mengimpor file `.p12` Anda.
### 4. Terapkan Sertifikat
Di bawah *Select Certificate*, pilih file yang diimpor untuk keduanya:
* **Digital Signing**
* **Encryption**
</Steps>
## Cara Mengetes
Kirim email ke rekan kerja yang juga telah menginstal Root CA. Mereka seharusnya melihat ikon **Pita/Badge** terverifikasi yang menunjukkan bahwa email tersebut dipercaya dan tidak dimodifikasi.
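
Review bot: "## Panduan Pengaturan" is immediately followed by another level-2 heading ("## Konfigurasi Microsoft Outlook"), so it renders as an empty section in the page and the table of contents. Either demote the Outlook and Thunderbird headings to `###` under it or remove the empty heading. The imports `Mail` and `ShieldCheck` are unused.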

View File

@@ -0,0 +1,78 @@
import { Steps, Callout, Tabs } from 'nextra/components'
import { Mail, BadgeAlert, ShieldCheck } from 'lucide-react'
# S/MIME Email Security
Secure/Multipurpose Internet Mail Extensions (S/MIME) allows you to **sign** (prove identity) and **encrypt** (protect content) email messages.
<Callout type="warning" emoji={<BadgeAlert className="w-5 h-5" />}>
**Internal Use Only:**
TrustLab certificates are private. If you send signed emails to **External Recipients** (e.g., Gmail, Yahoo), they will see an "Untrusted/Invalid Signature" warning because they do not trust the TrustLab Root CA.
**Use this for internal corporate communication only.**
</Callout>
## Setup Guide
## Configure Microsoft Outlook
<Tabs items={['Classic Outlook (Desktop)', 'New Outlook (Web Style)']}>
<Tabs.Tab>
**Supported Versions:** Outlook 365, 2019, 2016.
<Steps>
### 1. Open Trust Center
Go to **File > Options > Trust Center > Trust Center Settings**.
### 2. Email Security
Select **Email Security** from the left sidebar.
### 3. Import Certificate
Under *Encrypted Email*, click **Settings...**
* **Signing Certificate**: Click 'Choose' and select your TrustLab cert.
* **Encryption Certificate**: Same as above.
### 4. Save
Click **OK** to apply.
</Steps>
</Tabs.Tab>
<Tabs.Tab>
**Supported Versions:** New Outlook for Windows, OWA.
*Note: Requires S/MIME Control extension.*
<Steps>
### 1. Open Settings
Click the **Gear Icon** (Settings) in the top right.
### 2. S/MIME Menu
Navigate to **Mail > S/MIME**.
### 3. Enable
Enable **"Encrypt with S/MIME"** and select your certificate.
</Steps>
</Tabs.Tab>
</Tabs>
## Configure Thunderbird
**Version Requirement:** v115+ (Supernova) or newer.
<Steps>
### 1. Account Settings
Click the **Menu (≡)** button and select **Account Settings**.
### 2. End-to-End Encryption
Select your email account from the sidebar and click **End-to-End Encryption**.
### 3. Import Certificate
In the **S/MIME** section, click **Add** (or Manager) to import your `.p12` file.
### 4. Apply Certificate
Under *Select Certificate*, choose the imported file for both:
* **Digital Signing**
* **Encryption**
</Steps>
## How to Test
Send an email to a colleague who also has the Root CA installed. They should see a verified **Ribbon/Badge** icon indicating the email is trusted and unmodified.
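
Review bot: "How to Test" only exercises signing. The page introduces S/MIME as both signing and encryption, and the setup steps select an Encryption Certificate, but nothing explains that sending an encrypted message requires the recipient's certificate, which the sender normally obtains from a signed email the recipient sent first. Add a second test step (exchange signed mail, then send an encrypted reply) so users do not conclude encryption is working when only the signature badge has been checked. It is also worth a sentence in the Thunderbird import step that the `.p12` file contains the private key and should be removed from the Downloads folder after import.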

View File

@@ -0,0 +1,78 @@
import { Tabs, Callout } from 'nextra/components'
import { Server, Globe, Shield } from 'lucide-react'
# Konfigurasi Web Server
Untuk mengaktifkan HTTPS pada layanan internal Anda, Anda perlu mengonfigurasi web server agar menggunakan sertifikat yang diterbitkan oleh TrustLab.
<Callout type="info" emoji={<Shield className="w-5 h-5" />}>
**Prasyarat:** Pastikan Anda telah mengunduh **PEM Bundle** (untuk Linux) atau **PFX** (untuk Windows) seperti yang dijelaskan dalam [Panduan Unduh](/id/guide/certificates/download-install).
</Callout>
## Contoh Konfigurasi
Pilih lingkungan web server Anda di bawah ini:
<Tabs items={['Nginx', 'Apache (httpd)', 'IIS (Windows)']}>
<Tabs.Tab>
### Pengaturan Nginx
File Target: `/etc/nginx/sites-available/default` atau `internal.app.conf`
```nginx
server {
listen 80;
server_name internal.app;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name internal.app;
# SSL Configuration
ssl_certificate /etc/ssl/trustlab/internal.app.crt;
ssl_certificate_key /etc/ssl/trustlab/internal.app.key;
# Recommended Security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
```
</Tabs.Tab>
<Tabs.Tab>
### Pengaturan Apache / HTTPD
File Target: `/etc/httpd/conf.d/ssl.conf` atau file VHost.
```apache
<VirtualHost *:443>
ServerName internal.app
DocumentRoot /var/www/html/internal
SSLEngine on
SSLCertificateFile "/path/to/internal.app.crt"
SSLCertificateKeyFile "/path/to/internal.app.key"
# Best Practice
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```
5. Pergi ke **Sites**, pilih situs Anda, dan klik **Bindings...**.
6. Tambahkan binding `https` dan pilih sertifikat TrustLab yang baru diimpor.
</Tabs.Tab>
</Tabs>
---
## Verifikasi Konfigurasi
Gunakan perintah `curl` dari terminal untuk memastikan sertifikat terdeteksi dengan benar:
```bash
curl -vI https://internal.yourcompany.local
```
Perhatikan baris `server certificate verification OK`. Jika muncul error, pastikan Anda telah menginstal Root CA di perangkat yang menjalankan perintah tersebut.
> [!NOTE]
> Sangat disarankan untuk selalu menggunakan file **BUNDLE/COMBINED** (Sertifikat + Intermediate) untuk menghindari masalah rantai sertifikat (Chain Error) di beberapa browser mobile.
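
Review bot: the `<Tabs>` component declares three items (Nginx, Apache, IIS) but only two `<Tabs.Tab>` blocks exist, and the Apache tab ends with two orphaned list items numbered 5 and 6 ("Pergi ke **Sites**…", "Tambahkan binding `https`…") that are clearly the tail of the IIS instructions. The IIS tab opening and steps 1 to 4 are missing, so the third tab will be empty and the Apache tab shows Windows steps. Restore the IIS tab to match the English page. Also, the verification command uses `internal.yourcompany.local` while the server blocks above use `internal.app`; use one hostname throughout.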

View File

@@ -0,0 +1,76 @@
import { Tabs, Callout } from 'nextra/components'
import { Server, Globe, Shield } from 'lucide-react'
# Web Server Configuration
To enable HTTPS on your internal services, you need to configure your web server to use the certificates issued by TrustLab.
<Callout type="info" emoji={<Shield className="w-5 h-5" />}>
**Prerequisite:** Ensure you have downloaded the **PEM Bundle** (for Linux) or **PFX** (for Windows) as described in the [Download Guide](/guide/certificates/download-install).
</Callout>
## Configuration Examples
Select your web server environment below:
<Tabs items={['Nginx', 'Apache (httpd)', 'IIS (Windows)']}>
<Tabs.Tab>
### Nginx Setup
Target File: `/etc/nginx/sites-available/default` or `internal.app.conf`
```nginx
server {
listen 80;
server_name internal.app;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name internal.app;
# SSL Configuration
ssl_certificate /etc/ssl/trustlab/internal.app.crt;
ssl_certificate_key /etc/ssl/trustlab/internal.app.key;
# Recommended Security
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
```
</Tabs.Tab>
<Tabs.Tab>
### Apache / HTTPD Setup
Target File: `/etc/httpd/conf.d/ssl.conf` or VHost file.
```apache
<VirtualHost *:443>
ServerName internal.app
DocumentRoot /var/www/html/internal
SSLEngine on
SSLCertificateFile "/path/to/internal.app.crt"
SSLCertificateKeyFile "/path/to/internal.app.key"
# Best Practice
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```
</Tabs.Tab>
<Tabs.Tab>
### IIS (Internet Information Services)
Requires the **.pfx** file format.
1. **Import Certificate**:
* Open **IIS Manager** > Click Server Node > **Server Certificates**.
* Click **Import...** (Actions pane).
* Select your `.pfx` file and enter the password.
2. **Bind to Site**:
* Go to **Sites** > Select your site (e.g., Default Web Site).
* Click **Bindings...** > **Add...**
* Type: `https` | Port: `443`.
* **SSL Certificate**: Select the certificate you just imported.
</Tabs.Tab>
</Tabs>
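
Review bot: the Nginx and Apache examples point `ssl_certificate` and `SSLCertificateFile` at `internal.app.crt`, while the prerequisite callout tells the reader to download the **PEM Bundle**. If that `.crt` holds only the leaf certificate, the server will not send the intermediate and clients that have only the Root CA installed will fail chain validation. State in both tabs that the file must contain the leaf followed by the intermediate certificate(s), and name it accordingly. The Indonesian page also has a "Verifikasi Konfigurasi" section with a `curl -vI` check and a note about using the combined bundle; this English page ends at the IIS tab, so that section should be ported over. The key path in the examples would benefit from a line reminding the reader to restrict the `.key` file to the web server user.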

View File

@@ -0,0 +1,4 @@
{
"browser-errors": "Kesalahan Umum Browser",
"developer-tools": "Masalah CLI & Bahasa"
}

View File

@@ -0,0 +1,4 @@
{
"browser-errors": "Common Browser Errors",
"developer-tools": "CLI & Language Support"
}

View File

@@ -0,0 +1,43 @@
import { Callout, Cards, Card } from 'nextra/components'
import { AlertTriangle, Globe, Calendar, XCircle, HelpCircle } from 'lucide-react'
# Kesalahan Browser Umum
Saat menggunakan sertifikat internal, browser sangatlah ketat. Berikut adalah kode kesalahan yang paling umum dan cara mengatasinya.
### `NET::ERR_CERT_AUTHORITY_INVALID`
<Callout type="error" emoji={<AlertTriangle className="w-5 h-5" />}>
**Logikanya:** Browser sama sekali **tidak mengenal** "TrustLab Root CA" yang menandatangani sertifikat situs web Anda, sehingga ia menganggapnya palsu.
</Callout>
**Solusi:**
Anda belum menginstal Root CA di perangkat Anda.
* [**Panduan Instalasi Root CA**](/id/guide/getting-started/install-root-ca)
---
### `NET::ERR_CERT_COMMON_NAME_INVALID`
<Callout type="warning" emoji={<Globe className="w-5 h-5" />}>
**Logikanya:** Anda mengunjungi `app.local`, tetapi sertifikat hanya diterbitkan untuk `api.local`. Namanya **tidak cocok**.
</Callout>
**Solusi:**
Domain tersebut tidak ada dalam **SANs (Subject Alternative Names)** sertifikat.
1. Klik ikon **"Not Secure"** > **Certificate**.
2. Periksa bidang **DNS Name** atau SAN.
3. Jika tidak ada, Anda harus **[Menerbitkan Sertifikat Baru](/id/guide/certificates/request-new)** yang menyertakan domain yang benar.
---
### `NET::ERR_CERT_DATE_INVALID`
<Callout type="info" emoji={<Calendar className="w-5 h-5" />}>
**Logikanya:** Sertifikat telah kedaluwarsa, ATAU jam komputer Anda diatur ke tanggal yang salah (lampau/masa depan).
</Callout>
**Solusi:**
1. Periksa jam sistem Anda terlebih dahulu.
2. Jika jam sudah benar, berarti sertifikat benar-benar kedaluwarsa.
3. **[Perbarui Sertifikat](/id/guide/certificates/renewal)** segera.

View File

@@ -0,0 +1,43 @@
import { Callout, Cards, Card } from 'nextra/components'
import { AlertTriangle, Globe, Calendar, XCircle, HelpCircle } from 'lucide-react'
# Common Browser Errors
When using internal certificates, browsers are very strict. Below are the most common error codes and how to resolve them.
### `NET::ERR_CERT_AUTHORITY_INVALID`
<Callout type="error" emoji={<AlertTriangle className="w-5 h-5" />}>
**The Logic:** The browser simply **does not know** the "TrustLab Root CA" that signed your website's certificate, so it assumes it's fake.
</Callout>
**Solution:**
You have not installed the Root CA on your device yet.
* [**Install Root CA Guide**](/guide/getting-started/install-root-ca)
---
### `NET::ERR_CERT_COMMON_NAME_INVALID`
<Callout type="warning" emoji={<Globe className="w-5 h-5" />}>
**The Logic:** You are visiting `app.local`, but the certificate was only issued for `api.local`. The names **do not match**.
</Callout>
**Solution:**
The domain is missing from the certificate's **SANs (Subject Alternative Names)**.
1. Click the **"Not Secure"** icon > **Certificate**.
2. Check the **DNS Name** or SAN field.
3. If missing, you must **[Generate a New Certificate](/guide/certificates/request-new)** that includes the correct domain.
---
### `NET::ERR_CERT_DATE_INVALID`
<Callout type="info" emoji={<Calendar className="w-5 h-5" />}>
**The Logic:** The certificate has expired, OR your computer's clock is set to the wrong date (past/future).
</Callout>
**Solution:**
1. Check your system clock first.
2. If the clock is correct, the certificate is truly expired.
3. **[Renew the Certificate](/guide/certificates/renewal)** immediately.
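
Review bot: the solution under `NET::ERR_CERT_AUTHORITY_INVALID` gives a single cause ("You have not installed the Root CA on your device yet"), but the same error can also appear when the Root CA is installed and the server is not sending the intermediate certificate, which is the chain problem the Indonesian web-server page in this commit warns about. Add a second bullet that links to the web server guide and tells the reader to confirm the server presents the full chain. Under `NET::ERR_CERT_DATE_INVALID`, mention the not-yet-valid case as well, since a freshly issued certificate on a machine whose clock is behind produces the same code. The imports `Cards`, `Card`, `XCircle` and `HelpCircle` are unused here and in the Indonesian copy.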

View File

@@ -0,0 +1,97 @@
import { Callout, Steps } from 'nextra/components'
import { Terminal, Code, Server, Download } from 'lucide-react'
# Masalah CLI & Bahasa Pemrograman
Bahkan jika Anda sudah menginstal Root CA di sistem operasi Anda, banyak alat pengembang dan bahasa pemrograman yang **mengabaikan penyimpanan sistem (system store)** dan menggunakan penyimpanan mereka sendiri.
<Callout type="info" emoji={<Download className="w-5 h-5" />}>
**Prasyarat:**
Anda harus memiliki file **`trustlab-root.crt`** yang sudah diunduh di mesin Anda.
[Unduh di sini](/id/guide/getting-started/install-root-ca).
</Callout>
Jika kode atau skrip Anda gagal dengan kesalahan sertifikat, periksa solusi di bawah ini.
## 1. cURL & Wget
Alat baris perintah standar sering kali mencari file bundle tertentu.
### cURL
<Callout type="error" emoji={<Terminal className="w-5 h-5" />}>
`curl: (60) SSL certificate problem: unable to get local issuer certificate`
</Callout>
**Solusi:**
Teruskan Root CA secara eksplisit:
```bash
curl --cacert /jalur/ke/trustlab-root.crt https://domain-anda.local
```
### Wget
**Solusi:**
```bash
wget --ca-certificate=/jalur/ke/trustlab-root.crt https://domain-anda.local
```
---
## 2. Node.js / JavaScript
Node.js tidak menggunakan Root CA Sistem secara default.
<Callout type="error" emoji={<Server className="w-5 h-5" />}>
`Error: self signed certificate in certificate chain`
</Callout>
**Solusi (Variabel Lingkungan):**
Atur variabel ini sebelum menjalankan aplikasi Anda. Ini berfungsi untuk sebagian besar aplikasi Node.js (npm, yarn, skrip kustom).
```bash
export NODE_EXTRA_CA_CERTS="/jalur/ke/trustlab-root.crt"
node server.js
```
---
## 3. Python (Requests/Pip)
Pustaka `requests` di Python (dan `pip`) menggunakan paket sertifikatnya sendiri (`certifi`), mengabaikan penyimpanan sistem Windows/macOS/Linux.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed'))`
</Callout>
**Solusi:**
Arahkan ke Root CA Anda menggunakan variabel lingkungan.
```bash
export REQUESTS_CA_BUNDLE="/jalur/ke/trustlab-root.crt"
python script.py
```
---
## 4. Aplikasi Java
Java menggunakan "Keystore" (JKS) milik sendiri dan biasanya **mengabaikan** Windows Certificate Store.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`sun.security.validator.ValidatorException: PKIX path building failed`
</Callout>
**Solusi:**
Anda harus mengimpor Root CA TrustLab ke dalam Java Keystore (cacerts).
<Steps>
### Lokasi standar cacerts
Biasanya di `$JAVA_HOME/lib/security/cacerts`.
### Impor dengan keytool
```bash
keytool -import -trustcacerts -alias trustlab-root \
-file trustlab-root.crt \
-keystore "$JAVA_HOME/lib/security/cacerts"
```
*Kata sandi default biasanya adalah `changeit`.*
</Steps>
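
Review bot: in section 3, `export REQUESTS_CA_BUNDLE="/jalur/ke/trustlab-root.crt"` replaces the default `certifi` bundle rather than adding to it, unlike `NODE_EXTRA_CA_CERTS` in section 2, which extends Node's built-in list. With the variable pointing at a file that contains only the TrustLab root, any request from the same process to a publicly trusted host will fail verification. Document that the file should be the `certifi` bundle with the TrustLab root appended, or recommend passing the CA path per call for internal hosts only. The same applies to the English copy of this page.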

View File

@@ -0,0 +1,97 @@
import { Callout, Steps } from 'nextra/components'
import { Terminal, Code, Server, Download } from 'lucide-react'
# CLI & Language Issues
Even if you installed the Root CA on your operating system, many developer tools and programming languages **ignore the system store** and use their own.
<Callout type="info" emoji={<Download className="w-5 h-5" />}>
**Prerequisite:**
You must have the **`trustlab-root.crt`** file downloaded on your machine first.
[Download it here](/guide/getting-started/install-root-ca).
</Callout>
If your code or scripts are failing with certificate errors, check the solutions below.
## 1. cURL & Wget
Standard command-line tools often look for a specific bundle file.
### cURL
<Callout type="error" emoji={<Terminal className="w-5 h-5" />}>
`curl: (60) SSL certificate problem: unable to get local issuer certificate`
</Callout>
**Solution:**
Pass the Root CA explicitly:
```bash
curl --cacert /path/to/trustlab-root.crt https://your-domain.local
```
### Wget
**Solution:**
```bash
wget --ca-certificate=/path/to/trustlab-root.crt https://your-domain.local
```
---
## 2. Node.js / JavaScript
Node.js does not use the System Root CA by default.
<Callout type="error" emoji={<Server className="w-5 h-5" />}>
`Error: self signed certificate in certificate chain`
</Callout>
**Solution (Environment Variable):**
Set this variable before running your application. It works for most Node.js apps (npm, yarn, custom scripts).
```bash
export NODE_EXTRA_CA_CERTS="/path/to/trustlab-root.crt"
node server.js
```
---
## 3. Python (Requests/Pip)
Python's `requests` library (and `pip`) uses its own certificate bundle (`certifi`), ignoring Windows/macOS/Linux system stores.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed'))`
</Callout>
**Solution:**
Point to your Root CA using an environment variable.
```bash
export REQUESTS_CA_BUNDLE="/path/to/trustlab-root.crt"
python script.py
```
---
## 4. Java Applications
Java uses a proprietary "Keystore" (JKS) and typically **ignores** the Windows Certificate Store.
<Callout type="error" emoji={<Code className="w-5 h-5" />}>
`sun.security.validator.ValidatorException: PKIX path building failed`
</Callout>
**Solution:**
You must import the TrustLab Root CA into the Java Keystore (cacerts).
<Steps>
### Locate standard cacerts
Usually at `$JAVA_HOME/lib/security/cacerts`.
### Import with keytool
```bash
keytool -import -trustcacerts -alias trustlab-root \
-file trustlab-root.crt \
-keystore "$JAVA_HOME/lib/security/cacerts"
```
*Default password is typically `changeit`.*
</Steps>
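
Review bot: the `keytool -import` step in section 4 writes to the JDK-wide `cacerts` but says nothing about checking what is being trusted. `keytool` prints the certificate's fingerprints and asks for confirmation before adding it; tell the reader to compare that fingerprint with the one published for the TrustLab Root CA before answering yes. Also note that the command needs write access to `$JAVA_HOME/lib/security/cacerts` (typically an elevated shell), that the import applies only to that JDK installation and has to be repeated after a JDK upgrade, and use an absolute `/path/to/trustlab-root.crt` for `-file` to match the other sections.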