feat: initial commit of trustlab-docs

2026-01-26 05:25:38 +07:00 · 2026-01-08 15:03:32 +07:00
commit 6c5b0c53ae
31 changed files with 8109 additions and 0 deletions
--- a/pages/guide/_meta.json
+++ b/pages/guide/_meta.json
@@ -0,0 +1,6 @@
+{
+    "index": "Overview",
+    "getting-started": "Getting Started",
+    "certificates": "Certificate Operations",
+    "integrations": "Integrations"
+}
--- a/pages/guide/certificates/_meta.json
+++ b/pages/guide/certificates/_meta.json
@@ -0,0 +1,6 @@
+{
+    "request-new": "Requesting a Certificate",
+    "download-install": "Download & Formats",
+    "renewal": "Renewal Process",
+    "revocation": "Revocation"
+}
--- a/pages/guide/certificates/download-install.mdx
+++ b/pages/guide/certificates/download-install.mdx
@@ -0,0 +1,39 @@
+# Download & Formats (PEM, PFX, JKS)
+
+Once your certificate is issued, you can download it in various formats suitable for different servers and applications.
+
+## Available Formats
+
+| Format | Extension | Used For |
+| :--- | :--- | :--- |
+| **PEM (Nginx/Apache)** | `.crt`, `.key` | Standard Linux web servers. You get separate Certificate and Private Key files. |
+| **PFX / PKCS#12** | `.pfx`, `.p12` | IIS (Windows), Microsoft Exchange, Client Certificates (S/MIME). Contains both key and cert. |
+| **JKS (Java)** | `.jks` | Java applications (Tomcat, Spring Boot). |
+
+## How to Download
+
+1. Go to **"My Certificates"** in the dashboard.
+2. Click on the certificate ID or the **"View"** button.
+3. Scroll to the **"Downloads"** section.
+4. Select the format you need and click **Download**.
+
+> [!WARNING]
+> The **Private Key** is generated securely. If you lose it, you cannot recover it. You must revoke and re-issue the certificate.
+
+## Installation Examples
+
+### Nginx (PEM)
+```nginx
+server {
+    listen 443 ssl;
+    server_name internal.app;
+
+    ssl_certificate     /etc/nginx/ssl/internal.app.crt;
+    ssl_certificate_key /etc/nginx/ssl/internal.app.key;
+}
+```
+
+### Windows (PFX)
+1. Double-click the downloaded `.pfx` file.
+2. Follow the "Certificate Import Wizard".
+3. When prompted for a password, enter the password you set during download (or the default export password provided in the UI).
--- a/pages/guide/certificates/renewal.mdx
+++ b/pages/guide/certificates/renewal.mdx
@@ -0,0 +1,26 @@
+# Renewal Process
+
+Certificates expire to ensure security rotation. TrustLab simplifies the renewal process so you don't experience downtime.
+
+## When to Renew
+You will receive an email notification:
+- **30 days** before expiration.
+- **7 days** before expiration.
+- **1 day** before expiration.
+
+## How to Renew
+
+1. Log in to TrustLab.
+2. Navigate to **"My Certificates"**.
+3. Identify certificates marked with the **"Expiring Soon"** badge.
+4. Click the **"Renew"** button next to the certificate.
+5. Review the details (CN, SANs). You can add or remove SANs at this stage.
+6. Click **Confirm Renewal**.
+
+## What Happens Next?
+- A **new certificate** is generated with a new validity period.
+- The **Private Key** remains the same (if "Reuse Key" was selected) OR a new key is generated (recommended).
+- The old certificate remains valid until its original expiration date (unless revoked).
+
+> [!IMPORTANT]
+> You must **download and install the new certificate** on your server. Renewal **does not** happen automatically on the server side unless you use our ACME integration.
--- a/pages/guide/certificates/request-new.mdx
+++ b/pages/guide/certificates/request-new.mdx
@@ -0,0 +1,31 @@
+# Requesting a New Certificate
+
+TrustLab allows you to request private SSL/TLS certificates for various internal uses.
+
+## Prerequisites
+- You must have an active TrustLab account.
+- You must have the **Root CA** installed on your machine.
+
+## Step-by-Step Guide
+
+1. **Log in to Dashboard**
+   Navigate to the TrustLab Dashboard and login with your credentials.
+
+2. **Navigate to "New Certificate"**
+   Click on the **"New Request"** button in the top navigation bar or the main dashboard card.
+
+3. **Select Certificate Profile**
+   Choose the profile that matches your need:
+   - **Internal Web Server**: For HTTPS on internal tools (e.g., specific IP or `.local` domains).
+   - **User / S/MIME**: For email signing and encryption.
+   - **Code Signing**: For signing scripts and executables.
+
+4. **Fill in Details**
+   - **Common Name (CN)**: The primary domain name or IP address (e.g., `internal.app` or `192.168.1.50`).
+   - **Subject Alternative Names (SANs)**: Additional domains or IPs (optional).
+   - **Validity Period**: Choose between 90 days, 1 year, or custom (if allowed).
+
+5. **Submit Request**
+   Click **"Submit"**. The system will process your request. 
+   - If **Auto-Approval** is enabled for your role, the certificate is issued immediately.
+   - If **Manual Approval** is required, the status will be `PENDING` until a Manager approves it.
--- a/pages/guide/certificates/revocation.mdx
+++ b/pages/guide/certificates/revocation.mdx
@@ -0,0 +1,23 @@
+# Revocation (Cabut Sertifikat)
+
+Revocation invalidates a certificate before its expiration date. This is critical if a Private Key is compromised.
+
+## When to Revoke?
+- **Key Compromise**: You suspect someone stole your Private Key.
+- **Service Change**: The domain name effectively no longer belongs to the service.
+- **Mistake**: The certificate was issued with incorrect details.
+
+## How to Revoke
+
+1. Open the Certificate Detail page.
+2. Click the **"Revoke"** button (Danger Zone).
+3. Select a **Reason Code**:
+   - `unspecified` (0)
+   - `keyCompromise` (1)
+   - `cACompromise` (2)
+   - `superseded` (4)
+   - `cessationOfOperation` (5)
+4. Confirm the action.
+
+## CRL (Certificate Revocation List)
+Once revoked, the certificate serial number is added to the TrustLab CRL. All clients checking the CRL will immediately reject the certificate.
--- a/pages/guide/getting-started/_meta.json
+++ b/pages/guide/getting-started/_meta.json
@@ -0,0 +1,4 @@
+{
+    "install-root-ca": "Install Root CA",
+    "access-dashboard": "Access Dashboard"
+}
--- a/pages/guide/getting-started/access-dashboard.mdx
+++ b/pages/guide/getting-started/access-dashboard.mdx
@@ -0,0 +1,5 @@
+# Accessing Dashboard
+
+1. Navigate to [https://trustlab.dyzulk.com](https://trustlab.dyzulk.com).
+2. Click "Login".
+3. Use your SSO credentials or Magic Link.
--- a/pages/guide/getting-started/install-root-ca.mdx
+++ b/pages/guide/getting-started/install-root-ca.mdx
@@ -0,0 +1,36 @@
+import { CertificateDownload } from '../../../components/CertificateDownload'
+
+# Installing Root CA
+
+To ensure your browser trusts certificates issued by TrustLab, you must install our Root CA.
+
+<div className="my-8">
+  <CertificateDownload />
+</div>
+
+## Manual Installation Guide
+
+### Windows
+1. Download the Root CA (`.crt`) or use the auto-installer above.
+2. Double-click to open.
+3. Click "Install Certificate".
+4. Select "Local Machine" (Requires Admin).
+5. Choose "Place all certificates in the following store" -> **Trusted Root Certification Authorities**.
+
+### macOS
+1. Download the Root CA.
+2. Open in Keychain Access.
+3. Double-click the certificate.
+4. Expand "Trust" and select "Always Trust".
+
+### Linux (Debian/Ubuntu)
+```bash
+sudo cp trustlab-root.crt /usr/local/share/ca-certificates/
+sudo update-ca-certificates
+```
+
+### Android
+1. Settings > Security > Encryption & Credentials.
+2. Install a certificate > CA Certificate.
+3. Select the downloaded `.crt` or `.der` file.
+
--- a/pages/guide/index.mdx
+++ b/pages/guide/index.mdx
@@ -0,0 +1,8 @@
+# User Guide
+
+Welcome to the TrustLab User Guide. Here you will find step-by-step instructions on how to use our services.
+
+## Getting Started
+
+- [Install Root CA](/guide/getting-started/install-root-ca)
+- [Access Dashboard](/guide/getting-started/access-dashboard)
--- a/pages/guide/integrations/_meta.json
+++ b/pages/guide/integrations/_meta.json
@@ -0,0 +1,5 @@
+{
+    "smime": "S/MIME for Email",
+    "web-servers": "Web Servers (Nginx/IIS)",
+    "code-signing": "Code Signing"
+}
--- a/pages/guide/integrations/code-signing.mdx
+++ b/pages/guide/integrations/code-signing.mdx
@@ -0,0 +1,23 @@
+# Code Signing
+
+Code signing ensures that scripts and executables have not been tampered with and originate from a trusted source (Internal Developer).
+
+## Supported Formats
+- **Microsoft Authenticode** (Executables, PowerShell scripts)
+- **Java Archive** (JAR files)
+
+## Signing with SignTool (Windows)
+
+1. **Install SignTool**: Included in the Windows SDK.
+2. **Download PFX**: Get your Code Signing certificate in `.pfx` format.
+3. **Run Command**:
+
+```powershell
+signtool sign /f "MyCert.pfx" /p "password" /tr http://timestamp.digicert.com /td sha256 /fd sha256 .\MyApp.exe
+```
+
+- `/tr`: Timestamp Server (Recommended so the signature is valid even after cert expiry).
+- `/fd`: File Digest algorithm (Use SHA256).
+
+## Verifying Signature
+Right-click the `.exe` file -> **Properties** -> **Digital Signatures** tab. You should see "TrustLab Internal CA" in the certificate path.
--- a/pages/guide/integrations/smime.mdx
+++ b/pages/guide/integrations/smime.mdx
@@ -0,0 +1,28 @@
+# S/MIME Email Security
+
+Secure/Multipurpose Internet Mail Extensions (S/MIME) allows you to **sign** and **encrypt** internal emails.
+
+- **Signing**: Proves the email actually came from you (prevents spoofing).
+- **Encryption**: Ensures only the intended recipient can read the message.
+
+## Prerequisites
+- A TrustLab certificate with the **S/MIME** profile.
+- Downloaded in **PFX (.p12)** format.
+
+## Outlook (Windows) Setup
+1. Open Outlook. Go to **File > Options > Trust Center**.
+2. Click **Trust Center Settings > Email Security**.
+3. Under "Encrypted Email", click **Settings**.
+4. Click **Choose** for Signing Certificate and select your TrustLab ID.
+5. Click **OK**.
+
+## Thunderbird Setup
+1. Go to **Settings > Privacy & Security**.
+2. Scroll to **Certificates** and click **Manage Certificates**.
+3. Under **"Your Certificates"**, click **Import**.
+4. Select your `.p12` file.
+5. Go back to Account Settings > Security.
+6. Select the certificate for **Digital Signing** and **Encryption**.
+
+> [!TIP]
+> To send encrypted email to a colleague, you must first possess their Public Key (usually by receiving a signed email from them first).
--- a/pages/guide/integrations/web-servers.mdx
+++ b/pages/guide/integrations/web-servers.mdx
@@ -0,0 +1,52 @@
+# Web Server Configuration
+
+Configuring SSL/TLS on internal web servers is the most common use case for TrustLab.
+
+## Nginx Configuration
+
+Ensure you have downloaded the **PEM** format bundle (contains `.crt` and `.key`).
+
+```nginx
+server {
+    listen 80;
+    server_name internal.app;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name internal.app;
+
+    # SSL Configuration
+    ssl_certificate     /path/to/internal.app.crt;
+    ssl_certificate_key /path/to/internal.app.key;
+
+    # Recommended Security Settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+}
+```
+
+## Apache (httpd)
+
+```apache
+<VirtualHost *:443>
+    ServerName internal.app
+    SSLEngine on
+    SSLCertificateFile "/path/to/internal.app.crt"
+    SSLCertificateKeyFile "/path/to/internal.app.key"
+</VirtualHost>
+```
+
+## IIS (Windows Server)
+
+For IIS, you must use the **PFX** format.
+
+1. Open **IIS Manager**.
+2. Select the server node.
+3. Open **Server Certificates**.
+4. Click **Import** in the actions pane.
+5. Select your `.pfx` file and enter the password.
+6. Go to your Site -> **Bindings**.
+7. Add **https** binding and select the imported certificate.