From b1f061eb5e650b2f49afb640cf572da695787fac Mon Sep 17 00:00:00 2001
From: dyzulk <66510723+dyzulk@users.noreply.github.com>
Date: Thu, 8 Jan 2026 19:16:47 +0700
Subject: [PATCH] doc: refine smime guide structure and styling

---
pages/guide/integrations/smime.mdx | 92 +++++++++++++++-----
pages/guide/integrations/web-servers.mdx | 106 ++++++++++++++---------
pages/knowledge/fundamentals/index.mdx | 76 ++++++++++++++++
3 files changed, 212 insertions(+), 62 deletions(-)
create mode 100644 pages/knowledge/fundamentals/index.mdx

diff --git a/pages/guide/integrations/smime.mdx b/pages/guide/integrations/smime.mdx
index 4bba4b7..3c059ff 100644
--- a/pages/guide/integrations/smime.mdx
+++ b/pages/guide/integrations/smime.mdx
@@ -1,28 +1,78 @@ +import { Steps, Callout, Tabs } from 'nextra/components' +import { Mail, BadgeAlert, ShieldCheck } from 'lucide-react' + # S/MIME Email Security -Secure/Multipurpose Internet Mail Extensions (S/MIME) allows you to **sign** and **encrypt** internal emails. +Secure/Multipurpose Internet Mail Extensions (S/MIME) allows you to **sign** (prove identity) and **encrypt** (protect content) email messages. -- **Signing**: Proves the email actually came from you (prevents spoofing). -- **Encryption**: Ensures only the intended recipient can read the message. +}> + **Internal Use Only:** + TrustLab certificates are private. If you send signed emails to **External Recipients** (e.g., Gmail, Yahoo), they will see an "Untrusted/Invalid Signature" warning because they do not trust the TrustLab Root CA. + + **Use this for internal corporate communication only.** + -## Prerequisites -- A TrustLab certificate with the **S/MIME** profile. -- Downloaded in **PFX (.p12)** format. +## Setup Guide -## Outlook (Windows) Setup -1. Open Outlook. Go to **File > Options > Trust Center**. -2. Click **Trust Center Settings > Email Security**. -3. Under "Encrypted Email", click **Settings**. -4. Click **Choose** for Signing Certificate and select your TrustLab ID. -5. Click **OK**. +## Configure Microsoft Outlook -## Thunderbird Setup -1. Go to **Settings > Privacy & Security**. -2. Scroll to **Certificates** and click **Manage Certificates**. -3. Under **"Your Certificates"**, click **Import**. -4. Select your `.p12` file. -5. Go back to Account Settings > Security. -6. Select the certificate for **Digital Signing** and **Encryption**. + + + **Supported Versions:** Outlook 365, 2019, 2016. + + + ### 1. Open Trust Center + Go to **File > Options > Trust Center > Trust Center Settings**. + + ### 2. Email Security + Select **Email Security** from the left sidebar. + + ### 3. 
Import Certificate + Under *Encrypted Email*, click **Settings...** + * **Signing Certificate**: Click 'Choose' and select your TrustLab cert. + * **Encryption Certificate**: Same as above. + + ### 4. Save + Click **OK** to apply. + + + + **Supported Versions:** New Outlook for Windows, OWA. + *Note: Requires S/MIME Control extension.* + + + ### 1. Open Settings + Click the **Gear Icon** (Settings) in the top right. + + ### 2. S/MIME Menu + Navigate to **Mail > S/MIME**. + + ### 3. Enable + Enable **"Encrypt with S/MIME"** and select your certificate. + + + + +## Configure Thunderbird + +**Version Requirement:** v115+ (Supernova) or newer. + + +### 1. Account Settings +Click the **Menu (≡)** button and select **Account Settings**. + +### 2. End-to-End Encryption +Select your email account from the sidebar and click **End-to-End Encryption**. + +### 3. Import Certificate +In the **S/MIME** section, click **Add** (or Manager) to import your `.p12` file. + +### 4. Apply Certificate +Under *Select Certificate*, choose the imported file for both: +* **Digital Signing** +* **Encryption** + + +## How to Test +Send an email to a colleague who also has the Root CA installed. They should see a verified **Ribbon/Badge** icon indicating the email is trusted and unmodified. -> [!TIP] -> To send encrypted email to a colleague, you must first possess their Public Key (usually by receiving a signed email from them first). diff --git a/pages/guide/integrations/web-servers.mdx b/pages/guide/integrations/web-servers.mdx index afa49f6..4ecc9a4 100644 --- a/pages/guide/integrations/web-servers.mdx +++ b/pages/guide/integrations/web-servers.mdx 
@@ -1,52 +1,76 @@ +import { Tabs, Callout } from 'nextra/components' +import { Server, Globe, Shield } from 'lucide-react' + # Web Server Configuration -Configuring SSL/TLS on internal web servers is the most common use case for TrustLab. +To enable HTTPS on your internal services, you need to configure your web server to use the certificates issued by TrustLab. -## Nginx Configuration +}> + **Prerequisite:** Ensure you have downloaded the **PEM Bundle** (for Linux) or **PFX** (for Windows) as described in the [Download Guide](/guide/certificates/download-install). + -Ensure you have downloaded the **PEM** format bundle (contains `.crt` and `.key`). +## Configuration Examples -```nginx -server { - listen 80; - server_name internal.app; - return 301 https://$host$request_uri; -} +Select your web server environment below: -server { - listen 443 ssl http2; - server_name internal.app; + + + ### Nginx Setup + Target File: `/etc/nginx/sites-available/default` or `internal.app.conf` + + ```nginx + server { + listen 80; + server_name internal.app; + return 301 https://$host$request_uri; + } - # SSL Configuration - ssl_certificate /path/to/internal.app.crt; - ssl_certificate_key /path/to/internal.app.key; + server { + listen 443 ssl http2; + server_name internal.app; - # Recommended Security Settings - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; -} -``` + # SSL Configuration + ssl_certificate /etc/ssl/trustlab/internal.app.crt; + ssl_certificate_key /etc/ssl/trustlab/internal.app.key; -## Apache (httpd) + # Recommended Security + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + } + ``` + + + ### Apache / HTTPD Setup + Target File: `/etc/httpd/conf.d/ssl.conf` or VHost file. 
-```apache - - ServerName internal.app - SSLEngine on - SSLCertificateFile "/path/to/internal.app.crt" - SSLCertificateKeyFile "/path/to/internal.app.key" - -``` + ```apache + + ServerName internal.app + DocumentRoot /var/www/html/internal -## IIS (Windows Server) - -For IIS, you must use the **PFX** format. - -1. Open **IIS Manager**. -2. Select the server node. -3. Open **Server Certificates**. -4. Click **Import** in the actions pane. -5. Select your `.pfx` file and enter the password. -6. Go to your Site -> **Bindings**. -7. Add **https** binding and select the imported certificate. + SSLEngine on + SSLCertificateFile "/path/to/internal.app.crt" + SSLCertificateKeyFile "/path/to/internal.app.key" + + # Best Practice + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + + ``` + + + ### IIS (Internet Information Services) + Requires the **.pfx** file format. + + 1. **Import Certificate**: + * Open **IIS Manager** > Click Server Node > **Server Certificates**. + * Click **Import...** (Actions pane). + * Select your `.pfx` file and enter the password. + + 2. **Bind to Site**: + * Go to **Sites** > Select your site (e.g., Default Web Site). + * Click **Bindings...** > **Add...** + * Type: `https` | Port: `443`. + * **SSL Certificate**: Select the certificate you just imported. + + diff --git a/pages/knowledge/fundamentals/index.mdx b/pages/knowledge/fundamentals/index.mdx new file mode 100644 index 0000000..b9aa682 --- /dev/null +++ b/pages/knowledge/fundamentals/index.mdx 
@@ -0,0 +1,76 @@ +import { Callout, Cards, Card } from 'nextra/components' +import { ShieldCheck, ShieldAlert, BadgeCheck, Lock } from 'lucide-react' + +# PKI Fundamentals & Trust Context + +Understanding the difference between **Private PKI** (TrustLab) and **Public PKI** (Let's Encrypt, DigiCert) is critical for using SSL/TLS effectively and safely. + +## The Two Lanes of Trust + +The internet security model is built on two distinct "lanes" of trust. Mixing them up causes errors, but using them correctly provides **Military-Grade Security**. + + + } title="Public Lane (Global)" href="#1-public-pki" arrow /> + } title="Private Lane (Internal)" href="#2-private-pki-trustlab" arrow /> + + +### 1. Public PKI +* **Issuer**: Let's Encrypt, DigiCert, Google Trust Services. +* **Trust Model**: Pre-installed in every browser/OS (Chrome, Windows, iOS) by default. +* **Verification**: Requires you to own a public domain (e.g., `google.com`). +* **Limitation**: **Cannot** issue certificates for: + * Private IP Addresses (e.g., `192.168.1.50`). + * Internal Domain Names (e.g., `company.local`, `dev.internal`). + * Intranet servers behind a firewall. + +### 2. Private PKI (TrustLab) +* **Issuer**: TrustLab Root CA (Your Organization). +* **Trust Model**: Trusted **ONLY** by devices that have installed your Root CA. +* **Strength**: Uses the **exact same math** (RSA-2048/4096, SHA-256) as Public CAs. +* **Superpower**: Can secure **ANYTHING**: + * Localhost (`localhost`). + * Database Servers (`10.0.0.5`). + * Development Environments. + * Internal APIs. + +--- + +## Why "Military Grade"? + +TrustLab utilizes **OpenSSL**, the same cryptographic core used by majority of the world's secure servers, banks, and military networks. 
+ +| Feature | TrustLab (Private) | Public CA (Paid) | +| :--- | :--- | :--- | +| **Encryption** | RSA-2048 / RSA-4096 | RSA-2048 / RSA-4096 | +| **Signature** | SHA-256 | SHA-256 | +| **Protocol** | TLS 1.2 / 1.3 | TLS 1.2 / 1.3 | +| **Global Trust** | ❌ (Manual Install Required) | ✅ (Pre-installed) | +| **Internal IPs** | ✅ Supported | ❌ Forbidden | +| **Cost** | **Free** | $400+/month (for Private CA) | + +## Appropriate Use Cases + +}> + **The Golden Rule:** + Use **TrustLab** for anything the Public Internet CANNOT access. + Use **Public CAs** for anything the Public Internet MUST access. + + +### ✅ Perfect For (Green Lane) +* **Internal Tools**: Admin Panels, HR Portals, Dashboards. +* **Development**: Testing HTTPS on `localhost` or `dev.local`. +* **Databases**: Securing connection to MySQL/Postgres/Mongo. +* **IoT Devices**: Securing communication between sensors and local hubs. +* **S/MIME**: Encrypting email between employees. + +### ❌ Do Not Use For (Red Lane) +* **Public E-Commerce**: Your customer's browser will show a "Not Secure" warning. +* **Public Blogs/Websites**: Random visitors will not have your Root CA installed. + +## The "Trust Split" Myth + +There is **no conflict** between having TrustLab installed and visiting public websites. +* When you visit `google.com`, your browser uses the **Public Lane**. +* When you visit `intranet.corp`, your browser sees the TrustLab signature and uses the **Private Lane**. + +They coexist peacefully, providing comprehensive security for your entire digital life.