From 05f35a76af07caea625f926f82a3bcd54edd926b Mon Sep 17 00:00:00 2001 From: Fadi Abbud Date: Wed, 2 Feb 2022 15:19:25 +0100 Subject: [PATCH] Instruction for installing TLS server certificate on nginx --- README.md | 1 + docs/install-server-certificate.md | 46 ++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 docs/install-server-certificate.md diff --git a/README.md b/README.md index 1497e5f..079c457 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ These places the binaries under `bin/` directory. - [Install](http://nginx.org/en/docs/install.html) **nginx** +- To install server certificate on nginx see [docs/install-server-certificate.md](docs/client-certificate-setup.md) - To configure nginx see [docs/provider-setup.md](docs/provider-setup.md) ## csaf_uploader diff --git a/docs/install-server-certificate.md b/docs/install-server-certificate.md new file mode 100644 index 0000000..cb43674 --- /dev/null +++ b/docs/install-server-certificate.md 
@@ -0,0 +1,46 @@ +# Install TLS Certificate on nginx + +If you already have the TLS Certificates you can start with [Link the files](#link-the-files) step. + + +## Generate a private key and Certificate Signing Request (CSR) +Generate and submit the Certificate Signing Request (CSR) to the issuing Certificate Authority (CA) for processing. + +Firstly create the key +```shell +openssl req -new newkey -aes256 -out {domainName}.key 4096 +``` +Then create the Certificate Singing Request (CSR) + +```shell +openssl req -new -key {domainName}.key -out {domainName}.csr +``` +A number of questions about the CSR details should be answered. + +These generated CSR is necessary for the validation of the TLS certificate generation, thus the content should be submitted to the Certificate Authority to sign the certificate. + +## Link the files +Once the CA issues the certificate download it to `/etc/ssl/`. + +- If you recieved {domainName}.pem file from the CA when the certificate was issued, then this file contains both primary and intermediate certificate and you can skip the next step. +- Concatenate the primary certificate file ({domainName.crt}) and the intermediate file ({intemediate.crt}) +```shell +cat {domainName.crt} {intermediate.crt} >> bundle.crt +``` + + +## Configure nginx +Adjust the server block in ```/etc/nginx/sites-enabled/default```: + +``` +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + ssl_certificate /etc/ssl/{domainName.pem}; # or bundle.crt + ssl_certificate_key /etc/ssl/{domainName}.key"; + # Other Config + # ... +} + +Restart nginx with systemctl nginx restart to apply the changes. \ No newline at end of file
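Review bot: In the README.md hunk, the added bullet shows `docs/install-server-certificate.md` as its link text but points the link at `docs/client-certificate-setup.md`, so it does not lead to the file this patch creates. Change the link target to `docs/install-server-certificate.md`.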
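Review bot: In docs/install-server-certificate.md, the command under "Firstly create the key", `openssl req -new newkey -aes256 -out {domainName}.key 4096`, mixes `req` and `genrsa` syntax and is not a valid invocation: `newkey` has no leading dash, and the trailing `4096` is a `genrsa`-style bit count. The CSR step that follows reads the key with `-key {domainName}.key`, so the key step should be something like `openssl genrsa -aes256 -out {domainName}.key 4096`. Since `-aes256` passphrase-protects the key, the doc should also say how nginx gets the passphrase at start (for example `ssl_password_file`), or tell the reader to generate the key unencrypted and restrict its file permissions. In the "Configure nginx" block, `ssl_certificate_key /etc/ssl/{domainName}.key";` has a stray `"` before the semicolon, and the code fence is never closed, so the restart sentence renders inside the block. The restart command should read `systemctl restart nginx`. In "Link the files", `>>` appends to an existing `bundle.crt` on a second run and duplicates the chain, so `>` is safer. The placeholders `{domainName.crt}`, `{domainName.pem}` and `{intemediate.crt}` should follow the `{domainName}.key` form used in the commands. Spelling: "Singing" and "recieved".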