15 changes: 13 additions & 2 deletions .github/workflows/pages.yml
Expand Up @@ -30,13 +30,24 @@ jobs:
cd ID_software_architecture_files
mkdocs build
mv site ../_site
- name: Copy shared files
run: |
for dir in domain nginx; do
mkdir -p $dir/_includes
cp _includes/head_custom.html $dir/_includes/head_custom.html
done
- name: Build domain page docs
uses: actions/jekyll-build-pages@v1
with:
source: ./domain
destination: ./_site/domain
- name: Build nginx page docs
uses: actions/jekyll-build-pages@v1
with:
source: ./nginx
destination: ./_site/nginx
- name: Upload artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@v5

deploy:
environment:
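
Review bot: the new `actions/jekyll-build-pages@v1` steps and the bumped `actions/upload-pages-artifact@v5` are pinned by major tag only, so a moved or compromised tag would run unreviewed code in the job that produces the published site; pin each `uses:` to a full commit SHA and keep the version in a trailing comment (e.g. `uses: actions/upload-pages-artifact@<commit-sha> # v5`, placeholder SHA) so Dependabot can still track updates. The `for dir in domain nginx` loop also silently depends on `_includes/head_custom.html` existing at the repository root; `cp` failing the job when it is missing is the right behaviour, but a one-line comment saying the file is shared by both Jekyll sites would spare the next editor a search.
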
Expand All @@ -47,4 +58,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@v5
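
Review bot: bumping to `actions/deploy-pages@v5` keeps the deploy step in line with `actions/upload-pages-artifact@v5` from the build job, which is needed, but the same mutable-tag concern applies here and matters more: this is the step that actually publishes to the live site, so pin it to a commit SHA rather than the `v5` tag.
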
28 changes: 22 additions & 6 deletions README.md
Expand Up @@ -2,34 +2,50 @@

* [Architecture of ID-software](http://open-eid.github.io)
* [Domain Controller Configuration](http://open-eid.github.io/domain)
* [Nginx SSL Configuration](http://open-eid.github.io/nginx)

## Editing and building "Architecture of ID-software"

Uses http://www.mkdocs.org/ and https://github.com/mkdocs/mkdocs-bootswatch styles for generating documentation.
Uses http://www.mkdocs.org/ and https://github.com/mkdocs/mkdocs-bootswatch styles for generating documentation.

1. Update source files in ID_software_architecture_files/docs/

2. Build documentation localy
2. Build documentation locally

cd ID_software_architecture_files
mkdocs build

## Editing and building "Domain Controller Configuration"

Uses https://jekyllrb.com and https://just-the-docs.com styles for generating documentation.
Uses https://jekyllrb.com and https://just-the-docs.com styles for generating documentation.

1. Update source files in domain/

2. Build pdf document
2. Build PDF document

```bash
# Export English version
pandoc index.md -L kramdown-toc.lua -o eID_Auth_Guide_EN.pdf
pandoc domain/index.md -L kramdown-toc.lua -o eID_Auth_Guide_EN.pdf

# Export Estonian version
pandoc index.et.md -L kramdown-toc.lua -o eID_Auth_Guide_ET.pdf
pandoc domain/index.et.md -L kramdown-toc.lua -o eID_Auth_Guide_ET.pdf
```

## Editing and building "Nginx SSL Configuration"

Uses https://jekyllrb.com and https://just-the-docs.com styles for generating documentation.

1. Update source files in nginx/

2. Build PDF document

```bash
# Export English version
pandoc nginx/index.md -L kramdown-toc.lua -o nginx_SSL_EN.pdf

# Export Estonian version
pandoc nginx/index.et.md -L kramdown-toc.lua -o nginx_SSL_ET.pdf
```

## Support
Official builds are provided through official distribution point [id.ee](https://www.id.ee/en/article/install-id-software/). If you want support, you need to be using official builds. Contact our support via www.id.ee for assistance.
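
Review bot: the pandoc commands now take `domain/index.md` and `nginx/index.md`, i.e. they are meant to be run from the repository root, but `-L kramdown-toc.lua` is still a bare filename that pandoc resolves against the working directory (falling back to the user data directory's `filters` folder); unless the filter lives at the root this fails, so either give its path (for example `-L domain/kramdown-toc.lua`, if that is where it sits) or add a `cd` line as the mkdocs section does. Style point: the mkdocs build snippet is still an indented block while both pandoc snippets use fenced `bash` blocks; align them.
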
Expand Up @@ -6,11 +6,11 @@
if (altText && altText.trim() !== '') {
const figure = document.createElement('figure');
const figcaption = document.createElement('figcaption');

figure.className = 'generated-figure';
figcaption.className = 'generated-figcaption';
figcaption.textContent = altText;

const parent = img.parentNode;
figure.appendChild(img.cloneNode(true));
figure.appendChild(figcaption);
18 changes: 10 additions & 8 deletions domain/index.et.md
Expand Up @@ -6,16 +6,18 @@ See dokument pakub põhjalikku tehnilist ülevaadet ja samm-sammulisi juhiseid s

**Versioon:** 26.03/1

**Väljaandja:** [RIA](https://www.ria.ee/)

**Versiooni info**

| Kuupäev | Versioon | Muutused/märkused
|:-----------|:--------:|:-----------------------------------------------------------
| 21.01.2019 | 19.01/1 | Avalik versioon, baseerub 18.12 tarkvaral
| 10.03.2022 | 22.03/1 | Uuendatud versioon, baseerub EID-22.1.0.1922 tarkvaral. — Muutja: Urmas Vanem
| 21.01.2019 | 19.01/1 | Avalik versioon, baseerub `18.12` tarkvaral
| 10.03.2022 | 22.03/1 | Uuendatud versioon, baseerub `eID-22.1.0.1922` tarkvaral. — Muutja: Urmas Vanem
| 14.09.2022 | 22.09/1 | Lisatud uute Microsoft poolsete nõuete kirjeldus kasutaja ja eID kaardi sertifikaadi sidumiseks. — Muutja: Urmas Vanem
| 11.12.2023 | 23.12/1 | Eemaldatud ESTEID-SK 2015 ahel + väiksed muutused. — Muutja: Urmas Vanem
| 11.12.2023 | 23.12/1 | Eemaldatud `ESTEID-SK 2015` ahel + väiksed muutused. — Muutja: Urmas Vanem
| 31.10.2025 | 25.10/1 | Lisatud Zetes ahelad — Muutja: Raul Kaidro
| 13.03.2026 | 26.03/1 | Konverteeritud to Markdown formaati — Changed by: Raul Metsma
| 13.03.2026 | 26.03/1 | Konverteeritud Markdown formaati — Muutja: Raul Metsma

---
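
Review bot: in the version table, the `25.10/1` row (`Lisatud Zetes ahelad — Muutja: Raul Kaidro`) is the only entry without a full stop before the dash, unlike the rows above it; add it for consistency. Adding the `**Väljaandja:**` line is a good change, since a document that tells administrators which trust anchors to install should state its publisher on the document itself.
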

Expand All @@ -40,7 +42,7 @@ eID logini rakendamine eeldab kogumit süsteemseid ettevalmistusi nii domeeni ku
eID kaartidega domeeni logimiseks tuleb keskkond konfigureerida järgnevalt:

* Domeeni kontrollerid peavad omama endi tuvastamiseks spetsiifiliste omadustega sertifikaati, mida usaldavad ka kliendid.
* Domeeni kontrollerid peavad usaldama sertifitseerimiskeskuse eID kaartide harude juur- ja kesktasemete sertifikaate.
* Domeeni kontrollerid peavad usaldama [SK ID Solutions](https://www.skidsolutions.eu/resources/certificates/) (`EE-GovCA2018`) ja [Zetes](https://repository.eidpki.ee/) (`EEGovCA2025`) eID kaartide harude juur- ja kesktasemete sertifikaate.
* Klientarvutitel peab olema installeeritud ID-tarkvara (täna, märtsis 2026, soovitame kõige värskeimat versiooni 25.10.23.8403).
* Klientarvutid peavad toetama sertifikaate, millel puudub spetsiaalne kiipkaardiga logimise toe atribuut (`Smart Card Logon` EKU) ja samuti peab lubatud olema ECC sertifikaatide kasutamine arvutisse logimise eesmärgil.
* Domeenis peab eID kaartide autentimissertifikaat olema seotud kindla kasutajaga.
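
Review bot: the Zetes link in the bullet points at the repository root (`https://repository.eidpki.ee/`) while the certificate list further down in this file links `https://repository.eidpki.ee/crt/`; use one target, preferably the `/crt/` page the reader actually needs. Since these two bullets are where administrators are told which root CAs to trust, consider also stating that the downloaded root certificates' fingerprints should be compared against the values the issuer publishes before they are added to the domain trust store.
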
Expand All @@ -67,9 +69,9 @@ Juhul, kui ettevõttel PKI lahendus puudub, tundub mõistliku otsusena selle loo

eID kaartide ja nendega seotud sertifikaatide kasutamisel domeeni sisselogimisel peavad domeeni kontrollerid neid usaldama, nii kesk- kui juurtaseme sertifikaadid peavad paiknema õigetes konteinerites. Sertifikaatide kehtivuse kontrollimiseks peab olema ligipääs SK ja Zetes OCSP teenusele.

eID kaardiga domeeni logimise võimaldamiseks tuleb kesktaseme sertifikaadid (ESTEID2018, ESTEID2025) paigaldada ka domeeni NTAuthCertificates konteinerisse. Seda saame teha käsuga `certutil -dspublish -f 'SERDINIMI' NTAuthCA`. Samuti võime domeeni konteinerisse lisada ka juurtaseme sertifikaadi, siis on käsuks `certutil -dspublish -f 'SERDINIMI' RootCA`.
eID kaardiga domeeni logimise võimaldamiseks tuleb kesktaseme sertifikaadid (`ESTEID2018`, `ESTEID2025`) paigaldada ka domeeni NTAuthCertificates konteinerisse. Seda saame teha käsuga `certutil -dspublish -f 'SERDINIMI' NTAuthCA`. Samuti võime domeeni konteinerisse lisada ka juurtaseme sertifikaadi, siis on käsuks `certutil -dspublish -f 'SERDINIMI' RootCA`.

Sertifikaadid on allalaetavad lehelt [https://www.skidsolutions.eu/resources/certificates/](https://www.skidsolutions.eu/resources/certificates/) ja [https://repository.eidpki.ee/crt/](https://repository.eidpki.ee/crt/). Tänase seisuga vajame järgmiseid sertifikaate:
Sertifikaadid on allalaetavad lehelt <https://www.skidsolutions.eu/resources/certificates/> ja <https://repository.eidpki.ee/crt/>. Tänase seisuga vajame järgmiseid sertifikaate:

* [EE-GovCA2018](https://c.sk.ee/EE-GovCA2018.der.crt) - usaldusväärne juursertifikaat;
* [EEGovCA2025](https://crt.eidpki.ee/EEGovCA2025.crt) - usaldusväärne juursertifikaat;
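
Review bot: `certutil -dspublish -f 'SERDINIMI' NTAuthCA` uses single quotes, which PowerShell treats as quoting but `cmd.exe` passes through literally, so in a standard elevated command prompt `certutil` would look for a file whose name includes the quote characters; use double quotes (`"SERDINIMI"`) or say which shell is assumed. Wrapping `ESTEID2018`/`ESTEID2025` in backticks is fine, but `NTAuthCertificates` a few words later is also a literal container name and should get the same treatment.
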
Expand Down Expand Up @@ -128,7 +130,7 @@ Juhul, kui eID kaartidega tahetakse logida näiteks domeenivälisest koduarvutis

### OCSP sertifikaadikontrolli meetodi keskne nõue

Hetkel kasutusel olevate eID kaartide puhul ei ole meil vajalik OCSP teed enam keskselt kirjeldada, kuna see on sertifikaadis juba sees. CRL tee neis sertifikaatides puudub, seega toimub sertifikaadi kehtivuse kontroll vaikimisi ainult vastu vaba ligipääsuga AIA OCSP teenust (http://aia.sk.ee/esteid2018, http://ocsp.eidpki.ee).
Hetkel kasutusel olevate eID kaartide puhul ei ole meil vajalik OCSP teed enam keskselt kirjeldada, kuna see on sertifikaadis juba sees. CRL tee neis sertifikaatides puudub, seega toimub sertifikaadi kehtivuse kontroll vaikimisi ainult vastu vaba ligipääsuga AIA OCSP teenust (<http://aia.sk.ee/esteid2018>, <http://ocsp.eidpki.ee>).

> **Märkus:** OCSP nõude kehtestamise korral vii end kurssi ka mõistega OCSP maagiline number.[^3]
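
Review bot: both OCSP responder URLs are plain `http://`, which is correct for OCSP (responses are signed, and fetching them over TLS would only add a dependency), but a reader hardening a domain controller may be tempted to block outbound port 80; the paragraph should say explicitly that domain controllers need outbound HTTP to `aia.sk.ee` and `ocsp.eidpki.ee` for revocation checking to complete, and that it is the response signature, not the transport, that protects the check.
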

16 changes: 9 additions & 7 deletions domain/index.md
Expand Up @@ -6,14 +6,16 @@ This document provides a comprehensive technical overview and step-by-step guida

**Version:** 26.03/1

**Published by:** [RIA](https://www.ria.ee/)

**Version information**

| Date | Version | Changes/Notices
|:-----------|:-------:|:-----------------------------------------------------------
| 21.01.2019 | 19.01/1 | Public version, based on software version 18.12.
| 10.03.2022 | 22.03/1 | Updated version, based on software version eID-22.1.0.1922. — Changed by: Urmas Vanem
| 21.01.2019 | 19.01/1 | Public version, based on software version `18.12`.
| 10.03.2022 | 22.03/1 | Updated version, based on software version `eID-22.1.0.1922`. — Changed by: Urmas Vanem
| 14.09.2022 | 22.09/1 | Added description of new requirements from Microsoft for mapping user and eID card certificate. — Changed by: Urmas Vanem
| 11.12.2023 | 23.12/1 | Removed ESTEID-SK 2015 chain + minor changes. — Changed by: Urmas Vanem
| 11.12.2023 | 23.12/1 | Removed `ESTEID-SK 2015` chain + minor changes. — Changed by: Urmas Vanem
| 31.10.2025 | 25.10/1 | Added Zetes certificates — Changed by: Raul Kaidro
| 13.03.2026 | 26.03/1 | Converted to Markdown format — Changed by: Raul Metsma
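
Review bot: the `25.10/1` entry reads `Added Zetes certificates` while the Estonian version's log says `Lisatud Zetes ahelad` (chains); make the English `Added Zetes certificate chains` so both logs describe the same change, and give it a full stop before the dash like the rows above it.
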

Expand All @@ -40,7 +42,7 @@ Configuring ID login requires a set of systemic preparations for both the domain
To enable eID card logging into Windows domain following options must be enabled:

* Domain controllers must have a specific certificate to identify themselves, the certificate must also be trusted by clients/computers.
* Domain controllers must trust root and intermediate level certificates from eID card chains.
* Domain controllers must trust root and intermediate level certificates from [SK ID Solutions](https://www.skidsolutions.eu/resources/certificates/) (`EE-GovCA2018`) and [Zetes](https://repository.eidpki.ee/) (`EEGovCA2025`) eID card chains.
* Client computers must have ID-software installed (today, March 2026, we recommend the most recent version 25.10.23.8403).
* Client computers must support certificates that do not have a special `Smart Card Logon` EKU property and the use of ECC certificates for logging purposes into computers must also be allowed.
* In the domain, the authentication certificate of the eID card must be linked to a specific user.
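
Review bot: `[Zetes](https://repository.eidpki.ee/)` points at the repository root whereas the download list later in this file links `https://repository.eidpki.ee/crt/`; pick one target. In the unchanged lead-in line, `To enable eID card logging into Windows domain` should read `To enable eID card login to a Windows domain`; `logging` is used for `login` throughout this section and makes a security-critical procedure harder to read.
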
Expand All @@ -67,9 +69,9 @@ If PKI services are not implemented in the domain, it could be a good idea to ch

To use eID cards and related certificates for domain logging, domain controllers must trust those certificates. Both root and intermediate certificates form eID certificate chains must be trusted and installed into correct certificate containers. Domain controllers must also have access to the OCSP service described in certificates to check the validity of certificates.

To enable domain logging with an eID card, intermediate level certificates (ESTEID2018, ESTEID2025) must be installed in the NTAuthCertificates container of the domain. We can do this with the command `certutil -dspublish -f 'CERTIFICATE NAME' NTAuthCA`. We can also add a root-level certificate to the domain container with the command `certutil -dspublish -f 'CERTIFICATE NAME' RootCA`.
To enable domain logging with an eID card, intermediate level certificates (`ESTEID2018`, `ESTEID2025`) must be installed in the NTAuthCertificates container of the domain. We can do this with the command `certutil -dspublish -f 'CERTIFICATE NAME' NTAuthCA`. We can also add a root-level certificate to the domain container with the command `certutil -dspublish -f 'CERTIFICATE NAME' RootCA`.

Certificates can be downloaded from [https://www.skidsolutions.eu/resources/certificates/](https://www.skidsolutions.eu/resources/certificates/) and [https://repository.eidpki.ee/crt/](https://repository.eidpki.ee/crt/). As of today, we need the following certificates:
Certificates can be downloaded from <https://www.skidsolutions.eu/resources/certificates/> and <https://repository.eidpki.ee/crt/>. As of today, we need the following certificates:

* [EE-GovCA2018](https://c.sk.ee/EE-GovCA2018.der.crt) - trusted root certificate;
* [EEGovCA2025](https://crt.eidpki.ee/EEGovCA2025.crt) - trusted root certificate;
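
Review bot: `certutil -dspublish -f 'CERTIFICATE NAME' NTAuthCA` uses single quotes, which `cmd.exe` passes through literally (only PowerShell treats them as quoting), so the command as written fails in a standard elevated command prompt; use double quotes or state the shell. In the unchanged paragraph above, `certificates form eID certificate chains` is a typo for `from`, and `domain logging` should be `domain login`.
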
Expand Down Expand Up @@ -128,7 +130,7 @@ If you want to support eID card to log in from a non-domain, for example from ho

### Requiring OCSP revocation check

For eID cards currently in use, it is no longer necessary for us to describe the OCSP path centrally, as it is already included in the certificate. There is no CRL path in these certificates, so by default the certificate's validity is checked only against the free access AIA OCSP service (http://aia.sk.ee/esteid2018, http://ocsp.eidpki.ee).
For eID cards currently in use, it is no longer necessary for us to describe the OCSP path centrally, as it is already included in the certificate. There is no CRL path in these certificates, so by default the certificate's validity is checked only against the free access AIA OCSP service (<http://aia.sk.ee/esteid2018>, <http://ocsp.eidpki.ee>).

> **Note:** If using OCSP, familiarize yourself with the concept of OCSP magic number also.[^3]
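
Review bot: the OCSP endpoints are `http://` by design (OCSP responses are signed, RFC 6960), but this is exactly the kind of URL a firewall review flags; add a sentence that domain controllers must be allowed outbound HTTP to `aia.sk.ee` and `ocsp.eidpki.ee`, and that with that egress blocked the revocation check cannot complete.
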

File renamed without changes.
7 changes: 7 additions & 0 deletions nginx/_config.yml
@@ -0,0 +1,7 @@
remote_theme: just-the-docs/just-the-docs
title: Estonian eID Nginx SSL Configuration
description: Technical documentation for configuring two-way SSL using Estonian ID-cards in Ubuntu Nginx web server.
google_analytics:
layout: minimal
nav_enabled: false
baseurl: "/nginx"
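
Review bot: `google_analytics:` is left with an empty value; if the theme ignores the key it is dead configuration, and if it honours it, filling it in later would ship a third-party tracker with a security configuration guide, so drop the key unless tracking is intended. `baseurl: "/nginx"` correctly matches the `destination: ./_site/nginx` set in the workflow.
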
Binary file added nginx/img/image1.png
Binary file added nginx/img/image2.png
Binary file added nginx/img/image3.png
Binary file added nginx/img/image4.png
Binary file added nginx/img/image5.png
Binary file added nginx/img/image6.png
Binary file added nginx/img/image7.png