The Azure App Service task is built to deploy to either a "web-app" or a "function" via Azure App Service.
7
+
8
+
You need a working web-app or function app and an Application User setup using Azure AD, with a corresponding Secret. The info you need to collect for an Azure Application User credential is Directory/Tenant ID, Application/Client ID, Client Secret: (which you need to add using Azure AD and which you need to remind yourself to renew/update periodically).
9
+
10
+
- Ideally start with a working managed certificate, you will likely find that Azure requires a password to be set on the PFX that will be imported, so set that under Certificate > Advanced > Signing & Security - Security (scroll down for the option). Select *Request Certificate* again to re-build the certificate with the password set.
11
+
12
+
- Add the *Deploy to Azure App Service* task under Tasks for your managed certificate.
13
+
14
+
- On the *Task Parameters* tab, select/add the Azure App Service Credential you want to use to authenticate to the App Service, and the Azure App Service you want to deploy to. To add a stored credential, click "New" next to the credentials dropdown list to save new app login details
15
+
16
+
- Save the managed certificate and then click the ▶️ play button next to the task to run it. You should see a success message in the task log.
17
+
18
+
- Subsequent automated renewals will also run the deployment task after the renewal has completed successfully.
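Review bot: the *Task Parameters* bullet is missing its terminating full stop after "save new app login details", and "an Application User setup using Azure AD" should read "set up". More usefully for readers, the page lists what to collect (Directory/Tenant ID, Application/Client ID, Client Secret) but not what permission the application user needs on the target App Service; stating the minimum role to grant keeps the stored credential least-privilege, and a line on updating the stored credential in the app when the client secret is rotated would turn "remind yourself to renew/update periodically" into an actionable step.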
docs/deployment/tasks/tomcat.md
Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
1
1
---
2
2
id: tomcat
3
-
title: Apache Tomcat
3
+
title: Deployment Task - Apache Tomcat
4
4
---
5
5
6
6
Specific configuration of Apache Tomcat for individual requirements is outside of the scope of this documentation however the following is a suggested (working) configuration process for a default install of Tomcat 9.0:
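Review bot: the title change is fine on its own; while this file is being touched, the unchanged context line "outside of the scope of this documentation however the following" needs punctuation before "however" (a semicolon or a full stop) to read cleanly.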
docs/deployment/tasks_intro.md
Lines changed: 5 additions & 5 deletions
@@ -16,26 +16,26 @@ If you need to perform more custom steps using the certificate, or if you just w
16
16
17
17
You may wish to run a custom task before you renew your certificate. For instance, you may wish to to make automated firewall changes or call a custom Web Hook/API. These are called 'Pre-Request Tasks'.
18
18
19
-
## Post-Request (Deployment) Tasks
19
+
## Deployment Tasks
20
20
21
-
You may want to run any number of tasks after you have renewed your certificate or after it has been automatically deployed. For instance, running scripts, exporting for different server types (Apache, nginx), copying to remote servers etc. These are called 'Deployment Tasks'.
21
+
You may want to run any number of tasks after you have renewed your certificate or after it has been automatically deployed. For instance, running scripts, exporting for different server types (Apache, nginx), copying to remote servers etc. These are called 'Deployment Tasks' or Post-Request Tasks.
22
22
23
23
### Task Triggers
24
24
25
25
You can configure a task to run either when a certificate request was successful or on error, or you can opt to run the task manually.
26
26
27
27
Manually running a task is useful when you want to avoid restarting a service outside of maintenance hours, or if you wish to run the tasks from the command line, a script or a scheduled task. Example command line arguments are shown in the UI to help with scripting.
28
28
29
-
## Task Types
29
+
### Built-in Task Types
30
30
31
31
Built-in deployment task types, each with UI to configure the task parameters etc, include:
32
32
33
33
34
34
| Name | Description |
35
35
|---|---|
36
36
| Deploy Certificate to ADFS ||
37
-
| Deploy to Apache Tomcat| Export the certificate as a pkcs12 key store for use with Apache Tomcat. See [more details](./tasks/tomcat.md). |
38
-
| Deploy to Azure App Service| Note that setting a PFX password (Certificate> Advanced > Signing & Security) is required for this deployment. |
37
+
|[Deploy to Apache Tomcat](./tasks/tomcat.md)| Export the certificate as a pkcs12 key store for use with Apache Tomcat. |
38
+
|[Deploy to Azure App Service](./tasks/azure-app-service.md)| Note that setting a PFX password (Certificate> Advanced > Signing & Security) is required for this deployment. |
39
39
| Deploy to Azure Key Vault||
40
40
| Deploy to Centralized Certificate Store (CCS)||
41
41
| Deploy to Microsoft Exchange| Apply the certificate to a local MS Exchange services and apply it to an optional list of services (IMAP, SMTP, IIS, POP etc). |
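Review bot: in the rewritten sentence "These are called 'Deployment Tasks' or Post-Request Tasks." the two names are quoted inconsistently; quote both or neither. The rewritten Azure App Service row still carries "Certificate> Advanced" with a missing space after "Certificate", worth fixing since the row is being replaced anyway. Also the unchanged context line "you may wish to to make automated firewall changes" has a doubled "to".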
@@ -9,9 +9,20 @@ When requesting a certificate from a [Certificate Authority (CA)](certificate-au
9
9
10
10
In the case of ACME domain validated certificates this CSR mainly just includes the list of domains you want to include on the certificate (other fields such as Organisation etc are discarded because ACME doesn't validate these). The CSR is signed using your Private Key, verifiable using the public key included in the CSR. This ensures that the same entity who completed certificate validation is also the same entity submitting the certificate signing request.
11
11
12
+
## OCSP Must-Staple
13
+
To enable OCSP-Must staple check *Require OCSP Must-Staple* under Certificate > Advanced > Signing & Security. This will add the OCSP Must Staple extension to the CSR and the resulting certificate.
14
+
15
+
## CSR Signing Key Algorithm (Private Key)
16
+
Before version 6.x the app uses RSA 2048 for CSR signing keys (the certificate Private Key), but this has been changed to ECDSA P256 in version 6.x onwards. You can set your preference per-managed certificate under Certificate > Advanced > Signing & Security > CSR Signing Algorithm.
17
+
18
+
## Re-use a Private Key
19
+
In most cases you will want to use a new private key for each certificate request, but in some cases you may want to re-use an existing private key. For example, if you have a private key that is already in use by another system, or you have a private key that you want to use for multiple certificates. If you check *Use the same Private Key for Renewals* the app will generate a key on next renewal and re-use that for subsequent renewals of the same certificate.
20
+
21
+
You can also use a custom private key in PEM format, by selecting *Choose Private Key...* under Certificate > Advanced > Signing & Security > CSR Signing Key.
22
+
12
23
## Using a Custom CSR
13
24
In most cases the CSR (and private key) is generated for you, but in some cases you may need to supply your own, so that the resulting certificate can be used with other systems which require a CSR based workflow (such as SAP, various servers and IoT devices including printers etc).
14
25
15
-
- Click New Certificate, then in Certificate - Advanced > Signing & Security, Choose Custom CSR.
26
+
- Click New Certificate, then in Certificate > Advanced > Signing & Security, Choose Custom CSR.
16
27
- Select your CSR file, then select your Private key file. The private key file is required in order to build the final certificate PFX.
17
28
- Click Request Certificate. This will perform the certificate request with the ACME CA and submit your CSR, a signed certificate will then be downloaded.
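Review bot: "OCSP-Must staple" in the new section body does not match the heading's "OCSP Must-Staple"; use one spelling. That section should also say that Must-Staple only helps when the web server is actually configured to staple OCSP responses: clients that honour the extension refuse a connection that arrives without a stapled response, so enabling it without server-side stapling produces an outage rather than a hardening gain. In "Re-use a Private Key", state the trade-off that a key reused across renewals stays in service if it is ever exposed, whereas a fresh key per renewal limits that window. Minor: "Before version 6.x the app uses RSA 2048" should be "used".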
docs/renewals.md
Lines changed: 6 additions & 3 deletions
@@ -5,11 +5,14 @@ title: Certificate Renewals
5
5
6
6
All certificates have an expiry date, after which they cannot be used to secure communication. Certificates from Let's Encrypt expire after 90 days, so for that reason renewals need to happen often, and if there's going to be a problem with validation that will prevent the renewal, you need to know in advance of the certificate expiry.
7
7
8
-
**By default, Certify will attempt to auto-renew your certificates.**
8
+
**By default, Certify will attempt to auto-renew your certificates and tell you if something goes wrong**
9
9
10
-
If the process fails repeatedly, **it will try to notify you**(unless you have disabled the option) before certificate expiration becomes a problem. Set your 'Certificate Authority Account' under Settings > Certificate Authorities > Edit to a real, monitored, email address preferably accessible by others if you are a group of site administrators.
10
+
If the renewal process fails repeatedly, **it will try to notify you**via our API before certificate expiration becomes a problem, unless you have disabled the *Enable Status Reports to Dashboard* option under Settings. **Ensure that your 'Certificate Authority Account' under Settings > Certificate Authorities is set to a real, monitored, email address** preferably accessible by others if you are a group of site administrators. You do not need to configure anything else like SMTP relays etc. to use this feature, it's all automatic by default.
11
11
12
-
In addition, as your certificate approaches expiration, Let's Encrypt will also email you. This can also happen if you have changed a certificate (for instance to add more domains to it) so you may get emails for expiring certificates you have since replaced.
12
+
In addition, as your certificate approaches expiration, the certificate authority (such as Let's Encrypt) will also email you. This can also happen if you have changed a certificate (for instance to add more domains to it) so you may get emails for expiring certificates you have since replaced.
13
+
14
+
## Dashboard
15
+
You can optionally send a notification to the https://certifytheweb.com dashboard when a renewal is successful or fails. This is useful if you have multiple administrators and want to be notified when a renewal fails. You can also see the status of all your certificates on the dashboard. To get started with sending reports to the Dashboard, select the *Add to Dashboard* option from the start up screen of the app on your machine.
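Review bot: "**it will try to notify you**via our API" needs a space after the closing bold markers, and the new bold sentence "...and tell you if something goes wrong" is missing its full stop. The Dashboard paragraph introduces sending reports to https://certifytheweb.com; it would help administrators to state what a status report contains so they can judge whether sending it off-host fits their data-handling rules, and to point out that the *Enable Status Reports to Dashboard* setting mentioned above is the switch that turns it off. Minor: "start up screen" should be "start-up screen".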