# DigiCert SSL Certificate Setup for Production

## Certificate Files Required

From DigiCert, you'll receive these files:

- `merchbay_com.crt` - Your domain certificate
- `merchbay_com.key` - Private key (generated during CSR creation)
- `DigiCertCA.crt` - Intermediate certificate
- `TrustedRoot.crt` - Root certificate (optional)

## Step 1: Combine Certificate Chain (on your local machine)

```bash
# Create the full chain certificate: leaf first, then the intermediate
cat merchbay_com.crt DigiCertCA.crt > merchbay.com.crt

# Copy private key
cp merchbay_com.key merchbay.com.key
```

## Step 2: Upload to Production Server

```bash
# SSH to production server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST

# Create certificates directory
sudo mkdir -p /srv/certs
sudo chmod 700 /srv/certs

# Exit SSH, then upload from local machine
exit
scp merchbay.com.crt PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
scp merchbay.com.key PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/

# SSH back to server and move files
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mv /tmp/merchbay.com.crt /srv/certs/
sudo mv /tmp/merchbay.com.key /srv/certs/
sudo chmod 600 /srv/certs/*
sudo chown root:root /srv/certs/*
```

## Step 3: Upload Traefik Configuration

```bash
# From local machine
scp traefik-certs.yml PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/

# SSH to server
ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
sudo mkdir -p /srv/traefik
sudo mv /tmp/traefik-certs.yml /srv/traefik/dynamic-certs.yml
sudo chmod 644 /srv/traefik/dynamic-certs.yml
```

## Step 4: Update Traefik Container

Ensure your Traefik `docker-compose.yml` includes:

```yaml
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic-certs.yml
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/certs:/srv/certs:ro
      - /srv/traefik/dynamic-certs.yml:/dynamic-certs.yml:ro
    networks:
      - traefik-public
    restart: unless-stopped
```

## Step 5: Restart Traefik

```bash
cd /opt/traefik  # or wherever your traefik docker-compose.yml is
docker compose restart traefik

# Verify the certificate is loaded
docker compose logs traefik | grep -i certificate
```

## Step 6: Deploy merchbay Application

Once Traefik is configured, deploy merchbay:

```bash
cd /var/www/merchbay
docker compose up -d
```

## Verification

```bash
# Check the certificate that Traefik actually serves for merchbay.com
openssl s_client -connect merchbay.com:443 -servername merchbay.com < /dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

# Should show:
# subject=CN = merchbay.com
# issuer=O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
# notBefore=...
# notAfter=...
```

## Certificate Renewal

DigiCert certificates typically last 1-2 years. Set a reminder to renew 30 days before expiration and repeat Steps 1-3 and 5.

## Security Notes

- Never commit `.key` files to git
- Keep private keys secure (600 permissions)
- Use strong encryption for private key storage
- Consider using a certificate management system for automatic renewal