Text for new file, docs/CertDeployment #880

Open
ZjYwMj opened this issue Jul 3, 2022 · 0 comments

I suggest adding the following text as docs/CertDeployment, to help those without the full picture of what should be done.

There is a similar, more terse, suggestion for nginx at the comments of the deploy-cert hook.

Apache 2.4 on Debian 11 (bullseye) cert deployment suggestion:

Referring to cert.pem, chain.pem, fullchain.pem and privkey.pem:
By default, on Debian 11 (bullseye), those files are at /var/lib/dehydrated/certs/domain/ . It could be noticed that

# cat cert.pem chain.pem | diff - fullchain.pem

shows the concatenation of cert.pem and chain.pem results in fullchain.pem.

  1. cp cert.pem domain.crt. Its permission can be world readable.
  2. Copy and paste the first certificate section of chain.pem, that is the first "-----BEGIN CERTIFICATE-----" section, into a text file named intermediate.pem.
  3. mv domain.crt intermediate.pem /etc/ssl/certs/. Their permissions can be world readable.
  4. cp privkey.pem /etc/ssl/private/domain.key. Its permissions should keep it private.
  5. Adjust your web server config to something like
<VirtualHost _default_:443>
        ServerName me.tld:443
        ServerAlias www.me.tld
        DocumentRoot /var/www/me.tld/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/domain.crt
        SSLCertificateKeyFile /etc/ssl/private/domain.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
        SSLProtocol TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        <Directory /var/www/me.tld/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
  6. Restart the web server service.

Test at https://www.ssllabs.com/ssltest/analyze.html?d=me.tld

This procedure can be fully, or partially, automated by the deploy_cert hook.
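As an added example that is not part of this issue and not dehydrated's own `hook.sh`, the following POSIX shell hook automates steps 1 through 6 above. It assumes `/etc/ssl` as the destination root, the file names `domain.crt`, `intermediate.pem` and `domain.key` from the steps above, and `apache2` as the service to reload; dehydrated's hook interface (`deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`) is real, the install paths are the page's suggestion.

```shell
#!/bin/sh
# Added example (not dehydrated's own hook.sh): a deploy_cert hook that
# carries out the manual steps from the issue text. Assumed names: /etc/ssl
# as destination root, domain.crt / intermediate.pem / domain.key as the
# installed file names, and "apache2" as the service to reload.

# Confirm the observation above: cert.pem + chain.pem is byte-identical
# to fullchain.pem.  $1 cert.pem  $2 chain.pem  $3 fullchain.pem
verify_fullchain() {
    cat "$1" "$2" | cmp -s - "$3"
}

# Step 2: print only the first PEM block of chain.pem (the intermediate CA),
# instead of copying and pasting it by hand.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Steps 1-4: install leaf cert, intermediate and private key under a root dir.
# $1 cert.pem  $2 chain.pem  $3 privkey.pem  $4 destination root (e.g. /etc/ssl)
install_certs() {
    certfile="$1"; chainfile="$2"; keyfile="$3"; root="$4"
    mkdir -p "$root/certs" "$root/private"

    # Leaf certificate and intermediate are public: world readable is fine.
    install -m 0644 "$certfile" "$root/certs/domain.crt"
    tmp="$root/certs/intermediate.pem.tmp"
    extract_first_cert "$chainfile" > "$tmp"
    # Refuse to deploy when no certificate block was found (empty or bad chain.pem).
    if [ ! -s "$tmp" ]; then
        echo "no certificate found in $chainfile" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$root/certs/intermediate.pem"

    # Private key: owner read/write only; Apache reads it as root at startup.
    install -m 0600 "$keyfile" "$root/private/domain.key"
}

# dehydrated invokes: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"; CHAINFILE="$5"
    verify_fullchain "$CERTFILE" "$CHAINFILE" "$FULLCHAINFILE" || {
        echo "$DOMAIN: cert.pem + chain.pem does not match fullchain.pem" >&2
        return 1
    }
    install_certs "$CERTFILE" "$CHAINFILE" "$KEYFILE" /etc/ssl || return 1
    # Step 6: syntax-check the config first, then a graceful reload picks up
    # the new files without dropping connections.
    apachectl -t && systemctl reload apache2
}

# Only the deploy_cert hook is handled here; other dehydrated hooks are ignored.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```

Point dehydrated at the script with `HOOK=/path/to/hook.sh` in its config; `install_certs` takes the destination root as a parameter so the same functions can be exercised against a scratch directory before being trusted with `/etc/ssl`.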
