WorldHealthOrganization · ritikarawlani · Sep 10, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/input/pagecontent/concepts_onboarding_checklist.md b/input/pagecontent/concepts_onboarding_checklist.md
@@ -116,12 +116,17 @@ This repository contains the template for building [onboarding](https://github.c
 
 > Disclaimer: The script generates self-signed certificates not intended to be used on production environments.
 
-- You must adapt the following default certificate parameter in gen_all_certs.sh to your needs:
+- You must adapt the following default certificate parameter of [DN_template.cnf](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf) file which will used  in gen_all_certs.sh to your needs:
+
+  #Configuration Template for Certificate Generation
+
+  #Modify for your own needs
+
 
 	```
-    export OSSL_COUNTRY_NAME="XA"
+ 	export OSSL_COUNTRY_NAME="XC"
 	export OSSL_STATE_NAME="Test State"
-	export OSSL_LOCALITY_NAME="Geneva"
+	export OSSL_LOCALITY_NAME="TEST"
 	export OSSL_ORGANIZATION_NAME="WHO"
 	export OSSL_ORGANIZATIONAL_UNIT_NAME="R&D"
 	```
@@ -164,7 +169,10 @@ Files to be copied in respective folders are as follows:
 
 #### Certification Preparation for Prod
 
-This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed.
+This guide follows the certificate templates defined in the certificate governance. Public Key Certificates generated by following this guide will include the minimal required fields - further fields can be added in the configuration files if needed.Self-signed certificates are typically used in DEV and UAT environments.
+
+**For production, It is strongly recommended to use certificates signed by a trusted Certificate Authority (CA)**.
+This is just an example reference on how to use a Trusted CA certificate in a production environment. You should refer to the specific procedures provided by the public Trusted Certificate Authority (CA) of your choice for accurate and detailed instructions [Reference- Recommendation to use Trusted Public CA Certificate in Prod](#steps-to-obtain-and-use-a-ca-signed-certificate)
 
 **Elliptic Curve Public Key Certificates (ECDSA with NIST-p-256)**
 
@@ -194,10 +202,12 @@ This guide follows the certificate templates defined in the certificate governan
 	```
 
 - *Certificate generation*: Open a command line prompt in the folder where the sca.conf is located and use the following OpenSSL command to create the private key (CAprivkey.key) and the certificate (CAcert.pem):
+- 
+  **For Prod it's recommended to use** [Trusted CA issued Certificate](#steps-to-obtain-and-use-a-ca-signed-certificate) only. As below command for self-siged certificate generation as it's usually only recommened for **DEV/UAT** enviornment.
 	```
 	openssl req -x509 -new -days 1461 -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout CAprivkey.key -nodes -out CAcert.pem -config sca.conf
 	```
-
+### DSC generation example
 **DSC generation example**
 	Document Signer Certificates (DSCs) must be signed by the SCA. Hence, you have to create the SCA certificate (with the corresponding private key) before you can issue DSCs.
 
@@ -236,6 +246,7 @@ This guide follows the certificate templates defined in the certificate governan
     ```
 	openssl x509 -req -in DSC01csr.pem -CA CAcert.pem -CAkey CAprivkey.key -CAcreateserial -days 730 -extensions ext -extfile DSC.conf -out DSCcert.pem
 	```
+  **Important Recommendations for Prod**: Please replace CAcert.pem and CAprivkey.key with signing material from an officially Trusted Certification Authority instead using your own self-signed one.    
 
 **TNP<sub>UP</sub> generation example**
 
@@ -583,14 +594,143 @@ Signing tags and commits is great, but if you decide to use this in your normal
 ### Validating the certificates
 > Please check [Testing connection](https://github.com/WorldHealthOrganization/smart-trust/releases/download/v1.1.1/3.1.full-video.v2.mp4)  video for reference
 
-- Use the following command to verify the certificates by testing the connection.
+- **Use the following command to verify the certificates by testing the connection**.
 
 	```
 	curl -v https://tng-dev.who.int/trustList --cert TLS.pem --key TLS.key
 	```
 
 ### Send an onboarding/participation request
+
 - Send an onboarding/participation request to [email protected] which contains:
     - URL of the private repository created as a prerequisite
-    - The GPG key exported in Step [1.8.6.4](concepts_onboarding_checklist.html#generate-gpg-key)
+    - The GPG key exported in Step [1.8.6.4](#generate-gpg-key)
 
+Once you recieve confirmation on sucesfull onboarding from TNG Support Team ( [email protected]) 
+
+**TNG-WHO Endpoints:**
+-	PRD:	 https://tng.who.int
+-	UAT:	 https://tng-uat.who.int
+-	DEV:	 https://tng-dev.who.int
+
+
+
+1. After onboarding in the DEV/UAT/PROD Environment, check the connectivity with the Trust Network Gateway using its [API](https://smart.who.int/trust/openapi/). This can be acheived with following command:
+
+```
+curl -v https://tng-dev.who.int/trustList --cert TLS.pem --key TLS_key.pem
+```
+You should see a output like:
+
+```
+[
+{
+    "kid": "+jrpHSqdqZY=",
+    "timestamp": "2023-05-25T07:55:21Z",
+    "country": "XC",
+    "certificateType": "UPLOAD",
+    "thumbprint": "fa3ae91d...",
+    "signature": "MIAGCSqGSIb3D...",
+    "rawData": "MIIErTCCA5WgAwIBAgII..."
+}
+]
+```
+2) Test the other Trustlist Routes in the same style (e.g. with DSC/SCA/Upload/Authentication…)
+3) Create an Document Signer Certificate and sign it by the SCA [Refer](#certification-preparation-for-prod) and [DSC generation example](#dsc-generation-example)
+4) Create an CMS Package with the following Command:
+    Note: Step 3 and 4 could be achived through two menthod, commandlline and script respectively .
+
+**Method 1 - Commandline .**
+```
+openssl x509 -outform der -in cert.pem -out cert.der
+openssl cms -sign -nodetach -in cert.der -signer signing.crt -inkey signing.key -out signed.der -outform DER -binary
+openssl base64 -in signed.der -out cms.b64 -e -A
+
+```
+**Note**: cert.der is your DSC, signing.crt is the TNPUP.
+
+**Method 2 - Scripts**
+
+The DSC generation and upload of  CMS package to TNG Gateway  could be achieved through the below mentioned scripts.
+For DEV and UAT environments you may use script. 
+
+[Generate DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#generate-dscs)
+
+[Upload DSCs](https://github.com/WorldHealthOrganization/tng-participant-template/tree/main/scripts/certgen#upload-dscs0)
+
+The Distinguised Nmae ( DN) configuration file while will parse as source  [DN_template.cnf](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/DN_template.cnf) is an example.
+
+Please replace with your actual OSSL_COUNTRY_NAME, OSSL_STATE_NAME etc parameters accordingly of 	DN_template.cnf file.
+
+The script expects at least two arguments:
+A configuration file (DN_template.cnf) that contains the Distinguished Name (DN) template.
+A subdirectory where the SCA (Signing Certificate Authority) PEM and KEY files are located.
+An optional third argument can be provided to specify the purpose of the DSC (e.g., test, vax, rec). If this argument is not provided, the DSC will be generated for all purposes.
+
+**Howto to run DSC Generate Script** [gen_dsh.sh](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/gen_dsc.sh)
+
+``` 
+./script_name.sh DN_template.cnf directory_of_SCA_files [test/vax/rec-purpose}
+
+```
+**How to run upload.sh script:** [upload_dsc.sh](https://github.com/WorldHealthOrganization/tng-participant-template/blob/main/scripts/certgen/upload_dsc.sh)
+
+**- ./upload_dsc.sh:** Replace this with the actual name of your script.
+
+**- /path/to/subdir:** Path to the directory containing UP.pem and UP.key.
+
+**- /path/to/DSC_dir:** Path to the directory containing the DSC files (DSC.pem, DSC.key).
+
+**DCC:** The domain name to be used. If omitted, the script will default to DCC.
+
+```
+./upload_dsc.sh /path/to/subdir-up_pem_key  /path/to/DSC_dir [DCC]
+```
+
+5) Check DSC is already exist before upload CMS package
+```   
+curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key
+```
+6) Upload the CMS Package to the Gateway
+```    
+curl -v -X POST -H "Content-Type: application/cms" --cert TLS.pem --key TLS_key.pem --data @cms.b64 https://tng-dev.who.int/signerCertificate
+
+```
+7) Download the Trustlist again, and check if your DSC is available.
+```   
+curl -v https://tng-dev.who.int/trustList/DSC/XC --cert TLS.pem --key TLS.key
+```    
+
+Note: Some versions of curl don’t attach the client certificates automatically. This can be checked via curl --version Ensure that the used version is linked to OpenSSL. Especially under Windows (https://curl.se/windows/):
+
+**Working Setup**
+![image](https://github.com/user-attachments/assets/b55d083f-dccb-4547-af48-bbb7cb60d681)
+**Non-Working Setup**
+![image](https://github.com/user-attachments/assets/0f149617-d5f8-4f1b-bb65-37a073d4c146)
+
+## Steps to Obtain and Use a CA-Signed Certificate
+
+**1. Generate a Certificate Signing Request (CSR)**
+To begin, generate a CSR using the following OpenSSL command. This request will include a new private key and a configuration file:
+
+```
+openssl req -new -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout CAprivkey.key -out CAreq.csr -config sca.conf
+```
+
+
+**CAprivkey.key:** This file contains the private key.
+C**Areq.csr:** This file contains the Certificate Signing Request.
+**sca.conf:** This is the OpenSSL configuration file used during the CSR generation.
+
+**2. Submit the CSR to a Public Certificate Authority (CA)**
+Submit the generated CAreq.csr file to the public CA of your choice. The CA will use this CSR to issue a certificate. Upon approval, the CA will provide you with:
+
+**2. Submit CSR to the Public CA**
+Submit the generated CAreq.csr file to the public CA of your choice. They will use the CSR to issue a certificate. The CA will provide you with the signed certificate and possibly a certificate chain or intermediate certificates.
+
+**3. Use the CA-Signed Certificate**
+Once you receive the CA-signed certificate, you will use it instead of generating a new self-signed certificate. Here’s how you can replace the placeholders with the signed certificate:
+cp signed_CA_cert.pem ${subdir}/CAcert.pem 
+cp CAprivkey.key ${subdir}/CAprivkey.key
+
+