**** xref:protocols/radius/proxy_config.adoc[Proxy configuration]
***** xref:protocols/radius/proxy_extensions.adoc[Proxy Extensions]
-** Security Certificates
-*** xref:os/letsencrypt.adoc[Using LetsEncrypt certificates]
+** xref:os/index.adoc[Security Certificates]
+*** xref:os/letsencrypt.adoc[LetsEncrypt]
** Vendors
*** xref:vendors/ascend.adoc[Ascend]
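Review bot: the new `Security Certificates` nav entry points at `os/index.adoc`, a generic filename for a page whose only content is the certificates overview; a name such as `os/certificates.adoc` would say what the page is and would not collide with a later real index for the `os/` section. The shortened link text `LetsEncrypt` matches the new page title, so that part is consistent.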
--- /dev/null
+= Security Certificates
+
+FreeRADIUS supports security certificates and uses them for various authentication methods. FreeRADIUS can generate and manage its own certificates. Alternatively, you can install certificates from an external Certificate Authorities (CAs).
+
+EAP-TLS is a secure authentication method that relies on digital certificates to verify the identity of both the client and the server. See the following section to learn how to install and manage your certificates:
+
+* xref:os/letsencrypt.adoc[LetsEncrypt]
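Review bot: grammar in the first paragraph of the new page: `an external Certificate Authorities (CAs)` mixes singular and plural; use `an external Certificate Authority (CA)` or `external Certificate Authorities (CAs)`. `See the following section` introduces a list with a single entry, so `See the following page` reads better. The paragraph also says EAP-TLS verifies both client and server, while the linked LetsEncrypt page only covers obtaining the server certificate and recommends a private CA for client certificates; one sentence saying so here would stop readers expecting LetsEncrypt to issue client certificates.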
-= Using LetsEncrypt certificates
+= LetsEncrypt
When configuring FreeRADIUS to use EAP, the use of keys and
certificates are essential. Unfortunately this is one of those areas
that can be hard to get right and prone to problems. Notably,
-certificates can expiry at very inopportune moments. At which point
+certificates can expire at very inopportune moments. At which point
no one can get online.
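Review bot: the `expiry` to `expire` fix is right, but the surrounding text still has two grammar problems in this hunk: `the use of keys and certificates are essential` should be `is essential`, and `At which point no one can get online.` is a sentence fragment; suggest `certificates can expire at very inopportune moments, at which point no one can get online.`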
Our recommendation is always to use a private CA for both server
certificate for the server is often seen as the most convenient
answer, even if it is not the most secure.
-WARNING: Never configure FreeRADIUS to use a public CA root in the
+[WARNING]
+====
+Never configure FreeRADIUS to use a public CA root in the
`ca_file` or `ca_path` EAP module settings. This would potentially
allow any secondary (intermediate) CA signed by that public CA to
issue client certificates, and be authenticated by your server!
-
+====
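Review bot: the conversion to a delimited `[WARNING]` block is correct, but the warning only says what not to put in `ca_file` or `ca_path`; add what belongs there instead (the private CA that issues your client certificates) so readers are not left with just the prohibition. The phrase `secondary (intermediate) CA` could also simply be `intermediate CA`.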
== Prerequisites
certificate for your RADIUS server, and are aware of the
security considerations in doing so.
-- You wish to use https://letsencrypt.org/[LetsEncrypt[ for this
+- You wish to use https://letsencrypt.org/[LetsEncrypt] for this
purpose, and want certificate renewals (usually every 2-3 months) to
be automatic.
user.
[NOTE]
-===
+====
You *must* have a public IP address for the server, and
there *must* be a DNS entry (of the name of the certificate you
will be requesting) pointing to this IP. The server *must* be
reachable on port 80 (HTTP) from the Internet.
-===
+====
Install the `certbot` utility from LetsEncrypt. On Debian it can
be installed from the default repositories:
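Review bot: the `====` delimiter fix makes the NOTE render, but the NOTE states the public IP, DNS and port 80 requirements without saying why they exist; name the certbot challenge they come from so that readers on a host that cannot expose port 80 know which alternative to look for, and say whether port 80 has to stay reachable permanently or only while certbot is issuing or renewing the certificate. Because the text is about a RADIUS server being reached from the Internet, that distinction is the security-relevant part of the prerequisite.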