# HAProxy SSL Certificates

**Never commit private keys (`.key`) or certificate files (`.pem`) to git.**

This directory holds SSL certificates for HAProxy HTTPS. The files are gitignored.

## Generating Certificates Locally

### Self-Signed (Development/Staging)

From the repository root:

```bash
cd docker/haproxy/certs
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout veza.key -out veza.crt -subj "/CN=veza.local"
cat veza.crt veza.key > veza.pem
```

Or use the project script (creates in `config/ssl/` — copy to this dir if needed):

```bash
./scripts/generate-ssl-cert.sh veza.local
# Then:
cp config/ssl/veza.pem config/ssl/key.pem config/ssl/cert.pem docker/haproxy/certs/
```

### Production (Let's Encrypt)

```bash
certbot certonly --standalone -d yourdomain.com
cat /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
    /etc/letsencrypt/live/yourdomain.com/privkey.pem > docker/haproxy/certs/veza.pem
```

## Certificate Rotation

If a private key may have been exposed:

1. Generate new certificate and key (commands above).
2. Replace `veza.pem`, `veza.key`, `veza.crt` in this directory.
3. Restart HAProxy.
4. Document rotation in `veza-docs/` if applicable.
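The bundle HAProxy loads is a plain concatenation, so a mismatched pair (a cert from one key, a key from another), an expired cert, or a cert for the wrong name is easy to produce during rotation and only shows up when HAProxy fails to start or clients get handshake errors. The script below is an added example, not one of the project's own scripts: `make_bundle` builds the self-signed bundle exactly as in the commands above but into a directory you choose, and `verify_bundle` checks that the key in the combined PEM matches the certificate, that the certificate is still valid, and that the CN is the expected one, before you copy it into `docker/haproxy/certs/`. The function names, the scratch directory and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the project scripts): build the combined HAProxy
# PEM in a directory of your choice and verify it before deploying it.
# Function names, directory layout and key size are assumptions of this example.
set -eu

# Generate a self-signed cert + key for CN "$1" into directory "$2" and
# bundle them into veza.pem in the order HAProxy expects: cert first, then key.
# Private material is created with owner-only permissions.
make_bundle() {
  cn="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/veza.key" -out "$dir/veza.crt" -subj "/CN=$cn" 2>/dev/null
  chmod 600 "$dir/veza.key"
  cat "$dir/veza.crt" "$dir/veza.key" > "$dir/veza.pem"
  chmod 600 "$dir/veza.pem"
}

# Verify a combined PEM "$1" for expected CN "$2":
#   - the public key inside the certificate must equal the public key derived
#     from the private key in the same file (catches cert/key mix-ups),
#   - the certificate must remain valid for at least "$3" seconds (default 1 day),
#   - the certificate subject must carry the expected CN.
# Prints "ok" and returns 0 on success, returns 1 on any failure.
verify_bundle() {
  pem="$1"; cn="$2"; min_secs="${3:-86400}"
  # openssl x509 reads the first CERTIFICATE block, openssl pkey the first
  # PRIVATE KEY block, so both work directly on the concatenated file.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  # -checkend fails if the certificate expires within min_secs seconds.
  openssl x509 -in "$pem" -noout -checkend "$min_secs" >/dev/null 2>&1 || return 1
  # Subject line looks like "subject=CN = veza.local" (or "/CN=veza.local" on
  # older OpenSSL); both forms match this pattern.
  openssl x509 -in "$pem" -noout -subject 2>/dev/null | grep -q "CN *= *$cn" || return 1
  echo ok
}

# Usage:
#   make_bundle veza.local ./scratch-certs
#   verify_bundle ./scratch-certs/veza.pem veza.local && \
#     cp ./scratch-certs/veza.pem ./scratch-certs/veza.key ./scratch-certs/veza.crt docker/haproxy/certs/
```

Run `verify_bundle` on the Let's Encrypt bundle as well (with `yourdomain.com` as the CN) before restarting HAProxy in step 3 of the rotation procedure; a bundle that fails the key-match check is the classic sign that the old certificate was concatenated with the new key.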