Add build step; add gen-roots step.

README.md

@@ -9,7 +9,12 @@ in a very similar way to Sunlight.
 
 ### Usage
 
-1. **Create YAML configuration file:**
+1. **Build the tool:**
+```bash
+go build -o tesseract-genconf ./tesseract/genconf/
+```
+
+2. **Create YAML configuration file:**
 
 ```yaml
 listen:
@@ -28,26 +33,35 @@ logs:
     notafterlimit: 2025-07-01T00:00:00Z
 ```
 
-2. **Generate private keys:**
+3. **Generate private keys:**
 ```bash
 mkdir -p /etc/tesseract/keys
-go run ./tesseract/genconf/main.go -c config.yaml gen-key
+./tesseract-genconf -c config.yaml gen-key
 ```
 
-3. **Create directories and generate environment files:**
+4. **Create directories and generate environment files:**
 ```bash
 mkdir -p /var/lib/tesseract/example2025h1/data
-go run ./tesseract/genconf/main.go -c config.yaml gen-env
+./tesseract-genconf -c config.yaml gen-env
 ```
 
-4. **Generate HTML and JSON files:**
+5. **Generate HTML and JSON files:**
 ```bash
-go run ./tesseract/genconf/main.go -c config.yaml gen-html
+./tesseract-genconf -c config.yaml gen-html
 ```
 
-5. **Generate nginx configuration files:**
+6. **Generate nginx configuration files:**
 ```bash
-go run ./tesseract/genconf/main.go -c config.yaml gen-nginx
+./tesseract-genconf -c config.yaml gen-nginx
 ```
 
 You can symlink the generated $monitoringprefix.conf files from `/etc/nginx/sites-enabled/`.
+
+7. **Generate root certificates (optional):**
+```bash
+# For testing/staging environment, take the ccadb 'testing' roots
+./tesseract-genconf gen-roots --source https://rennet2027h2.log.ct.ipng.ch/ --output roots-staging.pem
+
+# For production environment, take the ccadb 'production' roots
+./tesseract-genconf gen-roots --source https://gouda2027h2.log.ct.ipng.ch/ --output roots-production.pem
+```