docs: document SSL certificate generation strategy

Add comprehensive documentation explaining why certificates are generated
on each deployment rather than reused:

- Enhanced deployment documentation with certificate management section
- New ADR-006 documenting the architectural decision and rationale
- Improved inline code documentation in deploy-app.sh
- Updated ADR index with new decision record

Key rationale documented:
1. Production flexibility: Different environments use different domains
2. Certificate validity: Self-signed certs must match deployment domain
3. Security: Fresh certificates prevent stale credential reuse
4. Workflow consistency: Same process works across all environments
5. Zero configuration: No certificate store or distribution needed

While certificates could be reused for local testing (always test.local),
this approach ensures deployment workflow consistency between local
testing and production, reducing environment-specific issues.

Closes: Discussion about certificate reuse vs regeneration strategy

Author: josecelano

application/docs/deployment.md

@@ -53,7 +53,57 @@ If you need to manually deploy on the server:
    docker compose --env-file /var/lib/torrust/compose/.env up -d
    ```
 
-## 3. Verification and Smoke Testing
+## 3. SSL Certificate Management
+
+### Certificate Generation Strategy
+
+The deployment process generates SSL certificates on each deployment rather than
+reusing certificates. This approach provides several advantages:
+
+#### Why Generate Certificates Per Deployment?
+
+1. **Production Flexibility**: Different environments use different domains:
+   - Local testing: `test.local`
+   - Staging: `staging.example.com`
+   - Production: `tracker.torrust-demo.com`
+
+2. **Certificate Validity**: Self-signed certificates are domain-specific and must
+   exactly match the domain being used in each deployment environment.
+
+3. **Security Best Practices**: Fresh certificates for each deployment ensure no
+   stale or leaked credentials are reused.
+
+4. **Workflow Consistency**: The same deployment process works across all
+   environments without manual certificate management or copying certificates
+   between systems.
+
+5. **Zero Configuration**: No need to maintain a certificate store or handle
+   certificate distribution between development and production environments.
+
+#### Certificate Types by Environment
+
+- **Local/Testing**: Self-signed certificates with 10-year validity (for convenience in testing)
+- **Production**: Let's Encrypt certificates (automatically renewed)
+
+#### Implementation Details
+
+The certificate generation happens during the application deployment phase
+(`make app-deploy`) and includes:
+
+1. **Self-signed certificates**: Generated using OpenSSL with domain-specific
+   Subject Alternative Names (SAN)
+2. **Certificate placement**: Stored in `/var/lib/torrust/proxy/certs/` and
+   `/var/lib/torrust/proxy/private/` on the target server
+3. **Container mounting**: Certificates are mounted into nginx container at runtime
+4. **Automatic configuration**: nginx configuration is automatically templated
+   with the correct certificate paths
+
+While it would be possible to reuse certificates for local testing (since we
+always use `test.local`), this approach ensures that the deployment workflow is
+identical between local testing and production, reducing the chance of
+environment-specific issues.
+
+## 4. Verification and Smoke Testing
 
 After deployment, verify that all services are running correctly.
 

docs/adr/006-ssl-certificate-generation-strategy.md

@@ -0,0 +1,130 @@
+# ADR-006: SSL Certificate Generation Strategy
+
+## Status
+
+Accepted
+
+## Context
+
+During the implementation of HTTPS support for the Torrust Tracker Demo, we
+needed to decide between two approaches for SSL certificate management:
+
+1. **Generate certificates on each deployment** - Create fresh certificates during each deployment process
+2. **Reuse certificates across deployments** - Generate certificates once and copy them between deployments
+
+For local testing environments, we consistently use the same domain (`test.local`),
+which means certificates could technically be reused. However, for production
+environments, different domains are used for different deployment targets.
+
+## Decision
+
+We will **generate SSL certificates on each deployment** rather than reusing
+certificates across deployments.
+
+## Rationale
+
+### 1. Production Flexibility
+
+Different environments use different domains:
+
+- Local testing: `test.local`
+- Staging environments: `staging.example.com`
+- Production: `tracker.torrust-demo.com`
+
+Certificates must match the exact domain being used in each environment.
+
+### 2. Certificate Validity
+
+Self-signed certificates are domain-specific and must exactly match the domain
+being used in each deployment environment. Reusing certificates would require
+maintaining separate certificate sets for each domain or would fail certificate
+validation.
+
+### 3. Security Best Practices
+
+Fresh certificates for each deployment ensure:
+
+- No stale or leaked credentials are reused
+- Certificates are generated with current system time
+- No cross-environment certificate contamination
+
+### 4. Workflow Consistency
+
+The same deployment process works across all environments without:
+
+- Manual certificate management
+- Certificate copying between systems
+- Environment-specific deployment procedures
+- Certificate store maintenance
+
+### 5. Zero Configuration
+
+This approach requires no additional infrastructure:
+
+- No certificate distribution system
+- No certificate storage requirements
+- No manual certificate rotation procedures
+
+## Implementation
+
+Certificate generation happens during the application deployment phase (`make app-deploy`):
+
+1. **Self-signed certificates**: Generated using OpenSSL with domain-specific
+   Subject Alternative Names (SAN)
+2. **Certificate placement**: Stored in `/var/lib/torrust/proxy/certs/` and
+   `/var/lib/torrust/proxy/private/` on the target server
+3. **Container mounting**: Certificates are mounted into nginx container at runtime
+4. **Automatic configuration**: nginx configuration is automatically templated
+   with the correct certificate paths
+
+## Consequences
+
+### Positive
+
+- ✅ Identical deployment workflow between local testing and production
+- ✅ No certificate management overhead
+- ✅ Domain-specific certificates always match deployment target
+- ✅ Enhanced security through fresh certificates
+- ✅ Simplified deployment automation
+
+### Negative
+
+- ❌ Slight deployment time increase (certificate generation takes ~2-3 seconds)
+- ❌ Cannot preserve certificate fingerprints across deployments
+- ❌ Requires certificate regeneration for each deployment (even if domain unchanged)
+
+### Neutral
+
+- 🔄 For local testing, certificates are regenerated even though domain remains `test.local`
+- 🔄 Certificate validity period is reset on each deployment (10 years for self-signed)
+
+## Alternatives Considered
+
+### Certificate Reuse Strategy
+
+We considered implementing certificate reuse for local testing:
+
+1. Generate certificates once and store them locally
+2. Copy stored certificates to VM during deployment
+3. Use fresh generation only for production deployments
+
+**Rejected because:**
+
+- Creates environment-specific deployment logic
+- Increases complexity for minimal time savings
+- Introduces certificate management overhead
+- Reduces consistency between local and production workflows
+
+## Related Decisions
+
+- [ADR-004: Configuration Approach Files vs Environment Variables]
+  (004-configuration-approach-files-vs-environment-variables.md) -
+  Template-based configuration approach
+- [ADR-002: Docker for All Services](002-docker-for-all-services.md) -
+  Container-based service architecture
+
+## References
+
+- [SSL Certificate Management Documentation](../application/docs/deployment.md#ssl-certificate-management)
+- [Deployment Script Implementation](../infrastructure/scripts/deploy-app.sh)
+- [Certificate Generation Script](../application/share/bin/ssl-generate-test-certs.sh)

docs/adr/README.md

@@ -132,12 +132,15 @@ These are separate infrastructure concerns and should be documented separately:
 - [ADR-005: Sudo Cache Management for Infrastructure Operations]
   (005-sudo-cache-management-for-infrastructure-operations.md) -
   Proactive sudo cache management for better UX during testing
+- [ADR-006: SSL Certificate Generation Strategy]
+  (006-ssl-certificate-generation-strategy.md) -
+  Generate certificates per deployment vs reusing certificates
 
 ### 📊 ADR Statistics
 
-- **Total ADRs**: 5
+- **Total ADRs**: 6
 - **Status**: All Accepted
-- **Coverage**: Infrastructure (3), Application (1), Development Workflow (1)
+- **Coverage**: Infrastructure (3), Application (2), Development Workflow (1)
 
 ## Contributing
 

infrastructure/scripts/deploy-app.sh

@@ -400,11 +400,23 @@ generate_nginx_https_selfsigned_config() {
 }
 
 # Generate self-signed SSL certificates on the VM
+#
+# Why we generate certificates on each deployment:
+# 1. Production flexibility: Different environments use different domains
+#    (test.local for local testing, actual domain for production)
+# 2. Certificate validity: Self-signed certs are domain-specific and must match
+#    the actual domain being used in each deployment
+# 3. Security: Fresh certificates for each deployment ensure no stale credentials
+# 4. Portability: Works across different deployment targets without manual
+#    certificate management or copying between environments
+#
+# While we could reuse certificates for local testing (always test.local),
+# this approach ensures consistency with production deployment workflows.
 generate_selfsigned_certificates() {
     local vm_ip="$1"
     local domain_name="${DOMAIN_NAME:-test.local}"
 
-    log_info "Generating self-signed SSL certificates on VM..."
+    log_info "Generating self-signed SSL certificates on VM for domain: ${domain_name}..."
 
     # Copy the certificate generation script to VM
     local cert_script="${PROJECT_ROOT}/application/share/bin/ssl-generate-test-certs.sh"