From 2cfccc5b921ec8f53c0b28e8b54d2db205b7f95e Mon Sep 17 00:00:00 2001
From: Mathieu Baudier <mbaudier@argeo.org>
Date: Tue, 14 Aug 2012 11:23:19 +0000
Subject: [PATCH] Working Client Certificate authentication.

git-svn-id: https://svn.argeo.org/commons/trunk@5507 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 demo/log4j.properties                         |   2 -
 demo/ssl/ca.crt                               |  34 ++++
 demo/ssl/ca.key                               |  54 ++++++
 demo/ssl/root@demo.crt                        |  32 ++++
 demo/ssl/root@demo.csr                        |  28 ++++
 demo/ssl/root@demo.key                        |  54 ++++++
 demo/ssl/root@demo.p12                        | Bin 0 -> 5741 bytes
 demo/ssl/server.ks                            | Bin 0 -> 3900 bytes
 demo/ssl/server.ts                            | Bin 0 -> 1587 bytes
 demo/ssl/ssl.txt                              |  21 +++
 demo/ssl/tomcat.crt                           |  32 ++++
 demo/ssl/tomcat.csr                           |  24 +++
 .../spring/security-ldap-services.xml         |  16 +-
 .../org.argeo.security.ui.rap/plugin.xml      |   8 +
 .../security/ui/rap/SecureEntryPoint.java     |   3 +-
 .../WEB-INF/security-filters.xml              |  25 ++-
 .../org.argeo.jackrabbit.webapp/pom.xml       |   1 +
 .../WEB-INF/security-filters.xml              |  19 ++-
 .../WEB-INF/web.xml                           |   4 +
 .../org.argeo.server.rap.webapp/pom.xml       |   1 +
 .../org.argeo.server.tomcat/conf/server.xml   | 156 +++---------------
 .../org.argeo.server.tomcat/tomcat.properties |   7 +
 22 files changed, 369 insertions(+), 152 deletions(-)
 create mode 100644 demo/ssl/ca.crt
 create mode 100644 demo/ssl/ca.key
 create mode 100644 demo/ssl/root@demo.crt
 create mode 100644 demo/ssl/root@demo.csr
 create mode 100644 demo/ssl/root@demo.key
 create mode 100644 demo/ssl/root@demo.p12
 create mode 100644 demo/ssl/server.ks
 create mode 100644 demo/ssl/server.ts
 create mode 100644 demo/ssl/ssl.txt
 create mode 100644 demo/ssl/tomcat.crt
 create mode 100644 demo/ssl/tomcat.csr

diff --git a/demo/log4j.properties b/demo/log4j.properties
index 15ce795ea..06e71583d 100644
--- a/demo/log4j.properties
+++ b/demo/log4j.properties
@@ -12,8 +12,6 @@ log4j.logger.org.apache.coyote=INFO
 log4j.logger.org.apache.directory.server=ERROR
 log4j.logger.org.apache.jackrabbit.core.query.lucene=ERROR
 
-#log4j.logger.org.springframework.security.context=DEBUG
-
 ## Appenders
 # console is set to be a ConsoleAppender.
 log4j.appender.console=org.apache.log4j.ConsoleAppender
diff --git a/demo/ssl/ca.crt b/demo/ssl/ca.crt
new file mode 100644
index 000000000..4b46c47fb
--- /dev/null
+++ b/demo/ssl/ca.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6zCCA9OgAwIBAgIJAOn32kF0OI4QMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xDjAMBgNV
+BAoMBUFyZ2VvMRMwEQYDVQQLDApBcmdlbyBEZW1vMRYwFAYDVQQDDA1BcmdlbyBE
+ZW1vIENBMR0wGwYJKoZIhvcNAQkBFg5kZW1vQGFyZ2VvLm9yZzAeFw0xMjA4MTMx
+MjU1NTJaFw0xMzA4MTMxMjU1NTJaMIGLMQswCQYDVQQGEwJERTEPMA0GA1UECAwG
+QmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xDjAMBgNVBAoMBUFyZ2VvMRMwEQYDVQQL
+DApBcmdlbyBEZW1vMRYwFAYDVQQDDA1BcmdlbyBEZW1vIENBMR0wGwYJKoZIhvcN
+AQkBFg5kZW1vQGFyZ2VvLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBALNi3ZG2IxSvn/Ach9zpEIz2Nn7o/cMY/oUocBL9Pq+gcwBEnAyiC9MaJKDR
+M3HmIFMYrQ/6TdeSBblw1IO7ykeneybWpCEEA7zoK0DquXDRiuEyBWR+mz6JV/ce
+wrVo2bOnAUJgIfYUiEzYAT4j/+3qGUwokBAVbj+KSEnd5TnbMcbhRPzSW+Ghu/FL
+LIevq9BLRPQabLQTNvgVHGHX6iYTls7Y1jJaNe07mMfJOOuf2dfomiie7tMAyXKD
+XFg7vGRkW7kkSdXAvoasTXbmPj1AcxKKUtMqtoaMH0Lvl+4z1j9Zyi6Kg/7GZoE/
+uNZmSdVF/Qpx6VDcFGY8LaqUE9CNJgfvo6El0pXz+KZwV1nMMYLCM/bWSfR9tOob
+oHJW59C/JDGKY+1zEYuMlihGp2i/yM7PTw5Hi/Oi0L7gd55VesgVqm82lPmC1xUL
+bX7zI2lhVth7nMDbhmFMWxNGfuyuRFPNUR0VWhet8lYhrAHOA/r16T6cuKnzunmU
+3f9jmTZCxBD5PuFCCaZkrN2TYCTsI10K2EOXNPwJVPbBT6fkFhqFTU2eFiqcW95+
+e3t/HuGSUF6s/sDmSWJCDttnNKp6zGIGcB6xiUbuRkeV25PQq/UPQvxvBr7Df3I1
+PUneYQjjg4MXx+UvSdoRgPuPARpJBfJR4hVw2A/6MbkEfZ0BAgMBAAGjUDBOMB0G
+A1UdDgQWBBSnHbEv8ezkwPT+5UqmZllpM5NEAzAfBgNVHSMEGDAWgBSnHbEv8ezk
+wPT+5UqmZllpM5NEAzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQCY
+ZnF5ThcQfyUsqs7dGEb4j8WmnZ2+swueCp5TqkCtQU/0p63G5VwHoVkZkG9zBR5O
+JFqYO+UX8/jnbAeLfsw1+QW1IDzE1YIgmb8h8/j+erzO3krdEyweH3BcctaP3uJQ
+8AfMf3A6SamwXU96jNoRM6vPlMesM4ec82pTmspp5KSiP8JZ51tgeJm01Yr+WYF/
+3pDRjc0fJMfHfV1jRfVblTkaTYuIe9T+dpjWrh7t1u1M7nvPW6QWj2rbw3X9U/NR
+n0jyA063kskwWyY/uGXGIt+oCFhN323Jr1nQ8ZEJK38apS78xoC0Sxm5HQ6b8TII
+Jtc2YMPG0v2ygzN/lLlT1VnZfz6gPbFSv+otstQC7Kchdi6geQg2omYQVUzUCZEp
+Y8CQZTkXTEsrIaoIz/xn70RQAq8VQL4M42xfG/Z9WN+ype8fr2TMMrn9pRiLsnJd
+IQN5Tw6SwqqPLzfUirki4WY6up4wH11h9xyWeKAcK5rWq5qStlvdYmBDFUmnsXQj
+qdmNe96oZuZibS7+I0VER6/32u/MV2bHK6yXQEswXHrifHFvvq42HBayNdVPQZUG
+Y5Qrjo/19pAFmZFFs694TMz/85GtBnJkKBnciKrru1uzHMYo6Kim++wgPwfXNHXx
+gVYg4+NLjeXv2q178QtGxbKoHkqA7Q3lLEb4lw76gQ==
+-----END CERTIFICATE-----
diff --git a/demo/ssl/ca.key b/demo/ssl/ca.key
new file mode 100644
index 000000000..0888ad39b
--- /dev/null
+++ b/demo/ssl/ca.key
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,EBD71584ADEE8FE7
+
+L7Y9YmFRL/6tpCIskTGAp6St/9xx7dDMaFWk5AGPXk2q1hSV6XPp8m4zrJng2Cfd
+0iTP5G4p9zlceA6cV5lXFtZk9s3H6K38Pr2MtQ7pVMC9ZSXLeM+w1hj48Sdoe/ak
+oMhx9e6NVW9U4Lo4qX1lR4XE7NhdLf5nCAcB1zzwqbah8YnyKvkWjYFznfOz0ccV
+AQhsskfnUDNVB7SBQfvkJ2K5QVH9ElT81D8c323Cs/+7qD1NTEPNDQaB1XtUoTFr
+qMbgQKlGgku0CHpE9mnAfhrDiIox/kPk10jro2mSbeQraRkpxkudvADNEc0MLBUs
+cWfo4GkrvwWyZnFuVCZMjB6vJ8mVIVSZ0AEiTIq/sC+jiIfjSvAsaFdlV7BlUR2U
+KS7mnqivb6kRksyP5Om38MOF79KmxtLl7Cn4bio+qsQLcKBQwNoTqD2dFHVNdoTV
+TjP08xk+80oN0C246ZBeZLqwpfeXD71YQ5fkmw6AulJFr3NZDA6EAm6sJm+mC5fL
+a6JgnXe7ZBPnzzbHgm+8DOWa8kYh7lJ1iYPyg2iqK8O6t2jgl/C69pi6Qc/6NMry
+g6jyp0DnwpZG4P6pgy5fbbEqFOs6RkiFRtsQs88XDEE5tiJBtv9btHFZ16YGXr9V
+OL6/M5FIkHb/VC9+w+9ap0nyH8GtUMgx59gwAWPKbu5PC/4tZMts98btGzF6kV2A
+09/aI1RP79ImWLQtSy5BgjNozJ0biXdz1mSwgvrqz3TGySvwFzVGge1PMbJp+1iv
+XpkZGcS42OmHudDpK36QmWr4xizh8SOZLSW3803Mo8GkDT5xNz9w3xIZiXcXNAKt
+WE6U7nFuUpxvofnGjp9Shljt5HpYjqmB0cl3/y0n9wiZd5WeIYTC4PwmXH6qEyGO
+nh5WYOUNWtpVYHsmq6D0x1T3YXATBCWGFmDwJksnoWb3Czm49NJJpN837HynHcWG
+EBWQXWbzCZPp9C/lgttaOR67/QV6fl7aLx14jSbwWdgtCeQWDzYyL2vPr2m5xYOI
+ZgbYy6ULhGjsuMlD4JZEo2HFtU+5iw0sGTarp5xnB3v8AuiSzAJVGnGF55dcpTJ0
+DNaWv/xUt4s8GJgUPPPqhSibU/O9Mt4O2KxQl9wD424/tDFt4PArlDD2d+Xj29Nw
+2eWP8jlPZ6raAzp7ZFHB+SJBw49LF4ztGzSPWsmIWymBhfx1+d3e9LuqzHfVs83X
+9VjEY/i+xjIdry9Q1FWkTHbZgvYLVJ7fxenMT7nI8PPaecvQ4icEnB1zLGj4wbSc
+eFUsu+LkDb+SJOWh55xWlaiKsa4Qxll/1iHQ5xC2libjZU7sNmK0iJW1hOotF5RG
+ahWVbntVmqmVNm60IneckiQ1SLjlanOcM3QDFddjtmlCQ4OGMO6za8JRXErnKlhS
+I4P8Kzi889H5c9Y7l0GBarvdwrolWjgi80UHXkiNy6tU/3kn9+PB6RNZqzdng6dF
+dk4pQtqlEEkSBqqlPOXmRvDX+Ka60laDPzKefXrTjG8Y3EimRA7ngwhZMeONGMM9
+08wQI5lBVTJHvhFabnbbu1C6r8jd3es0u9AhXqI1WhILnR8DW/FwQFMLdIynYh9H
+41NLHCTaWslYlfBhAao+wnqL2BEN+fz2vxr27jZiQaovYMOA/0flH2rfcCigUtog
+EhVPCn4b5+qUZYux2RkBdhkJu2raJc6dtlTtsl/5KjHTe5wd0C3JeK/S0AaSeJG9
+/0xZvWcW4kVjovat9JPtuB6YDMH/gWmJby607iozF5z76rUAKmhObVNkW3C6+g1f
+ecpl7h6F5646oRMBh388sIYCfWtgYqZcuOiFylzDf0ZCAUlKMHIvQnbedHFu3VIS
+JK0teqwmIAmcsS1a91gn9N8GBVkzmf4BUTVXgWMQjtPJTCz4ZyFJvHHMrq5Ojocp
+/1sSU3iK4DuKeHRU5jr1c0YrGfREK8Gqxw1Ieh9Ah56zdWiGhXrlR5TH1mJJ0uFR
+ADNu/LoijVdLuJGMUneWS7qmPhLkzPv04sR2Ed7n7+E8Xn29lCgA68z5glaLEG8K
+HtlUGwNocnorrx2snQ77irbL+u4Qz/dfjJHmKu0JQvhM3XECqfQH3KLwmTnl0CxY
+zve3mlRV9LkVmOFINWH+bK+BiNBmgtm9mXRFyTQK3yUfqi/u3Imj1a3h3IL1S2rT
+IU6jkcoEvEQTmNiLIUg3ontwrHXm0kQA6RRccP6jYCAN4ao5iy9BfmDOmoOfdYuu
+qLrsB9JUuGyqEirrrApaNRhKNdJx8viVB9NDEO699CRMiEq0vIQqEBnsqmiq6hC1
+rJ+2+IGwa2Jf9qYtiCvGw+xaB0+x+nlb0uy9b+orzlKwX3UlUIs/AongtIcYe+BK
+Dwe+0yJ1gpkWoykR8hjx1b93QdTjamofqk2YJyBFUdrnn3lPJKvNyW2SgF0ZpkjQ
+ck1vo+lpZsvsXM8SbIJHfk0Mqat/BikB6bNXZs4FD6gn+dtPWCgPIDfYqhq+qe00
+zx2ZETYV9FRflZfIBg8xPJwj33NPO7j1HStBgtLSxLulkg5aVnpf/Qt5plgF+Ifs
+lnK9AYm9ah+3CbhOT9KoxzuNDOIbFlPkpUiC9v2bTtEE+mQrE4tag3L8IYzdaZCZ
+lgyPVnp1TQ6AiU/z0EkWvKTzcxcd8ujBjWk1NEaiNEowfxfB0CDnLaA0IN63pVwq
+H8QfQlIbAKKhRc9A7uoXrhO0YY0H2Sahd2AZnQkLPdUIUzp/JbeKC9JpmRnIF60C
+vdl/mUa5iqU3MihYOl9ykSD4V5iRYiB4QTIzF6TlyWW5RtrZh5m0jTFdh9D9uoro
+9HOs+ObdQg8UyBUQpII3ATr9Rf5r5uIml1ktbj97X7yBmdVXM8hHjkN7CzDHgWLh
+stbNBpoMf4dVaRHDm/wGn0jfqjeSUzEbnetpwseUbmiEjTXrYDyZ01Cf9gLq/8gs
+mqemNwLz16tGede34zQc5vHChEc3xJqbBIR5y7TCcDnEFDwKKLk3V5YpaTTLqT+y
+b9Espm2OovhBHQKDWqg8L5CRi1QTwyIjZHo++OlVlIslbsQlbqqkADBLhQcSB44i
+clxNml0TiqSYlY55MfBqmt5fbPYHI91Eg+/RbkfaW7supPjI0meS/idWX9r2FHLM
+-----END RSA PRIVATE KEY-----
diff --git a/demo/ssl/root@demo.crt b/demo/ssl/root@demo.crt
new file mode 100644
index 000000000..1f8a18c0a
--- /dev/null
+++ b/demo/ssl/root@demo.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFiDCCA3ACAQMwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAkRFMQ8wDQYD
+VQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzAR
+BgNVBAsMCkFyZ2VvIERlbW8xFjAUBgNVBAMMDUFyZ2VvIERlbW8gQ0ExHTAbBgkq
+hkiG9w0BCQEWDmRlbW9AYXJnZW8ub3JnMB4XDTEyMDgxMzEzMjM0MloXDTIyMDgx
+MTEzMjM0MlowgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNV
+BAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzARBgNVBAsMCkFyZ2VvIERlbW8x
+DTALBgNVBAMMBHJvb3QxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAZGVtby5hcmdlby5v
+cmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrOC1BS1Qotq9D5NAg
+5761ATNjMNMsg3SFkbnVIY5bzraY+lxs2qW5I9BXEHGDIGXJoden8VmBI7Bd5vCE
+8yNu8VlhfwNOuDF2NQVCSzUU7LUzJuEW/CBo1zgES2RYaH8Rt6+/4VVEm6DFI+Dr
+7GVeJh/f2LIZuKvurz8wyxvbGAXeF1p6lerS5/Qw4JE/wgVLCecD92WP3zbMyj3I
+Of9njNJQ8w8lNVcu4LX0pNQHFyTotasMPAgnu6YZ9uWGjwb6fItl8JbFZSuQER1B
+d7stjbzvcFCBJ/ZdWm237nqfQXLakOqJvUEvzo1cVcDW8slTX/Ird2LKN5VslPyV
+pBxRUT8FhOANVnGP6E4iqhRMYyRW1i0e9+QRvhhwVIrC6NpMCYnZm3DponNIzZGF
+B7cHkT//vS2w4r5OtLVb2RleXGzxLag6GsVNyI74Abi4bsM/H+9CKN6NsSXn07BB
+kJERdOBO80L9W7zFhJ3IVRCIXGujCcOF0WZAareWESI1CVOPMgC32xdBbw/IrnGv
+dUc5BdsOInjsOcO17LbsNpEDQQavF5SUR1SLAmsrftQoYqtsBjzCiVcAFCOF8lwk
+lcEEWLSRwCOEtsieBtxKz7UvizFPn34iqvUwoN5BdceJQVry4wjXfraScIjnrHv8
+/6pvW/N63WJJODhQVEK499BM9wIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAy1dBM
+ViLw4/eBUTtpZvlMotw0booS6opEKxAUuC7YDMkKwW4rqDxJTpyVKgC61q4Q5wyH
+fripqwJPgF6+aqDlRE3YHbHFHq+iKYSD582MIy7Bb1kmqvw+CkSWgaZFJiRuDT/2
+QCdEcWPYFRWP23/GuNZurd3M8GA+7Pd10XnqYbZgXLAdVVz+I4JzFT9KReVOY4Ne
+ZWSnzXb092FCpy/REUg0vUKKze5GzCiBfTTEAb4CpnY8HHlvcBsL2tNABhcP+gu2
+b7/LlhRZqlMaidJhGz2UH6WqXWweYce7ldpZ8khuxF2Rbnb0upIUuJgCKeJ1HckE
+JIVTiOJ7ZV2KSphpkVgiGqJidonTPOY46lihk0ZqGnbXfHXtI4JYKorLikefztS6
+8ExVVpbHZpTz9plqxc7/VpNqLGLwwDXRkIEMBR0OgIecVnSTe5vCdFnGZACwqHa4
+iy4hDmf6iBb7CmOAcP5W0w3yZ/p/jrc2K2lKglcU161pR7uCsStLaRh5Mec9MGpx
+K38Qaecm8NtC06I5aCPMA+5UrXdrsNvmeKZUwaztskkBzV9RibW/ogfoZeDpCh66
+HHG4Tgpkra4X82D6g71Mtkl3ez3tlFiUR9K0cuxtDxwaavPAmUo7tKOAG1UBgRlS
+t8DoCPRbx0o98O/x6g37H1UWe4sEiQSUaW1LiA==
+-----END CERTIFICATE-----
diff --git a/demo/ssl/root@demo.csr b/demo/ssl/root@demo.csr
new file mode 100644
index 000000000..54c05433e
--- /dev/null
+++ b/demo/ssl/root@demo.csr
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEzTCCArUCAQAwgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzAN
+BgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzARBgNVBAsMCkFyZ2VvIERl
+bW8xDTALBgNVBAMMBHJvb3QxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAZGVtby5hcmdl
+by5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrOC1BS1Qotq9D
+5NAg5761ATNjMNMsg3SFkbnVIY5bzraY+lxs2qW5I9BXEHGDIGXJoden8VmBI7Bd
+5vCE8yNu8VlhfwNOuDF2NQVCSzUU7LUzJuEW/CBo1zgES2RYaH8Rt6+/4VVEm6DF
+I+Dr7GVeJh/f2LIZuKvurz8wyxvbGAXeF1p6lerS5/Qw4JE/wgVLCecD92WP3zbM
+yj3IOf9njNJQ8w8lNVcu4LX0pNQHFyTotasMPAgnu6YZ9uWGjwb6fItl8JbFZSuQ
+ER1Bd7stjbzvcFCBJ/ZdWm237nqfQXLakOqJvUEvzo1cVcDW8slTX/Ird2LKN5Vs
+lPyVpBxRUT8FhOANVnGP6E4iqhRMYyRW1i0e9+QRvhhwVIrC6NpMCYnZm3DponNI
+zZGFB7cHkT//vS2w4r5OtLVb2RleXGzxLag6GsVNyI74Abi4bsM/H+9CKN6NsSXn
+07BBkJERdOBO80L9W7zFhJ3IVRCIXGujCcOF0WZAareWESI1CVOPMgC32xdBbw/I
+rnGvdUc5BdsOInjsOcO17LbsNpEDQQavF5SUR1SLAmsrftQoYqtsBjzCiVcAFCOF
+8lwklcEEWLSRwCOEtsieBtxKz7UvizFPn34iqvUwoN5BdceJQVry4wjXfraScIjn
+rHv8/6pvW/N63WJJODhQVEK499BM9wIDAQABoAAwDQYJKoZIhvcNAQEFBQADggIB
+AC9kNx1on4Twa7g0WvtRloBHxmXVxbhHaQtwQyzDarwhW973hLrJ5/5+wKzUoofe
+lw1moerhxQ9SWR8ZnlqLUj6aFZQXUi0754kVfEjmp762EByBciZg1RzgIK4YX0ln
+Sl1I1un/1rnLZo4YXay1uj0ZP99Iz/9uZK4WhrCkuYDwBFaeYDIEvG0MTwwf4hc+
+2f8xGxJ3/y6qyIe7VR2hCu2jsBGurHhf3dNVNr0wHLfpMtp8vGi7tVs/u53Kv/2P
+X1p/UznzZEbm928LAEtKGRuawlER5PVV8APFP0sy8FcpLGV0mD3eJCWFvOWz+/y5
+w3uSamgkuCYAdypxPSZrXEOrijZXDGfO8hFQfjSArD0eHf0XXx887ImVBmn0S/Hf
+lcmLdLI2Q/Ku5HEOGKGV9PsuZCcvyIlgOM0mMhmfHNbTZ1/xIq2YsI0t01RdfHd0
+zDWNxRHazBjrHhDs1gGlwcgHDswedbg6vu+q/kVrw2U2E4u12LzK3XvA1BZEidmI
+rEF/07WGRZoXndHitWeQu/lAEZbuI6h2qIJnjjI9VcAVqhDKhHXjGA1ZLBhqz1eh
+QdBEM8atOBg32l/I8GtFXTsauEkAe6hYUnvI9DdQIX+X5AInO8NsOUNNzOmmNpIG
+fxez4kWCC5zIZbSqCX7qDqZswfVdgEYLhElQquRbEDHH
+-----END CERTIFICATE REQUEST-----
diff --git a/demo/ssl/root@demo.key b/demo/ssl/root@demo.key
new file mode 100644
index 000000000..0c6c32d98
--- /dev/null
+++ b/demo/ssl/root@demo.key
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8B121EE89E94390B
+
+EjQARpI26YQBaqJdsM/qRqB6isTEUhNnYbKGzUpRql8bSKdszmrcxVW2eCzdPPeZ
+O8AZmg0lhRguxqRFxuHHd7hP+l3QUJRWy9FbR3Lr/x3r2FFVU6tDqt5yTNveF/Np
+1EL+vz9SE0QA6mUTE1kruLVQLrruPE78nztchdZREO/QmKk13x7ljotbRlgN3EyC
+NfPaVIyHAN9j3PqPVsNbsrFZvdo0HXWbd/zy1Zh2BGepxeCOYu2nSNQsZmaB1QjX
+rQ/g86hE35PcZuvMSjXkGYXf4mhzTWlt3h/o0mfVC+1iMTLmb0V/XP0DitIDmApL
+PM4yEfD0icg5Y9XDhbONHe1NqaI++Pq6Pz84PrxPziNREg6dUsqZDRDdvzXnogOo
+XKZ1yZBYtBt/4eptpWBd6xS8pIaNlUEApaVkNCDnnoniffxu/xVqZ5d9DcwoqImU
+IMZahuDzM5+MrFuu3BjxtQtU4mfytQ521P2NZb4wlVI+7TnveZ2sqTosj1QCX9E9
+4jh/SBi+D27wg0AAQU0eK3PVGrUZxFUCldqSfv8pABWyv+alRJ2ooUu5KLybu/Fi
+WAajrdWxwDrtqpxm9FWEW+0R4dXhr5EVmfOvTgGOsZT9fdDiAlfZiZHHs4JGG5yP
+ueUTsBgjlWoT7vmzxLNtjbJ0dlgYZzVpISbEH+kEXXzgwULF9s8CEptJ1m6hztZv
+TigK5WL09WSBbZiJZrY1tZxbWgJfL5TsI0V43qY3QzhtBPZTzlNlqzIwLDsexx1s
+AcG/B6FSTfzokG7KQJ5yN8empKFWggDEihGqDf0CpBnodSWwEEN00Ue13Mb1G+DR
+iPEUuZioiuuXJGcsr6OS/bY5NIu+bV5gyFNohzHN2ofrthaiU2hmIG2erAdtrq3C
+rxxmG4zRPYx+g/kjHEMaDnkgbtpa1f/inN7q+AbvvnV6w0I2lUsrI6Q8BcuDiRmr
+IUXPLMMFFWEEyiYatWAa9taGsKzN5k/lIw+09iFiAjuy86cvnTrWVAl8zns/pbJG
+mwv0LtfW13nYaOdkP4FknR8jDffIWohyfCaGf04zjWHbSBFMe/8mMv+6PY6RM0Wm
+Ye4e6VwCg27iLSQfH5+bTKzKvAZzSdUFCwHB04r/yO9+XpNFwMKWxmSWvSUldJC8
+2LjdR87/MCVwjHMOXwQfooJNdQXGJAwAr/VL4F7sq7dl+ndOg97W9tCkr92hPLsF
+oLTNJrmPAY5CTKGPYsfUiKsLbfr6hmzM4vPui3PnKISlu7z4TWl8WOWJraR1SOn2
+pw0waZc9BrzIlXSKR19wVOznBmluFBTFtofR9k9b/XleF+gelyQuU7bVCC3mz/ej
+hzL4xJT8UCz+qoHK53icNceBtjIKazd/MD4GFKyzzGDcR2He1oa9c195flwW3o2p
+bUGsITKBQO6n4YqMXQIypAtiEaFTVcyi1LQYw/ojD3s5RWvM8/PP0S9FnGVJOPSO
+isiFcJEjshMfflyhfGjdSvISzaKXBv+JCLlxNjblmCxZKPSFTRsND0ddeLnjNdl3
+C2xXr/nrh6f2cglAEWEGKKLR8/hFGop59JeGS7GJxWfqO4JEEZJ+spzkyoduqIJO
+FCZpb+mkXbalWhUDXd3QubXLY4HfNHJ33kZKFdbuARVirdMEZgS40KLOT7LL2MtD
+QrhgRJftw4LXkuHgxXH3KauDWXWHOssxq0ZIRo7wzLRRN2I0Wu5eptb5rIDSI3Ta
+i0WLkdzkRkhiCQ6bp8jo8Dhlld9pqprDLdMfP/ztObAnj3aCA7SoZlSI0upeUpJq
+ksFhXfDRppBvkZnOSUa0SaiF0gn2ApbbeJHsikZDYA9OpqaRJmghNCkv8/4oN9DJ
+LA1pYU+M5bVonmf54EVqjwxgl7yIOU9kKa8HIGROPqUL0eVAYZwfi6ryA82ZMs2a
+FmncGPjqdVBRD/er9+eNLhr2oN4xGU+/rFutMH+EOG7G8moxMNMJk5KHK4Av1Bz0
+mFDT/WCEP/+mtxSq9iMplXpVP+AycCReuLkq/Vh+Y8BFwyLvzoSytNEAeZo8EMjy
+9hLYzUARePAQmFPLazR8mxeh/eRcxBNPWrWY4BpUv7oaVYx3+lkWbgUtPEQKBwqL
+cYeFZzT2XEwlmoUy7i39hjrX3eyBL/JLH9wcke4+0ASIR9bKAM+auEkVgiY85wC3
+c8uQxvAIwUd8vwRr73YxlNACpagmUGWnsyPo6UbKi599F/fHiD+okXpmWArb5Tya
+m3MLkgLpSepBk2m51Ek2TO7F14sMe+AcuSnFaICYfsDsZwRfy36oFIgrYp3bPKZF
+/UPU7WS4N7YfeCwHtIPKSyhnMMLUHvQzUSHorsVAfievW6fatldszMdKKRz9I+v0
+wVtUOwBB56PPFvihm33nfu1k3F76Dwezw4xMj5SPX/7S5BazDrlh9TWbpeVUEJY1
+9R6EX/LIjmpUishVkf4QZMGlBAD3CHdHN0L0fGkPvBV9bnVwq4NfrkKc/Ppb+6V+
+hHvlpCEAjLNT4bQ0kYcdcbDtBh1Jl38DGCnSrkBs6BpTQBzuSa1+WH17jUy5735g
+H7SRFmqwVDLF5C8St83cS1GxiVdk4hwFQzbmk45QYHucmj3J4gA5qqkLPomf8Rea
+mxqjbP1F294UXGuwOd3NQ2MqD7Csy1yjh9y6hN7hvy4CMsiB2zvkPBlFwV//DWbR
+OXlX77Jh7V9GNP0eMgxhjon6NeAgfsPpvhJ/49HWlOqqoBcc/HDV+fL1AJEQcSDn
+tlbO/j8dtd9kvULm+MCxMQvTWPbM6+aNJeTFw/2PCEquhfDf/QN6WHgSRph/43za
+DlSWK7xSs5dTp77Tu36oLN7agRAyN4H2hpoFs2TeORrgfheaLR67ULb3M2tL+Hgq
+mHrjKLXVRcEDG1I/DPhuD+jdMoBfoxxf3JKn72NWn4j1A/n59nbvtZQdgzrvI+1a
+l1nbl/z45HZUQyNgDshPXTsHRuA+4tp1J8WSk0NjYW47P8ZuolfQMGMVtUS8NAal
+Jk1tqhBhBIpcHucFrON+6gznT5OP+IxUPqHVMzqp5SJDSsgRjTkfQXJHdM7cWKym
+H4/wYx5CmYg8FzD7XN4t8fNqNMUeuVCWv+OYxC4quiEqWy93ijGQnxFdFW9HZNCC
+-----END RSA PRIVATE KEY-----
diff --git a/demo/ssl/root@demo.p12 b/demo/ssl/root@demo.p12
new file mode 100644
index 0000000000000000000000000000000000000000..889f0b4165a2e3b0d2073ff1e93534bd06d32fbd
GIT binary patch
literal 5741
zcmY+HWmFV^)~@LqLWH5DQ@W)?a_DYB%AvbUV1^Ruk{-HS8fk{^4rxj0Za&Xi-@WJF
zAA9Y!o_Fp2`+c||L^eo>$XpO2PBcuGFi_Yn4k9{Y4upsr1wusr50h{~u+{z>q2)lZ
zCI2B&Bt(RNi~qj~A{RLt*8hIMMnvPnMZo|{PbpN4^++KhVITxSurX*6(;E`29UP^2
z9y8a;cvQlwPXm9@T_k1fpHz6GL%HKt(K%GRl?J}J<fMfEd}79szzxBmnR5?$f|6=6
za%I&yn0kW&%n#4rA<IfzZ6=cGg)MNNUmx0F5Gz)3<JF3`51aKB&!0wVR%6hz`lTob
zP4FcT9{@^LzKJaRfphMKf#~N9%qPBF!@<!Vy$5GW$!-Mlm+a+Bn_*iOVy0?ZQSXGH
zpQnk8m`+EBjE~BJOb@)9IgEN+9^ZtP8&iimWNAZDc)loq%Ie>`ZlGKcJ3Q3cOb_2!
zh!sT@XP-y!2yl5;`uJ2ffm<K3VR~gfu|59MvurtK)Le_m;bQB0pTE9anJ4(>DX-2%
z-T)na?K{~}%amh3)NCfl{@LoT%28`W6azXT#r%f|A^nSeFF{thmlSDx_j1{<u9^J_
z;FWNe9s<(vERTK~W7i`tG4xRr>*~W*o14NxT0;DM%pNZ>1rcY$g<{2en^TTtsYZzK
zWeej&>Y$wSp1-XMm<kxlBpkfIhYURRH_~efvcg@cf7kp6=jj@`Te)0&+O4%*;&@&6
zIOFTlIL%yuj?1^Ldw=nG@drIShp($s-kof+0xU(rhlW>aYlDaTR~k%P-EumdeV)TZ
zW=UHO08){kE&G4xO3yqV6Xsg9cOE|x%39E%aZEW6vSo@skK%D$NUHFU2P?Hq6e8?;
zcC~kFYo7QPFm{DLPRIx!kNmMB=xQE!7QlVHKP;y{r*U&Xq8%7@i=0aO;eyKU?4Kc@
z<yow@wPIH(O6xqgp9*Qnr-beVea7PNahpd_uFPlTWkO(Q?QBCLxA<`B!IyX5O+igQ
zbrzjLhFSseSZ{?3cJ0Ae^Ppih0ja(jAK&$z65YrQ)_D*ikh%J`zrf|kVEFdk*F6t!
z?sO2_a;xa0m#dbGYtlH$M;+>m)wC`pO4<vTGO-UKW&X)@U*awiQLW`uj)Q8d#;)}K
zM#SeF_{@FEBiOddRQz=+j$M7@P^UZwfKyq8xYd&8vetq9De6&vXYEUEr~~>`sR@D#
z`sZKLMXRZux0kPKL4!Rae5F`VM7qEwL8C@>=Hzl<1Z7@N;Ym)cXmidqA#cMp{qTeX
z`DKaTul>B4D7frsITCo`mi*%z^sG(JL;=gnS5bz~(Yu^5n8?fFR-hhza)Y7wjf~Bm
zSUH#rtz4M@5L)xsCClD*GQk5QhBE9JQvv^Ef&dTY%{`&xL`?CMv^`rsY~9+2!!R#Q
zy()_&6JayzmAUV$?tVfWaV32!pzle*fP^r4_^bb9beW%qBnfJbk!GD+i_2)e7FW*O
zRjJ?YtPa@wixq1}qKbaLH^s5jU+?L7yc&d$!C%5AwJsaTs7ZKf>q$1@1IC?Y^r#t5
zCywdJSzbjg;n%xta<RgtE?7WnDRVK2M#u?I?rvP7GC_=pMiht8GPiBm=I(V%K#^E4
zyariDb>OI=%<UFpZO&Q%Ll&Y-Y>Sef4y9=xW<1$vO3)X9VxvX-(fW^`D1|Z|YqVzv
z9W`G#J&AUtbb!cT_mwxO%XYxx;T$+a2}?8XgW6+JrWAauC01ramAO)l<+7J-v+VHE
z$Ew;eVNg~v+ueAr1XW2oRmlXK(Ci3)$0T%&+&r2Bh(4;dv1xn^5*jI`!%(gC(>sK@
zf^E4`o@uHZmhVxwegt5)+_xqh6-*X;ITOI4(ph~7IN{!lOCeL)6}QZ%OtXR3eEMy=
ztl_Qxh0pn#e<6Q|u)q6S61O71nFf1@B=zp`A1FfD`t!QyQ$c$thykj9*P^-JD-;v<
z*A2lO$0P|3k)Vku33C)NnMTyLfb0{2Bg$7$)7n))$%>#P7+0QMrDPq**ug(tQCPa~
z&P3a=ro6-O@gUz!e$L~}k+STE=p8m@nT%T8Gol@cSM+0(X5~_Or0y~!1Cn|rvV&sX
zBqc|$@9_@;e@wy3gEKxIH-S3dv{}=meNd^;b_9N{RJ<2gf=t{QJeeX_EpBo$!xG@?
zcTApjFLA5b-W-|j`26X&&j|)20v)jKc7be!dY<t9CX}%p9++q2Wg19UNNGgf@MUOL
zPSzQkb&7N%bxiWh)AjxQdH4karW<@kD1M^3{>J1bwu6`%ai6*?sl*HP7X379XynA-
z{i>>}j~`PG;)$D!wmd<RjhtGmY)VHT$)1T1WRADYL2K-jAAK%bd(TUP6&rXnFL}t_
zI{45cUHDhqt;gFZ&xNs9czMdeMdS({O$=ds!RX`^VA6bu+KXe#+!ld8xf~Tv1ao2}
zjHfOY<dc0neX7+oPK0{Ymi)3D0+Updrjg@4XLr8d8eZ(xBH#to-1&cvvQmr`Kf61?
zjol`25yWPlj$t6?^)PcwTp1<M#>B^`^W0*<-O_DnZR$Zmi*`Y&aU$Ic>9W}z>G<Y4
z4AmrErcP9BFUbXI#W&9Ge357l9y;9ad)+>S7x&YG^$p6!Dh#LOwQu|;HG+<H_x*fE
zP}6OHT9xDCHwbHvYpihKPWQag$?x>`SHxIS$ez2$l(e2d3VAk{f!N_er<mUW&a{ff
ztdS|w)zWpM%QL%V&qH!62r#+>sj`A;;NQ7H8h?uIN%*!upIaEzym+@MIEvV4OQT#n
zxUvSeo1*d6#-T1Hah*?6VjdL!yjt=q!`yAO<p=~PKC1Qt>8w>)D`{$7-TkEhm@-L}
zf`=0fl$mpFyp>RJht*8BL(t{vCkL*+_poG4n!0mug!vd$b@}?=#Xn*D?kLd$B49&8
zJ=Hz*#2KmMM>2~Rj5cyfJCGS~5U6DYv%6TQp{LxA;y8_;B7A6Cz<LPpHh49N1%0gv
z^-r2bM(<rV4~>-xt3uF9W0mDVCWwb==-u+Y?EZr7p(jvQp{U~!{5x5B&eei4cQ{}t
zyOxlR-H^w<J$->QGra9WOzRrA3VkBceZO|IuL@~_e`V`<a#s(PJzP&LfBkh(7G;i(
zm2K~ySnQ)A;e%%Ghf_Uc1Q9n;lmLObQC7y!a8|9;Z{VqJ*D`L2c<bZp5+JL|wT&)w
zB!$<y*Vb(Q$hEaaWlS)s6MFH%px>q%jJLq^!6zQTOttg0jQ#Suh-&n(@c8{e4mf4s
zSs^foN~PQ?l@gMwt_gh9Y!kEiL;!^YacSIvo<#TA&%&S4i8qFme0)8F?Va8qd6ORM
z>yqX_dL=DiH0C|@Z~4W<u+`HgHRT^hZmAA5*Ho4PJ*r(_r8Jv|oqtZH*uB>>#~Ns%
zjuFdR^cudQ4emID_?+_t94GEVHpy(iO>boKAl5ozdvpEtlyokT6hV|kwyaW5h7>&F
zCYO)2wfL{+&@2*bjtJv2#POGP69VA0#O62#?Yneuw8vmf!Mw1s(t2IP6Y#~pc&>E~
zx?Q!y?RX`pJ9n3(A$!n0irp7IKGh2tsz*6IMp!!RooWchtn%HwVk|m5UC<2ttgH~*
z%l%3A!K^uqUk{B;Aq7&zWQ)1gTcTmN#tD*0!~g4z45D=EUWBGF238;Sor}8aLKkA#
z9<lQ)X7f_6B+MLy1{B0xf=_zE)@9DGmv%Jvj?oAoStCw&V?4T8?W4*2lvca)cg^~D
z)-{F_WN8ZIQx_;$O=nyd;osI$CjG%fu$ovJT4DTt&0rCsM@I~?s^+@&<&41{lyQx(
zR>G9L+&*1<H!p}lK4VnK@j%IugFv*?t3&tPobqfEp84H&TIAk01dTX(qh}Mcrc8og
zdDD!>&3V!(wkqy#Dg=@Z9E0PW-@>21`K`gR0JEFy%kW#z$mob29Q;+yYc07F73)_$
z_6?>Wg16zmiZjx4!1KE1w6?}Euw`-N2Xz+)fcS#@+H6Ak<A*hkE2o@dJ&VeH^V08(
z6Dp54H8nWGwrT)cT-2yYEX=!3PeJWv@cp~Wyx1O%Nh{&V?s|6tCcPX$tkv&Jd$&*_
zCn?BqU!^Psjwm#?SZpk&@8_r3!>J#scsS#~O$x^+>T>-88Y_p~nJ#@_cPJd>Q8{gK
zeOen&e8dDHE;xHQDW<KqZDUj{dSR3*W=l<Yk(Pm{EoV~eBX;@q*l&amlf{Sk>A!G6
zFuVUBamayS)}cT!tN!7#e^Z18_&*wfg^2Vobo>Wx|3AAx{*PU(2aFDQ(Wc-2$1eVz
zgY<b-_FQDGn<7l`y)8A>4)Q9}zXH#;)j&BqN)-$ECz*XKS~}%qu}i6}>KX!nTK2ot
zB^C;ueQa@DrKRYQ&YHR1vPgxBU;lm?5c_JP(!X}EF6eg4ARM+*P<*g(!t1z~V=~6t
z{n>rZ$0R(!4QkAHWJ8`|>*L?29jf%@Ol+dfYf)1P7fb9W&H!R1#+sV)Iq*`E#@J1w
z^qqjvvCU0=(i$|IKn<oX-%#~cElYk@i?GXo@Xo`S?OhLn8T&;?x@MsC<PV!_7tq4T
zG-A5U9YGW_EU>=iS*er1@si@B3H8Pb6B#-efY2QR93aQSPL@cBm^(spB)324@9iv-
z&b^z;h4-gl_VQVcE1$novvSf8Mhkcovy<==l5xM3S?d38ul-u&XJx$-*|1m7lL*qV
z|BHgJz%(zM*~&z1Rk2|Ce#z-kOblo2+xI=55MaqcD0RuU9L{z^nWN*MTReV5qXFUg
zwH1&unwhE{O#k)f_!lbm6b}rV?y3t?Y;DAYwM3TDe9l$m2A*&uy7jI<yga8cW71Uq
zer-i<UCJoJnmMkI*I_YmPZ-o^WnZTFt>Ci#Tyw#-6jQ*YD$^UKBl$M3h_{UXL;8Gd
zhz<wGrx<oPTtE$>pk{3lDde%lx?DX}nz(7DWHwBE!8R<e2@ted$D86?`8cX1)et(3
z!6DV^mlA3`3EhO;$V3Y-;SgPc-`u)r87uN^R-U~O;I=XZpl@chV7*1)ZV)#;X0oh)
z$8uexyhdYvjoonP8BCjQk%9s0<bl7uL|3gh?IfQB@iP4CQ;an09W9-jDZV>cGH#pU
zc)YH_nE2+?n;|2dR#hS!rnW8lLHw4T>>*;j5V2{rR!cP_zP{j~&YkBCG4`C_@*e=X
zuuJ`SkU|z48=ucF<KSeaOgr1bjh(ONQo2l(a!}muI<Z@Nv7h%-0vZbCf41?q8E?!!
zECrG#St?NGf-6gtHJSL;FIQ^PYKVV)!v}2L9d+d*SFYss^cb94Jw`@V(g_0?J!-a`
z9>+7=x7wff#El9K==S_b0t!Cp^gR%de6VuUD3G$z8T!jYV8AM<4&+5RNxkw2(<bQI
z86rKED;-I4`i5F?LTU=vL_Yp9X|L4Yl-(+~YYH7esvW(N9M$-=iQYi{*}i26Z-;Qm
zoL+Azn9%emX0e=4Cb<Whg4sok@W?v>!_?Bb(+paDr~IXM=DWW;%=kO!B==q(*y^}B
zYm~K?a#HC}ba2?jW<$54K5Tho7dP{xMfWdoj*p$mgat%C`+-Q$;imzCbFD*nx?Lhy
zZ8>C?z3ay!>{837oGG4JvMj)FC?$$nHFHimShm0%F<<}7Ax>+?I9uh%_s%VSB1(mz
zAZ<@Hd-k3g#%<~G*Rd8Vg_=kzLS#R6+A>Y=trUQgzO&2*?Y=*aTxy~xWn@6Je_qKJ
zE<$KffaMpB9!dYiJ_RzTlxZ;7G8vYNDgwe2%wEZ~CU_fVLwr(2q9~LW6GHI=E6ZRq
z*cj7@zcWHyMsk?mIPc(XQ(v}Inu?5!-ttTRZOc+8D+4&v{=37%pNtn;meT2~Pv;$&
zY}~YeEytsMnE~Lo&Ul8$$o8AwgA4vJOBCa3tjt+i_x(otN>eATHro6fa&O{u*Z}1i
zkyP9}dTXgdN0HDYix`^x?*6IO*L_1GplnNwIf8AmQGaU=-T3C3q0~=ZMg+UHaW5Xz
zO=+T_4IoIj!`stVM$=<$?crS{7`A>3zYqP&OLeouJe?dL7%RvU_o`PVF*PhJQ?#*T
zdz(LFO|>?@Er^0BnEd|Gm3L8~q_VPB_r!O$Yqh{RS8OR|@r1o%Q%`=I14(jUNJa7N
zt%?uN+m_zIOh3s^AZV<>{r8&GnQI!(GA%78Se=F5U+fkZuc>R;v6Z?CHuBb9cn{DP
zodZeo=0}Rq?;Q_iOPD;U<rOcMoLtbollPFmtJQh8mvnrpXDPYjJF?uFS{+b(*HcGT
z*Di2cx%BAe5T$4S$8g;3aJO>zR9|izTtvQ5&(O22#c4TD>V>R9B~eHHYZM6`^>@z5
zrp_<n5C>ltYHxQxi&dLW?zGE`0J$#->WGt#^$!j?MDejebMgdfn~2x&X77{kp{qqx
zYLbwRIsT30ni}IKPmKnC&M>sksTg6e?}(xZF_%;wj_wFHv@M*Gd~O(cW)P2?{VT<3
zUMZEsuD(%LRHsiG3Zz^cMaz<?I%)Y9aY$YC$eFd5OdJMMef+>^88zOm=23E${E@LF
zycn*r<Sb+|cYnV~6&M&>g>lq<a`bIbw~%VL0~NVggg6bMO{-Zi(%+Sn3oewK>owfT
z-p#nypDs?x#W2Y#78Z)zYL`#R^iyYeLZn9NX@2Ysk5P5z(B*}BX)#HKBx$3KJCEC{
zkzcZBAHs>}@?LW8PcBNY)6tN&NQUq-nVH1ib(h6o1gZirYUD{2-tTV4xMjKC(!tT{
zY(Yi%u#dc<ZBVHFIUrr$tB8|Dc=sddtV^F<0F+g&Q_|qGt`VC#*D-A_EH8+0z1q|b
zjrhGUkTE$?@^Z`3GMtv)5;Pb5<TmEAbGjX~CI7GN@?fN*4l@R#@SiMDlMDa-00Wg2
zSLzps5+eSpM!2xk{{5^sCqxh;Vn9kf6UKdwXM^C6EOIK3WI|O<-kf`Y5IyurC7bR{
z^*N!UZ^{N>B}JN~k-1^+-HVHkiTw3*E#E9r)EOz2{*#MTz63cI0$*p#=BoL!B4!|T
zyF5E35guBuoXbsUUUhc5kY==4?XbRk?XD5JUB8|Kbe4Y3o1A)^M15+Aqw^DR7a3>p
z`ruZJH#n!Us}#pZOD18HVwsR5=4E5SFB2U>PVDQ2DpmwbWi>ElU1F)IVauNE|Klh;
zi)lY>hEXuvWjcW+lf(YlfJ7;plCpZ$TL<J8FDt#s0zd9ul+Bn!f2P1XoU?XZd48tD
z#Z{=TyKLv*oO!d5j;Ls&NeSo^!*-RUCMUNY$~#JKsZ}d13g;)COnNOe9rs&2e_2jK
zsWTMP*P;8t;1s9Zh|R9d2EB8_@6qy<5nZpl(E+&_?0SSBR+jQ<_`(%}5LCB<2OfR6
zFq(9H)HR6n0eQi%f0P>w<_)6#b#348dMsOGx{O@FRc@Ic(Mbik8Mx^FZ#%;TaucBt
zUW|ZWZuKrzKQqvCW?d$Vn-*n9adC6eaABgMvf?5mk)a}>5Yoja9c>-cUhr^929!jw
XxA4{AN1$L#5z89*V1=>&r=|T5J_;6X

literal 0
HcmV?d00001

diff --git a/demo/ssl/server.ks b/demo/ssl/server.ks
new file mode 100644
index 0000000000000000000000000000000000000000..cf0d090aa6e6f922a363c6c635f02302fc8c94c0
GIT binary patch
literal 3900
zcmc(h=Tj4mlgE<~dXpYHBE5tJ5JD5Ah;&4HKxv^WO^O8RktRjyUFp4d=}NF*0O<rI
z6zN?-h=82Wb8~mU|KN6JUwpp1FLrizXTE>-{_Ft&0MOqA{+nceUXLB^{r;i?ALHXD
z0Dv+E7D*Weqa&jdCj)|kVju<}kQ4xpr1T0RXmSy8A6{I#h&xP-R~Ayws}xo`hv;7H
zfbNxozb8!imGfb)O}lQ;X=J>A^Nvj*_@?%Y50M(DMjM`z5J@-qIMV};r+f*id;D8%
z+)?6FD>|DXWNS;5T>x)r<44qmbDy1h;)2M5UQ2kM5s|Vpfq6jnOJ8-k>kWXp{3`Q4
zJ|rbwh-tG&$j;pZN%_&p;Bk5&bmZ`1w@;0wwPj43%31O^Xdx>dg}eS)@6v|Tk*zay
zt{{sCK-&<w`GFWom9F}dBxmxuF)zBk;hICaz)O=`)v2pZS*q_l7su(I_n&y0+0582
zB0|L<%FStV#7j<nD@dd<moZzG57Q4kO_LlH8soWDw;#c<{o7eWB81p}VwGUQ75b?%
zRtE7LU3cH!5X(f}Ue`!(C+lp}*9Wu@OcnKF4tO1SGcp{v#y0XTCGK<b;M@pC3d^iF
zFR_5?d-%g8GrO9~C{b2?Uqleg*U*iI^r}@h(lUP3m*eeB7{+p)DaTb&WP`kwVcr^(
zM}YB>NsYT^Q{TQ+7VW0n#A)trd$s|C#VY%*g%!%jvkfxm$S6vj5tF%eBGb6bf6Qcl
zc;fax)57u7cJ{aYR-f;S_;N|44GDH`Zl<NAP{<qURjcu1{GgQ!O&t@=5Cce*(zv{8
zd^eZ6StBxOmQJd4$P7N(aCKy<Jcw@Y$r9#^g3L^avv+B^w;8soq^!Eyb)-iCCON3z
zaxE`B3Q$y8x!&*~%qLQWt%hGMN1A#@?%2-6VpI@EkJ0hna|ZM0I*tBtD{k5wvrC>(
z71Uyndg5fh{DA0SUT*Pood$OHN}iNi{Y`N%X9>2_rPATf5JJD<%K`Bi3lSKy7}R_+
zPYK|#qT_ClqEy9<2k(4`MyNErMJxufwNlu3{BfEeE8k#ldW!{?5(OqTN$4SYdXQ=G
z^%d`%ee%4nwu0&G;(ocK90>(EqM24~!=u{|yNowgkg5Sg4y|7^HLYeqDc{DTKPpdh
zjWxc0K*K|KHEBa(lCjb*dh?X&D&{Dsa14c`guVhb#v$$qIxjw`)6%#$$~h3;^sY|l
zwKMb5rTl6dD!mjB@;v2R#~}$XTuifd0l(ApgMYp`aK1^>sCoB}(4Y2nirG)9U%bDI
zOn}Ki$pnh13|2&oxU_mrF*R~xbOU^ycxB#Nn_q2+X3=bi0_iz&kj~FHw>b+|mCr${
z(k|~y%jCJ%f8MB%ZcAJu^wEpaxOWhPEdgSf7d8niHZTKVz+R2$ykfY8iF};GWQBFg
zu2_hxRhT;IBU4!^rSeM8%}nXqZ7Vi~C6lc#82*Iw;r7mftnUszhH%o~W6xRe+fXr2
z6xOKKahMXA#sd6Qt|cMp>4;gamj<Dg6~MJ@`E5vxz5cKgKNX1mMFaG^{H;y%$<Xfh
zZcl<J#}~B(J)VBdWVn1GFL$V~j;#`(moBI*i==pfO$pxkGhoz5=((*nl;<P2-}H4d
z{T=n-b(d>yY|GQ@g*J4#&GKdxff?Dq9f&@?X;16j9BA{ppNZ#tjfib7<)v7$c+c?w
z^MAcNxkbZk=Y?Sa4k--h^A4s3GBt8AHzYA8GdO>78gWsq(Uw|%9$~Hsy|wLKO;BQu
zK-d<H|EdA>-E(!q>Y2tSM4(lX7of^Ka|u-Am<J3upn<`61~~6t{W+iL$&@6Nto_Pr
z3m<037KJ1Y-n#yzqP(}s<CMG9g%II1@ouWWF!?l3b<1lYi^?An_vvmLKAY?&J`OUQ
z=wMlKZK>K~WtS71HX^<8enH9}($r@9h>3`LW2V?`tllubrdFs@;paswa}Qdc)oGC(
zuV0O*W}J!7cUdq`+l(+6)+H*qoKe=yBi`NJVW&Rdq7+{@)5zn&pR?QF$aurIh9E%{
z-i~~h&5#?{s$}t=`%x9@>p<dX81#0hHbSva?)V^+GS?~=_m;Mjwl?}Yp;>Q5*|<S{
z%q#2Y@ninT)mLHuOAHQso~Zswcx)Iw<%Sy0miIESDxcQGwg1Nl%c?<MeNy-2P@sP|
z{HJkCic}?T;(d_I;&*7dx3kj_l_M-68(DRGN5MdQI7rcK#A4wbQ<)aGABSiZ_fe)8
z)%LN`F%(JNp)E^^I}E<>o~j?3vf!#Hg-VG|8hBgFp8&ah6veDF_DrBpreMQn{+6vs
zc(G<;>BRN{sj&1PE9n_N5saGR78^1v{WPOu-6mtL|2WmjY<Ga?e7JlfoEPA~mH$%R
zg+-`51KCMIr&Krey0m^goTn#D<IFeHynRCQ<J3ZQq#x$d`1u(9oQX^rdTB_5tepbY
zK6nXT)-G8WOX5#2Rtvrr;-fh+d($@g5l0XA#~f4V#53%|5o?@FqJmx8k-;+#S-CjM
z-GnoVuR9t7OE0x+y6SD~^TU6~6yv#?WwD}Xt}iDYg4+eFScw5sGO$6}U_HCMk)b&?
zDDK80Q{v%4VNxI2oB8S$2M;;^C_Xgkmq@d@p*DPvGNg(jx26+lHG+tS^v|FWh3Hw9
zPXRCq-&vOcl-8UxwOk8dd{o%Znpx>y!Z8cgs%|a=LsEn1so!k(EIInMgmM^uf7~G5
zD}gDxFPc`@qxE&pwDqTl@%*vQ9f{KYV{oT_FNWh4v(Kqa7}vc8K$XLkvz|=GtgM*R
z%Dw>Ujp%ckCu*Xund@y~+1OX#tC|Z~EJ(DvC3T3KQ7qg!=FD$Z8W)~Q%amN;{q|Iv
zr}?f@)f|v+5ck|w0Q#|8*@t9nL001s>IYxSu7uy2(fsr;<DQfZ|4k1)xLgtbQuvd0
zaUaKs!1M|CHJPHn#NOE^iCrni*16Lq6XYZqQ-)$*i5wPq%m>rlsTQT^Y|A!EZb}?z
zs~CY!$|YWC;Ex1Hbaj-5&x5SnXSKdcGH!~}=ZkH`c36IrF;F5i{mTD!%g;;Ab|%HJ
z5tMxuraqZQcOT{ZLfO%UK|_}`S5k8_l>lT63S6obp1WuLD@aKAY0K~{i)RKr3<~Fw
z_zY9%`9kA;_#1uJXhOT6WO}$Si|!dZ@JBvTd{$L9O7t7j@4iHJ4_$kr$pZVt6RCKi
zOL_L|KM3Wo7za1_NH1uIYSFzJTkm?WQ-A$%{6{iIJME##3z$54^amXIldmtdPHOCn
zk*l_ge;6-4mX6}jEz)O9C_;<6thmXq?#mys4$E00x?+A>fAFxVPgE4F_imvXq__Fk
zo{?HYZ^9G+08&p_B&j<rlEmZ<2?z)RfsI9e2f}E{D8-`hMxWCDwP>UOSRkAlMoC6u
z1}0+yX==gg|JMHk1rwP%%J-3*=l=-g|0~eJX#VM-Vj{im>w@xvGr<`CVQMC-f0<7c
z_1Fu39me~QNWuj9KatP$U)RX@ch3PRUl<P?EnFIgfXl#TU@#d4>wggbPy9Fj{|y!i
z;{VSj{WY>Aksx{iED}ToiUa`xZ*1@4RG!VG)8OX3;OwCLQXh3L0JWXbpmQRx$>_5a
zEHMJjnDsfim$Lt<K1aBJvaxB;R;R&QWAjbb?45OH!TLJK?nPs@^c(jcR>b87Z7t&Z
z>bk6=P-$I@RvenfQ(Hz_M!Jp!5Aju$K$yi=QbcHM=he^fPwSyC6MP8s5Zju5drVKv
z0m-z72@mFZc(e4uQ|PifPf=JjvUr|+S@9Jq>W)$wS<zl{Sx@`x`^3*&%bK-S_UavH
z*&W04@v<#Wj6NMR9CqLZir9fmN&1wTA4xPW3(ww3B8@~j1t30zV#wkeaGp08yngSR
z@_^6VO(ONx1Bz;e^Us_U6}0A|&^f+<eTOZ#-&uKiY8VGGZPDzz3%q0aE_UpV&0QmE
zc=XgYvsrT6lX$(A*6^o24_hZ3?|8iLw?+mGsXRNNi`k(P`~0Jn%nuBlZr)`z4Orr~
zAEvsjONGjtF()kQMqp;hKaD0^BRJ0g=o9g=pQT(25~^KJ9nZ>A*1?@!nKosLu%O<H
z`no@ubl3#yiId=*e}=W&LJ>|@S!cPquvbZ+;@V8kZ)F!oyEAuhowcq)SEC|`HBV5v
z=?#GWx-)Kw?b~(?iNe)v$NXJzZ<zs_+|a-#RKr8X)IV7LJ}01b#PyOJO;OUG{qk04
zS(_+;RRX?x2;=AjkpKa}|GbdDZ}j&<fB=S7AU>pI`bL{2zX*DXVk|e`u689VW|bGo
zw^%Xg`c{{1-|c&HffhrQ`&?v~UqQe9aaP3X`KrmL{&rD|<twSM01OTOwg)>h>ac?P
zpu4^f!X=PfP)@Gvf68k47C$_lnQVx+84`$eCfrgJws~@3NQ$kc51Q%S@YcB5?ut!>
zV9@@en#a64ZFdNdHw3~qc9~WW;$z=i1(FBOMUEN<147vt+Xo@){y3{e8S|tmkaiR@
zFg$blc_R7kDS9BbPENKdUg4s^QjcUHDJ0&sQ1NAJTv->=7r>rrpMCOJvrh&xl5(<o
z4U8k_09R+_%Pi0ZB)&=$$}4EACZ-5;vc-9)EQ-GzYNi&v5_QE!3{Gd2bEfkp(Q93;
z3uQJQxUh6Lg2#-4NeG0m!LM5ukeM+pN8Q4>#jSHO;}U8zvByB6fo7|x!yxt`T)y?*
zaJrC*V^djI%gLOzBoz!4Kx5&Kb|Ty^I>Z{dWyyfMt$%LF2L#|x>NAh|Yv{mU+4L=@
zJANf=QZh`UTifjUht(r3l>59OSjT1pA3x}k-ZA_hcYe&b8J2g`se??h7}0NV$U`c*
zA_ae?1jKq0`>t?v&i-pg8e@IcIxL){GP^&gDe)t|YOUGeSDEcR*yq0L3*G!u-<lmQ
npw0g1#Bb6Z{VWamlX2<X2J(`wA)dmzSsYXEUJjra$Sw6>^8XQB

literal 0
HcmV?d00001

diff --git a/demo/ssl/server.ts b/demo/ssl/server.ts
new file mode 100644
index 0000000000000000000000000000000000000000..9af5fe41fc3c3b8f80d99b85e086dcfcbdeb6648
GIT binary patch
literal 1587
zcmezO_TO6u1_mY|W(3pRiACwD`6;Qn`N@euF-rxB_>By#5qhQumJAH6?+uz*UmG+r
zUtYk>#K^?N$?)>~EyogzJ^=$>HcqWJkGAi;jEt<T3<izehTI06Y|No7Y{E<~u7><T
z1wal551UhJQBGzaOn@COz-Pb%Qo+T;>Iiayp|F7<h|kT#1?DTb0G(tgW*`C*Wai;T
z2r4)`8p;|-!|mr}6ypQA-vR6sz5Jqd137VCLn8wVLt{fDQ&Ur;C?MAui95(#+r*@V
z9Gr}-49rbT{0s(7Ok7M&OpFYhlkQI3rYy34{s)=%J1+%#zM0j%_<LC5U#mue&|kat
z3yK+B=I|`yzAUA(;G%KiGlgJ@wfw()uTNs#S#YI!_bK<~)oRz4D6%l`d7<s_YG=X4
zu7^gfDRr~$I>W!q9om|4bMtaWrv$}sA{{<A810n*zkMa?qcK51G|#@v!}IP_%iD&>
z9=iOw6#a1F?vLI&?dw-x@OJqkm9s_I?1!jK;`LW*!qd*(xMmb(`qp~J@sk#>=ij{k
zVwT3dcb6GX7B$C2Sno+miQcK=dG)})wl%(G&+Kd+iiNs@E^BRT>ydYQKmDEYHT%d@
zdR@)`j-@r)@3@xcdDZnVSK-TmJ0fW|x~rxLU+7h1f4_L4>ZPfle=I8qk33`8bjbMI
zHP0`#TV6>oC<=RiVZVxDSMu9p!S0@E8g9!o_MbR+-k;CC`}3j;`yQ0f3#~dKx+>pn
z%Fm|jqTIQ4pOrHc!){d1IdHoz(I;Bit?tb_m*BI3vZ7JqYd?i4u3<dK{OjvWyE!{n
ze%@6%<?jFFnPyH$1b*5*bmCl=vgYpO1eG_+v0OKtr<?rY4Ec7@fB6$Jsa9X#d16{~
zqVLsJSJ%ruoD>kZ=HG#5o=Hx8x6@5lRh>y<E0EjR>Gsaeed_JW7gm4eclwjhw(oF#
zk*Tfcy+n@3&CTM+pXz(w5^VV0&nV@|`YG^{Xu%EsUxqtbYUeUCF*7nSE)Fp8Gmr&l
z23bB9F&2^KvK#e3zIk%s%fF{y%hDn<jVHS>8_0vCm02VV#2T<G0OdGYVHQ>cW=6*U
z$Y~Ckg@I{~kzqz!VWpqAK)tHYs&jWG+<x>QT{d^_zRle8xaI|~a#-u=|7H2wV^3q)
z7e-1>$S-D<^HYhMVf|G6^N;5_?A>)|On<U&Rj@g7wMk*-e#Or}{#ETcchBptu#TL3
zK}^xL{(FxCKCqvuFR=1lxgplSs^^xV@#^zaj;}FppYu5@c-E=RCrcLDABub)olr4z
z%hj%bk&X5DCS2@2E3b0=cx`O5>(}V1mQudm9o1L<mCd-ePVVisw?6Nx&qps2>(9D<
zxb$!E=fL?MpP2o&PdaH3t!BR?^_bHA6&w-1_j6CKkG$}4BByq})Ka}a#~QYHOYW5A
zoBh#<L+!d*!r^0={%&eEuAj0q_-f?Mdb<U-8-w=0(%p20>CJM*GQ9<r9A=Bs1VVkT
za8A@rJ}@EGQryQ|TX7Y~`9JCJT>_Zai#qJ%d7Kk3{jE0Q{-&kx<=3a2G1~cesYLgt
zqF6=dN`JmdhgS9Ln_ubLsq`?-YS%mi`PjtoGSey+$Y{^HwtCj2ZP9m=5}ZXnmv1al
zUU{>(`reAPXGytw|CC)_+}D4<_5MtF+HvhQ(;d7GVyYh16z1<+XC@=I$@Hqf<5aff
zDcXJgU%yRYojK8U^ZE*(GygwNT+3FJq9J*wW7X^3(VJzCX}nmm?Drc5d-m%lr5_u^
z6dphJ?tS|H*4pZi+-^rVt&sC-c+2}#$L+^-zF&=<VY8pVT(sUJ%J=J6f!?>%cge6m
F0su+|kgEUy

literal 0
HcmV?d00001

diff --git a/demo/ssl/ssl.txt b/demo/ssl/ssl.txt
new file mode 100644
index 000000000..95a24ca3f
--- /dev/null
+++ b/demo/ssl/ssl.txt
@@ -0,0 +1,21 @@
+# In demo all key and stores passwords are 'changeit'
+
+# Create CA
+openssl genrsa -des3 -out ca.key 4096
+openssl req -new -x509 -days 365 -key ca.key -out ca.crt
+
+# Tomcat Server
+keytool -genkey -alias tomcat -keyalg RSA -keysize 4096 -keystore server.ks
+keytool -certreq -alias tomcat -keystore server.ks -file tomcat.csr
+openssl x509 -req -set_serial 02 -days 3650 -in tomcat.csr -CA ca.crt -CAkey ca.key -out tomcat.crt
+keytool -import -keystore server.ts -file ca.crt -alias ArgeoDemoCA
+
+# Root User
+#keytool -genkey -alias root@demo -keyalg RSA -keysize 4096 -keystore root@demo.ks
+#keytool -certreq -alias root@demo -keystore root@demo.ks -file root@demo.csr
+
+openssl genrsa -des3 -out root@demo.key 4096 
+openssl req -new -key root@demo.key -out root@demo.csr
+openssl x509 -req -set_serial 03 -days 3650 -in root@demo.csr -CA ca.crt -CAkey ca.key -out root@demo.crt
+
+openssl pkcs12 -export -out root@demo.p12 -inkey root@demo.key -in root@demo.crt -certfile ca.crt
diff --git a/demo/ssl/tomcat.crt b/demo/ssl/tomcat.crt
new file mode 100644
index 000000000..b05dd8c7c
--- /dev/null
+++ b/demo/ssl/tomcat.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdzCCA18CAQIwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAkRFMQ8wDQYD
+VQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzAR
+BgNVBAsMCkFyZ2VvIERlbW8xFjAUBgNVBAMMDUFyZ2VvIERlbW8gQ0ExHTAbBgkq
+hkiG9w0BCQEWDmRlbW9AYXJnZW8ub3JnMB4XDTEyMDgxMzEzMDQzNVoXDTIyMDgx
+MTEzMDQzNVowdzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UE
+BxMGQmVybGluMQ4wDAYDVQQKEwVBcmdlbzETMBEGA1UECxMKQXJnZW8gRGVtbzEh
+MB8GA1UEAxMYQXJnZW8gRGVtbyBUb21jYXQgU2VydmVyMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAoF1IzT1815UMzdlvMRkCUy/ISfwArbmGAvv5H1LP
+fPXF+YF6EpjKj74JwHhMGoB1j1BUvem5TeWxszU/mevmFCWvrmO83lBAlSNRX6iJ
+m3np3s2/rrtZg2WUu95ZGkRQ1elPRU9KY99rK+NlJH9X6Y6Bfoi5//OAyeZ+kIxx
+39sYXazAYYS9h+8D1mtSHoSFgLMy73gu4UIeon+GW6PbB+E6kQVlRjumBqLtj6a9
+t59T+coc4UStqmFCuPiZuMvbijS0ZBJxuNcaYATcCIjB/S0Pktfyjgxn3HzCLVtP
+KRskGHHfoxje5QHbH5sE5lEQPMFxuuj5C/9eCKs5+8ob06gNVn4u2SB27mLpafqY
+nJxAhGIqRymZSNwf0Nq7GcUj6OxPCzGG1RBV2Add9YpL4rWAeL1ftdNjRmvDwFpb
+dsY9fO8Oh+sKKsrypQZ0BAHWs+wWVHbgHWHLCv2uky43VRSM3kqBhNcHyc+PWjga
++/5M+dqIyi9onoyrZ/dj+KaS5gS5u5dcpjoweb78r67+hJUw02VzZCXZdZZaadyi
+zTQ8SeGzob47TAgQ15r6PGcSYPhqcEnlu6FoT6IYWh55p1QjAGHmZs3GF93qhwM5
+/9i420gEvqZNegdOTVx+Q2s9VHV7QlMbAKXOaP0degikt5mQPrmmtikAFiwx4/Aw
+Gr8CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAXEIZ1OpNWguFWdVn5ksTsw/tpm5M
+cTKBleyXNORrtAwZOo9+B60lRjdeOXGt77UAE5O/0EzR1DoUWs4btOHbHQEVNszM
+1GzudWuWawqcDpAaUKaXL0XjQ+dG1apDbq3MbEONkq1AjBtn3gUL4+Q+wFL6+G4Y
+sfAZkws2CQr1j0gTphAkbUDMtxJdOxSZybhTNgi5oShN46NljMvO9hhSbLMKAPrf
+hyEuyznSoGI3/9KVjK7dmmGAI/ieYc8mU1UIyEVUZPoECSBUJ/T7sFilbL6cFAsf
+IJIdvoBt/aW0+uVee0bZ1hrvYMbgj+Z6FzU7OX8mIbj0Sx9WD8kyoDgJjJ5AbVnQ
+XSlFh1WY99XurhokWtphs1Bmpk6c6alRV46NoAZey6c7UK7ugoMM9NNc+xD1+aK2
+k2bRFhu6LTeF5gyV3w9DA25CnXu7qZ6QiZ8Twav4GAPZIsKXqBx8+hEPN7QN9g0Z
+TlmZ0O25CpKRuYMjP6UI5DX3CvTI+UvlEZL5N9apOnTGh9FE3gkmy1I2gaVcuaW6
+HMXaRiMiZNPL/lJx8qgP8j1upiEtbmaL7bxYr1cql2s14YJJyfaoI26D8NGVkYSb
+BWSLhcjcL8TEwZ09r1geL7xodxov5h9KrgctMvcW7s/Co5xw9xIy8ktlanzDmaTV
+UjYW8C1Sk0eMSMM=
+-----END CERTIFICATE-----
diff --git a/demo/ssl/tomcat.csr b/demo/ssl/tomcat.csr
new file mode 100644
index 000000000..cf5521e5d
--- /dev/null
+++ b/demo/ssl/tomcat.csr
@@ -0,0 +1,24 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIEvDCCAqQCAQAwdzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy
+bGluMQ4wDAYDVQQKEwVBcmdlbzETMBEGA1UECxMKQXJnZW8gRGVtbzEhMB8GA1UEAxMYQXJnZW8g
+RGVtbyBUb21jYXQgU2VydmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoF1IzT18
+15UMzdlvMRkCUy/ISfwArbmGAvv5H1LPfPXF+YF6EpjKj74JwHhMGoB1j1BUvem5TeWxszU/mevm
+FCWvrmO83lBAlSNRX6iJm3np3s2/rrtZg2WUu95ZGkRQ1elPRU9KY99rK+NlJH9X6Y6Bfoi5//OA
+yeZ+kIxx39sYXazAYYS9h+8D1mtSHoSFgLMy73gu4UIeon+GW6PbB+E6kQVlRjumBqLtj6a9t59T
++coc4UStqmFCuPiZuMvbijS0ZBJxuNcaYATcCIjB/S0Pktfyjgxn3HzCLVtPKRskGHHfoxje5QHb
+H5sE5lEQPMFxuuj5C/9eCKs5+8ob06gNVn4u2SB27mLpafqYnJxAhGIqRymZSNwf0Nq7GcUj6OxP
+CzGG1RBV2Add9YpL4rWAeL1ftdNjRmvDwFpbdsY9fO8Oh+sKKsrypQZ0BAHWs+wWVHbgHWHLCv2u
+ky43VRSM3kqBhNcHyc+PWjga+/5M+dqIyi9onoyrZ/dj+KaS5gS5u5dcpjoweb78r67+hJUw02Vz
+ZCXZdZZaadyizTQ8SeGzob47TAgQ15r6PGcSYPhqcEnlu6FoT6IYWh55p1QjAGHmZs3GF93qhwM5
+/9i420gEvqZNegdOTVx+Q2s9VHV7QlMbAKXOaP0degikt5mQPrmmtikAFiwx4/AwGr8CAwEAAaAA
+MA0GCSqGSIb3DQEBBQUAA4ICAQAs7DPJFRFw3drBpZ+cRXVQIybwYHYfKUPZEOGTX+mFgIgp8qfb
+k5IiTZW5JCj3sbskDUfWRcolCpyapUpB2eNej4Fs7Ry1PzwkzIgY1rMlSUnc0oi0JFpYT541RmWP
+o1e1j6+nEbVaRDZ/qk+vgLg/uCpuMwwdXYNOnax9mmCtXKjdIpwKG/WwqtB7ydDS0AszaItvwM5L
+IRAxuM0FteHYc9b5JCS762UpdJcaDTmvBOOShKG7mMSpFFoFlRThE7+kIQYDiV0pUas9odCEAond
+69sOLy9vIdpi6UHB0kEHB5DzEMlkOI5VyuAgsRQXlzxQKyYDS/PZwrR0+aFRq42ErMkmtFrC9kxG
+oDgFRhSHaej34ifM788x1c1oSq/dcy+DwuhaCXgdaTwnMKQVPQo6mHis6WL3DF8jf2EWJMlxvdw3
+0BwNRNSDAS1wN3jO+fJ7amWPa+OmdbYJB68dFNoSDDWW6Se0NJfKm4QBR21ipVlcC2Bk75s3HBRN
+KM8zV7UHQEgZnptatVtUKgiM3qSVbRxHP/miV/rVQpXAhE7z7ixAclx145piueIs0Jqxr4BgQFMd
+Vxeb4brcYk/3nrRrLKgVhVcywMb1V4YYXKuHIKR+cbHEk/lJ35UfEtCOeUKXyLoavbhoA7Ujfeqg
+0jp+vpbTHSFA6BG6ZUhL6FY+oA==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
index 525b84db0..57686c888 100644
--- a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
+++ b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
@@ -13,7 +13,7 @@
 		<property name="providers">
 			<list>
 				<ref bean="authByAdapterProvider" />
-<!-- 				<ref bean="preAuthAuthenticationProvider" /> -->
+				<ref bean="preAuthProvider" />
 				<ref bean="anonymousAuthenticationProvider" />
 				<ref bean="rememberMeAuthenticationProvider" />
 				<ref bean="ldapAuthenticationProvider" />
@@ -28,10 +28,16 @@
 		<property name="key" value="${argeo.security.systemKey}" />
 	</bean>
 
-<!-- 	<bean id="preAuthAuthenticationProvider" -->
-<!-- 		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider"> -->
-<!-- 		<description><![CDATA[Pre-authentication]]></description> -->
-<!-- 	</bean> -->
+	<bean id="preAuthProvider"
+		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
+		<description><![CDATA[Pre-authentication]]></description>
+		<property name="preAuthenticatedUserDetailsService">
+			<bean id="userDetailsServiceWrapper"
+				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
+				<property name="userDetailsService" ref="userDetailsManager" />
+			</bean>
+		</property>
+	</bean>
 
 	<bean id="anonymousAuthenticationProvider"
 		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
diff --git a/security/plugins/org.argeo.security.ui.rap/plugin.xml b/security/plugins/org.argeo.security.ui.rap/plugin.xml
index 27d151d6f..461cb5948 100644
--- a/security/plugins/org.argeo.security.ui.rap/plugin.xml
+++ b/security/plugins/org.argeo.security.ui.rap/plugin.xml
@@ -51,6 +51,14 @@
             favicon="branding/favicon.ico"
             body="branding/login.html">
       	</branding>
+    	<branding
+			id="org.argeo.security.ui.rap.branding"
+            servletName="clientauth"
+            defaultEntrypointId="org.argeo.security.ui.rap.secureEntryPoint"
+            title="Argeo Web UI"
+            favicon="branding/favicon.ico"
+            body="branding/login.html">
+      	</branding>
     	<branding
 			id="org.argeo.security.ui.rap.branding"
             servletName="public"
diff --git a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
index 233971687..0dd0d173b 100644
--- a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
+++ b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
@@ -70,6 +70,7 @@ public class SecureEntryPoint implements IEntryPoint {
 		// around too long
 		RWT.getRequest().getSession().setMaxInactiveInterval(loginTimeout);
 
+		// Try to load security context thanks to the session processing filter
 		HttpServletRequest httpRequest = RWT.getRequest();
 		HttpSession httpSession = httpRequest.getSession();
 		Object contextFromSessionObject = httpSession
@@ -140,7 +141,7 @@ public class SecureEntryPoint implements IEntryPoint {
 					return new Integer(result);
 				}
 			});
-			//logout(loginContext, username);
+			// logout(loginContext, username);
 		} finally {
 			display.dispose();
 		}
diff --git a/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml b/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
index f12f0c804..5d4319222 100644
--- a/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
+++ b/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
@@ -9,15 +9,15 @@
 	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
 		<sec:filter-chain-map path-type="ant">
 			<sec:filter-chain pattern="/webdav/**"
-				filters="session,basic,rememberMe,anonymous,exception,interceptor" />
+				filters="x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/remoting/**"
-				filters="session,basic,rememberMe,anonymous,exception,interceptor" />
+				filters="x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/public/**"
-				filters="session,anonymous,exception,interceptorPublic" />
+				filters="anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/pub/**"
-				filters="session,anonymous,exception,interceptorPublic" />
+				filters="anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/j_spring_security_logout"
-				filters="session,logout,exception" />
+				filters="logout,exception" />
 		</sec:filter-chain-map>
 	</bean>
 
@@ -41,12 +41,23 @@
 		</property>
 	</bean>
 
-	<!-- Integrates the authentication information in the http sessions -->
+	<bean id="x509"
+		class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="principalExtractor">
+			<bean
+				class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
+				<property name="subjectDnRegex" value="CN=(.*?)," />
+			</bean>
+		</property>
+	</bean>
+
+	<!-- Integrates the authentication information in the http sessions
 	<bean id="session"
 		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
 		<property name="allowSessionCreation" value="false" />
 	</bean>
-
+ -->
 	<!-- Processes logouts, removing both session informations and the remember-me 
 		cookie from the browser -->
 	<bean id="logout" class="org.springframework.security.ui.logout.LogoutFilter">
diff --git a/server/modules/org.argeo.jackrabbit.webapp/pom.xml b/server/modules/org.argeo.jackrabbit.webapp/pom.xml
index 0837be7e7..2be9e3d1f 100644
--- a/server/modules/org.argeo.jackrabbit.webapp/pom.xml
+++ b/server/modules/org.argeo.jackrabbit.webapp/pom.xml
@@ -38,6 +38,7 @@
 							org.springframework.security,
 							org.springframework.security.providers.anonymous,
 							org.springframework.security.ui.webapp,
+							org.springframework.security.ui.preauth.x509,
 							org.springframework.web.context,
 							org.springframework.web.filter,
 							org.springframework.web.servlet,
diff --git a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
index cfe148bd6..45e5457d9 100644
--- a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
+++ b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
@@ -9,10 +9,12 @@
 	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
 		<sec:filter-chain-map path-type="ant">
 			<sec:filter-chain pattern="/ui"
-				filters="session,basic,rememberMe,exception,interceptor" />
+				filters="session,x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/basicauth"
-				filters="session,basic,exception,interceptor" />
-			<sec:filter-chain pattern="/node" filters="session,exception,interceptor" />
+				filters="session,x509,basic,exception,interceptor" />
+			<sec:filter-chain pattern="/clientauth"
+				filters="session,x509,exception,interceptor" />
+			<!-- <sec:filter-chain pattern="/node" filters="session,x509,exception,interceptor" /> -->
 			<sec:filter-chain pattern="/public"
 				filters="session,anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/j_spring_security_logout"
@@ -39,6 +41,17 @@
 		</property>
 	</bean>
 
+	<bean id="x509"
+		class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="principalExtractor">
+			<bean
+				class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
+				<property name="subjectDnRegex" value="CN=(.*?)," />
+			</bean>
+		</property>
+	</bean>
+
 	<!-- Integrates the authentication information in the http sessions -->
 	<bean id="session"
 		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
diff --git a/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml b/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
index 4a13fe556..a3ca21b63 100644
--- a/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
+++ b/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
@@ -50,6 +50,10 @@
 		<filter-name>springSecurityFilterChain</filter-name>
 		<url-pattern>/basicauth</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<url-pattern>/clientauth</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
 		<filter-name>springSecurityFilterChain</filter-name>
 		<url-pattern>/none</url-pattern>
diff --git a/server/modules/org.argeo.server.rap.webapp/pom.xml b/server/modules/org.argeo.server.rap.webapp/pom.xml
index aedce79e8..4dbac3ac5 100644
--- a/server/modules/org.argeo.server.rap.webapp/pom.xml
+++ b/server/modules/org.argeo.server.rap.webapp/pom.xml
@@ -33,6 +33,7 @@
 							org.springframework.security.ui.logout,
 							org.springframework.security.ui.rememberme,
 							org.springframework.security.ui.webapp,
+							org.springframework.security.ui.preauth.x509,
 							org.springframework.security.userdetails,
 							org.springframework.security.util,
 							org.springframework.security.vote,
diff --git a/server/modules/org.argeo.server.tomcat/conf/server.xml b/server/modules/org.argeo.server.tomcat/conf/server.xml
index 14c4b9ebc..2e98917a3 100644
--- a/server/modules/org.argeo.server.tomcat/conf/server.xml
+++ b/server/modules/org.argeo.server.tomcat/conf/server.xml
@@ -1,150 +1,38 @@
 <?xml version='1.0' encoding='utf-8'?>
-	<!--
-		Licensed to the Apache Software Foundation (ASF) under one or more
-		contributor license agreements. See the NOTICE file distributed with
-		this work for additional information regarding copyright ownership.
-		The ASF licenses this file to You under the Apache License, Version
-		2.0 (the "License"); you may not use this file except in compliance
-		with the License. You may obtain a copy of the License at
-
-		http://www.apache.org/licenses/LICENSE-2.0 Unless required by
-		applicable law or agreed to in writing, software distributed under the
-		License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-		CONDITIONS OF ANY KIND, either express or implied. See the License for
-		the specific language governing permissions and limitations under the
-		License.
-	-->
-	<!--
-		Note: A "Server" is not itself a "Container", so you may not define
-		subcomponents such as "Valves" at this level. Documentation at
-		/docs/config/server.html
-	-->
 <Server port="8005" shutdown="SHUTDOWN">
-
 	<!--APR library loader. Documentation at /docs/apr.html -->
-	<Listener className="org.apache.catalina.core.AprLifecycleListener"
-		SSLEngine="on" />
-	<!--
-		Initialize Jasper prior to webapps are loaded. Documentation at
-		/docs/jasper-howto.html
-	-->
+	<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" 
+		SSLEngine="on" /> -->
+	<!-- Initialize Jasper prior to webapps are loaded. -->
 	<Listener className="org.apache.catalina.core.JasperListener" />
-	<!--
-		JMX Support for the Tomcat server. Documentation at
-		/docs/non-existent.html
-	-->
-	<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-	<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+	<!-- JMX -->
+	<!-- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" 
+		/> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" 
+		/> -->
 
-
-	<!--
-		A "Service" is a collection of one or more "Connectors" that share a
-		single "Container" Note: A "Service" is not itself a "Container", so
-		you may not define subcomponents such as "Valves" at this level.
-		Documentation at /docs/config/service.html
-	-->
 	<Service name="Catalina">
-
-		<!--
-			The connectors can use a shared executor, you can define one or more
-			named thread pools
-		-->
-		<!--
-			<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-			maxThreads="150" minSpareThreads="4"/>
-		-->
-
-
-		<!--
-			A "Connector" represents an endpoint by which requests are received
-			and responses are returned. Documentation at : Java HTTP Connector:
-			/docs/config/http.html (blocking & non-blocking) Java AJP Connector:
-			/docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define
-			a non-SSL HTTP/1.1 Connector on port 8080
-		-->
-		<Connector port="${argeo.server.port.http}" protocol="HTTP/1.1"
-			connectionTimeout="20000" redirectPort="${argeo.server.port.https}" />
-		<!-- A "Connector" using the shared thread pool-->
-		<!--
-			<Connector executor="tomcatThreadPool" port="8080"
-			protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
-		-->
-		<!--
-			Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the
-			JSSE configuration, when using APR, the connector should be using the
-			OpenSSL style configuration described in the APR documentation
-		-->
-		<!--
-			<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-			maxThreads="150" scheme="https" secure="true" clientAuth="false"
-			sslProtocol="TLS" />
-		-->
-
-		<!-- Define an AJP 1.3 Connector on port 8009 -->
+		<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+			maxThreads="150" minSpareThreads="4" />
+
+		<!-- HTTP -->
+		<Connector executor="tomcatThreadPool" port="${argeo.server.port.http}"
+			protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="${argeo.server.port.https}" />
+		<!-- HTTPS -->
+		<!-- <Connector port="${argeo.server.port.https}" protocol="HTTP/1.1"
+			SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
+			keystoreFile="${argeo.server.keystoreFile}" keystoreType="JKS"
+			keystorePass="${argeo.server.keystorePass}" truststoreFile="${argeo.server.truststoreFile}"
+			truststoreType="JKS" truststorePass="${argeo.server.truststorePass}"
+			clientAuth="${argeo.server.https.clientAuth}" /> -->
+		<!-- AJP (for proxying with httpd) -->
 		<Connector port="${argeo.server.port.ajp}" protocol="AJP/1.3"
 			redirectPort="${argeo.server.port.https}" />
 
-
-		<!--
-			An Engine represents the entry point (within Catalina) that processes
-			every request. The Engine implementation for Tomcat stand alone
-			analyzes the HTTP headers included with the request, and passes them
-			on to the appropriate Host (virtual host). Documentation at
-			/docs/config/engine.html
-		-->
-
-		<!--
-			You should set jvmRoute to support load-balancing via AJP ie :
-			<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-		-->
 		<Engine name="Catalina" defaultHost="localhost">
-
-			<!--
-				For clustering, please take a look at documentation at:
-				/docs/cluster-howto.html (simple how to) /docs/config/cluster.html
-				(reference documentation)
-			-->
-			<!--
-				<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-			-->
-
-			<!--
-				The request dumper valve dumps useful debugging information about
-				the request and response data received and sent by Tomcat.
-				Documentation at: /docs/config/valve.html
-			-->
-			<!--
-				<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-			-->
-
-
-			<!--
-				Define the default virtual host Note: XML Schema validation will not
-				work with Xerces 2.2.
-			-->
 			<Host name="localhost" appBase="webapps" unpackWARs="true"
 				autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"
 				workDir="work">
-				<!--
-					SingleSignOn valve, share authentication between web applications
-					Documentation at: /docs/config/valve.html
-				-->
-				<!--
-					<Valve className="org.apache.catalina.authenticator.SingleSignOn"
-					/>
-				-->
-
-				<!--
-					Access log processes all example. Documentation at:
-					/docs/config/valve.html
-				-->
-				<!--
-					<Valve className="org.apache.catalina.valves.AccessLogValve"
-					directory="logs" prefix="localhost_access_log." suffix=".txt"
-					pattern="common" resolveHosts="false"/>
-				-->
-
 			</Host>
 		</Engine>
 	</Service>
-</Server>
+</Server>
\ No newline at end of file
diff --git a/server/modules/org.argeo.server.tomcat/tomcat.properties b/server/modules/org.argeo.server.tomcat/tomcat.properties
index f79b2dec4..67f0455eb 100644
--- a/server/modules/org.argeo.server.tomcat/tomcat.properties
+++ b/server/modules/org.argeo.server.tomcat/tomcat.properties
@@ -1,3 +1,10 @@
 argeo.server.port.http=7070
 argeo.server.port.https=7443
 argeo.server.port.ajp=7009
+
+# Used only when SSL is activated (uncommented in server.xml)
+argeo.server.keystoreFile=../../../../ssl/server.ks
+argeo.server.keystorePass=changeit
+argeo.server.truststoreFile=../../../../ssl/server.ts
+argeo.server.truststorePass=changeit
+argeo.server.https.clientAuth=want
\ No newline at end of file
-- 
2.30.2