update according to blog post

.gitignore

@@ -24,4 +24,7 @@
 /nbbuild/
 /dist/
 /nbdist/
-/.nb-gradle/
+/.nb-gradle/
+
+setup_ca/root-ca
+setup_ca/server

README.md

@@ -1,3 +1,40 @@
-# ssl-demo
+# SSL Demo Application
 
-Accompanying project code for blog post on [blog.novatec-gmbh.de](https://blog.novatec-gmbh.de)
+This is the accompanying project code for the blog post for _Secure Spring Boot Applications with TLS and HTTP/2_
+on [blog.novatec-gmbh.de](https://blog.novatec-gmbh.de).
+
+## System Requirements
+
+* Java 9 SDK
+
+## Using this demo project
+
+You can either use this project either 
+
+1. directly without changing anything here.
+The only thing you have to do is to import the root certificate in 
+your web browser as new authority. The root certificate can be found
+in *setup_ca/ca.pem*. After importing this you can start the application and 
+navigate to [https://localhost:8443](https://localhost:8443) in your web browser.
+
+2. or with setting up a new private certificate authority first. Then you have to follow the
+explanations of the next sections.  
+
+## Setting up the private CA
+
+To setup the private certificate authority with root certificate and to create the valid
+server certificate please run the corresponding shell script *setup_ca.sh* (linux) / *setup_ca.cmd* (windows) 
+in sub directory *setup_ca*.
+
+This script creates the required sub directories and performs all the steps using keytool
+as described in the blog post.
+
+After executing the script you will find the important files here:
+
+* _setup_ca/root-ca_: Here you find the root certificate *ca.pem* that you have to import as new authority in your web browser
+* _setup_ca/server_: Here you find the key store *server.jks* containing the root and server certificates. 
+This has to be copied to the directory *src/main/resources*. The existing key store can be overwritten.
+
+After you have completed all these steps you can start the application and 
+navigate to [https://localhost:8443](https://localhost:8443) in your web browser.
+

build.gradle

@@ -1,7 +1,7 @@
 buildscript {
 	ext {
-		kotlinVersion = '1.2.41'
-		springBootVersion = '2.0.2.RELEASE'
+		kotlinVersion = '1.2.51'
+		springBootVersion = '2.0.3.RELEASE'
 	}
 	repositories {
 		mavenCentral()
@@ -20,7 +20,7 @@ apply plugin: 'org.springframework.boot'
 apply plugin: 'io.spring.dependency-management'
 
 group = 'com.example'
-version = '0.0.1-SNAPSHOT'
+version = '1.0.0-SNAPSHOT'
 sourceCompatibility = 1.8
 compileKotlin {
 	kotlinOptions {

setup_ca/ca.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYTCCAsmgAwIBAgIELD51oTANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJE
+RTEYMBYGA1UEChMPTXkgT3JnYW5pemF0aW9uMRQwEgYDVQQLEwtEZXZlbG9wbWVu
+dDETMBEGA1UEAxMKTXkgUm9vdCBDQTAeFw0xODA3MjAxMzQ4MThaFw0yODA3MTcx
+MzQ4MThaMFIxCzAJBgNVBAYTAkRFMRgwFgYDVQQKEw9NeSBPcmdhbml6YXRpb24x
+FDASBgNVBAsTC0RldmVsb3BtZW50MRMwEQYDVQQDEwpNeSBSb290IENBMIIBojAN
+BgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAnfhwA0qmHtGK2UCFUakAkX9nypx5
+pIfDIX7q3AlGek1RoPmbzLRpyAA5irsSqcWfQW8j+djPMpjaNtB/l6RBSkSQLBgn
+T3/01SZHtVtQ4d3Vq1TAU11HaR4xOmNB/4z86e+roeoNoqpcL3AIv5lwWfLlyRmp
+iNVzFkKr6FFac5yFNsaU4GUOtDAdB5kXjg9ayksRuI3sRCpJbzYSTUz5xf27M6+Q
+h50tvztXNrEXHaLlnZgHYvNIyO07G45UtNW24newkV8LWH/0Rj71IdauezbaYs/I
+F2ID/cio/AsdxR5lBurvGdBJpIiJhuMGMP+xOaau8TDJEHcsBujT1kCa/Mq27qCF
+XoSxcGCvAv7YkaPuS44znh76vnBT7lRb+B8fs9F9P4OhAfgAo2wHlAWmGz3g/RHa
+xyrbTLd4YlWb9yBjPYhkWJLfi1s+TFC7VbEK42x284l/Q1TklVC2S7Hh0fU8wH51
+Y4Jl0OTLNAMrsNfDVxqf5HnPj+oA47cg4rAZAgMBAAGjPzA9MB0GA1UdDgQWBBSJ
+zBTaqcLIWK/MENQe7PAqiPo+azALBgNVHQ8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAYEAjTrajAloePQOpKrxQ61qGNdtMnxGGExji5FF
+lAnhtKzZsDuOkMhc7LRn1LIT+ugWFmbLPxQ6Uq71xg3QskWADJ1bV4Wex5J7RDar
+8v4z41kILa+XcdNVQHq3Fujox7IYVt4U5wZB4sXQJUK6ELso4L8I/jMgx/GmDfFC
+e8ltSJDErvlEMRmu3bfdaNieOfhB5Soa9WUzm7a8Z8BUXwOMelk9P24B3HdpDWcr
+9Ud3+PCWmxI+lB33l6O3EFEdGqySd2q3cn8R89nqokO8ctGYmm00EBPoy+VfdlAy
+9NS5KvWS9wxWpFuvBQzWVc8buQkspBKoYC8NAnFcdM3FwUf/uRVCNYO8V6mgKOUU
+64RMQHzhSygFOCI4A3T6S9lwkpCKoOEhIZnSmCfqCMFjo0ilFWCQ3E1TBSAtEPfW
+z4xR/pSNZ5NIIvc8Bfdk0R/7Jah0oOrECe4hlD7GoVbOLRwjHKzEvkgmttGLL/tW
+whnMnXLKCaXDq6y1JWrjth9+zPSa
+-----END CERTIFICATE-----

setup_ca/setup_ca.cmd

@@ -0,0 +1,17 @@
+
+md root-ca
+md server
+
+keytool -genkeypair -keyalg RSA -keysize 3072 -alias root-ca -dname "CN=My Root CA,OU=Development,O=My Organization,C=DE" -ext BC:c=ca:true -ext KU=keyCertSign -validity 3650 -keystore root-ca\ca.jks -storepass secret -keypass secret
+
+keytool -exportcert -keystore root-ca\ca.jks -storepass secret -alias root-ca -rfc -file root-ca\ca.pem
+
+keytool -genkeypair -keyalg RSA -keysize 3072 -alias localhost -dname "CN=localhost,OU=Development,O=My Organization,C=DE" -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore server\server.jks -storepass secret -keypass secret
+
+keytool -certreq -keystore server\server.jks -storepass secret -alias localhost -keypass secret -file server\server.csr
+
+keytool -gencert -keystore root-ca\ca.jks -storepass secret -infile server\server.csr -alias root-ca -keypass secret -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -rfc -outfile server\server.pem
+
+keytool -importcert -noprompt -keystore server\server.jks -storepass secret -alias root-ca -keypass secret -file root-ca\ca.pem
+keytool -importcert -noprompt -keystore server\server.jks -storepass secret -alias localhost -keypass secret -file server\server.pem
+

setup_ca/setup_ca.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+mkdir root-ca
+mkdir server
+
+keytool -genkeypair -keyalg RSA -keysize 3072 -alias root-ca -dname "CN=My Root CA,OU=Development,O=My Organization,C=DE" -ext BC:c=ca:true -ext KU=keyCertSign -validity 3650 -keystore ./root-ca/ca.jks -storepass secret -keypass secret
+
+keytool -exportcert -keystore ./root-ca/ca.jks -storepass secret -alias root-ca -rfc -file ./root-ca/ca.pem
+
+keytool -genkeypair -keyalg RSA -keysize 3072 -alias localhost -dname "CN=localhost,OU=Development,O=My Organization,C=DE" -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore ./server/server.jks -storepass secret -keypass secret
+
+keytool -certreq -keystore ./server/server.jks -storepass secret -alias localhost -keypass secret -file ./server/server.csr
+
+keytool -gencert -keystore ./root-ca/ca.jks -storepass secret -infile ./server/server.csr -alias root-ca -keypass secret -ext BC:c=ca:false -ext EKU:c=serverAuth -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -rfc -outfile ./server/server.pem
+
+keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret -alias root-ca -keypass secret -file ./root-ca/ca.pem
+keytool -importcert -noprompt -keystore ./server/server.jks -storepass secret -alias localhost -keypass secret -file ./server/server.pem
+

src/main/resources/application.properties

@@ -1,8 +1,8 @@
 server.port=8443
 server.ssl.enabled=true
-server.ssl.key-store=classpath:ssl-certs.jks
+server.ssl.key-store=classpath:server.jks
 server.ssl.key-store-type=PKCS12
 server.ssl.key-store-password=secret
-server.ssl.key-alias=server
+server.ssl.key-alias=localhost
 server.ssl.key-password=secret
 server.http2.enabled=true