diff --git a/cert/.gitignore b/cert/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..d6b7ef32c8478a48c3994dcadc86837f4371184d
--- /dev/null
+++ b/cert/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/provision.sh b/provision.sh
index 27b52c45a27250847a20f71695c18964b91f61cd..b053108c582d55e66fd3b359744f441a92dc490d 100644
--- a/provision.sh
+++ b/provision.sh
@@ -1,149 +1,193 @@
-# STEP 0
+# STEP 0 - update mirrors
+echo "download the package lists from the repositories and "updates" them to get information on the newest versions of packages and their dependencies"
 sudo apt-get update
 
-# STEP 1 - install d'apache
+# STEP 1 - install web server
+echo "install Apache2"
 sudo apt-get -y install apache2
-# TEST IT
-# http://0.0.0.0:8080/ -> Apache2 Debian Default Page
 
-# STEP2 - install d'openssl
+echo "you can now browser http://0.0.0.0:8080/ you will see Apache2 Debian Default Page"
+
+# STEP2 - install ssl
+echo "install openssl"
 sudo apt-get install openssl
 
 # STEP3 - ssl certs (re)generation
-# vagrant ssh
-# >>> # man make-ssl-cert
-# >>> # sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
-# >>> # /usr/share/ssl-cert/ssleay.cnf ->  System template to be enhanced
-# /etc/ssl/certs/ssl-cert-snakeoil.pem -> fourni par openssl
-# /etc/ssl/private/ssl-cert-snakeoil.key -> fourni par openssl
+echo "openssl provides dummy key and dummy certificate"
+echo " - /etc/ssl/certs/ssl-cert-snakeoil.pem"
+echo " - # /etc/ssl/private/ssl-cert-snakeoil.key"
+echo "let regenerate it"
 sudo make-ssl-cert generate-default-snakeoil --force-overwrite # regenerate ssl cert
 
 # STEP4 - apache configuration
-# /etc/apache2/ports.conf -> to read nothing to change
-# port 443 /etc/apache2/sites-available/default-ssl.conf -> to read nothing to change
-# port 80 /etc/apache2/sites-available/000-default.conf -> to read nothing to change
-# a2 = apache2, en = enable, mod = module
-# <=> ln -s /etc/apache2/sites-available/000-default.conf  /etc/apache2/sites-enabled/000-default.conf
+echo "enable mod_ssl ssl apache's module with a2enmod command (debian/ubuntu world)"
+echo "a2enmod -> a2 = apache2, en = enable, mod = module"
+echo "under the hood apache execute these two commands to enable mod_ssl"
+echo " - ln -s /etc/apache2/mods-available/ssl.conf  /etc/apache2/mods-enabled/ssl.conf"
+echo " - ln -s /etc/apache2/mods-available/ssl.load  /etc/apache2/mods-enabled/ssl.load"
 sudo a2enmod ssl
-# a2 = apache2, en = enable, site = virtual host
-# <=> ln -s /etc/apache2/mods-available/ssl.conf  /etc/apache2/mods-enabled/ssl.conf
-# && ln -s /etc/apache2/mods-available/ssl.load  /etc/apache2/mods-enabled/ssl.load
+echo "now we can use ssl with apache to provides https"
+
+echo "enable default ssl apache's virutal host with a2ensite command (debian/ubuntu world)"
+echo "a2 = apache2, en = enable, site = virtual host name"
+echo "under the hood apache execute this command to enable default ssl vhost"
+echo " - ln -s /etc/apache2/sites-available/000-default.conf  /etc/apache2/sites-enabled/000-default.conf"
 sudo a2ensite default-ssl
+
+echo "take a look at /etc/apache2/ports.conf there's nothing to change"
+echo "take a look at /etc/apache2/sites-available/000-default.conf listen to (local) port 80 there's nothing to change"
+echo "take a look at /etc/apache2/sites-available/default-ssl.conf listen to (local) port 443 there's nothing to change"
+echo "note that everything in /var/www/html will be available at "
+
+echo "for any changes to take affect you need to restart apache http://0.0.0.0:8080/ or http://0.0.0.0:8443/"
 sudo systemctl reload apache2.service
-# TEST IT
-# http://0.0.0.0:8443/ -> bad request (connect with http on https port)
-# https://0.0.0.0:8443/ -> NET::ERR_CERT_AUTHORITY_INVALID
 
-# STEP 5 - make host accessible with https only - 80 closed or forwarded
+echo "you can now browser http://0.0.0.0:8443/ you will see bad request because you connect with http on https port)"
+echo "you can now browser https://0.0.0.0:8443/ you will see NET::ERR_CERT_AUTHORITY_INVALID because you use dummy cert & key"
+echo "you can force your browser to accept it"
+
+# STEP 5 - make host accessible with https only
+echo "automatic forward port 80 on 443"
+echo "enable mod_rewirte ssl apache's module with a2enmod command (debian/ubuntu world)"
+echo "a2enmod -> a2 = apache2, en = enable, mod = module"
+echo "under the hood apache execute these two commands to enable mod_ssl"
+echo " - ln -s /etc/apache2/mods-available/rewrite.conf  /etc/apache2/mods-enabled/rewrite.conf"
+echo " - ln -s /etc/apache2/mods-available/rewrite.load  /etc/apache2/mods-enabled/rewrite.load"
 sudo a2enmod rewrite
-# add 3 lines
-# RewriteEngine On
-# RewriteCond %{HTTPS} off
-# RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
-# to /etc/apache2/sites-enabled/000-default.conf
+echo "now we can perform http redirection (and more) with apache"
+
+echo "add 3 lines to vhost /etc/apache2/sites-enabled/000-default.conf (port 80) to forward to 443"
+echo " RewriteEngine On"
+echo " RewriteCond %{HTTPS} off"
+echo " RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]"
 sudo sed -i 's/<\/VirtualHost>/        RewriteEngine On\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
 sudo sed -i 's/<\/VirtualHost>/        RewriteCond %{HTTPS} off\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
 sudo sed -i 's/<\/VirtualHost>/        RewriteRule (.*) https:\/\/%{SERVER_NAME}:8443$1 [R,L]\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
+
+echo "for any changes to take affect you need to restart apache"
 sudo systemctl reload apache2.service
 
-# STEP 6 - install ssl decoder to benchmark
-# https://github.com/RaymiiOrg/ssl-decoder
+# STEP 6 - install ssl benchmark
+echo "install ssl-decoder to benchmark (https://github.com/RaymiiOrg/ssl-decoder)"
+echo "install some system dependencies"
 sudo apt-get install -y libfreetype6-dev libjpeg62-turbo-dev libmcrypt-dev \
   libpng12-dev zlib1g-dev libicu-dev g++ python2.7 python-all-dev \
   python-netaddr perl dnsutils wget curl git
 sudo apt-get -y install php5 php5-intl php5-mcrypt php5-gd php5-json php5-curl
+
+echo "for any changes to take affect you need to restart apache"
 sudo apache2ctl restart
+
+echo "create https://0.0.0.0/info.php to see phpinfo page (ensure php is correctly configured)"
 sudo echo '<?php phpinfo();' > /var/www/html/info.php
+
+echo "git clone ssl-decoder in /vagrant and alias it to response to https://0.0.0.0/ssl"
 sudo curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin
 sudo rm -rf /vagrant/ssl-decoder
 sudo git clone https://github.com/RaymiiOrg/ssl-decoder.git /vagrant/ssl-decoder
 sudo rm -rf /var/www/html/ssl
 ln -s  /vagrant/ssl-decoder /var/www/html/ssl
 sudo chown www-data /var/www/html/ssl/results/
-############################
-# https://127.0.0.1:8443/ssl/?host=127.0.0.1&port=443&fastcheck=0
-# 3 warnings!
-# (1) - TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection.
-# (2) - HTTP Strict Transport Security not set.
-# (3) - OCSP Stapling not enabled.
-# * depend on CA https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm
+
+echo "you can check your ssl configuration on https://127.0.0.1:8443/ssl/?host=127.0.0.1&port=443&fastcheck=0"
+echo "you should see 3 warnings!"
+echo "(1) - TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection."
+echo "      https://community.qualys.com/thread/14996"
+echo "      echo 'SSLSessionTickets Off' | sudo tee --append /etc/apache2/apache2.conf"
+echo "      Requires Apache >= 2.4.12 and we have Apache/2.4.10 (Debian): sudo apache2ctl -v"
+echo "      upgrade apache2 (not covered)"
+echo "(2) - HTTP Strict Transport Security not set."
+echo "(3) - OCSP Stapling not enabled."
+echo "      depend on CA https://www.digicert.com/ssl-support/apache-enable-ocsp-stapling-on-server.htm"
 
 # STEP 7 - enhance apache secuirty configuration
-# https://cipherli.st/
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
-############################
+echo "Trying to resole (2) - HTTP Strict Transport Security not set"
+echo "see https://cipherli.st/ force ssl configuration good practices"
+echo "see https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html"
 echo 'SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH' | sudo tee --append /etc/apache2/apache2.conf
 echo 'SSLHonorCipherOrder On' | sudo tee --append /etc/apache2/apache2.conf
-############################
-# https://addons.mozilla.org/fr/firefox/addon/toggle-cipher-suites/
+
+echo "see https://addons.mozilla.org/fr/firefox/addon/toggle-cipher-suites/"
 echo 'SSLProtocol All -SSLv2 -SSLv3' | sudo tee --append /etc/apache2/apache2.conf
-############################
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#SSLv2_and_SSLv3
-# useless for our apache version
+
+echo "see https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#SSLv2_and_SSLv3"
+echo "useless for our apache version"
+
+echo "enable mod_headers apache's module with a2enmod command (debian/ubuntu world)"
+echo "a2enmod -> a2 = apache2, en = enable, mod = module"
+echo "under the hood apache execute these two commands to enable mod_ssl"
+echo " - ln -s /etc/apache2/mods-available/headers.load  /etc/apache2/mods-enabled/headers.load"
 sudo a2enmod headers
+echo "now we can tweak http headers sent by apache"
+
+echo "restart apache to take modifcations"
 sudo apache2ctl restart
-# http://blog.adin.pro/2013-09-09/invalid-command-header-perhaps-misspelled-or-defined-by-a-module-not-included-in-the-server-configuration/
-# "(2) - HTTP Strict Transport Security not set." disappeared
-# https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+
+echo "see http://blog.adin.pro/2013-09-09/invalid-command-header-perhaps-misspelled-or-defined-by-a-module-not-included-in-the-server-configuration/"
+echo "(2) - HTTP Strict Transport Security not set. -> disappeared"
+echo "see also https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"
 echo 'Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"' | sudo tee --append /etc/apache2/apache2.conf
-# https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Frame-Options#Frame-Options
+
+echo "see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Frame-Options#Frame-Options"
 echo 'Header always set X-Frame-Options DENY' | sudo tee --append /etc/apache2/apache2.conf
-# https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#cite_ref-45
+
+echo "see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#cite_ref-45"
 echo 'Header always set X-Content-Type-Options nosniff' | sudo tee --append /etc/apache2/apache2.conf
-############################
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#SSL_Compression_(CRIME_attack)
+
+echo "see https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#SSL_Compression_(CRIME_attack)"
 echo 'SSLCompression off' | sudo tee --append /etc/apache2/apache2.conf
-############################
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#OCSP_Stapling
+
+echo "see https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#OCSP_Stapling"
 echo 'SSLUseStapling on' | sudo tee --append /etc/apache2/apache2.conf
 echo 'SSLStaplingCache "shmcb:logs/stapling-cache(150000)"' | sudo tee --append /etc/apache2/apache2.conf
-############################
-# https://community.qualys.com/thread/14996
-# echo 'SSLSessionTickets Off' | sudo tee --append /etc/apache2/apache2.conf
-# Requires Apache >= 2.4.12 and we have Apache/2.4.10 (Debian): sudo apache2ctl -v
-# this would resolve "(1) - TLS_FALLBACK_SCSV unsupported. Please upgrade OpenSSL to enable. This offers downgrade attack protection."
-############################
-# reload to have new modules enabled
+
+echo "restart apache to take modifcations"
 sudo apache2ctl restart
 
 # STEP 8 - signed cert and import certificate authority
-# let's have a look to which certificate we are using
-# sudo vi /etc/apache2/sites-enabled/default-ssl.conf
-# ...
-# SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
-# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-# ultra generic certificate ...
-#############################
-# generate certificate
-# sudo mkdir -p /etc/apache2/ssl
-# http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain
-
-openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
-openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
-openssl genrsa -out client.key 1024
-openssl req -new -key client.key -out client.csr
-openssl ca -in client.csr -out client.cer
-
-# https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
-
-# 4096-bit long RSA key for our root CA and store it in file ca.key:
-openssl genrsa -out ca.key 4096
-# self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:
-openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
-# create our subordinate CA that will be used for the actual signing. First, generate the key:
-openssl genrsa -out ia.key 4096
-# process the request for the subordinate CA certificate and get it signed by the root CA.
-openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
-# To use this subordinate CA key for Authenticode signatures with Microsoft’s signtool, you’ll have to package the keys and certs in a PKCS12 file:
-openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
-
-# création du certificat
-# https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
-# https://blogs.msdn.microsoft.com/benjaminperkins/2014/05/05/make-your-own-ssl-certificate-for-testing-and-learning/
-# http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
-# https://softwareinabottle.wordpress.com/2011/12/18/creating-self-signed-certificates-on-ubuntu-server/
-# with let's encrypt?
-# http://www.fidian.com/programming/public-dns-pointing-to-localhost
+echo "enhance our hey and cert"
+echo "see https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/"
+
+echo "generate 4096-bit long RSA key for our root CA  (rootca.key)"
+openssl genrsa -out /vagrant/cert/rootca.key 4096
+
+echo "self-signed root CA certificate; you’ll need to provide an identity for your root CA (rootca.crt)"
+openssl req -new -x509 -days 1826 -key /vagrant/cert/rootca.key -out /vagrant/cert/rootca.crt  -subj '/CN=www.rootdom.com/O=My Root Company Name LTD./C=US'
+
+echo "create a subordinate CA that will be used for the actual signing. First, generate the key (inter.key)"
+openssl genrsa -out /vagrant/cert/inter.key 4096
+
+echo "Then, request a certificate for this subordinate CA (inter.csr)"
+openssl req -new -key /vagrant/cert/inter.key -out /vagrant/cert/inter.csr -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
+
+echo "process the request for the subordinate CA certificate and get it signed by the root CA (inter.crt)"
+echo "for error "Error self signed certificate getting chain." see http://stackoverflow.com/questions/23156911/wso2-enterprise-mobility-manager-error-self-signed-certificate-getting-chain#answer-23158993"
+openssl x509 -req -days 730 -in /vagrant/cert/inter.csr -CA /vagrant/cert/rootca.crt -CAkey /vagrant/cert/rootca.key -set_serial 01 -out /vagrant/cert/inter.crt
+
+echo "package the keys and certs in a PKCS12 file (inter.p12)"
+openssl pkcs12 -export -out /vagrant/cert/inter.p12 -inkey /vagrant/cert/inter.key -in /vagrant/cert/inter.crt -chain -CAfile /vagrant/cert/rootca.crt -password pass:
+
+echo "export keys and certs in pem files (my.key.pem & my.crt.pem)"
+openssl pkcs12 -in /vagrant/cert/inter.p12 -out /vagrant/cert/my.key.pem -nocerts -nodes -password pass:
+openssl pkcs12 -in /vagrant/cert/inter.p12 -out /vagrant/cert/my.crt.pem -clcerts -nokeys -password pass:
+
+echo "copy keys and certs in /etc/ssl/private & /etc/ssl/certs"
+sudo cp /vagrant/cert/my.key.pem /etc/ssl/private/
+sudo cp /vagrant/cert/my.crt.pem /etc/ssl/certs/
+
+echo "update ssl-vhost to use new keys and certs"
+sudo sed -i 's/ssl-cert-snakeoil.pem/my.crt.pem/' /etc/apache2/sites-enabled/default-ssl.conf
+sudo sed -i 's/ssl-cert-snakeoil.key/my.key.pem/' /etc/apache2/sites-enabled/default-ssl.conf
+
+echo "restart apache to take modifcations"
+sudo systemctl reload apache2.service
+
+echo "import rootca.key in your browser ... do you know that you truster all these CA?"
+echo "browse https://0.0.0.0:8443/ -> cert doesn't match domain name in url"
+echo "you can fake www.mydom.com in our local resolver"
+echo "type \"sudo cat '0.0.0.0  www.mydom.com' > /etc/hosts\" on your local machine"
+echo "browse https://www.mydom.com:8443/ \o/"
+echo "browse https://0.0.0.0:8443/ssl/?host=127.0.0.1&port=&csr=&s= -> Validating certificate chain failed. Probably non-trusted root/self signed certificate, or the chain order is wrong."
 
 # OPTIONAL
 # STEP 9 - nginx as reverse proxy / http router - nginx front serve listen 80
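Review bot: The trust step in STEP 8 tells the reader to import `rootca.key` into the browser (`echo "import rootca.key in your browser ..."`), but what the trust store needs is the root certificate, `rootca.crt`; the private key should never leave `/vagrant/cert`, so the line should read `echo "import rootca.crt in your browser ..."`. The hosts-file hint two lines later, `sudo cat '0.0.0.0  www.mydom.com' > /etc/hosts`, would truncate the reader's `/etc/hosts` (and `cat` does not take a literal string) — `echo '127.0.0.1 www.mydom.com' | sudo tee -a /etc/hosts` is the non-destructive form. In the cert generation itself, `openssl x509 -req ... -set_serial 01` re-issues the same issuer DN/serial pair on every provisioning run, which Firefox at least rejects once it has cached an earlier run's certificate, and the leaf `inter.crt` carries no subjectAltName, which current browsers require (CN alone gives ERR_CERT_COMMON_NAME_INVALID); writing `printf 'subjectAltName=DNS:www.mydom.com\n' > /vagrant/cert/inter.ext` and signing with `-extfile /vagrant/cert/inter.ext -set_serial "$(date +%s)"` would address both. The `sudo cp /vagrant/cert/my.key.pem /etc/ssl/private/` also leaves the key with whatever mode the synced folder and umask produce, so a `sudo chmod 600 /etc/ssl/private/my.key.pem` after the copy is advisable.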
diff --git a/provision0.sh b/provision0.sh
deleted file mode 100644
index f02f985f71728f93272e3545a74c3110f1aa0da5..0000000000000000000000000000000000000000
--- a/provision0.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# STEP 0
-sudo apt-get update
-
-# STEP 1 - install d'apache
-sudo apt-get -y install apache2
diff --git a/provision1.sh b/provision1.sh
deleted file mode 100644
index c3cc63b06ba94481b920bd2cff8fd963ef4fb367..0000000000000000000000000000000000000000
--- a/provision1.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-# STEP 0
-#sudo apt-get update
-
-# STEP 1 - install d'apache
-sudo apt-get -y install apache2
-
-# Generation clef
-sudo make-ssl-cert generate-default-snakeoil --force-overwrite
-
-#
-sudo a2enmod ssl
-
-sudo a2ensite default-ssl
-sudo systemctl reload apache2.service
-
-# STEP 5 - make host accessible with https only - 80 closed or forwarded
-sudo a2enmod rewrite
-# add 3 lines
-# RewriteEngine On
-# RewriteCond %{HTTPS} off
-# RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]
-# to /etc/apache2/sites-enabled/000-default.conf
-sudo sed -i 's/<\/VirtualHost>/        RewriteEngine On\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
-sudo sed -i 's/<\/VirtualHost>/        RewriteCond %{HTTPS} off\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
-sudo sed -i 's/<\/VirtualHost>/        RewriteRule (.*) https:\/\/%{SERVER_NAME}:8443$1 [R,L]\n<\/VirtualHost>/' /etc/apache2/sites-enabled/000-default.conf
-sudo systemctl reload apache2.service