The Extended Validation internal Logistics Bot (EViL-bot) maintenance

Backmost-end environment

The backmost-end system is a mostly isolated computer with restricted access used to run the EViL-bot script.

The generator is run every 6 hours, and its output is uploaded to the certs.opera.com server(s).

There are several maintenance tasks for this server:

System setup

Espen and Stein to provide information

Key generation

At irregular intervals it will become necessary to create a new signing key for the bot.

This process is managed by the evil-bot/tools/generate-key.sh command.
	generate-key.sh     
version
The version of the key to be generated. This is at least a 2-character hexadecimal number
filename
The base filename of the key and the associated files. Must always be "versionXY", where "XY" is the version from the version parameter
pass
The password that the generated private key will be protected by.
dest
Location of the external storage unit to which the generated password-protected private key and the associated header file with the public key will be exported.
seedfile
Colon-separated list of files that will be used to seed the random generator. The files in this list should add up to at least 30 MB of compressed pseudo-random content, for example logfiles.

Security considerations: The script includes the password in the command line. This is not considered a problem since the resulting key is stored unencrypted on the backmost-end system.
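
The parameter rules above can be checked before generate-key.sh is invoked. The following is an added example, not part of the evil-bot tools: the function names and MIN_SEED_BYTES are hypothetical, "30 MB" is assumed to mean 30 * 2^20 bytes, and "compressed" is interpreted as the gzip-compressed size of each seed file. The password is deliberately not an argument of the check.

```shell
#!/bin/sh
# Constructed pre-flight check; function names and MIN_SEED_BYTES are
# hypothetical and not part of evil-bot/tools.
MIN_SEED_BYTES=${MIN_SEED_BYTES:-31457280}   # 30 MB, assuming 1 MB = 2^20 bytes

# version: at least 2 characters, hexadecimal digits only
valid_version() {
    case "$1" in
        ''|?)            return 1 ;;
        *[!0-9A-Fa-f]*)  return 1 ;;
    esac
}

# filename: must be exactly "versionXY" for version XY
valid_filename() { [ "$2" = "version$1" ]; }

# Print the summed gzip-compressed size of a colon-separated file list.
seed_compressed_bytes() {
    total=0
    set -f; old_ifs=$IFS; IFS=:      # split on ':' only, no glob expansion
    set -- $1
    IFS=$old_ifs; set +f
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable seed file: $f" >&2; return 1; }
        total=$((total + $(gzip -c "$f" | wc -c)))
    done
    echo "$total"
}

# Usage: preflight VERSION FILENAME DEST SEEDFILE
preflight() {
    valid_version "$1"       || { echo "version must be >= 2 hex chars" >&2; return 1; }
    valid_filename "$1" "$2" || { echo "filename must be version$1" >&2; return 1; }
    [ -d "$3" ]              || { echo "dest is not a directory: $3" >&2; return 1; }
    bytes=$(seed_compressed_bytes "$4") || return 1
    [ "$bytes" -ge "$MIN_SEED_BYTES" ] || {
        echo "seed material too small: $bytes < $MIN_SEED_BYTES" >&2; return 1; }
}

# Run the check when called with the four arguments.
if [ $# -eq 4 ]; then preflight "$@"; fi
```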

Filename list

All these files are stored in the evil-bot/tools/ folder.
Version "02"
version02.key.pem
The unprotected private key. Must never leave the system
version02.privkey.pem
The password protected key. To be backed up securely
version02.pubkey.h
The header file with the public key. Must be transported to rootstore module owner

Key recovery

On occasion it might be necessary to recover one or more signing keys. After copying the backup versionXY.privkey.pem to the evil-bot/tools/ folder, the recovery script is used to recreate the installed private key so that it can be used again.

	recover-key.sh    
version
The version of the key to be generated. This is at least a 2-character hexadecimal number
filename
The base filename of the key and the associated files. Must always be "versionXY", where "XY" is the version from the version parameter
pass
The password that the generated private key will be protected by.
dest
Location of the external storage unit to which the generated password-protected private key and the associated header file with the public key will be exported. This is mostly a formal duplication step, but can be used to verify integrity, and should not point to the original storage folder.

Security considerations: The script includes the password in the command line. This is not considered a problem since the resulting key is stored unencrypted on the backmost-end system.

Updating server with new source

Espen and Stein to provide information

Signing key storage

The signing keys that have been generated will be stored in password-protected files that are exported from the bot to a secure external storage unit. This external storage must be backed up, and all copies stored in secure physical locations; at least one location must be off-site.

Password recovery

The passwords used to protect the signing keys and external storage units must be recoverable in the event that all involved persons are unavailable.

Espen and Stein to provide information, with assistance from Ops

Crisis recovery exercises

Exercises for creating a parallel operational system should be conducted regularly by various people.

Espen and Stein to provide information, with assistance from Ops

Inform ca-issues about EV-enabled roots nearing expiration

The expiration check system goes through the roots monthly to check whether any roots will expire within the next two months, and sends a summary to ca-issues@opera.com.

This executable is built by the evilbot/check_expires.sh script, which is activated monthly by the expires_crontab.

The expires_crontab is hosted on a server, where the evil-bot-master module has been checked out for the tag "dark-master", and the command "sh setup_expire.sh" has been run, which will register the crontab file.