The backmost-end system is a mostly isolated computer with restricted access used to run the EViL-bot script.
The generator is run every 6 hours, and its output is uploaded to the certs.opera.com server(s).
There are several maintenance tasks for this server:
Espen and Stein to provide information
At irregular intervals it will become necessary to create a new signing key for the bot.
This process is managed by the evil-bot/tools/generate-key.sh command.
generate-key.sh
Security considerations: The script includes the password in the command line. This is not considered a problem since the resulting key is stored unencrypted on the backmost-end system.
Filename list
All these files are stored in the evil-bot/tools/ folder.
On some occasion it might be necessary to recover one or more signing keys. After copying the backup versionXY.privkey.pem to the evil-bot/tools/ folder, the recovery script is used to recreate the installed private key so that it can be used again.
recover-key.sh
Security considerations: The script includes the password in the command line. This is not considered a problem since the resulting key is stored unencrypted on the backmost-end system.
Espen and Stein to provide information
The signing keys that have been generated will be stored in password protected files that are exported from the bot to a secure external storage unit. This external storage must be backed up, and all copies stored in secure physical locations, at least one location must be off-site.
The passwords used to protect the signing keys and external storage units must be recoverable in the eventuality that all involved persons are unavailable.
Espen and Stein to provide information, with assistance from Ops
Exercises in creating a parallel operational system should be conducted regularly, and by a range of different people.
Espen and Stein to provide information, with assistance from Ops
The expiration check system runs monthly: it goes through the roots, checks whether any root will expire within the next two months, and sends a summary to ca-issues@opera.com.
This executable is built by the evilbot/check_expires.sh script, which is activated monthly by the expires_crontab.
The expires_crontab is hosted on a server on which the evil-bot-master module has been checked out at the tag "dark-master" and the command "sh setup_expire.sh" has been run; that command registers the crontab file.
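The monthly sweep described above, written out as an added example; this is not the page's check_expires.sh (whose contents are not shown here) but a stand-alone Go program that does the same job. It assumes the roots are available as a PEM bundle and takes 62 days as the "two months" window; the self-signed test roots it builds are constructed data, not Opera's store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpiryWindow is the horizon of the monthly check (assumed: 62 days covers any two calendar months).
const ExpiryWindow = 62 * 24 * time.Hour

// ExpiringRoots returns one summary line per root in pemData whose NotAfter falls before now+window.
func ExpiringRoots(pemData []byte, now time.Time, window time.Duration) ([]string, error) {
	var hits []string
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys, CRLs or other blocks stored alongside the roots
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("unparseable certificate block: %w", err)
		}
		if cert.NotAfter.Before(now.Add(window)) { // already-expired roots are reported too
			hits = append(hits, fmt.Sprintf("%s expires %s", cert.Subject.CommonName, cert.NotAfter.UTC().Format("2006-01-02")))
		}
	}
	return hits, nil
}

// SelfSignedPEM builds a constructed self-signed root with the given NotAfter so the
// example runs offline; it stands in for the real root store, which is not on this page.
func SelfSignedPEM(cn string, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feeding the returned lines into whatever mails ca-issues@opera.com gives the summary the page describes; an empty result means no root needs attention this month.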