<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">If you automate the process, you have to store the private key in a manner in which it can be accessed automatically.<div class=""><br class=""></div><div class="">This compromises the integrity of the key as it must be stored online (or be usable through an on-line process) rather than being kept offline and utilized via an HSM or other secure process.</div><div class=""><br class=""></div><div class="">Owen</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 10, 2019, at 3:34 AM, Sunday Folayan <<a href="mailto:sfolayan@gmail.com" class="">sfolayan@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class="">Hi Cedrick and the team,<div dir="auto" class=""><br class=""></div><div dir="auto" class="">Can the certificate generation and update be automated and handled by a script? I guess alerts when such an update fails will be taken more seriously.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Can the AfriNIC RPKI-WG be more involved in assuring stability rather than leave the community to discover and complain?</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Just musing.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Good luck with the automation.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Sunday.</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 8, 2019, 16:46 Cedrick Adrien Mbeyet <<a href="mailto:cedrick.mbeyet@afrinic.net" class="">cedrick.mbeyet@afrinic.net</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF" class=""><div class="">
<br class="webkit-block-placeholder"></div><p class="MsoNormal"><span class="">Dear
AFRINIC community,</span></p><p class="MsoNormal"><span class=""><br class="">
</span></p><p class="MsoNormal"><span class="">Find
below the postmortem report on the incident that happened on 06 April
2019. <br class="">
</span></p><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span class="">The
AFRINIC RPKI engine has an offline part that has to be renewed on a monthly
basis. The process is known and documented, and automated reminders are set. The
system is set to send 2 reminders each month, one 15 days prior to the expiry
date and the second one 7 days before expiry. In the second half of March, the
monitoring system sent a reminder to perform the offline refresh but this
was not acted
upon. </span></p><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span class="">On
Saturday 06 April 2019, the Certificate Revocation List (CRL)
and the manifest file of the AFRINIC RPKI repository expired (around
07:24 AM UTC). Our monitoring system picked this up. The immediate action was
to generate new certificates and a manifest file and upload them onto the RPKI engine
system.</span></p><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span class="">The
failure was the result of human error; no changes were made on the system, but we
have added steps to the existing process to ensure that this does not happen
again. We do acknowledge that it is unacceptable to have such a failure with
critical infrastructure and the necessary has been done in this regard. </span></p><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div><div class=""><span class=""> </span><br class="webkit-block-placeholder"></div>
<span class="">We do apologize for the
inconvenience caused and
thank you for your patience in this regard.</span><div class="">
<br class="webkit-block-placeholder"></div>
<pre class="m_9116748212214592339moz-signature" cols="72">--
_______________________________________________________________
Cedrick Adrien Mbeyet
Infrastructure Unit Manager, AFRINIC Ltd.
t: +230 403 5100 / 403 5115 | f: +230 466 6758 | tt: @afrinic | w: <a class="m_9116748212214592339moz-txt-link-abbreviated" href="http://www.afrinic.net/" target="_blank" rel="noreferrer">www.afrinic.net</a>
<a href="http://facebook.com/afrinic" target="_blank" rel="noreferrer" class="">facebook.com/afrinic</a> | <a href="http://flickr.com/afrinic" target="_blank" rel="noreferrer" class="">flickr.com/afrinic</a> | <a href="http://youtube.com/afrinicmedia" target="_blank" rel="noreferrer" class="">youtube.com/afrinicmedia</a>
______________________________________________________
</pre>
</div>
_______________________________________________<br class="">
Community-Discuss mailing list<br class="">
<a href="mailto:Community-Discuss@afrinic.net" target="_blank" rel="noreferrer" class="">Community-Discuss@afrinic.net</a><br class="">
<a href="https://lists.afrinic.net/mailman/listinfo/community-discuss" rel="noreferrer noreferrer" target="_blank" class="">https://lists.afrinic.net/mailman/listinfo/community-discuss</a><br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>