Generating new EFM Server SSL Certificates



The EFM broker connection to the upstream EFM server is failing. You have confirmed that IP connectivity to the destination port (tcp/443 by default) is open, yet the TLS connection from the EFM broker to the EFM server does not establish.

You have verified that both the broker and the server have their clocks synchronized.


Upon log inspection you see the messages "Verification of certificate failed" and "X509 verification result: certificate has expired and depth 0". Depth 0 is the server's own (leaf) certificate, so it is the EFM server's self-signed certificate that is outside its validity period. Either the certificate has genuinely reached its "Not After" date, or the system clock was wrong when the certificate was generated, so its validity window does not cover the present time.


Log in to the EFM server as user "efm" and change to the directory where the EFM server SSL certificate is stored:


cd /etc/cisco/kinetic/ssl/efm-server


Before generating new certificates, make sure this is indeed the issue. Check the current certificate's validity dates and compare the "Not After" date with the server's current date (date):

openssl x509 -in selfsigned.cert -text | grep Not


First, generate a new server key. This step encrypts the key with a passphrase; remember it, because the next step needs it to decrypt the key:

openssl genrsa -des3 -out server.pass.key 2048


Remove the passphrase from that key so the EFM server can load it without interactive input (you will be prompted for the passphrase chosen above). The resulting selfsigned.key is unencrypted, so keep it readable only by the efm user:

openssl rsa -in server.pass.key -out selfsigned.key


Create a Certificate Signing Request. openssl prompts for the subject fields; use the hostname or IP address that the brokers connect to as the Common Name:

openssl req -new -key selfsigned.key -out selfsigned.csr


Generate a new self-signed certificate from the CSR, signed with the same key and valid for 365 days (adjust -days if you need a longer validity; the certificate will have to be regenerated again when it expires):

openssl x509 -req -sha256 -days 365 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.cert


Check if your key is valid:

openssl rsa -in selfsigned.key -check


Check that the certificate is valid (pay attention to the Not Before / Not After dates, which must cover the current time on both the server and the brokers):

openssl x509 -in selfsigned.cert -text


Restart the EFM server and the brokers so they pick up the new certificate and drop any cached copy of the old one.
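The steps above, collected into one non-interactive script with the checks a practitioner would want before swapping the files into place. This is an added example, not part of the Cisco EFM documentation: it generates the key without the temporary passphrase (the end result is the same unencrypted selfsigned.key), passes the subject on the command line instead of answering prompts, verifies that the key and certificate actually belong together, and uses openssl x509 -checkend to test whether the certificate is valid now and whether it will still be valid after a chosen renewal window. The directory, subject and validity period are placeholders you supply; only openssl in PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the EFM docs): regenerate a self-signed EFM
# server certificate non-interactively and verify it before installing.
# Assumes: openssl in PATH. Directory, subject and days are caller-supplied.

# Return 0 if the certificate is valid now and for at least $2 more seconds
# (default 0), 1 if it has expired or will expire within that window.
cert_valid_for() {
    cert="$1"
    secs="${2:-0}"
    openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null
}

# Return 0 if the private key and the certificate share the same RSA modulus,
# i.e. the certificate really was issued for this key.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    cert_mod=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Generate selfsigned.key / selfsigned.csr / selfsigned.cert in directory $1
# with subject $2 (e.g. "/CN=efm-server.example.test") valid for $3 days,
# then print the resulting validity dates.
gen_selfsigned() {
    dir="$1"; subj="$2"; days="$3"
    # Subshell so the restrictive umask (key readable by owner only) does
    # not leak into the caller's shell.
    (
        umask 077
        openssl genrsa -out "$dir/selfsigned.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$dir/selfsigned.key" -subj "$subj" \
            -out "$dir/selfsigned.csr" 2>/dev/null || exit 1
        openssl x509 -req -sha256 -days "$days" -in "$dir/selfsigned.csr" \
            -signkey "$dir/selfsigned.key" -out "$dir/selfsigned.cert" \
            2>/dev/null || exit 1
    ) || return 1
    openssl x509 -in "$dir/selfsigned.cert" -noout -dates
}

# Usage (run as the efm user, in the directory listed above; the subject
# below is a constructed placeholder):
#   gen_selfsigned /etc/cisco/kinetic/ssl/efm-server "/CN=efm-server.example.test" 365
#   key_matches_cert selfsigned.key selfsigned.cert && echo "key/cert match"
#   cert_valid_for selfsigned.cert 2592000 || echo "renew within 30 days"
```

The -checkend test is what you would put in a cron job or monitoring check so the next expiry is caught before brokers start failing verification again; for a 365-day certificate, checking against a window longer than 365 days deliberately reports "will expire", which is the failure mode this page is about.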


