Generating new EFM Server SSL Certificates

Symptoms

The EFM broker's connection to the upstream EFM server is failing. You have confirmed that IP connectivity to the destination port (tcp/443 by default) is open, yet the connection from the EFM broker to the EFM server does not establish.

You have verified that both the broker and the server have their time synchronized.

Diagnosis

On inspecting the logs you see the messages "Verification of certificate failed" and "X509 verification result: certificate has expired and depth 0". A likely cause is that the system time was wrong when the certificate was created, so its validity window does not cover the current date.

Solution

Log in to the EFM server as user "efm" and change to the directory where the EFM server SSL certificate is stored:

cd /etc/cisco/kinetic/ssl/efm-server

Before generating new certificates, make sure this is indeed the issue. Check the expiration date of your current certificate with:

openssl x509 -in selfsigned.cert -text | grep Not

First, generate a new server key. Remember the passphrase used to encrypt this key; it is needed in the next step:

openssl genrsa -des3 -out server.pass.key 2048

Remove the passphrase from that key:

openssl rsa -in server.pass.key -out selfsigned.key

Create a Certificate Signing Request:

openssl req -new -key selfsigned.key -out selfsigned.csr

Generate a new self-signed certificate from the CSR and key (valid for 365 days):

openssl x509 -req -sha256 -days 365 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.cert

Check if your key is valid:

openssl rsa -in selfsigned.key -check

Check that your certificate is valid (pay attention to the "Not Before" and "Not After" dates):

openssl x509 -in selfsigned.cert -text

You may need to restart the EFM server and broker to clear any remnants of the previously cached certificate.
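The steps above, collected into a script that is an added example and not part of this article: it regenerates the self-signed certificate non-interactively (replacing the passphrase prompt with -nodes and the subject prompt with -subj), then verifies the validity window and that the key matches the certificate. It assumes openssl is on PATH; the target directory and the subject CN are placeholders you must replace with your own values.

```shell
#!/bin/sh
# Added example, not from the article: regenerate the EFM server self-signed
# certificate and verify it. Assumes openssl on PATH. The directory and the
# subject CN below are constructed placeholders.
set -eu

# Generate selfsigned.key / selfsigned.csr / selfsigned.cert in $1, valid $2 days.
# -nodes writes an unencrypted key, collapsing the article's genrsa + rsa steps.
efm_regen_selfsigned() {
  dir="$1"; days="$2"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/selfsigned.key" \
    -subj "/CN=efm-server.example.invalid" -out "$dir/selfsigned.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$days" -in "$dir/selfsigned.csr" \
    -signkey "$dir/selfsigned.key" -out "$dir/selfsigned.cert" 2>/dev/null
  chmod 600 "$dir/selfsigned.key"   # key material should not be world-readable
}

# Exit 0 if certificate $1 is still valid $2 days from now, 1 otherwise.
# A non-zero result is the "certificate has expired" condition from the broker log.
efm_cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 if the public half of key $1 equals the public key inside cert $2.
efm_key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print notBefore/notAfter, the same lines the article greps for with "Not".
efm_cert_dates() {
  openssl x509 -in "$1" -noout -dates
}

# Usage (replace the placeholder directory with /etc/cisco/kinetic/ssl/efm-server):
#   efm_regen_selfsigned /tmp/efm-server-ssl 365
#   efm_cert_dates /tmp/efm-server-ssl/selfsigned.cert
#   efm_cert_valid_for_days /tmp/efm-server-ssl/selfsigned.cert 30 || echo "renew soon"
```

Run efm_cert_valid_for_days against the existing selfsigned.cert first; if it fails with 0 days, the log message is explained and regeneration is warranted.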
