Solution
Log in to EFM server as user "efm", and enter the directory where the EFM server SSL certificate is stored:
cd /etc/cisco/kinetic/ssl/efm-server
Before generating new certificates, make sure this is indeed the issue. Check your current certificate expiration date with:
openssl x509 -in selfsigned.cert -text | grep Not
First, generate a new server key. Remember the passphrase used to encrypt that key:
openssl genrsa -des3 -out server.pass.key 2048
Remove the passphrase from that key:
openssl rsa -in server.pass.key -out selfsigned.key
Create a Certificate Signing Request:
openssl req -new -key selfsigned.key -out selfsigned.csr
Generate a new certificate using the CSR and key:
openssl x509 -req -sha256 -days 365 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.cert
Check if your key is valid:
openssl rsa -in selfsigned.key -check
Check if your certificate is valid (pay attention to dates):
openssl x509 -in selfsigned.cert -text
Additional notes:
The dglux server (the Dart server) needs the certificate at the following paths (citing the default configuration in server.json):
"certName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.cert",
"certKeyName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.key",
From 1.6 on, the connection should be made via the EFM manager (openresty). Its certificates are configured in the file "/usr/local/openresty/nginx/conf/conf.d/efm-manager.conf", which contains:
ssl_certificate /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.crt;
ssl_certificate_key /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.key;
You may need to restart EFM server and broker to wipe out any remains of a previous cached certificate.
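Before restarting, a renewed certificate/key pair can be checked in one pass. The script below is an added example, not part of the original article: it confirms that the key belongs to the certificate, that the certificate is not about to expire, and that the now passphrase-less key is not readable by other users. The function name check_pair, the exit codes and the 30-day default are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a renewed
# certificate/key pair before restarting the services that load it.
# Exit codes are this script's own convention:
#   0 ok, 1 key does not match cert, 2 cert expires too soon,
#   3 file missing or unparsable, 4 private key readable by group/others

check_pair() {
    cert=$1 key=$2 min_days=${3:-30}

    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 3; }

    # Public key embedded in the certificate vs. public key derived from the
    # private key. "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not belong to $cert" >&2
        return 1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "$cert expires within $min_days days" >&2
        return 2
    fi

    # The procedure strips the passphrase, so file permissions are the only
    # protection left on the key: flag group- or world-readable keys.
    if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$key is readable by group or others" >&2
        return 4
    fi

    echo "OK: $cert ($(openssl x509 -in "$cert" -noout -enddate))"
}

# Usage: sh check_pair.sh CERT KEY [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

The same check applies to the efm-manager pair referenced in efm-manager.conf; pass those two paths instead of the efm-server ones.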