Emmanuel Tychon
Cisco Employee

Symptoms

The EFM broker's connection to the upstream EFM server is failing. You have confirmed that IP connectivity to the destination port (tcp/443 by default) is open, yet the connection from the EFM broker to the EFM server is never established.

You have verified that both the broker and the server have their time synchronized.

Diagnosis

Inspecting the logs shows the message "Verification of certificate failed" together with "X509 verification result: certificate has expired and depth 0". A likely cause is that the system time was not correct when the certificate was created.

Solution

Log in to the EFM server as user "efm" and change to the directory where the EFM server SSL certificate is stored:

cd /etc/cisco/kinetic/ssl/efm-server

Before generating new certificates, make sure this is indeed the issue. Check the current certificate's validity dates with:

openssl x509 -in selfsigned.cert -text | grep Not

First, generate a new server key; remember the passphrase used to encrypt it:

openssl genrsa -des3 -out server.pass.key 2048

Remove the passphrase from that key:

openssl rsa -in server.pass.key -out selfsigned.key

Create a Certificate Signing Request:

openssl req -new -key selfsigned.key -out selfsigned.csr

Generate a new self-signed certificate from the CSR and key (valid for 365 days):

openssl x509 -req -sha256 -days 365 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.cert

Check that the key is valid:

openssl rsa -in selfsigned.key -check

Check that the certificate is valid (pay attention to the dates):

openssl x509 -in selfsigned.cert -text

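As an added example (not part of the original post), the following Python script automates the date check above: it parses the notBefore/notAfter lines that "openssl x509 -noout -dates" prints and reports whether a certificate is expired, not yet valid (the symptom of a clock that was wrong when the certificate was created), or valid, plus the days remaining. The sample outputs and the fixed reference time are constructed; check_cert_file shells out to openssl on the host.

```python
"""Classify a certificate's validity window from `openssl x509 -noout -dates` output."""
import subprocess
from datetime import datetime, timezone

# Date layout openssl prints, e.g. "Mar  5 10:12:00 2019 GMT" (always GMT)
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"

# Fixed "now" so the classifications below are reproducible (constructed value)
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed samples shaped like: openssl x509 -in selfsigned.cert -noout -dates
SAMPLE_EXPIRED = "notBefore=Mar  5 10:12:00 2018 GMT\nnotAfter=Mar  5 10:12:00 2019 GMT\n"
SAMPLE_FUTURE = "notBefore=Jan  1 00:00:00 2030 GMT\nnotAfter=Jan  1 00:00:00 2031 GMT\n"
SAMPLE_VALID = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Dec 31 00:00:00 2024 GMT\n"


def parse_dates(dates_output):
    """Return (not_before, not_after) as aware UTC datetimes from the -dates output."""
    window = {}
    for line in dates_output.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            # collapse openssl's day padding ("Mar  5") before parsing
            parsed = datetime.strptime(" ".join(value.split()), OPENSSL_DATE_FORMAT)
            window[key] = parsed.replace(tzinfo=timezone.utc)
    if set(window) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return window["notBefore"], window["notAfter"]


def classify(dates_output, now=None):
    """Return 'expired', 'not-yet-valid' or 'valid' for the certificate at time `now`."""
    not_before, not_after = parse_dates(dates_output)
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        # notBefore lies in the future: the clock was ahead when the cert was created,
        # or this host's clock is behind now; either way verification fails
        return "not-yet-valid"
    if now > not_after:
        # the "X509 verification result: certificate has expired" case from the log
        return "expired"
    return "valid"


def days_left(dates_output, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    _, not_after = parse_dates(dates_output)
    return (not_after - (now or datetime.now(timezone.utc))).days


def check_cert_file(path, now=None):
    """Run openssl on a PEM certificate file (as in the procedure above) and classify it."""
    result = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                            capture_output=True, text=True, check=True)
    return classify(result.stdout, now), days_left(result.stdout, now)
```

Run check_cert_file("/etc/cisco/kinetic/ssl/efm-server/selfsigned.cert") on the EFM server to get the verdict for the live certificate before deciding to regenerate it.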

Additional notes:

The dglux server (the Dart server) needs the certificate at the paths below (citing the default configuration in server.json):

 "certName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.cert",
 "certKeyName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.key",

From version 1.6 on, the connection should be made via the EFM manager (openresty). Its certificates are configured in the file "/usr/local/openresty/nginx/conf/conf.d/efm-manager.conf", which contains:

  ssl_certificate /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.crt;
  ssl_certificate_key /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.key;

You may need to restart the EFM server and broker to clear any remains of a previously cached certificate.


Comments
Thank you for clarifying the problem
cd /etc/cisco/kinetic/ssl/efm-server