Custom SSL Certificates

By default, Industrial Security is installed and managed using HTTPS and SSL support and uses port 8837. Default installations of Industrial Security use a self-signed SSL certificate.

To avoid browser warnings, use a custom SSL certificate specific to your organization. During the installation, Industrial Security creates two files that make up the certificate: servercert.pem and serverkey.pem. You must replace these files with certificate files generated by your organization or a trusted CA.

Before replacing the certificate files, stop the Industrial Security server. Replace the two files and re-start the Industrial Security server. If the certificate was generated by a trusted CA, subsequent connections to the scanner do not display an error.

Certificate File Locations

Operating System






C:\ProgramData\Tenable\Industrial Security\industrial-security\ssl\servercert.pem

C:\ProgramData\Tenable\Industrial Security\industrial-security\ssl\serverkey.pem

Optionally, you can use the /getcert switch to install the root CA in your browser, which removes the warning:

https://<IP address>:8837/getcert

To set up an intermediate certificate chain, place a file named serverchain.pem in the same directory as the servercert.pem file.

This file must contain the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Industrial Security server to its ultimate root certificate (one trusted by the user’s browser).

SSL Client Certificate Authentication

Industrial Security supports use of SSL client certificate authentication. When the browser is configured for this method, use of SSL client certificates is allowed.

Industrial Security allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, use the Industrial Security-make-cert-client utility through the command line on the Industrial Security server.