Security Certificate Options
The Server installation defaults to enabling TLS for the Server using a self-signed certificate. The Tenable Patch Server installation provides the following TLS security options:
- Add your own TLS certificate, issued by a CA such as Active Directory Certificate Services or a third-party CA such as GoDaddy, DigiCert, or Let's Encrypt.
- Use the self-signed TLS certificate that the Tenable Patch Server creates during Server installation. This certificate uses a 4096-bit key and the SHA-512 hash, and expires 12 years from the date of creation.
- Use plain HTTP. The Tenable Patch Server installation allows this option for lab testing only; Tenable does not support this choice on production servers.
When deciding on the type of TLS certificate to use for your Server installation, consider whether your security organization has any requirements for using certificates, such as the following:
- Self-signed certificates versus CA-issued certificates.
- Wildcard certificates versus a certificate specific to a server.
- Key size, hash algorithm, and expiration length requirements.
In addition, identify all administrators who require access to the Admin Portal and whether they require access to all devices. After completing the Server installation, install the Server certificate in the certificate store of each remote device that requires secure access to the Admin Portal (see Import a TLS Certificate).
CA Requirements
CAs typically issue SSL/TLS certificates as PFX (PKCS#12) files, which you must convert to PEM files for use with the Tenable Patch Server. The Tenable Patch Server requires two separate .pem files, a certificate file and a private key file, both in UTF-8 encoding. You can convert a .pfx file to .pem files with a converter such as openssl.
Self-signed Certificate Requirements
List the X.500 common name and the comma-separated subject alternative names you want to use for the self-signed certificate. These include the following server details:
- FQDN
- DNS aliases
- IP addresses
- NETBIOS name
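The following script is an added example and is not part of Tenable's documentation or tooling. It ties the two sections above together: it creates a self-signed certificate with the parameters the page gives (4096-bit RSA, SHA-512, 12-year validity) and subject alternative names of the four kinds listed (FQDN, DNS alias, IP address, NETBIOS name), packages it as a PFX the way a CA would deliver it, and then splits that PFX into the two PEM files (certificate and private key) with openssl. It finishes by checking that the extracted key actually belongs to the extracted certificate, which is the check worth running before installing any CA-issued pair. All names, addresses and the PFX password are constructed placeholders; `WORKDIR` is an assumed environment variable for the output directory.

```shell
#!/bin/sh
# Added example (not Tenable's own tooling): build a certificate with the SAN
# kinds the self-signed section lists, bundle it as a CA would (PFX), then split
# the PFX into the two PEM files the server needs and verify they match.
# Names, addresses and the PFX password below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: output directory
PFX_PASS="changeit"                  # constructed password protecting the PFX

FQDN="patch.example.local"           # constructed server FQDN
ALIAS="patch-alias.example.local"    # constructed DNS alias
NETBIOS="PATCHSRV"                   # constructed NETBIOS name
IPADDR="10.0.0.5"                    # constructed IP address

# 4096-bit RSA, SHA-512, valid 12 years (4383 days): the parameters the page
# gives for the server's own self-signed certificate. SANs carry every name a
# client might use to reach the server, so hostname validation succeeds on all.
make_self_signed() {
    dir="$1"
    openssl req -x509 -newkey rsa:4096 -sha512 -nodes -days 4383 \
        -subj "/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN,DNS:$ALIAS,DNS:$NETBIOS,IP:$IPADDR" \
        -keyout "$dir/selfsigned-key.pem" -out "$dir/selfsigned-cert.pem" 2>/dev/null
}

# Package certificate + key as PKCS#12, the form CAs typically hand back.
bundle_pfx() {
    dir="$1"
    openssl pkcs12 -export -inkey "$dir/selfsigned-key.pem" \
        -in "$dir/selfsigned-cert.pem" \
        -passout "pass:$PFX_PASS" -out "$dir/bundle.pfx"
}

# Split a PFX into the two PEM files. Piping through x509/pkey drops the
# "Bag Attributes" preamble so each file holds nothing but a PEM block.
pfx_to_pem() {
    dir="$1"
    openssl pkcs12 -in "$dir/bundle.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
        | openssl x509 -out "$dir/server-cert.pem"
    openssl pkcs12 -in "$dir/bundle.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
        | openssl pkey -out "$dir/server-key.pem"
}

# The pair belongs together only if the public key embedded in the certificate
# equals the public key derived from the private key. Returns 0 on match.
verify_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Number of DNS/IP SAN entries present in a certificate.
san_count() {
    openssl x509 -in "$1" -noout -text \
        | grep -oE 'DNS:[^,]*|IP Address:[^,]*' | wc -l | tr -d ' '
}

make_self_signed "$WORKDIR"
bundle_pfx "$WORKDIR"
pfx_to_pem "$WORKDIR"
verify_pair "$WORKDIR/server-cert.pem" "$WORKDIR/server-key.pem" \
    && echo "certificate and key match: $WORKDIR/server-cert.pem, $WORKDIR/server-key.pem"
echo "SAN entries in certificate: $(san_count "$WORKDIR/server-cert.pem")"
```

For a CA-issued PFX, only the `pfx_to_pem` and `verify_pair` steps apply; point `bundle.pfx` at the file the CA delivered and supply its export password. The `-addext` option requires OpenSSL 1.1.1 or later.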
HTTP Communication
Tenable Patch Clients use UDP to communicate with the Tenable Patch Server. When Clients are unable to use UDP, such as when the company uses cloud-based VPN products like Zscaler or Microsoft DirectAccess, or in other NAT scenarios, the Tenable Patch Server installation allows you to configure the server to communicate over a defined HTTP port instead of UDP.
HTTP Communication Requirements
Review the following HTTP Communication requirements before choosing the HTTP Communication port to use:
- If Clients are able to communicate with the Server using UDP, the installer configures the website component to use port 443 by default.
- If Clients are not able to communicate with the Server using UDP, the server may be configured to allow binding on HTTP by enabling direct client mode.
- If installing the Server on a server with the Web Server role or with SQL Server Reporting Services installed, use a different port, or install the Server on a different server.
- Record the required port information in the Installation Checklist.