Create a Custom CA and Server Certificate
To create a custom CA and server certificate:
- Optionally, create a new custom CA and server certificate for the Tenable Nessus Network Monitor server using the NNM-make-cert command. This places the certificates in the correct directories.
- When prompted for the host name, type the DNS name or IP address of the server as it is entered in the browser (e.g., https://hostname:8835/ or https://ipaddress:8835/). The default certificate uses the host name.
- If you wish to use a CA certificate instead of the Tenable Nessus Network Monitor generated one, make a copy of the self-signed CA certificate (cacert.pem) using the appropriate command for your OS. Use the same command to also back up the servercert.pem certificate signed by your cacert.pem and its serverkey.pem key.
| Operating System | Command |
|---|---|
| Linux | # cp /opt/nnm/var/nnm/ssl/cacert.pem /opt/nnm/var/nnm/ssl/ORIGcacert.pem |
| Windows | copy C:\ProgramData\Tenable\NNM\nnm\ssl\cacert.pem C:\ProgramData\Tenable\NNM\nnm\ssl\ORIGcacert.pem |
| macOS | # cp /Library/NNM/var/nnm/ssl/cacert.pem /Library/NNM/var/nnm/ssl/ORIGcacert.pem |
- If the authentication certificates are created by a CA other than the Tenable Nessus Network Monitor server, the CA certificate must be installed on the Tenable Nessus Network Monitor server. Copy the organization's CA certificate to the appropriate location for your OS. The servercert.pem must be signed by the cacert.pem authority. This requires someone with SSL certificate expertise to create valid SSL certificates.
| Operating System | File Location |
|---|---|
| Linux | /opt/nnm/var/nnm/ssl/cacert.pem |
| Windows | C:\ProgramData\Tenable\NNM\nnm\ssl\cacert.pem |
| macOS | /Library/NNM/var/nnm/ssl/cacert.pem |
- Once the CA is in place, restart the Tenable Nessus Network Monitor services.
- After Tenable Nessus Network Monitor is configured with the proper CA certificate(s), users may log in to Tenable Nessus Network Monitor using SSL client certificates.
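
A check to run before restarting the services, covering the requirement in the steps above that servercert.pem be signed by the cacert.pem authority and carry the host name typed in the browser. This is an added example, not part of the Tenable documentation: it assumes the openssl command-line tool is installed and that the three PEM files share one directory, and check_nnm_certs and make_constructed_pki are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Tenable's code. Assumes the openssl CLI and that cacert.pem,
# servercert.pem and serverkey.pem share one directory (e.g. /opt/nnm/var/nnm/ssl).

# check_nnm_certs SSL_DIR HOSTNAME: returns 0 only if every check passes.
check_nnm_certs() {
    dir=$1 host=$2 rc=0
    # 1. servercert.pem must be signed by the cacert.pem authority.
    if openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" >/dev/null 2>&1
    then echo "OK   servercert.pem chains to cacert.pem"
    else echo "FAIL servercert.pem is not signed by cacert.pem"; rc=1
    fi
    # 2. serverkey.pem must be the private key belonging to servercert.pem.
    cert_pub=$(openssl x509 -in "$dir/servercert.pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$dir/serverkey.pem" -pubout 2>/dev/null) || key_pub=
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    then echo "OK   serverkey.pem matches servercert.pem"
    else echo "FAIL serverkey.pem does not match servercert.pem"; rc=1
    fi
    # 3. The certificate must name the host that users type in the browser.
    if openssl x509 -in "$dir/servercert.pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match"
    then echo "OK   certificate is valid for $host"
    else echo "FAIL certificate is not valid for $host"; rc=1
    fi
    return $rc
}

# make_constructed_pki DIR HOSTNAME: throwaway CA and server certificate, constructed
# sample data for trying the check (a stand-in for real NNM files, not NNM-make-cert).
make_constructed_pki() {
    d=$1 h=$2
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' "CN = $h" '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        '[srv_ext]' "subjectAltName = DNS:$h" > "$d/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/openssl.cnf" \
        -subj "/CN=Constructed Test CA" -keyout "$d/cakey.pem" \
        -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
        -subj "/CN=$h" -keyout "$d/serverkey.pem" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -set_serial 2 -days 2 -extfile "$d/openssl.cnf" -extensions srv_ext \
        -out "$d/servercert.pem" 2>/dev/null
}
```

On a real server, call check_nnm_certs with the ssl directory for your OS and the host name users enter in the browser; any FAIL line means the files should be corrected before the restart.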