Upload a Custom Server Certificate and CA Certificate

These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.

You can use the nessuscli import-certs command to validate the server key, server certificate, and CA certificate, check that they match, and copy the files to the correct locations. Alternatively, you can copy the files manually.

Note: You can run nessuscli commands on any operating system as long as you use the correct path format for your operating system (for example, /opt/* for Linux and \ProgramData\* for Windows).

Before you begin:

  • Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessus mkcert utility.

To upload a custom server certificate and CA certificate using a single command:

  1. Access Nessus from the CLI.

  2. Type the following command, replacing each placeholder with the path and file name of your server key, server certificate, and CA certificate:

    nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path>

    Nessus validates the files, checks that they match, and copies the files to the correct locations.

To upload a custom server certificate and CA certificate manually using the CLI:

  1. Stop the Nessus server.

  2. Back up the original Nessus CA and server certificates and keys.

    For the location of the default certificate files for your operating system, see Location of Certificate Files.

    Linux example:

    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig

    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig

    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

  3. Replace the original certificates with the new custom certificates:

    Note: The certificates must be unencrypted, and you must name them servercert.pem and serverkey.pem.

    Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).

    Linux example:

    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem

    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem

    cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem

  4. If prompted, overwrite the existing files.

  5. Start the Nessus server.

  6. In a browser, log in to the Nessus user interface as a user with administrator permissions.

  7. When prompted, verify the new certificate details.

    Subsequent connections should not show a warning if the certificate was generated by a CA that is trusted by the browser.
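
The manual procedure copies the files without the validation that nessuscli import-certs performs. The following shell function is an added example, not Tenable's code: it uses the openssl command line to check that the key is unencrypted, that the key and certificate match, and that the certificate chains to the CA, optionally through serverchain.pem. The function name check_nessus_certs and its exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the manual copy procedure.
# check_nessus_certs and its exit codes are hypothetical, not part of nessuscli.
# Usage: check_nessus_certs <serverkey.pem> <servercert.pem> <cacert.pem> [serverchain.pem]
check_nessus_certs() {
    key=$1 cert=$2 ca=$3 chain=${4:-}

    # 1. The key must be unencrypted: it has to load with an empty passphrase.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $key is encrypted or not a valid private key" >&2
        return 1
    fi

    # 2. Key and certificate must match: compare digests of their public keys.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $cert does not match $key" >&2
        return 2
    fi

    # 3. The certificate must chain to the CA, through serverchain.pem if given.
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    fi || { echo "FAIL: $cert does not chain to $ca" >&2; return 3; }

    echo "OK: key, certificate and CA are consistent"
}

# Run the checks when the script is called with file arguments.
if [ "$#" -ge 3 ]; then
    check_nessus_certs "$@"
fi
```

Run it against the new files before stopping the Nessus server, so a mismatched or encrypted key is caught while the original certificates are still in place.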

What to do next: