Custom SSL Server Certificates

By default, Tenable Nessus uses an SSL certificate signed by the Tenable Nessus certificate authority (CA), Nessus Certification Authority. During installation, Tenable Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to access Tenable Nessus over HTTPS through port 8834.

Because the Nessus Certification Authority is not a publicly trusted certificate authority, clients treat the certificate as untrusted, which can result in the following:

  • Your browser may produce a warning regarding an unsafe connection when you access Tenable Nessus via HTTPS through port 8834.

  • Plugin 51192 may report a vulnerability when scanning the Tenable Nessus scanner host.

To resolve these issues, you can use a custom SSL certificate generated by your organization or a trusted CA.

To configure Tenable Nessus to use custom SSL certificates, see the following:

Troubleshooting

To troubleshoot common problems with using the default CA certificate with Tenable Nessus, see the following table:

Problem: Your browser reports that the Tenable Nessus server certificate is untrusted.

Solution: Do any of the following:

  • Get the Tenable Nessus self-signed certificate signed by a trusted root CA, and upload that trusted CA to your browser.

  • Use the /getcert path to install the root CA in your browsers. Go to the following address in your browser: https://[IP address]:8834/getcert.

  • Upload your own custom certificate and custom CA to your browser:

    1. Upload a Custom Server Certificate and CA Certificate.

    2. If Tenable Nessus does not trust the CA for your certificate, configure Tenable Nessus to Trust a Custom CA.

    Note: These workarounds do not work with some browsers. Tenable plans to update Tenable Nessus soon so that all browsers trust Tenable Nessus server certificates. In the meantime, Tenable recommends using a third-party custom server certificate.

Problem: Plugin 51192 reports that the Tenable Nessus server certificate is untrusted. For example:

  • The certificate expired

  • The certificate is self-signed and therefore untrusted

Solution: Do any of the following:

Problem: Plugin 51192 reports that an unknown CA was found at the top of the certificate chain.

Solution: Add your custom root CA to the list of CAs that Tenable Nessus trusts, as described in Trust a Custom CA.