Create a New Server Certificate and CA Certificate

If you do not have your own custom certificate authority (CA) and server certificate (for example, a trusted certificate that your organization uses), you can use Nessus to create a new server certificate and CA certificate.

The Nessus CA signs this server certificate, which means your browser may report that the server certificate is untrusted.

Note: You need to be an administrator user or have root privileges to create a new custom CA and server certificate.
Note: The following steps are applicable to both Nessus scanners and Nessus Manager.

To create a new custom CA and server certificate:

  1. Access the Nessus CLI as an administrator user or a user with root privileges.

  2. Run the nessuscli mkcert command.

    This command places the certificates in their correct directories.

  3. When prompted for the hostname, enter the DNS name or IP address of the Nessus server as used in the browser, such as https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

What to do next:

  • Because the Nessus Certification Authority is not a trusted certificate authority, the certificate is untrusted, which can result in the following:

    • Your browser may produce a warning regarding an unsafe connection when you access Nessus via HTTPS through port 8834.

    • Plugin 51192 may report a vulnerability when scanning the Nessus scanner host.

    To resolve either of those issues, see Trust a Custom CA. For more information about how Nessus uses custom SSL server certificates and CAs, see Custom SSL Server Certificates.
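
The trust behavior described above can be reproduced offline with OpenSSL. This is an added example, not Tenable's code. It shows a certificate that fails verification until its CA is supplied as trusted, and fails again for a name other than the one it was issued for. The throwaway CA, server certificate, hostnames, file names, and function names are constructed stand-ins, not nessuscli mkcert output.

```shell
#!/bin/sh
# Constructed stand-ins: a throwaway CA and server certificate in a temp
# directory. These are not the files that nessuscli mkcert writes.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
NAME="nessus.example.test"   # assumed name entered at the hostname prompt

make_test_pki() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA certificate (plays the role of the untrusted CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null || return 1
    # Server key and CSR, then a server certificate signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$NAME" -keyout "$WORK/serverkey.pem" \
        -out "$WORK/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName = DNS:%s\n' "$NAME" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/servercert.pem" 2>/dev/null
}

# check_cert CERT HOST [CAFILE] -> untrusted-issuer | name-mismatch | trusted
check_cert() {
    cert=$1; host=$2; shift 2
    # Without CAFILE, only the system trust store is consulted.
    if [ $# -gt 0 ]; then set -- -CAfile "$1"; fi
    openssl verify "$@" "$cert" >/dev/null 2>&1 \
        || { echo untrusted-issuer; return; }
    openssl verify "$@" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
        || { echo name-mismatch; return; }
    echo trusted
}

make_test_pki || { echo "openssl failed" >&2; exit 1; }
check_cert "$WORK/servercert.pem" "$NAME"                               # untrusted-issuer
check_cert "$WORK/servercert.pem" "$NAME" "$WORK/cacert.pem"            # trusted
check_cert "$WORK/servercert.pem" "other.example.test" "$WORK/cacert.pem"  # name-mismatch
```
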