Custom SSL Server Certificates
By default, Nessus uses an SSL certificate signed by its own certificate authority (CA), named Nessus Certification Authority. During installation, Nessus creates the two files that make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to access Nessus over HTTPS through port 8834.
Because Nessus Certification Authority is not a publicly trusted certificate authority, clients treat the certificate as untrusted, which can result in the following:
- Your browser may produce a warning about an unsafe connection when you access Nessus via HTTPS through port 8834.
- Plugin 51192 may report a vulnerability when scanning the Nessus scanner host.
To resolve these issues, you can use a custom SSL certificate generated by your organization or a trusted CA.
To configure Nessus to use custom SSL certificates, see the following:
- Create a New Server Certificate and CA Certificate — If your organization does not have a custom SSL certificate, create your own using the built-in Nessus mkcert utility.
- Upload a Custom Server Certificate and CA Certificate — Replace the default certificate that ships with Nessus.
- Trust a Custom CA — Add a custom CA to the list of CAs that Nessus trusts.
Troubleshooting
To troubleshoot common problems with using the default CA certificate with Nessus, see the following table:
| Problem | Solution |
|---|---|
| Your browser reports that the Nessus server certificate is untrusted. | Do any of the following: Create a New Server Certificate and CA Certificate, or Upload a Custom Server Certificate and CA Certificate. |
| Plugin 51192 reports that the Nessus server certificate is untrusted. | Do any of the following: Create a New Server Certificate and CA Certificate, or Upload a Custom Server Certificate and CA Certificate. |
| Plugin 51192 reports that an unknown CA was found at the top of the certificate chain. | Add your custom root CA to the list of CAs that Nessus trusts, as described in Trust a Custom CA. |