Custom SSL Server Certificates

By default, Nessus uses an SSL certificate signed by the Nessus certificate authority (CA), Nessus Certification Authority. During installation, Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to access Nessus over HTTPS through port 8834.

Because Nessus Certification Authority is not a trusted valid certificate authority, the certificate is untrusted, which can result in the following:

Your browser may produce a warning regarding an unsafe connection when you access Nessus via HTTPS through port 8834.
Plugin 51192 may report a vulnerability when scanning the Nessus scanner host.

To resolve these issues, you can use a custom SSL certificate generated by your organization or a trusted CA.

To configure Nessus to use custom SSL certificates, see the following:

Create a New Server Certificate and CA Certificate. — If your organization does not have a custom SSL certificate, create your own using the built-in Nessus mkcert utility.
Upload a Custom Server Certificate and CA Certificate — Replace the default certificate that ships with Nessus.
Trust a Custom CA — Add a custom CA to the list of CAs that Nessus trusts.

Troubleshooting

To troubleshoot common problems with using the default CA certificate with Nessus, see the following table:

Problem Solution

Problem	Solution
Your browser reports that the Nessus server certificate is untrusted.	Do any of the following: Get the Nessus self-signed certificate signed by a trusted root CA, and upload that trusted CA to your browser. Use the `/getcert` path to install the root CA in your browsers. Go to the following address in your browser: https://[IP address]:8834/getcert. Upload your own custom certificate and custom CA to your browser: Upload a Custom Server Certificate and CA Certificate. If Nessus does not trust the CA for your certificate, configure Nessus to Trust a Custom CA.
Plugin 51192 reports that the Nessus server certificate is untrusted. For example: The certificate expired The certificate is self-signed and therefore untrusted	Do any of the following: Replace the Nessus server certificate with one that has been signed by a CA that Nessus already trusts. Upload your own custom certificate and custom CA to your browser: Upload a Custom Server Certificate and CA Certificate. If Nessus does not trust the CA for your certificate, configure Nessus to Trust a Custom CA.
Plugin 51192 reports that an unknown CA was found at the top of the certificate chain.	Add your custom root CA to the list of CAs that Nessus trusts, as described in Trust a Custom CA.

Your browser reports that the Nessus server certificate is untrusted.

Do any of the following:

Get the Nessus self-signed certificate signed by a trusted root CA, and upload that trusted CA to your browser.
Use the /getcert path to install the root CA in your browsers. Go to the following address in your browser: https://[IP address]:8834/getcert.
Upload your own custom certificate and custom CA to your browser:
1. Upload a Custom Server Certificate and CA Certificate.
2. If Nessus does not trust the CA for your certificate, configure Nessus to Trust a Custom CA.

Plugin 51192 reports that the Nessus server certificate is untrusted.

For example:

The certificate expired
The certificate is self-signed and therefore untrusted

Do any of the following:

Replace the Nessus server certificate with one that has been signed by a CA that Nessus already trusts.
Upload your own custom certificate and custom CA to your browser:
1. Upload a Custom Server Certificate and CA Certificate.
2. If Nessus does not trust the CA for your certificate, configure Nessus to Trust a Custom CA.

Plugin 51192 reports that an unknown CA was found at the top of the certificate chain. Add your custom root CA to the list of CAs that Nessus trusts, as described in Trust a Custom CA.