Tenable Nessus Manager Certificates and Tenable Nessus Agent

When you link an agent to Tenable Nessus Manager, you can optionally specify the certificate that the agent should use when it links with Tenable Nessus Manager. This allows the agent to verify the server certificate from Tenable Nessus Manager when the agent links with Tenable Nessus Manager, and secures subsequent communication between the agent and Tenable Nessus Manager. For more information on linking Tenable Nessus Agent, see Nessuscli.

If you do not specify the certificate authority (CA) certificate at link time, the agent receives and trusts the CA certificate from the linked Tenable Nessus Manager. This ensures that subsequent communication between the agent and Tenable Nessus Manager is secure.

Note: If you use a self-signed or untrusted certificate for your Tenable Nessus Manager certificate, it needs to be trusted by any linked agents. Otherwise, the agents lose connection to Tenable Nessus Manager. For more information, see Trust a Custom CA.

The CA certificate the agent receives at linking time saves in the following location:

  • /opt/nessus_agent/var/nessus/users/nessus_ms_agent/ms_cert.pem

  • C:\ProgramData\Tenable\Nessus Agent\nessus\users\nessus_ms_agent\ms_cert.pem

  • /Library/NessusAgent/run/lib/nessus/users/nessus_ms_agent/ms_cert.pem

Troubleshooting

If the agent cannot follow the complete certificate chain, an error occurs and the agent stops connecting with the manager. You can see an example of this event in the following sensor logs:

  • nessusd.messages - Example: Server certificate validation failed: unable to get local issuer certificate

  • backend.log - Example: [error] [msmanager] SSL error encountered when negotiating with <Manager_IP>:<PORT>. Code 336134278, unable to get local issuer certificate, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Scenario: Agent can't communicate to manager due to broken certificate chain

A common reason your certificate chain may break is that you change the server certificate on Tenable Nessus Manager but do not update the CA certificate. The agent is then unable to communicate to the manager upon restart. To resolve this issue, do one of the following:

  • Unlink and relink the agent to Tenable Nessus Manager, which resets the certificate so the agent gets the correct CA certificate from Tenable Nessus Manager.

  • Manually upload the correct cacert.pem file from Tenable Nessus Manager into the custom_CA.inc file in the agent plugin directory:

    • /opt/nessus_agent/lib/nessus/plugins

    • C:\ProgramData\Tenable\Nessus Agent\nessus\plugins

    • /Library/NessusAgent/run/lib/nessus/plugins

  • Generate a new server certificate on Tenable Nessus Manager using the CA for which the agent already has the CA certificate, so that the certificate chain is still valid.