Trust a Custom CA
By default, Nessus trusts certificate authorities (CAs) based on root certificates in the Mozilla Included CA Certificate list. Nessus lists the trusted CAs in the known_CA.inc file in the Nessus directory. Tenable updates known_CA.inc when updating plugins.
If you have a custom root CA that is not included in the known CAs, you can configure Nessus to trust the custom CA for certificate authentication.
You can use either the Nessus user interface or the command-line interface (CLI).
Before you begin:
- If your organization does not already have a custom CA, use Nessus to create a new custom CA and server certificate, as described in Create a New Server Certificate and CA Certificate.
- Ensure your CA is in PEM (Base64) format.
To configure Nessus to trust a custom CA using the Nessus user interface:
- In the top navigation bar, click Settings.
  The About page appears.
- In the left navigation bar, click Custom CA.
  The Custom CA page appears.
- In the Certificate box, enter the text of your custom CA.
  Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.
  Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.
- Click Save.
The CA is available for use in Nessus.
To configure Nessus to trust a custom CA using the CLI:
- Save your PEM-formatted CA as a text file.
  Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.
  Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.
- Rename the file custom_CA.inc.
- Move the file to your plugins directory:
  Linux: /opt/nessus/lib/nessus/plugins
  Windows: C:\ProgramData\Tenable\Nessus\nessus\plugins
  macOS: /Library/Nessus/run/lib/nessus/plugins
The CA is available for use in Nessus.
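A pre-flight format check for the bundle before it is saved as custom_CA.inc, as an added example (not Tenable's code): it confirms that every block is a complete BEGIN/END CERTIFICATE pair with valid Base64 wrapping one DER SEQUENCE, and rejects bundles that contain key material. The function names are hypothetical, and the check covers structure only, not signatures, validity dates or CA constraints.

```python
import base64
import binascii
import re

# Any PEM block, whatever its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_ca_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, or raise ValueError."""
    blocks = PEM_BLOCK.findall(text)
    # Marker lines that no complete block accounts for mean a truncated paste.
    if text.count("-----BEGIN ") != len(blocks) or text.count("-----END ") != len(blocks):
        raise ValueError("unmatched BEGIN/END marker")
    if not blocks:
        raise ValueError("no PEM blocks found (file may be DER, not PEM)")
    certs = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            # A CA trust file must never carry key material.
            raise ValueError(f"unexpected PEM block: {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt Base64 in certificate: {exc}") from exc
        if not der_sequence_ok(der):
            raise ValueError("Base64 payload is not a single DER SEQUENCE")
        certs.append(der)
    return certs

if __name__ == "__main__":
    # Constructed stand-in: a 5-byte DER SEQUENCE, not a real certificate.
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    print(len(check_ca_bundle(pem + pem)), "certificate(s) pass the format check")
```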