Upload a Custom Server Certificate and CA Certificate

These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.

You can use the nessuscli import-certs command to validate the server key, server certificate, and CA certificate, check that they match, and copy the files to the correct locations. Alternatively, you can also manually copy the files.

Before you begin:

  • Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Tenable Nessusmkcert utility.

To upload a custom CA certificate using a single command:

  1. Access Tenable Nessus from the CLI.

  2. Type the following, replacing the server key, server certificate, and CA certificate with the appropriate path and file names for each file.

    nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path>

    Tenable Nessus validates the files, checks that they match, and copies the files to the correct locations.

To upload a custom server certificate and CA certificate manually using the CLI:

  1. Stop the Nessus server.

  2. Back up the original Nessus CA and server certificates and keys.

    For the location of the default certificate files for your operating system, see The default certificate files are located in the following directory, depending on your operating system:.

    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig

    cp /opt/nessus/var/nessus/CA/cakey.pem /opt/nessus/var/nessus/CA/cakey.pem.orig

    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig

    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

    copy C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem.orig

    copy C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem.orig

    copy C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem.orig

    copy C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem.orig

    cp /Library/NessusAgent/run/com/nessus/CA/cacert.pem /Library/NessusAgent/run/com/nessus/CA/cacert.pem.orig

    cp /Library/NessusAgent/run/var/nessus/CA/cakey.pem /Library/NessusAgent/run/var/nessus/CA/cakey.pem.orig

    cp /Library/NessusAgent/run/com/nessus/CA/servercert.pem /Library/NessusAgent/run/com/nessus/CA/servercert.pem.orig

    cp /Library/NessusAgent/run/var/nessus/CA/serverkey.pem /Library/NessusAgent/run/var/nessus/CA/serverkey.pem.orig

  3. Replace the original certificates with the new custom certificates:

    Note: The certificates must be unencrypted, and you must name them servercert.pem and serverkey.pem.

    Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).

    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem

    cp cakey.pem /opt/nessus/var/nessus/CA/cakey.pem

    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem

    cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem

    copy customCA.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem

    copy cakey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem

    copy servercert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem

    copy serverkey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem

    cp customCA.pem /Library/NessusAgent/run/com/nessus/CA/cacert.pem

    cp cakey.pem /Library/NessusAgent/run/var/nessus/CA/cakey.pem

    cp servercert.pem /Library/NessusAgent/run/com/nessus/CA/servercert.pem

    cp serverkey.pem /Library/NessusAgent/run/var/nessus/CA/serverkey.pem

  4. If prompted, overwrite the existing files.

  5. Start the Nessus server.

  6. In a browser, log in to the Tenable Nessus user interface as a user with administrator permissions.
  7. When prompted, verify the new certificate details.

    Subsequent connections should not show a warning if a browser-trusted CA generated the certificate.

What to do next:

  • If Tenable Nessus does not already trust the CA, configure Tenable Nessus to Trust a Custom CA.