Trust a Custom CA
By default, Tenable Nessus trusts certificate authorities (CAs) based on root certificates in the Mozilla Included CA Certificate list. Tenable Nessus lists the trusted CAs in the known_CA.inc file in the Tenable Nessus directory. Tenable updates known_CA.inc when updating plugins.
If you have a custom root CA that is not included in the known CAs, you can configure Tenable Nessus to trust that CA for certificate authentication.
You can use either the Tenable Nessus user interface or the command-line interface (CLI).
Before you begin:
- If your organization does not already have a custom CA, use Tenable Nessus to create a new custom CA and server certificate, as described in Create a New Server Certificate and CA Certificate.
- Ensure your CA is in PEM (Base64) format.
To configure Tenable Nessus to trust a custom CA using the Tenable Nessus user interface:
- In the top navigation bar, click Settings.
  The About page appears.
- In the left navigation bar, click Custom CA.
  The Custom CA page appears.
- In the Certificate box, enter the text of your custom CA.
  Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.
  Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.
- Click Save.
The CA is available for use in Nessus.
To configure Tenable Nessus to trust a custom CA using the CLI:
- Save your PEM-formatted CA as a text file.
  Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.
  Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.
- Rename the file custom_CA.inc.
- Move the file to your plugins directory:
  Linux: /opt/nessus/lib/nessus/plugins
  Windows: C:\ProgramData\Tenable\Nessus\nessus\plugins
  macOS: /Library/Nessus/run/lib/nessus/plugins
The CA is available for use in Nessus.
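A pre-flight check for the file before it is renamed to custom_CA.inc, as an added example that is not Tenable code: it confirms that every certificate in the bundle has exact BEGIN and END markers and a complete Base64 DER body. The names check_ca_bundle and der_error are hypothetical, the sample body is constructed and is not a real certificate, and the check covers framing only, not whether the certificate is a CA.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_error(b64_body):
    """Return a problem string, or None if the body is one complete DER SEQUENCE."""
    try:
        der = base64.b64decode(b64_body, validate=True)
    except binascii.Error:
        return "body is not valid Base64"
    if len(der) < 2 or der[0] != 0x30:
        return "body is not a DER SEQUENCE"
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: next k bytes hold the length
        k = der[1] & 0x7F
        header, length = 2 + k, int.from_bytes(der[2:2 + k], "big")
    if header + length != len(der):
        return "DER length does not match the body (truncated or padded)"
    return None

def check_ca_bundle(text):
    """Return (certificate_count, problems) for a PEM bundle."""
    count, problems, body = 0, [], None    # body is a list while inside a block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN before the previous END")
            body = []
        elif line == END:
            no_begin = "END without a matching BEGIN"
            error = der_error("".join(body)) if body is not None else no_begin
            if error:
                problems.append(f"line {lineno}: {error}")
            else:
                count += 1
            body = None
        elif line.startswith("-"):         # Base64 never starts with a dash
            problems.append(f"line {lineno}: malformed marker {line!r}")
        elif body is not None:
            body.append(line)
    if body is not None:
        problems.append("last certificate has no END marker")
    return count, problems

# Constructed sample: a tiny DER SEQUENCE stands in for a real certificate body.
SAMPLE_BODY = base64.b64encode(bytes.fromhex("3006020100020100")).decode()
SAMPLE_BUNDLE = "\n".join([BEGIN, SAMPLE_BODY, END] * 2) + "\n"
```

Run check_ca_bundle on the contents of your own file and copy it into the plugins directory only when the problems list is empty and the count matches the number of CAs you expect.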