Upload a Custom Server Certificate and CA Certificate
These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.
You can use the nessuscli import-certs command to validate the server key, server certificate, and CA certificate, check that they match, and copy the files to the correct locations. Alternatively, you can copy the files manually.
Before you begin:
- Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Tenable Nessus mkcert utility.
To upload a custom CA certificate using a single command:
- Access Tenable Nessus from the CLI.
- Type the following, replacing the server key, server certificate, and CA certificate placeholders with the path and file name of each file:
nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path>
Tenable Nessus validates the files, checks that they match, and copies the files to the correct locations.
To upload a custom server certificate and CA certificate manually using the CLI:
- Stop the Nessus server.
- Back up the original Nessus CA and server certificates and keys.
The default certificate files are located in the directories shown in the following examples, depending on your operating system:
Linux example:
cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
cp /opt/nessus/var/nessus/CA/cakey.pem /opt/nessus/var/nessus/CA/cakey.pem.orig
cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig
Windows example:
copy C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem.orig
macOS example:
cp /Library/NessusAgent/run/com/nessus/CA/cacert.pem /Library/NessusAgent/run/com/nessus/CA/cacert.pem.orig
cp /Library/NessusAgent/run/var/nessus/CA/cakey.pem /Library/NessusAgent/run/var/nessus/CA/cakey.pem.orig
cp /Library/NessusAgent/run/com/nessus/CA/servercert.pem /Library/NessusAgent/run/com/nessus/CA/servercert.pem.orig
cp /Library/NessusAgent/run/var/nessus/CA/serverkey.pem /Library/NessusAgent/run/var/nessus/CA/serverkey.pem.orig
- Replace the original certificates with the new custom certificates:
Note: The certificates must be unencrypted, and you must name them servercert.pem and serverkey.pem.
Note: If your server certificate is not issued directly by the root certificate, add an intermediate certificate chain file named serverchain.pem in the same directory as the servercert.pem file. This file contains the one or more intermediate certificates (concatenated public certificates) needed to build the full chain from the Nessus server certificate up to its root certificate (one trusted by the user's browser).
Linux example:
cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
cp cakey.pem /opt/nessus/var/nessus/CA/cakey.pem
cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
Windows example:
copy customCA.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem
copy cakey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem
copy servercert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem
copy serverkey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem
macOS example:
cp customCA.pem /Library/NessusAgent/run/com/nessus/CA/cacert.pem
cp cakey.pem /Library/NessusAgent/run/var/nessus/CA/cakey.pem
cp servercert.pem /Library/NessusAgent/run/com/nessus/CA/servercert.pem
cp serverkey.pem /Library/NessusAgent/run/var/nessus/CA/serverkey.pem
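When you copy the files manually you lose the validation that nessuscli import-certs performs for you. The following script is an added example, not Tenable's code, that reproduces those checks with the openssl CLI before anything is copied into the Nessus CA directory: the server key is unencrypted, the server certificate was issued for that key, and the server certificate verifies against the CA certificate, using a serverchain.pem file of intermediates when one is present (the case described in the note above). It assumes openssl 1.1.1 or later is on PATH; the file names follow the Nessus conventions on this page, and the certificates it generates are constructed locally for the demonstration only.

```shell
#!/usr/bin/env bash
# Added example (not Tenable's code): manual equivalent of the checks that
# `nessuscli import-certs` performs before it installs custom certificates.
# Assumes the `openssl` CLI (1.1.1 or later) is available.
set -u

# Nessus cannot prompt for a passphrase, so the server key must be unencrypted.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# The server certificate must carry the public half of the server key:
# compare the SubjectPublicKeyInfo extracted from each side.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The server certificate must chain to the CA certificate. An optional
# serverchain.pem (concatenated intermediates) is supplied as untrusted
# material, the same way a browser uses intermediates sent by the server.
cert_chains_to_ca() {
  if [ -n "${3:-}" ] && [ -f "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# validate_cert_set SERVERKEY SERVERCERT CACERT [SERVERCHAIN]
# Prints one line per check; returns 0 only if every check passed.
validate_cert_set() {
  local rc=0
  if key_is_unencrypted "$1"; then echo "ok   server key is unencrypted"
  else echo "FAIL server key is encrypted"; rc=1; fi
  if key_matches_cert "$1" "$2"; then echo "ok   server key matches server certificate"
  else echo "FAIL server key does not belong to the server certificate"; rc=1; fi
  if cert_chains_to_ca "$2" "$3" "${4:-}"; then echo "ok   server certificate chains to the CA certificate"
  else echo "FAIL server certificate does not verify against the CA certificate"; rc=1; fi
  return $rc
}

# Constructed test PKI (root CA -> intermediate CA -> server) generated in DIR
# so the script runs offline. Nothing here is a real Nessus certificate.
make_test_pki() {
  local d=$1
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 365 \
      -subj '/CN=Example Root CA' -keyout "$d/cakey.pem" -out "$d/cacert.pem" >/dev/null 2>&1 || return 1
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
      -keyout "$d/intkey.pem" -out "$d/int.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -days 365 -in "$d/int.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/serverchain.pem" >/dev/null 2>&1 || return 1
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=nessus.example.test' \
      -keyout "$d/serverkey.pem" -out "$d/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/serverchain.pem" -CAkey "$d/intkey.pem" \
      -CAcreateserial -out "$d/servercert.pem" >/dev/null 2>&1 || return 1
  # An unrelated key and an encrypted copy of the real key, to show the checks firing.
  openssl genpkey -algorithm RSA -out "$d/otherkey.pem" >/dev/null 2>&1 || return 1
  openssl pkey -in "$d/serverkey.pem" -aes256 -passout pass:demo -out "$d/enckey.pem" >/dev/null 2>&1
}

# Demo: the correct key set passes; the wrong key fails the match check.
demo() {
  local d; d=$(mktemp -d) || return 1
  make_test_pki "$d" || { rm -rf "$d"; return 1; }
  echo "-- correct key, with serverchain.pem:"
  validate_cert_set "$d/serverkey.pem" "$d/servercert.pem" "$d/cacert.pem" "$d/serverchain.pem"
  echo "-- unrelated key:"
  validate_cert_set "$d/otherkey.pem" "$d/servercert.pem" "$d/cacert.pem" "$d/serverchain.pem" || true
  rm -rf "$d"
}

demo
```

To check your own files, source the script and call validate_cert_set with the paths to serverkey.pem, servercert.pem, cacert.pem and, if you have one, serverchain.pem; the third check is the one that fails when intermediates are missing, which is exactly the situation the note about serverchain.pem addresses.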
- If prompted, overwrite the existing files.
- Start the Nessus server.
- In a browser, log in to the Tenable Nessus user interface as a user with administrator permissions.
- When prompted, verify the new certificate details.
Subsequent connections should not show a warning if a browser-trusted CA generated the certificate.
What to do next:
- If Tenable Nessus does not already trust the CA, configure Tenable Nessus to Trust a Custom CA.