Tenable Nessus Manager Certificates and Tenable Agent

When you link an agent to Tenable Nessus Manager, you can optionally specify the certificate that the agent should use when it links with Tenable Nessus Manager. This allows the agent to verify the server certificate from Tenable Nessus Manager when the agent links with Tenable Nessus Manager, and secures subsequent communication between the agent and Tenable Nessus Manager. For more information on linking Tenable Agent, see Nessuscli.

If you do not specify the certificate authority (CA) certificate at link time, the agent receives and trusts the CA certificate from the linked Tenable Nessus Manager. This ensures that subsequent communication between the agent and Tenable Nessus Manager is secure.

Note: If you use a self-signed or untrusted certificate for your Tenable Nessus Manager certificate, it needs to be trusted by any linked agents. Otherwise, the agents lose connection to Tenable Nessus Manager. For more information, see Trust a Custom CA.

Note: When you regenerate or update the Tenable Nessus Manager CA certificate, existing linked Tenable Agents automatically detect the change and update their local certificate trust. You do not need to unlink and re-link your agents after updating the Tenable Nessus Manager certificate.

The CA certificate that the agent receives at linking time is saved in the following location:

Operating System   CA Certificate Save Location
Linux              /opt/nessus_agent/var/nessus/users/nessus_ms_agent/ms_cert.pem
Windows            C:\ProgramData\Tenable\Nessus Agent\nessus\users\nessus_ms_agent\ms_cert.pem
macOS              /Library/NessusAgent/run/var/nessus/users/nessus_ms_agent/

Troubleshooting

If the agent cannot follow the complete certificate chain, an error occurs and the agent stops connecting with the manager. You can see an example of this event in the following sensor logs:

  • nessusd.messages - Example: Server certificate validation failed: unable to get local issuer certificate

  • backend.log - Example: [error] [msmanager] SSL error encountered when negotiating with <Manager_IP>:<PORT>. Code 336134278, unable to get local issuer certificate, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Scenario: Agent Cannot Communicate to Manager Due to Broken Certificate Chain

A common reason your certificate chain may break is that you change the server certificate on Tenable Nessus Manager but do not update the CA certificate. The agent is then unable to communicate with the manager upon restart. To resolve this issue, do one of the following:

  • Update cacert.pem in Tenable Nessus Manager. For more information, see Upload a Custom Server Certificate and CA Certificate.

  • Manually upload the correct cacert.pem file from Tenable Nessus Manager into the custom_CA.inc file in the agent plugin directory:

    Operating System   Agent Plugin Directory Location
    Linux              /opt/nessus_agent/lib/nessus/plugins
    Windows            C:\ProgramData\Tenable\Nessus Agent\nessus\plugins
    macOS              /Library/NessusAgent/run/lib/nessus/plugins

  • Generate a new server certificate on Tenable Nessus Manager using the CA for which the agent already has the CA certificate, so that the certificate chain is still valid.
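The broken-chain scenario above, reproduced offline as an added example that is not Tenable's code: it assumes openssl is on PATH, and the CA names (old_ca, new_ca) and the host name manager.example are constructed. chain_ok runs the same chain check the agent performs against its saved ms_cert.pem, and chain_error extracts the OpenSSL reason string that the agent logs.

```shell
#!/bin/sh
# Added example, not Tenable code. Builds a throwaway CA ("old_ca", standing in
# for the CA the agent saved as ms_cert.pem) and two server certs for a
# constructed host name: one signed by old_ca, one signed by a different CA
# ("new_ca"), then runs the same chain check the agent performs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME -> self-signed CA in $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server NAME CA -> server cert $WORK/NAME.pem for manager.example, signed by CA
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=manager.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_ok CAFILE SERVERCERT -> exit 0 only if SERVERCERT chains to CAFILE
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chain_error CAFILE SERVERCERT -> the OpenSSL reason text when the chain breaks
chain_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

make_ca old_ca
make_ca new_ca
make_server server_v1 old_ca   # original manager server cert
make_server server_v2 new_ca   # server cert regenerated under a CA the agent never saw

# Agent trust (old_ca) still matches the manager's server cert: linking works.
chain_ok "$WORK/old_ca.pem" "$WORK/server_v1.pem" && echo "server_v1: chain valid"

# Server cert replaced but CA on the agent not updated: the chain breaks with the
# same reason string that appears in nessusd.messages and backend.log.
chain_ok "$WORK/old_ca.pem" "$WORK/server_v2.pem" \
  || echo "server_v2: $(chain_error "$WORK/old_ca.pem" "$WORK/server_v2.pem")"
```

Pointing chain_ok at the real ms_cert.pem and a copy of the manager's current server certificate tells you, before restarting the agent, whether the trust on the agent still matches the manager.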