Custom SSL Certificates

By default, Nessus is installed and managed over HTTPS on port 8834, and a default installation uses a self-signed SSL certificate.

To avoid browser warnings, a custom SSL certificate specific to your organization can be used. During the installation, Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. These files must be replaced with certificate files generated by your organization or a trusted Certificate Authority (CA).

Before replacing the certificate files, stop the Nessus server. Replace the two files, then restart the Nessus server. Subsequent connections to the scanner should not display an error if the certificate was generated by a trusted CA.

You can configure Nessus for custom SSL certificates using the following steps:

Location of Certificate Files

| Operating System | Directory |
|---|---|
| Linux | /opt/nessus/com/nessus/CA/servercert.pem |
| | /opt/nessus/var/nessus/CA/serverkey.pem |
| FreeBSD | /usr/local/nessus/com/nessus/CA/servercert.pem |
| | /usr/local/nessus/var/nessus/CA/serverkey.pem |
| Windows Vista and later | C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem |
| | C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem |
| Mac OS X | /Library/Nessus/run/com/nessus/CA/servercert.pem |
| | /Library/Nessus/run/var/nessus/CA/serverkey.pem |

You can also use the /getcert switch to install the root CA in your browser, which will remove the warning.

https://[IP address]:8834/getcert

Note: To set up an intermediate certificate chain, a file named serverchain.pem must be placed in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
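
A pre-flight check for the replacement files described above, as an added example rather than Tenable's own tooling: it confirms that the certificate and key belong together, that the certificate is unexpired, and, when a serverchain.pem candidate is supplied, that the leaf is signed by a certificate in it, before copying the files to the Linux paths in the table. The function names and the NESSUS_ROOT override are assumptions, and the openssl command-line tool (OpenSSL 1.1.0 or later) is required.

```sh
#!/bin/sh
# Added example (not Tenable code). Paths follow the Linux row of the table;
# NESSUS_ROOT is an assumed override so the functions can target a scratch tree.
NESSUS_ROOT="${NESSUS_ROOT:-/opt/nessus}"

# Return 0 only if cert and key parse, belong together, and the cert is unexpired.
check_cert_key() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "unreadable certificate: $cert" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "unreadable private key: $key" >&2; return 1; }
    # Compare the public key inside the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate has expired" >&2; return 1; }
}

# Return 0 if the leaf ($1) is signed by a certificate in the chain file ($2).
# -partial_chain lets an intermediate in that file anchor the check; -no-CApath
# keeps the system trust directory out of the decision.
check_chain() {
    openssl verify -partial_chain -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "leaf does not chain to $2" >&2; return 1; }
}

# Validate, back up the existing pair, then copy the new files into place.
# Run with the Nessus server stopped and start it again afterwards.
install_cert() {
    cert="$1"; key="$2"; chain="${3:-}"
    check_cert_key "$cert" "$key" || return 1
    [ -z "$chain" ] || check_chain "$cert" "$chain" || return 1
    cert_dir="$NESSUS_ROOT/com/nessus/CA"; key_dir="$NESSUS_ROOT/var/nessus/CA"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$cert_dir/servercert.pem" "$key_dir/serverkey.pem"; do
        [ ! -f "$f" ] || cp -p "$f" "$f.bak.$stamp" || return 1
    done
    cp "$cert" "$cert_dir/servercert.pem" && cp "$key" "$key_dir/serverkey.pem" || return 1
    chmod 600 "$key_dir/serverkey.pem"
    [ -z "$chain" ] || cp "$chain" "$cert_dir/serverchain.pem"
}

# Usage (file names are placeholders):
#   install_cert ./scanner.example.pem ./scanner.example.key ./serverchain.pem
```

A mismatched key or an expired certificate stops the copy before anything under the Nessus directories is touched, so a failed run leaves the existing certificate in place.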

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.