
Create a New Custom CA and Server Certificate

To allow SSL certificate authentication in Nessus, you must configure the Nessus web server with a server certificate and CA (Certificate Authority).

This allows the web server to trust certificates issued by that Certificate Authority (CA) for authentication purposes. Generated certificate files must be owned by root:root; they receive the correct permissions by default.

Note: You must re-link any connected Nessus Agents or managed Scanners after loading new certificates.


  1. Create a new custom CA and server certificate for the Nessus server using the nessuscli mkcert command at the command line. This will place the certificates in their correct directories.

    When prompted for the hostname, enter the DNS name or IP address of the server exactly as it is typed in the browser, for example https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

  2. If you want to use a CA certificate instead of the Nessus-generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

  3. If the certificates to be used for authentication are created by a CA other than the Nessus server, the CA certificate must be installed on the Nessus server.

  4. Configure the Nessus server for certificate authentication. Once certificate authentication is enabled, logging in with a username and password is disabled.

    Caution: Connecting Agents, Remote Scanners, or Managed Scanners using the force_pubkey_auth option is not supported.

  5. Once the CA is in place and the force_pubkey_auth setting is enabled, restart the Nessus services with the service nessusd restart command.

    Note: Any linked Agents will still hold the old certificate (ms_cert), so communication with the Nessus Manager will fail. Relink each Agent using the following commands:

    nessuscli agent unlink

    nessuscli agent link --host=<host> --port=<port> --key=<key> --groups=<group1,group2>
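The following POSIX shell script is an added example, not code from Tenable or from this documentation. It wraps the five steps above in functions and adds the pre-flight checks an administrator wants before force_pubkey_auth locks out password login: that the private key denies group/other access, that files are owned by root:root, that the server certificate chains to the CA that will be trusted, and that the certificate name matches what the browser will request. All paths, the hostname, the linking key and the group list are placeholders; the certificate directory is not named on this page, and the `nessuscli fix --set force_pubkey_auth=yes` call is assumed to be the way the setting is enabled. Nothing is applied unless NESSUS_APPLY=yes is set, so the file can be sourced safely to test the check functions.

```shell
#!/bin/sh
# Added example (not Tenable's code): drive the custom CA / server certificate
# procedure with pre-flight checks. Everything below marked "placeholder" or
# "assumed" is not taken from the documentation page.
set -eu

NESSUS_HOST="nessus.example.internal"          # placeholder: name exactly as typed in the browser
CA_CERT="/path/to/custom-ca.pem"               # placeholder: CA that issued the client certificates
CERT_DIR="/path/to/nessus/certificate/dir"     # placeholder: directory nessuscli mkcert writes to
SERVER_CERT="$CERT_DIR/servercert.pem"         # placeholder file names
SERVER_KEY="$CERT_DIR/serverkey.pem"
AGENT_HOST="$NESSUS_HOST"
AGENT_PORT="8834"
AGENT_KEY="<linking key from Nessus Manager>"  # placeholder
AGENT_GROUPS="group1,group2"                   # placeholder

# A private key must not be readable by group or other. The first field of
# `ls -l` is portable across GNU and BSD, unlike `stat` formats.
private_key_perm_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ?rw-------|?r--------) return 0 ;;
    *) return 1 ;;
  esac
}

# Certificate files must be owned by root:root (page requirement).
owner_is_root() {
  owner=$(ls -ld "$1" | awk '{print $3 ":" $4}')
  [ "$owner" = "root:root" ]
}

# The server certificate must chain to the CA that Nessus will trust.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The certificate must carry the name the browser connects to (CN or SAN).
name_matches() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -Eq "CN *= *$2|DNS:$2|IP Address:$2"
}

preflight() {
  private_key_perm_ok "$SERVER_KEY" || { echo "key readable by others: $SERVER_KEY"; return 1; }
  for f in "$SERVER_CERT" "$SERVER_KEY" "$CA_CERT"; do
    owner_is_root "$f" || { echo "not owned by root:root: $f"; return 1; }
  done
  chain_ok "$CA_CERT" "$SERVER_CERT" || { echo "server cert does not chain to CA"; return 1; }
  name_matches "$SERVER_CERT" "$NESSUS_HOST" || { echo "cert name does not match $NESSUS_HOST"; return 1; }
}

apply_procedure() {
  # Step 1: generate the new CA and server certificate (prompts for the hostname).
  nessuscli mkcert
  # Steps 2-3: when another CA signs the client certificates, install its
  # certificate on the Nessus server (destination directory is a placeholder).
  cp "$CA_CERT" "$CERT_DIR/"
  # Do not lock out password login until the material checks out.
  preflight
  # Step 4: enable certificate authentication (assumed nessuscli syntax).
  nessuscli fix --set force_pubkey_auth=yes
  # Step 5: restart Nessus so the new CA and setting take effect.
  service nessusd restart
}

# Run on each Agent host after the Manager has its new certificate; the old
# ms_cert would otherwise make the Agent's connection fail.
relink_agent() {
  nessuscli agent unlink
  nessuscli agent link --host="$AGENT_HOST" --port="$AGENT_PORT" \
    --key="$AGENT_KEY" --groups="$AGENT_GROUPS"
}

if [ "${NESSUS_APPLY:-no}" = "yes" ]; then
  apply_procedure
fi
```

Run the script with NESSUS_APPLY=yes on the Nessus server, then run relink_agent on each Agent; the preflight function stops the procedure before force_pubkey_auth is enabled if a check fails, so a bad certificate cannot leave the server with password login disabled and no working client-certificate path.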

After Nessus has been configured with the proper CA certificate(s), you can log in to Nessus using SSL client certificates, Smart Cards, and CACs.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.