You are here: Additional Resources > Custom SSL Certificates > Create Nessus SSL Certificates for Login

Create Nessus SSL Certificates for Login

To log in to a Nessus server with SSL certificates, the certificates must be created with the proper utility. For this process, the nessuscli mkcert-client command line utility is used on the system. The six questions asked are to set defaults for the creation of users during the current session. These include certificate lifetime, country, state, location, organization, and organizational unit. The defaults for these options may be changed during the actual user creation if desired. The user(s) will then be created one at a time as prompted. At the end of the process the certificates are copied appropriately and are used to log in to the Nessus server.

  1. On the Nessus server, run the nessuscli mkcert-client command.

  2. Fill in the fields as prompted. The process is identical on a Linux or Windows server.

    mkcert-client Output

    Tip: The client certificates will be placed in the temporary directory in Nessus:

    Linux: /opt/nessus/var/nessus/tmp/

    Mac OSX: /Library/Nessus/run/var/nessus/tmp/

    Windows: C:\programdata\tenable\nessus\tmp

    Tip: Windows installations of Nessus do not come with “man” pages (local manual instructions). Consult the Tenable Network Security Support Portal for additional details on commonly used Nessus executables.

  3. Two files are created in the temporary directory. In the example demonstrated in the above image, cert_sylvester.pem and key_sylvester.pem were created. These two files must be combined and exported into a format that may be imported into the web browser such as .pfx. This may be accomplished with the openssl program and the following command:


    #openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'

The resulting file combined sylvester.pfx will be created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.