Create SSL Client Certificates for Login
You can configure Nessus to use SSL client certificate authentication for users to log in to Nessus when accessing Nessus on port 8834. After certificate authentication is enabled, you can no longer log in using a username and password.
Caution: Nessus does not support connecting Agents, Remote Scanners, or Managed Scanners after SSL client certificate authentication is enabled. Configure an alternate port to enable supporting remote agents and scanners using the advanced setting remote_listen_port. For more information, see Advanced Settings.
If you configure SSL client certificate authentication, Nessus also supports:
- smart cards
- personal identity verification (PIV) cards
- Common Access Cards (CAC)
Before you begin:
- If you are using a custom CA, configure Nessus to trust certificates from your CA, as described in Trust a Custom CA.
To configure SSL client certificate authentication for Nessus user accounts:
Access the Nessus CLI as an administrator user or a user with equivalent privileges.
- Set Nessus to allow SSL client certificate authentication.Linux
# /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yesmacOS
# /Library/Nessus/run/sbin/nessuscli fix --set force_pubkey_auth=yesWindows
C:\Program Files\Tenable\Nessus\nessuscli.exe fix --set force_pubkey_auth=yes
Create a client certificate for each user you want to be able to log in to Nessus via SSL authentication.
On the Nessus server, run the nessuscli mkcert-client command.Linux:
# /Library/Nessus/run/sbin/nessuscli mkcert-clientmacOS
# /opt/nessus/sbin/nessuscli mkcert-clientWindows
C:\Program Files\Tenable\Nessus\nessuscli.exe mkcert-client
Complete the fields as prompted.
Note: The answers you provided in the initial prompts remain as defaults if you create subsequent client certificates during the same session. However, you can change the values for each client certificate you create.
The client certificates are created and placed in the Nessus temporary directory:
- Linux: /opt/nessus/var/nessus/tmp/
- macOS: /Library/Nessus/run/var/nessus/tmp/
- Windows: C:\ProgramData\Tenable\Nessus\tmp
Combine the two files (the certificate and the key) and export them into a format that can be imported into the browser, such as .pfx.
In the previous example, the two files were key_sylvester.pem and cert_sylvester.pem.
For example, you can combine the two files by using the openssl program and the following command:
# openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'
The resulting file combined_sylvester.pfx is created in the directory where you launched the command.
Upload the certificate to your browser’s personal certificate store.
Refer to the documentation for your browser.
Restart the Nessus service.
Log in to Nessus via https://<Nessus IP address or hostname>:8834 and select the username you created.