Create Nessus SSL Certificates for Login
To log in to a Nessus server with SSL certificates, the certificates must be created with the proper utility: the nessuscli mkcert-client command line utility, run on the Nessus server. The utility first asks six questions that set defaults for the users created during the current session: certificate lifetime, country, state, location, organization, and organizational unit. These defaults may be changed during the actual user creation if desired. Users are then created one at a time as prompted. At the end of the process the certificates are copied appropriately and are used to log in to the Nessus server.
On the Nessus server, run the nessuscli mkcert-client command.
Linux:
# /opt/nessus/sbin/nessuscli mkcert-client
Windows (Run as a local Administrator user):
C:\> cd C:\Program Files\Tenable\Nessus\
C:\Program Files\Tenable\Nessus> nessuscli mkcert-client
Fill in the fields as prompted. The process is identical on a Linux or Windows server.
Tip: The client certificates will be placed in the temporary directory in Nessus:
Mac OS X: /Library/Nessus/run/var/nessus/tmp/
Tip: Windows installations of Nessus do not come with man pages (local manual instructions). Consult the Nessus Command Line Reference for additional details on commonly used Nessus executables.
Two files are created in the temporary directory. In the example demonstrated in the previous step, cert_sylvester.pem and key_sylvester.pem were created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. This may be accomplished with the openssl program and the following command:
# openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'
The resulting file combined_sylvester.pfx is created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.
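Before importing the bundle, it is worth confirming that the key and certificate belong together, that the certificate chains to the CA, and that the .pfx opens with its password. The script below is an added example, not part of the Tenable documentation: the function names, the password file, and the demo file generator are hypothetical, and it reads the export password from a file rather than passing it as 'pass:...' on the command line.

```sh
#!/bin/sh
# Added example, not Tenable's code. Function names are hypothetical.

# True only if the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = key PEM, $2 = certificate PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check the pair, export it, then confirm the bundle opens with the password.
# The password is read from a file ($4) so it stays out of the process list.
export_pfx() {  # $1 = key, $2 = cert, $3 = CA cert, $4 = password file, $5 = output
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $3" >&2; return 2; }
    ( umask 077   # the .pfx holds a private key: create it owner-only
      openssl pkcs12 -export -out "$5" -inkey "$1" -in "$2" -chain -CAfile "$3" \
          -passout "file:$4" -name "Nessus User Certificate" ) || return 3
    openssl pkcs12 -in "$5" -noout -passin "file:$4" 2>/dev/null || return 4
}

# Constructed stand-ins for the Nessus CA and the mkcert-client output, written
# to directory $1 so the checks can be tried without a Nessus server.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sylvester" \
        -keyout "$1/key_sylvester.pem" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 1 -out "$1/cert_sylvester.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key_other.pem" 2>/dev/null &&
    ( umask 077; printf '%s\n' 'constructed-demo-password' > "$1/pfx.pass" )
}

# Usage: sh check_export.sh KEY CERT CACERT PASSFILE OUT.pfx
if [ $# -eq 5 ]; then export_pfx "$@"; fi
```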