Upload a Custom CA Certificate

These steps describe how to upload a custom certificate authority (CA) certificate to the Nessus web server through the command line.


  1. Create one or more custom CA and server certificates.
  2. Back up the original Nessus CA and server certificates and keys:

    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig

    cp /opt/nessus/var/nessus/CA/cakey.pem /opt/nessus/var/nessus/CA/cakey.pem.orig

    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig

    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

  3. Replace the original certificates with the new custom certificates:

    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem

    cp customCA.key /opt/nessus/var/nessus/CA/cakey.pem

    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem

    cp server.key /opt/nessus/var/nessus/CA/serverkey.pem

  4. Restart Nessus:

    service nessusd restart

    Note: Any linked agent has an old certificate in its configuration, (ms_cert) and upon restart, communication fails to the manager. You can remedy this by relinking the agent to the controller:

    nessuscli agent unlink

    nessuscli agent link --host=<host> --port=<port> --key=<key> --groups<group1,group2>

    You can also load the cacert.pem file into the custom_CA.inc file in the Agents plugin directory:

    scp customCA.pem [email protected]:/opt/nessus_agent/lib/nessus/custom_CA.inc