Upload a Custom CA Certificate
These steps describe how to upload a custom certificate authority (CA) certificate to the Nessus web server through the command line.
Steps
- Create one or more custom CA and server certificates.
- Back up the original Nessus CA and server certificates and keys:
    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
    cp /opt/nessus/var/nessus/CA/cakey.pem /opt/nessus/var/nessus/CA/cakey.pem.orig
    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig
- Replace the original certificates with the new custom certificates:
    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
    cp customCA.key /opt/nessus/var/nessus/CA/cakey.pem
    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
    cp server.key /opt/nessus/var/nessus/CA/serverkey.pem
- Restart Nessus:
    service nessusd restart
Note: Any linked agent still has the old certificate (ms_cert) in its configuration, so communication with the manager fails after the restart. To fix this, relink the agent to the controller:
    nessuscli agent unlink
    nessuscli agent link --host=<host> --port=<port> --key=<key> --groups=<group1,group2>
You can also load the cacert.pem file into the custom_CA.inc file in the Agents plugin directory:
    scp customCA.pem <user>@<agent_host>:/opt/nessus_agent/lib/nessus/custom_CA.inc
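
A pre-flight check worth running between the backup and replace steps, so a mismatched key or a server certificate that does not chain to the custom CA is caught before the restart. This is an added example, not Tenable's code; the function names and script name are hypothetical, the file names are the ones used in the steps above, and it assumes openssl is installed and the keys are not passphrase-protected.

```shell
#!/bin/sh
# Added example (not Tenable's code): pre-flight checks for the custom
# certificate files, run before they are copied over the Nessus originals.
# Assumes openssl is installed and the private keys have no passphrase.

# pair_matches CERT KEY: succeeds only if KEY is the private key for CERT.
# Compares the public key embedded in the certificate with the one derived
# from the private key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_custom_certs CA_CERT CA_KEY SERVER_CERT SERVER_KEY
# Returns 0 if all checks pass, otherwise 1-4 to identify the failed check.
check_custom_certs() {
    ca_cert=$1; ca_key=$2; srv_cert=$3; srv_key=$4

    for f in "$ca_cert" "$ca_key" "$srv_cert" "$srv_key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # The server certificate must chain to the custom CA and be within its
    # validity period; match the ": OK" line rather than trusting exit codes.
    openssl verify -CAfile "$ca_cert" "$srv_cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "$srv_cert does not verify against $ca_cert" >&2; return 2; }

    pair_matches "$ca_cert" "$ca_key" ||
        { echo "$ca_key is not the key for $ca_cert" >&2; return 3; }
    pair_matches "$srv_cert" "$srv_key" ||
        { echo "$srv_key is not the key for $srv_cert" >&2; return 4; }
    return 0
}

# Usage: sh check_certs.sh customCA.pem customCA.key servercert.pem server.key
if [ "$#" -eq 4 ]; then
    check_custom_certs "$@"
fi
```

Proceed with the replace and restart steps only when the script exits 0.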