Create a New Custom CA and Server Certificate

To allow SSL certificate authentication in Nessus, you must configure the Nessus web server with a certificate authority (CA) and server certificate.

This allows the web server to trust certificates issued by that CA for authentication purposes. The generated certificate files must be owned by root:root and must keep the correct permissions they are given by default.

To create a new custom CA and server certificate:

  1. Create a new custom CA and server certificate for the Nessus server by running the nessuscli mkcert command at the command line. This places the certificates in their correct directories.

    When prompted for the hostname, enter the DNS name or IP address that users type into the browser to reach the server, such as https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

  2. If you want to use a CA certificate instead of the Nessus-generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

  3. If the certificates to be used for authentication are created by a CA other than the Nessus server, the CA certificate must be installed on the Nessus server.

  4. Configure the Nessus server for certificate authentication. Once certificate authentication is enabled, logging in with a username and password is disabled.

    Caution: Nessus does not support connecting Agents, Remote Scanners, or Managed Scanners through the web server port while the force_pubkey_auth option is enabled. To keep supporting remote agents and scanners with force_pubkey_auth enabled, configure an alternate port for them with the remote_listen_port setting in the Advanced Settings.

  5. Once the CA is in place and the force_pubkey_auth setting is enabled, restart the Nessus services with the service nessusd restart command.
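The following is an added example, not Tenable's code or part of the original page: a set of shell checks to run after step 1 (or after installing a third-party CA in step 3) and before restarting nessusd, confirming that the files are owned by root:root, that the private key and certificates carry sane permissions, that the server certificate chains to the CA for the hostname users will type into the browser, and that the key actually belongs to the certificate. It assumes a Linux host with GNU stat and OpenSSL 1.1 or later; the file paths are passed as arguments because the page does not name the directories Nessus uses, and the expected modes (600 for the key, 644 for certificates) are an assumption rather than a Nessus requirement.

```shell
# Added example (not Tenable's code). Assumes GNU stat and OpenSSL >= 1.1.
# Paths are arguments: the page does not give the Nessus certificate directories.

# check_mode FILE MODE: 0 if FILE's permission bits equal MODE (e.g. 600).
check_mode() {
  [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# check_owner FILE: 0 if FILE is owned by root:root, as the page requires.
check_owner() {
  [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "root:root" ]
}

# check_chain CA_CERT SERVER_CERT HOSTNAME: 0 if SERVER_CERT chains to CA_CERT
# and its subject/SAN matches HOSTNAME (what the browser sends for
# https://HOSTNAME:8834/). -verify_hostname needs OpenSSL 1.1 or later.
check_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# check_key_matches SERVER_CERT SERVER_KEY: 0 if the key's public half equals
# the certificate's public key (catches a cert/key mix-up after a reissue).
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# nessus_cert_check CA_CERT SERVER_CERT SERVER_KEY HOSTNAME: run every check,
# print each failure, and return the number of failures (0 means all passed).
# Expected modes 600 (key) and 644 (cert) are an assumption, not a Nessus rule.
nessus_cert_check() {
  ca=$1; cert=$2; key=$3; host=$4; fails=0
  for f in "$ca" "$cert" "$key"; do
    check_owner "$f" || { echo "FAIL: owner is not root:root: $f"; fails=$((fails+1)); }
  done
  check_mode "$key" 600 || { echo "FAIL: key mode is not 600: $key"; fails=$((fails+1)); }
  check_mode "$cert" 644 || { echo "FAIL: cert mode is not 644: $cert"; fails=$((fails+1)); }
  check_chain "$ca" "$cert" "$host" || { echo "FAIL: $cert does not chain to $ca for $host"; fails=$((fails+1)); }
  check_key_matches "$cert" "$key" || { echo "FAIL: $key does not match $cert"; fails=$((fails+1)); }
  return "$fails"
}
```

Run it as `nessus_cert_check CA.pem server.pem server.key nessus.example.com` (placeholder paths) as root before `service nessusd restart`; a non-zero exit count means something to fix before enabling force_pubkey_auth.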

After Nessus has been configured with the proper CA certificate(s), you can log in to Nessus using SSL client certificates, Smart Cards, and CACs.