Upload a Custom Server Certificate and CA Certificate
These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.
Before you begin:
Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessus mkcert utility.
To manually upload a custom server certificate and CA certificate using the CLI:
Stop the Nessus server.
Back up the original Nessus CA and server certificates and keys.
For the location of the default certificate files for your operating system, see Upload a Custom Server Certificate and CA Certificate.
cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig
Replace the original certificates with the new custom certificates:
Note: The certificates must be unencrypted, and must be named servercert.pem and serverkey.pem.
Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
If prompted, overwrite the existing files.
Start the Nessus server.
- In a browser, log in to the Nessus user interface as a user with administrator permissions.
- When prompted, verify the new certificate details.
Subsequent connections should not display a warning if the certificate was generated by a trusted CA.
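The following pre-flight check is an added example, not part of the original Nessus documentation. Run it before the replace step to confirm that the key is unencrypted, that servercert.pem matches serverkey.pem, and that the chain verifies against customCA.pem. It assumes the openssl command-line tool is installed and the new files are staged together in one directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before the cp commands in the replace step.
# Function names are hypothetical; file names follow this page.

# Nessus needs an unencrypted key. Reject PKCS#8 "ENCRYPTED PRIVATE KEY"
# blocks and legacy PEM keys that carry a Proc-Type encryption header.
key_is_unencrypted() {
    [ -r "$1" ] || return 1
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# servercert.pem and serverkey.pem pair up when both yield the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Build the chain from the server certificate to the custom CA, passing
# serverchain.pem as untrusted intermediates when that file exists.
chain_verifies() {
    if [ -f "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Run every check against a staging directory; the return code names the failure.
preflight() {
    d=${1:-.}
    key_is_unencrypted "$d/serverkey.pem" ||
        { echo "serverkey.pem is missing or encrypted" >&2; return 1; }
    cert_matches_key "$d/servercert.pem" "$d/serverkey.pem" ||
        { echo "servercert.pem does not match serverkey.pem" >&2; return 2; }
    chain_verifies "$d/customCA.pem" "$d/servercert.pem" "$d/serverchain.pem" ||
        { echo "chain to customCA.pem does not verify" >&2; return 3; }
    echo "ok: certificate files are ready to copy"
}

# Usage: preflight /path/to/staged-certs
```

A return code of 1, 2, or 3 identifies which check failed, so the script can gate the copy step in a deployment job.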
What to do next:
If the CA is not already trusted by Nessus, configure Nessus to Trust a Custom CA.