Upload a Custom Server Certificate and CA Certificate

These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.

Before you begin:

  • Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessus mkcert utility.

To manually upload a custom server certificate and CA certificate using the CLI:

  1. Stop the Nessus server.

  2. Back up the original Nessus CA and server certificates and keys.

    For the location of the default certificate files for your operating system, see Upload a Custom Server Certificate and CA Certificate.

    Linux example:

    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

  3. Replace the original certificates with the new custom certificates:

    Note: The certificates must be named servercert.pem and serverkey.pem.

    Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).

    Linux example:

    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
    cp server.key /opt/nessus/var/nessus/CA/serverkey.pem

  4. If prompted, overwrite the existing files.

  5. Start the Nessus server.

  6. In a browser, log in to the Nessus user interface as a user with administrator permissions.

  7. When prompted, verify the new certificate details.

    Subsequent connections should not display a warning if the certificate was generated by a trusted CA.
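Before copying the files in step 3, a pre-flight check avoids a Nessus server that fails to start or presents an untrusted certificate: the key must match the certificate, the certificate must chain to the custom CA (through serverchain.pem when intermediates are involved), and it must not be about to expire. The following POSIX shell script is an added example, not part of this documentation or of the Nessus product; it assumes openssl is on the PATH, and the function names and the NESSUS_COM_CA / NESSUS_VAR_CA directory overrides are introduced here for illustration.

```shell
#!/bin/sh
# Pre-flight check and install for the Nessus certificate files in steps 2 and 3.
# Assumed in this example: openssl on PATH; NESSUS_COM_CA / NESSUS_VAR_CA may
# override the default directories so the script can be dry-run elsewhere.
set -eu

# Returns 0 when the key matches the cert, the cert chains to the custom CA
# (via the intermediates in $4 when given) and is valid for at least a day.
check_nessus_cert_bundle() {
  ca="$1"; cert="$2"; key="$3"; chain="${4:-}"

  # Key and certificate must carry the same public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "serverkey.pem does not match servercert.pem" >&2; return 1
  fi

  # The chain must build from the server cert up to the custom root.
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
      || { echo "servercert.pem does not chain to cacert.pem via serverchain.pem" >&2; return 1; }
  else
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
      || { echo "servercert.pem is not issued by cacert.pem (missing serverchain.pem?)" >&2; return 1; }
  fi

  # Refuse a certificate that expires within 24 hours (86400 seconds).
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "servercert.pem expires within 24 hours" >&2; return 1; }
}

# Step 2 (back up with the .orig suffix) and step 3 (copy into place),
# run only after the bundle passes the checks above.
install_nessus_certs() {
  ca="$1"; cert="$2"; key="$3"; chain="${4:-}"
  com_dir="${NESSUS_COM_CA:-/opt/nessus/com/nessus/CA}"
  var_dir="${NESSUS_VAR_CA:-/opt/nessus/var/nessus/CA}"
  check_nessus_cert_bundle "$ca" "$cert" "$key" "$chain" || return 1
  for f in "$com_dir/cacert.pem" "$com_dir/servercert.pem" "$var_dir/serverkey.pem"; do
    [ -f "$f" ] && cp -p "$f" "$f.orig"
  done
  cp "$ca" "$com_dir/cacert.pem"
  cp "$cert" "$com_dir/servercert.pem"
  cp "$key" "$var_dir/serverkey.pem"
  chmod 600 "$var_dir/serverkey.pem"   # keep the private key unreadable to other local users
  [ -n "$chain" ] && cp "$chain" "$com_dir/serverchain.pem"
  return 0
}
```

Run it with the Nessus server stopped (step 1), for example `install_nessus_certs customCA.pem servercert.pem server.key`, adding the chain file as a fourth argument when your certificate is issued by an intermediate CA.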

What to do next: