Custom SSL Server Certificates

By default, Nessus uses an SSL certificate signed by the Nessus certificate authority (CA), Nessus Certification Authority. During installation, Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to access Nessus over HTTPS through port 8834.

Because Nessus Certification Authority is not a trusted certificate authority, the certificate is untrusted, which can result in the following:

  • Your browser may produce a warning regarding an unsafe connection when you access Nessus via HTTPS through port 8834.

  • Plugin 51192 may report a vulnerability when scanning the Nessus scanner host.

To resolve these issues, you can use a custom SSL certificate generated by your organization or a trusted CA.

To configure Nessus to use custom SSL certificates, see the following:

Troubleshooting

For common problems with SSL certificates, see the following table.

Problem: Your browser reports that the Nessus server certificate is untrusted.

Solution: Do any of the following:

  • Get the Nessus self-signed certificate signed by a trusted root CA, and upload that trusted CA to your browser.

  • Use the /getcert path to install the root CA in your browsers. Go to the following address in your browser: https://[IP address]:8834/getcert

  • Upload your own custom certificate and custom CA to your browser:

    1. Upload a Custom Server Certificate and CA Certificate.

    2. If the CA for your certificate is not already trusted by Nessus, configure Nessus to Trust a Custom CA.

Problem: Plugin 51192 reports that the Nessus server certificate is untrusted. For example:

  • the certificate expired

  • the certificate is self-signed and therefore untrusted

Solution: Do any of the following:

Problem: Plugin 51192 reports that an unknown CA was found at the top of the certificate chain.

Solution: Add your custom root CA to the list of CAs that Nessus trusts, as described in Trust a Custom CA.
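The three conditions in the table (self-signed, expired, unknown CA at the top of the chain) can be checked from a shell before a browser or plugin 51192 reports them. The script below is an added example, not part of Tenable's documentation; it assumes only the openssl CLI, and the hostname, file names and default CA bundle path are assumptions.

```shell
#!/bin/sh
# Added example, not Tenable's code: reproduce locally the three conditions this
# page says a browser or plugin 51192 reports about the Nessus server certificate
# (self-signed, expired, unknown CA at the top of the chain). Needs only the
# openssl CLI; the hostname, file names and CA bundle path are assumptions.

# 0 if the certificate is self-signed (issuer equals subject), 1 otherwise.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# 0 if the certificate is still valid $2 seconds from now (default: right now).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if the certificate chains to a CA in bundle $2. Failure here is the
# "untrusted" / "unknown CA" condition from the troubleshooting table.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write the PEM certificate a running scanner presents on 8834 to stdout.
fetch_server_cert() {
    openssl s_client -connect "$1:8834" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Constructed stand-in for the default servercert.pem: a throwaway self-signed
# certificate valid for 30 days, with an optional CN in $2.
make_sample_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=${2:-nessus.example.internal}" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Print the findings for one PEM file in the terms the table uses.
report() {
    cert_is_self_signed "$1" && echo "self-signed: browser and plugin 51192 will report it untrusted"
    cert_not_expired "$1" 2592000 || echo "expires within 30 days: renew before it is reported"
    cert_chains_to_ca "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}" \
        || echo "does not chain to a trusted CA: install a trusted cert or trust the custom CA"
}

# Usage: sh check_nessus_cert.sh [servercert.pem] [ca-bundle.pem]; with no
# arguments, the constructed sample certificate is checked instead.
if [ $# -gt 0 ]; then report "$@"; else
    tmp=$(mktemp -d); make_sample_self_signed "$tmp/servercert.pem"; report "$tmp/servercert.pem"
fi
```

To check a live scanner, pipe fetch_server_cert's output to a file and pass it to report together with the CA bundle your browsers trust.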