Upload a Custom Server Certificate and CA Certificate

These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.

Note: You can run nessuscli commands on any operating system as long as you use the correct path format for your operating system (for example, /opt/* for Linux and \ProgramData\* for Windows).

Before you begin:

  • Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessus mkcert utility.

To upload a custom server certificate and CA certificate manually using the CLI:

  1. Stop the Nessus server.

  2. Back up the original Nessus CA and server certificates and keys.

    For the location of the default certificate files for your operating system, see Location of Certificate Files.

    Linux example:

    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig

    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig

    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

  3. Replace the original certificates with the new custom certificates:

    Note: The certificates must be unencrypted, and you must name them servercert.pem and serverkey.pem.

    Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).

    Linux example:

    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem

    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem

    cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem

  4. If prompted, overwrite the existing files.

  5. Start the Nessus server.

  6. In a browser, log in to the Nessus user interface as a user with administrator permissions.

  7. When prompted, verify the new certificate details.

    Subsequent connections should not show a warning if the certificate was generated by a CA that is trusted by the browser.
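
    The following script is an added example, not part of the Nessus documentation or tooling. It checks the files from step 3 before they are copied into place: that serverkey.pem carries no encryption markers, that servercert.pem holds one certificate, that no private key has been bundled into a certificate file, and that an optional serverchain.pem actually contains certificates. The staging directory, the function names, and the one-certificate expectation for servercert.pem are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not Tenable code): pre-flight checks for the step 3 files.
# Inspects PEM armor only; it does not parse or validate certificate contents.

# Return 0 for an unencrypted private key, 1 if encrypted, 2 if no key found.
key_is_unencrypted() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || return 2
    # PKCS#8 encrypted keys use a dedicated armor label.
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" && return 1
    # Traditional encrypted keys carry a Proc-Type header.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 1
    return 0
}

# Print the number of certificate blocks in FILE (nothing if unreadable).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Check a staging directory (hypothetical) that holds the files to be copied.
preflight() {
    local dir=$1 rc=0 f
    key_is_unencrypted "$dir/serverkey.pem" ||
        { echo "serverkey.pem: missing, not a private key, or encrypted" >&2; rc=1; }
    # Assumption: intermediates go in serverchain.pem, so expect one block here.
    [ "$(cert_count "$dir/servercert.pem")" = 1 ] ||
        { echo "servercert.pem: expected exactly one certificate" >&2; rc=1; }
    # The key is stored apart from the certificates; flag a key bundled with them.
    for f in servercert.pem serverchain.pem; do
        if grep -q 'PRIVATE KEY-----' "$dir/$f" 2>/dev/null; then
            echo "$f: contains a private key" >&2; rc=1
        fi
    done
    # serverchain.pem is optional; if present it must hold at least one certificate.
    if [ -e "$dir/serverchain.pem" ] && [ "$(cert_count "$dir/serverchain.pem")" = 0 ]; then
        echo "serverchain.pem: no certificates found" >&2; rc=1
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    preflight "$1"            # usage: ./preflight.sh /path/to/staging-dir
else                          # no argument: run on constructed sample files
    demo=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' >"$demo/serverkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' >"$demo/servercert.pem"
    preflight "$demo" && echo "constructed sample passed"
    rm -rf "$demo"
fi
```

    A passing result says only that the files have the expected PEM layout; whether the browser accepts the chain is still confirmed in step 7.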

What to do next: