Upload a Custom Server Certificate and CA Certificate
These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.
Before you begin:
- Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessus mkcert utility.
To upload a custom server certificate and CA certificate manually using the CLI:
- Stop the Nessus server.
- Back up the original Nessus CA and server certificates and keys.
  For the location of the default certificate files for your operating system, see Location of Certificate Files.
  Linux example:
    cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
    cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
    cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig
- Replace the original certificates with the new custom certificates:
  Note: The certificates must be unencrypted, and you must name them servercert.pem and serverkey.pem.
  Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
  Linux example:
    cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
    cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
    cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
- If prompted, overwrite the existing files.
- Start the Nessus server.
- In a browser, log in to the Nessus user interface as a user with administrator permissions.
- When prompted, verify the new certificate details.
Subsequent connections should not show a warning if the certificate was generated by a CA that is trusted by the browser.
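The two notes in the replace step (unencrypted key, complete chain) can be checked on the new files before anything is copied. The following is an added example, not part of the Nessus documentation or tooling; the function names are hypothetical, and it assumes openssl is installed and that the custom CA file is the root of the chain.

```shell
# Added example: pre-flight checks for the NEW files, run before copying them.
# Assumes openssl is installed and that the custom CA file is the chain's root.

# Returns 0 if the PEM private key is passphrase-protected. Covers PKCS#8
# ("ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type: 4,ENCRYPTED") keys.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Returns 0 if the certificate ($1) and private key ($2) share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the server certificate ($2) chains to the CA ($1). $3 is the
# optional intermediate bundle (serverchain.pem); pass "" when there is none.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# usage: preflight CA_CERT SERVER_CERT SERVER_KEY [CHAIN]
# Prints one line per failed check and returns the number of failures.
preflight() {
    fails=0
    if key_is_encrypted "$3"; then
        echo "FAIL: $3 is encrypted; Nessus needs an unencrypted key"
        fails=$((fails + 1))
    elif ! cert_matches_key "$2" "$3"; then
        echo "FAIL: $2 and $3 are not a matching pair"
        fails=$((fails + 1))
    fi
    if ! chain_verifies "$1" "$2" "${4:-}"; then
        echo "FAIL: $2 does not chain to $1 (intermediates missing?)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Example: preflight customCA.pem servercert.pem serverkey.pem serverchain.pem
```

A zero return status means all three checks passed; any failure leaves the original files untouched because nothing has been copied yet.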
What to do next:
- If Nessus does not already trust the CA, configure Nessus to Trust a Custom CA.