Upload a Custom Server Certificate and CA Certificate

These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.

Before you begin:

• Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessusmkcert utility.

To manually upload a custom server certificate and CA certificate using the CLI:

1. Stop the Nessus server.

2. Back up the original Nessus CA and server certificates and keys.

   For the location of the default certificate files for your operating system, see Upload a Custom Server Certificate and CA Certificate.

   Linux example:

   cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig

   cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig

   cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig

3. Replace the original certificates with the new custom certificates:

   Note: The certificates must be unencrypted, and must be named servercert.pem and serverkey.pem.

   Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
   

   Linux example:

   cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem

   cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem

   cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem

4. If prompted, overwrite the existing files.

5. Start the Nessus server.

6. In a browser, log in to the Nessus user interface as a user with administrator permissions.
7. When prompted, verify the new certificate details.

   Subsequent connections should not show a warning if the certificate was generated by a trusted CA.

What to do next:

• If the CA is not already trusted by Nessus, configure Nessus to Trust a Custom CA.