Upload a Custom Server Certificate and CA Certificate
These steps describe how to upload a custom server certificate and certificate authority (CA) certificate to the Nessus web server through the command line.
You can use the nessuscli import-certs command to validate the server key, server certificate, and CA certificate, check that they match, and copy the files to the correct locations. Alternatively, you can also manually copy the files.
Before you begin:
Ensure you have a valid server certificate and custom CA. If you do not already have your own, create a custom CA and server certificate using the built-in Nessusmkcert utility.
To upload a custom CA certificate using a single command:
Access Nessus from the CLI.
Type the following, replacing the server key, server certificate, and CA certificate with the appropriate path and filenames for each file.
nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path>
Nessus validates the files, checks that they match, and copies the files to the correct locations.
To manually upload a custom server certificate and CA certificate using the CLI:
Stop the Nessus server.
Back up the original Nessus CA and server certificates and keys.
For the location of the default certificate files for your operating system, see Upload a Custom Server Certificate and CA Certificate.
cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
cp /opt/nessus/com/nessus/CA/servercert.pem /opt/nessus/com/nessus/CA/servercert.pem.orig
cp /opt/nessus/var/nessus/CA/serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem.orig
Replace the original certificates with the new custom certificates:
Note: The certificates must be unencrypted, and must be named servercert.pem and serverkey.pem.
Note: If your certificate does not link directly to the root certificate, add an intermediate certificate chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
If prompted, overwrite the existing files.
Start the Nessus server.
- In a browser, log in to the Nessus user interface as a user with administrator permissions.
- When prompted, verify the new certificate details.
Subsequent connections should not display a warning if the certificate was generated by a trusted CA.
What to do next:
If the CA is not already trusted by Nessus, configure Nessus to Trust a Custom CA.