Trust a Custom CA

By default, Tenable Nessus trusts certificate authorities (CAs) based on root certificates in the Mozilla Included CA Certificate list. Tenable Nessus lists the trusted CAs in the known_CA.inc file in the Tenable Nessus directory. Tenable updates known_CA.inc when updating plugins.

If you have a custom root CA that is not included in the known CAs, you can configure Tenable Nessus to trust the custom CA for certificate authentication.

You can use either the Tenable Nessus user interface or the command-line interface (CLI).

Note: You can also configure individual scans to trust certain CAs. For more information, see Trusted CAs.
Note: For information about using custom SSL certificates, see Create SSL Client Certificates for Login.
Note: known_CA.inc and custom_CA.inc are used for trusting certificates in your network, and are not used for Nessus SSL authentication.

Before you begin:

To configure Tenable Nessus to trust a custom CA using the Tenable Nessus user interface:

  1. In the top navigation bar, click Settings.

    The About page appears.

  2. In the left navigation bar, click Custom CA.

    The Custom CA page appears.

  3. In the Certificate box, enter the text of your custom CA.

    Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.

    Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.

  4. Click Save.

    The CA is available for use in Nessus.

To configure Tenable Nessus to trust a custom CA using the CLI:

  1. Save your PEM-formatted CA as a text file.

    Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END CERTIFICATE-----.

    Tip: You can save more than one certificate in a single text file, including the beginning and ending text for each one.

  2. Rename the file to custom_CA.inc.
  3. Move the file to your plugins directory:

    The CA is available for use in Nessus.
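
A preflight check for the PEM text file from step 1, added here as an example and not Tenable code: it confirms that every block carries matching -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text, that each body decodes to a complete DER structure, and that no other PEM type (such as a private key) was pasted into the bundle. The function names are hypothetical, the sample data is constructed rather than a real certificate, and the check is structural only; it does not confirm that a certificate is a CA or how Nessus itself parses the file.

```python
import base64
import re

PEM_BLOCK = re.compile(  # any PEM block: captures its label and its body
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
MARKER = re.compile(r"-----(?:BEGIN|END) [A-Z0-9 ]+-----")

def der_length_ok(der: bytes) -> bool:
    """True if der is one outer ASN.1 SEQUENCE whose length matches exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text: str):
    """Return (certificate_count, problems) for a candidate custom_CA.inc."""
    problems, count = [], 0
    blocks = list(PEM_BLOCK.finditer(text))
    for i, m in enumerate(blocks, 1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected PEM type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append(f"block {i}: not a complete DER SEQUENCE")
            continue
        count += 1
    # Any marker left over after removing matched blocks is unpaired.
    if MARKER.search(PEM_BLOCK.sub("", text)):
        problems.append("unpaired BEGIN/END marker")
    if not blocks:
        problems.append("no PEM blocks found")
    return count, problems

def constructed_pem(label="CERTIFICATE", payload=bytes(300)) -> str:
    """Constructed sample: a DER SEQUENCE of zero bytes, not a real certificate."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"
```

Run check_bundle on the file contents before renaming it to custom_CA.inc, and continue only when the problems list is empty.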