Create a New Custom CA and Server Certificate

To allow SSL certificate authentication in Nessus, you must configure the Nessus web server with a certificate authority (CA) and server certificate.

This allows the web server to trust certificates issued by that CA for authentication. The generated certificate files must be owned by root:root; they are created with the correct permissions by default.

Note: You must re-link any connected Nessus Agents or managed scanners after loading new certificates.


  1. Create a new custom CA and server certificate for the Nessus server using the nessuscli mkcert command at the command line. This will place the certificates in their correct directories.

    When prompted for the hostname, enter the DNS name or IP address that you use to reach the server in the browser, for example https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

  2. If you want to use a CA certificate instead of the Nessus-generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

  3. If the certificates to be used for authentication are created by a CA other than the Nessus server, the CA certificate must be installed on the Nessus server.

  4. Configure the Nessus server for certificate authentication. Once certificate authentication is enabled, logging in with a username and password is disabled.

    Caution: Nessus does not support connecting Agents, Remote Scanners, or Managed Scanners using the force_pubkey_auth option. To support remote agents and scanners while force_pubkey_auth is enabled, configure an alternate port with the remote_listen_port setting in the Advanced Settings.

  5. Once the CA is in place and the force_pubkey_auth setting is enabled, restart the Nessus services with the service nessusd restart command.

    Note: Any linked Agents will still have the old certificate (ms_cert), and communication with the Nessus Manager will fail. Relink each Agent using the following commands:

    nessuscli agent unlink

    nessuscli agent link --host=<host> --port=<port> --key=<key> --groups=<group1,group2>

After Nessus has been configured with the proper CA certificate(s), you can log in to Nessus using SSL client certificates, Smart Cards, and CACs.
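The following shell functions are an added verification pass for the procedure above; they are not Tenable tooling. They assume openssl is installed, and the certificate paths, host, and port you pass in are placeholders for the files that nessuscli mkcert wrote and the address you configured.

```shell
#!/bin/sh
# Added checks for the CA/server certificate procedure (not Tenable's code).
# Paths passed to these functions are placeholders for your own files.
set -u

# Print "owner:group" of a file (GNU stat first, BSD stat as a fallback).
owner_of() {
  stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Return 0 when the file exists, is owned by the expected owner:group
# (root:root for generated Nessus certificate files) and is not
# world-writable; otherwise print the problem and return 1.
check_cert_file() {
  f=$1; want=${2:-root:root}
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  have=$(owner_of "$f")
  [ "$have" = "$want" ] || { echo "bad owner on $f: $have (want $want)"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case $mode in
    *[2367]) echo "world-writable ($mode): $f"; return 1 ;;
  esac
  return 0
}

# Return 0 when the server certificate chains to the given CA certificate,
# i.e. the CA that Nessus will trust for client-certificate logins is the
# one that actually issued the server certificate.
check_chain() {
  ca=$1; srv=$2
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1
}

# Return 0 when the live listener presents a certificate that verifies
# against the CA, confirming the service restart picked up the new files.
check_listener() {
  host=$1; port=${2:-8834}; ca=$3
  printf '' | openssl s_client -connect "$host:$port" -CAfile "$ca" \
    -verify_return_error >/dev/null 2>&1
}

# Example run with placeholder paths (substitute your own):
# check_cert_file /PLACEHOLDER/CA/cacert.pem \
#   && check_cert_file /PLACEHOLDER/CA/servercert.pem \
#   && check_chain /PLACEHOLDER/CA/cacert.pem /PLACEHOLDER/CA/servercert.pem \
#   && check_listener nessus.example 8834 /PLACEHOLDER/CA/cacert.pem \
#   && echo "certificate deployment looks consistent"
```

Run the checks as root after the service restart and before relinking agents, so an ownership or chain mistake is caught before every agent is re-keyed against it.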

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.