Create a New Server Certificate and CA Certificate

If you do not have your own custom certificate authority (CA) and server certificate (for example, a trusted certificate that your organization uses), you can use Tenable Nessus to create a new server certificate and CA certificate.

The Tenable Nessus CA signs this server certificate, which means your browser may report that the server certificate is untrusted.

Note: You need to be an administrator user or have root privileges to create a new custom CA and server certificate.
Note: The following steps are applicable to both Tenable Nessus scanners and Tenable Nessus Manager.

To create a new custom CA and server certificate:

  1. Access the Tenable Nessus CLI as an administrator user or a user with root privileges.

  2. Run the nessuscli mkcert command.

    This command places the certificates in their correct directories.

  3. When prompted for the hostname, enter the DNS name or IP address that you use to access the Tenable Nessus server in the browser, such as https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

What to do next:

  • Because the Nessus Certification Authority is not a trusted, valid certificate authority, the certificate is untrusted, which can result in the following:

    • Your browser may produce a warning regarding an unsafe connection when you access Tenable Nessus via HTTPS through port 8834.

    • Plugin 51192 may report a vulnerability when scanning the Tenable Nessus scanner host.

    To resolve either of those issues, Trust a Custom CA. For more information about how Tenable Nessus uses custom SSL server certificates and CAs, see Custom SSL Server Certificates.
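
The trust behavior described above, as an added example that is not part of the Tenable documentation and does not touch the files nessuscli mkcert writes. It builds a constructed private CA and server certificate with openssl (the hostname nessus.example.internal and all file names are assumptions) and shows that a client accepts the certificate only when it trusts the signing CA and connects by the name entered for the certificate.

```shell
#!/bin/sh
# Added example: a constructed CA and server certificate, not the files that
# nessuscli mkcert writes. HOST and all file names are assumptions.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="nessus.example.internal"   # constructed name, as entered at the hostname prompt

# Build a private CA and a server certificate signed by it.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Private CA/CN=Example Private CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null || return 1
  # The name is also placed in subjectAltName, which is what clients match on.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/servercert.pem" 2>/dev/null
}

# client_view <yes|no> <name>: how a client judges the server certificate.
#   $1  yes = client has imported cacert.pem, no = client uses its default store
#   $2  the name the client typed in the URL
client_view() {
  if [ "$1" = yes ]; then
    openssl verify -CAfile "$WORK/cacert.pem" \
      -verify_hostname "$2" "$WORK/servercert.pem"
  else
    openssl verify -verify_hostname "$2" "$WORK/servercert.pem"
  fi >/dev/null 2>&1 && echo trusted || echo untrusted
}

make_chain || echo "openssl failed to build the constructed chain" >&2
echo "CA not imported:          $(client_view no  "$HOST")"
echo "CA imported:              $(client_view yes "$HOST")"
echo "CA imported, other name:  $(client_view yes other.example.internal)"
```

The third line of output shows why step 3 asks for the name used in the browser: a certificate issued for one name fails verification when the server is reached by another, even after the CA is trusted.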