Create SSL Client Certificates for Login

You can configure Nessus to use SSL client certificate authentication for users to log in to Nessus when accessing Nessus on port 8834. After you enable certificate authentication, you can no longer log in using a username and password.

Caution: Nessus does not support connecting agents, remote scanners, or managed scanners after you enable SSL client certificate authentication. Configure an alternate port to enable supporting remote agents and scanners using the advanced setting remote_listen_port. For more information, see Advanced Settings.

If you configure SSL client certificate authentication, Nessus also supports:

• Smart cards
• Personal identity verification (PIV) cards
• Common Access Cards (CAC)

Before you begin:

• If you are using a custom CA, configure Nessus to trust certificates from your CA, as described in Trust a Custom CA.

To configure SSL client certificate authentication for Nessus user accounts:

1. Access the Nessus CLI as an administrator user or a user with equivalent privileges.

2. Set Nessus to allow SSL client certificate authentication.
   Linux

   # /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes

   macOS

   # /Library/Nessus/run/sbin/nessuscli fix --set force_pubkey_auth=yes

   Windows

   C:\Program Files\Tenable\Nessus\nessuscli.exe fix --set force_pubkey_auth=yes

3. Create a client certificate for each user you want to be able to log in to Nessus via SSL authentication.

   1. On the Nessus server, run the nessuscli mkcert-client command.

      Linux:

      # /opt/nessus/sbin/nessuscli mkcert-client

      macOS

      # /Library/Nessus/run/sbin/nessuscli mkcert-client

      Windows

      C:\Program Files\Tenable\Nessus\nessuscli.exe mkcert-client

   2. Complete the fields as prompted.

      Note: The answers you provided in the initial prompts remain as defaults if you create subsequent client certificates during the same session. However, you can change the values for each client certificate you create.

      Nessus creates the client certificates and places them in the Nessus temporary directory:

      • Linux: /opt/nessus/var/nessus/tmp/
      • macOS: /Library/Nessus/run/var/nessus/tmp/
      • Windows: C:\ProgramData\Tenable\Nessus\tmp

   3. Combine the two files (the certificate and the key) and export them into a format that you can import into the browser, such as .pfx.

      In the previous example, the two files were key_sylvester.pem and cert_sylvester.pem.

      For example, you can combine the two files by using the openssl program and the following command:

      # openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'

      Nessus creates the resulting file combined_sylvester.pfx in the directory where you launched the command.

4. Upload the certificate to your browser’s personal certificate store.

   Refer to the documentation for your browser.

5. Restart the Nessus service.

6. Log in to Nessus via https://<Nessus IP address or hostname>:8834 and select the username you created.