Create SSL Client Certificates for Login

You can configure Tenable Nessus to use SSL client certificate authentication for users to log in to Tenable Nessus when accessing Tenable Nessus on port 8834. After you enable certificate authentication, you can no longer log in using a username and password.

Caution: Tenable Nessus does not support connecting agents, remote scanners, or managed scanners after you enable SSL client certificate authentication. Configure an alternate port to enable supporting remote agents and scanners using the advanced setting remote_listen_port. For more information, see Advanced Settings.

If you configure SSL client certificate authentication, Tenable Nessus also supports:

• Smart cards
• Personal identity verification (PIV) cards
• Common Access Cards (CAC)

To configure SSL client certificate authentication for Tenable Nessus user accounts:

1. Access the Tenable Nessus CLI as an administrator user or a user with equivalent privileges.

2. Create a client certificate for each user you want to be able to log in to Tenable Nessus via SSL authentication.

   1. On the Tenable Nessus server, run the nessuscli mkcert-client command.

      Linux

      # /opt/nessus/sbin/nessuscli mkcert-client

      macOS

      # /Library/Nessus/run/sbin/nessuscli mkcert-client

      Windows

      C:\Program Files\Tenable\Nessus\nessuscli.exe mkcert-client

   2. Complete the fields as prompted.

      Note: The answers you provided in the initial prompts remain as defaults if you create subsequent client certificates during the same session. However, you can change the values for each client certificate you create.

      Tenable Nessus creates the client certificates and places them in the Tenable Nessus temporary directory:

      • Linux: /opt/nessus/var/nessus/tmp/
      • macOS: /Library/Nessus/run/var/nessus/tmp/
      • Windows: C:\ProgramData\Tenable\Nessus\tmp

   3. Combine the two files (the certificate and the key) and export them into a format that you can import into the browser, such as .pfx.

      In the previous example, the two files were key_sylvester.pem and cert_sylvester.pem.

      For example, you can combine the two files by using the openssl program and the following command:

      # openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'

      Tenable Nessus creates the resulting file combined_sylvester.pfx in the directory where you launched the command.

3. Upload the certificate to your browser’s personal certificate store.

   Refer to the documentation for your browser.

4. Set Tenable Nessus to allow SSL client certificate authentication.
   Linux

   # /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes

   Windows

   C:\Program Files\Tenable\Nessus\nessuscli.exe fix --set force_pubkey_auth=yes

   macOS

   # /Library/Nessus/run/sbin/nessuscli fix --set force_pubkey_auth=yes

5. Log in to Tenable Nessus via https://<Tenable Nessus IP address or hostname>:8834 and select the username you created.

What to do next:

• If you are using a custom CA, configure Tenable Nessus plugins to trust certificates from your CA, as described in Trust a Custom CA.