Custom SSL Server Certificates
By default, Tenable Nessus uses an SSL certificate signed by the Tenable Nessus certificate authority (CA), Nessus Certification Authority. During installation, Tenable Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to access Tenable Nessus over HTTPS through port 8834.
Because Nessus Certification Authority is not a trusted certificate authority, the certificate is untrusted, which can result in the following:
- Your browser may produce a warning regarding an unsafe connection when you access Tenable Nessus via HTTPS through port 8834.
- Plugin 51192 may report a vulnerability when scanning the Tenable Nessus scanner host.
To resolve these issues, you can use a custom SSL certificate generated by your organization or a trusted CA.
To configure Tenable Nessus to use custom SSL certificates, see the following:
- Create a New Server Certificate and CA Certificate — If your organization does not have a custom SSL certificate, create your own using the built-in Tenable Nessus mkcert utility.
- Upload a Custom Server Certificate and CA Certificate — Replace the default certificate that ships with Tenable Nessus.
- Trust a Custom CA — Add a custom CA to the list of CAs that Tenable Nessus trusts.
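Before you upload a custom server certificate and CA certificate, you can confirm that the private key belongs to the certificate, that the certificate chains to the CA you intend to trust, and that it is not close to expiry. The following shell check is an added example, not part of Tenable's documentation or tooling; it uses the standard openssl command line, and the function names, the your-ca.pem file name, the sample CN values, and the 30-day expiry window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Tenable code): pre-upload check for a custom server certificate.

# SHA-256 digest of the public key inside a certificate / inside a private key.
cert_pub_digest() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }
key_pub_digest()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }

# check_cert_bundle CERT KEY CA
# Returns 0 = ready to upload, 1 = key does not match certificate,
#         2 = certificate does not chain to CA,
#         3 = certificate has expired or expires within 30 days (assumed window).
check_cert_bundle() {
    cert=$1 key=$2 ca=$3
    if [ "$(cert_pub_digest "$cert")" != "$(key_pub_digest "$key")" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $ca"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: certificate expires within 30 days"; return 3
    fi
    echo "OK: key matches, chain verifies, not near expiry"
}

# Constructed sample PKI for trying the check offline: writes ca.pem/ca.key and
# server.pem/server.key into directory $1. The CN values are made up.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nessus.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.pem" 2>/dev/null
}

# Usage: sh check.sh servercert.pem serverkey.pem your-ca.pem
if [ "$#" -eq 3 ]; then check_cert_bundle "$@"; fi
```

A return code of 2 corresponds to the untrusted-chain condition described on this page: the certificate is signed by a CA other than the one you supplied.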
Troubleshooting
To troubleshoot common problems with using the default CA certificate with Tenable Nessus, see the following table:
Problem | Solution |
---|---|
Your browser reports that the Tenable Nessus server certificate is untrusted. | Do any of the following: |
Plugin 51192 reports that the Tenable Nessus server certificate is untrusted. For example: | Do any of the following: |
Plugin 51192 reports that an unknown CA was found at the top of the certificate chain. | Add your custom root CA to the list of CAs that Tenable Nessus trusts, as described in Trust a Custom CA. |