Create Tenable Network Monitor SSL Certificates for Login
You can log in to a Tenable Network Monitor server with SSL certificates. Once certificate authentication is enabled, username and password login is disabled. You must create the certificates using the nnm-make-cert command.
Note: When asked if you want to create a server certificate, select no to be prompted for the user certificate information.
To create Tenable Network Monitor SSL certificates for login:
-
On the Tenable Network Monitor server, run the nnm-make-cert command.
Operating System    Command
Linux               # /opt/nnm/bin/nnm-make-cert
Windows             C:\Program Files\Tenable\NNM\nnm-make-cert
-
Configure the client certificate by answering the various questions.
Two files, the certificate and the key, are created in the temporary directory.
Operating System    Directory
Linux               /opt/nnm/var/nnm/temp
Windows             C:\ProgramData\Tenable\NNM\nnm\temp
-
Combine and export the certificate and key file into a format that can be imported into the web browser, such as .pfx.
In the following example, where the username is admin, the files cert_admin.pem and key_admin.pem are combined into the file combined_admin.pfx.
Note: The username you type must correspond with an existing username in Tenable Network Monitor. By default, Tenable Network Monitor has only one administrative user. If you add another administrative user, then you can use more than one certificate.
openssl pkcs12 -export -out combined_admin.pfx -inkey key_admin.pem -in cert_admin.pem -chain -CAfile /opt/nnm/var/nnm/ssl/cacert.pem -passout 'pass:password' -name 'Tenable Network Monitor User Certificate for: admin'
The resulting file is created in the directory from which the command was launched.
Note: If your Tenable Network Monitor is managed by Tenable Security Center, you must concatenate the cert_admin.pem and key_admin.pem files into a new file (for example, "sc_admin.pem"). Upload this file to Tenable Security Center to log on to NNM using SSL certificates.
-
Import the combined file into the web browser's personal certificate store.
-
Configure the Tenable Network Monitor server for certificate authentication using the appropriate command for your operating system.
Once certificate authentication is enabled, username and password login is disabled.
Operating System    Command
Linux               # /opt/nnm/bin/nnm --config "Enable SSL Client Certificate Authentication" "1"
Windows             C:\Program Files\Tenable\NNM\nnm --config "Enable SSL Client Certificate Authentication" "1"
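The following is an added example, not part of Tenable's documentation, that wraps the "combine and export" step on Linux: it checks that the key matches the certificate and that the certificate chains to the CA file, then reads the export passphrase from a file so it does not appear in the process list or shell history. The function names, the passphrase file and the throwaway demo CA are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tenable's code). Function names, the passphrase file and
# the demo CA below are assumptions made for illustration.

make_pfx() {  # usage: make_pfx USER CERT KEY CAFILE PASSFILE OUT
    user=$1; cert=$2; key=$3; ca=$4; passfile=$5; out=$6
    # The public key in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2; return 3
    fi
    # The certificate must chain to the CA that -chain -CAfile will embed.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 4
    # umask 077 keeps the bundle, which holds the private key, owner-only.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
          -chain -CAfile "$ca" -passout "file:$passfile" \
          -name "Tenable Network Monitor User Certificate for: $user" ) || return 5
    # Re-open the bundle to confirm the passphrase and integrity check pass.
    openssl pkcs12 -in "$out" -passin "file:$passfile" -noout 2>/dev/null || return 6
}

# Constructed demo material: a throwaway CA plus an "admin" certificate and key,
# standing in for cacert.pem and the files written by nnm-make-cert.
make_demo_material() {  # usage: make_demo_material DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
        -keyout "$d/key_admin.pem" -out "$d/admin.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/admin.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/cert_admin.pem" 2>/dev/null || return 1
    printf '%s\n' 'constructed-demo-passphrase' > "$d/pass.txt"
}
```

Against a real installation, pass the cert_admin.pem and key_admin.pem files from the temporary directory and /opt/nnm/var/nnm/ssl/cacert.pem as the CA file; delete the passphrase file after importing the bundle into the browser.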