Create Self-Signed SSL Certificates for Tenable Network Monitor
By default, Tenable Network Monitor uses a self-signed SSL certificate for secure communication. You can generate a new self-signed certificate if your current certificate expires or if you need to update the certificate information.
Note: These certificates are specific to Tenable Network Monitor and are not compatible with CA-signed certificates. To install CA-signed SSL certificates, see Custom SSL Certificates. Additionally, if you created SSL certificates to log in to your Tenable Network Monitor host, you must recreate them.
Before you begin:
Before you generate a new certificate, you must stop the Tenable Network Monitor service.
- Open your terminal or command prompt.
- Stop the Tenable Network Monitor service:
  - Linux: # service nnm stop
  - Windows: Use the Services snap-in to stop the Tenable Network Monitor service.
To generate a new self-signed certificate for Tenable Network Monitor:
Use the nnm-make-cert utility to create a new certificate and private key.
- Navigate to the directory where Tenable Network Monitor is installed.
- Run the nnm-make-cert utility:
  - Linux: # /opt/nnm/bin/nnm-make-cert
  - Windows: C:\Program Files\Tenable\NNM\nnm-make-cert.exe
- When the utility prompts you with the question Do you want to create a NEW NNM SSL certificate?, answer y.
- Follow the on-screen prompts to enter your organization details, such as:
  - Country Name
  - State or Province
  - Common Name (use the FQDN or IP address of your Tenable Network Monitor server)
The utility generates two files in the ssl directory:
- cacert.pem
- servercert.pem
What to do next:
- Restart the Tenable Network Monitor service:
  - Linux: # service nnm restart
  - Windows: Restart the Tenable Network Monitor service from the Services snap-in.
- Open your browser and navigate to the Tenable Network Monitor interface (for example, https://<your-ip-address>:8835).
- Verify the new certificate details in your browser's security settings.
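A command-line complement to the browser check, as an added example that is not Tenable's code: it compares the SHA-256 fingerprint of the certificate the service presents on port 8835 with the certificate file on disk, which shows whether the restart picked up the regenerated certificate. The function names and the two arguments (the path to servercert.pem in the ssl directory, and the server's host name or IP address) are assumptions of this example, as is the assumption that servercert.pem holds the certificate the service presents.

```python
"""Added example: confirm the service presents the regenerated certificate."""
import hashlib
import re
import ssl
import sys

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate block in pem_text.

    Non-certificate blocks (for example a private key) are ignored.
    """
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in CERT_BLOCK.findall(pem_text)
    ]


def as_browser_form(hexdigest):
    """Format a hex digest as AA:BB:..., the form browsers display."""
    upper = hexdigest.upper()
    return ":".join(upper[i:i + 2] for i in range(0, len(upper), 2))


def served_matches_disk(disk_pem, served_pem):
    """True when the served certificate is one of the on-disk certificates."""
    served = pem_fingerprints(served_pem)
    return bool(served) and served[0] in pem_fingerprints(disk_pem)


def main(cert_path, host, port=8835):
    with open(cert_path) as fh:
        disk_pem = fh.read()
    # No CA bundle is passed, so the chain is not validated. That is expected
    # for a self-signed certificate: the fingerprint is the identity check.
    served_pem = ssl.get_server_certificate((host, port))
    print("served SHA-256:", as_browser_form(pem_fingerprints(served_pem)[0]))
    if served_matches_disk(disk_pem, served_pem):
        print("OK: service is presenting the certificate in", cert_path)
        return 0
    print("MISMATCH: service is not presenting", cert_path)
    return 1


if __name__ == "__main__":
    # Arguments: <path to servercert.pem in the ssl directory> <host or IP>
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

The printed fingerprint is the value to compare against the SHA-256 fingerprint shown in the browser's certificate viewer.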