Custom SSL Certificates

By default, Tenable Nessus Network Monitor is installed and managed using HTTPS and SSL support and uses port 8835. Default installations of Tenable Nessus Network Monitor use a self-signed SSL certificate.

To avoid browser warnings, use a custom SSL certificate specific to your organization. During the installation, Tenable Nessus Network Monitor creates two files that make up the certificate: servercert.pem and serverkey.pem. Replace these files with certificate files generated by your organization or a trusted CA. Also, you may have to update cacert.pem and cakey.pem if your servercert.pem is signed by intermediate CAs.

The certificate chain from your servercert.pem must be complete: the issuer of each certificate must match the subject of the next certificate up, either all the way to a root certificate or until the final intermediate CA links to the signing CA. The chain can be defined in cacert.pem or in a serverchain.pem file. Use the openssl s_client utility to troubleshoot your certificate chains; for example, openssl s_client -connect host_name:8835 -state -debug shows the certificates being presented and the subject/issuer links between them. You may have to consult a PKI expert to set up your certificates.

Before replacing the certificate files:

  1. Stop the Tenable Nessus Network Monitor server.

  2. Back up the original files in case you need to restore them.

  3. Replace the files and re-start the Tenable Nessus Network Monitor server.

Note: If the certificate is generated by a trusted CA, subsequent connections to the scanner do not show an error.

Certificate File Locations

  Operating System   Directory
  ----------------   -----------------------------------------------------
  Linux              /opt/nnm/var/nnm/ssl/servercert.pem
                     /opt/nnm/var/nnm/ssl/serverkey.pem
  Windows            C:\ProgramData\Tenable\NNM\nnm\ssl\servercert.pem
                     C:\ProgramData\Tenable\NNM\nnm\ssl\serverkey.pem
  macOS              /Library/NNM/var/nnm/ssl/servercert.pem
                     /Library/NNM/var/nnm/ssl/serverkey.pem

Optionally, you can use the /getcert switch to install the root CA in your browser, which removes the warning:

https://<IP address>:8835/getcert

To set up an intermediate certificate chain, place a file named serverchain.pem in the same directory as the servercert.pem file.

This file must contain the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Tenable Nessus Network Monitor server to its ultimate root certificate (one trusted by the user’s browser).
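The checks worth running before you restart the server, as an added example that is not Tenable's own code: it builds a throwaway root -> intermediate -> server PKI with openssl in a scratch directory (the CA names and the hostname nnm.example.test are constructed placeholders), then confirms that serverkey.pem belongs to servercert.pem, walks the subject/issuer links from servercert.pem through serverchain.pem up to the root, and asks openssl verify for an offline verdict. A second chain file that skips the intermediate shows what a broken link looks like.

```shell
#!/bin/sh
# Added example (not Tenable's code): build a throwaway root -> intermediate -> server
# PKI with openssl, then run the checks you would run on real NNM certificate files
# before restarting the server. Nothing here touches the NNM ssl directory.
set -eu

WORK=$(mktemp -d)   # scratch directory for the constructed PKI

# Print the RFC 2253 subject or issuer of a PEM certificate, e.g. "CN=Example Root CA".
name_of() {  # name_of subject|issuer CERT
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Split a concatenated PEM bundle (serverchain.pem style) into DIR/01.pem, DIR/02.pem, ...
split_pem() {  # split_pem BUNDLE DIR
    mkdir -p "$2"
    awk -v d="$2" '/-----BEGIN CERT/{n++; f=sprintf("%s/%02d.pem", d, n)}
                   f{print > f} /-----END CERT/{close(f); f=""}' "$1"
}

# Confirm serverkey.pem really is the private key for servercert.pem (same public key).
key_matches_cert() {  # key_matches_cert KEY CERT
    [ "$(openssl pkey -in "$1" -pubout | openssl md5)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl md5)" ]
}

# Walk issuer -> subject from the server cert through each intermediate to the root.
# Returns 1 (and names the break) at the first issuer the next certificate does not match.
check_linkage() {  # check_linkage SERVERCERT CHAIN ROOT
    tmp=$(mktemp -d); split_pem "$2" "$tmp"
    cur="$1"
    for next in "$tmp"/*.pem "$3"; do
        [ -f "$next" ] || continue
        if [ "$(name_of issuer "$cur")" != "$(name_of subject "$next")" ]; then
            echo "BROKEN: issuer '$(name_of issuer "$cur")' != next subject '$(name_of subject "$next")'"
            return 1
        fi
        echo "$(name_of subject "$cur") <- $(name_of subject "$next")"
        cur="$next"
    done
    # The walk must end at a self-signed certificate (the root).
    [ "$(name_of issuer "$cur")" = "$(name_of subject "$cur")" ] || { echo "BROKEN: last cert is not self-signed"; return 1; }
}

# openssl's own verdict: trust only ROOT, use CHAIN as untrusted intermediates.
verify_offline() {  # verify_offline ROOT CHAIN SERVERCERT
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Constructed demo PKI. A real deployment gets servercert.pem/serverkey.pem from its CA.
issue() {  # issue NAME SUBJECT EXTENSIONS [CA_NAME]   (self-signed when CA_NAME is omitted)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    printf '%b' "$3" > "$WORK/$1.ext"
    if [ $# -ge 4 ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
            -CAcreateserial -out "$WORK/$1.pem" -days 30 -extfile "$WORK/$1.ext" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -out "$WORK/$1.pem" -days 30 -extfile "$WORK/$1.ext" 2>/dev/null
    fi
}
issue root "/CN=Example Root CA" \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
issue intermediate "/CN=Example Intermediate CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' root
issue server "/CN=nnm.example.test" \
    'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:nnm.example.test\n' intermediate
cp "$WORK/server.pem" "$WORK/servercert.pem"; cp "$WORK/server.key" "$WORK/serverkey.pem"
cat "$WORK/intermediate.pem" > "$WORK/serverchain.pem"   # the 1-n intermediates, leaf's issuer first
cp "$WORK/root.pem" "$WORK/badchain.pem"                 # a chain that skips the intermediate

key_matches_cert "$WORK/serverkey.pem" "$WORK/servercert.pem" && echo "serverkey.pem matches servercert.pem"
check_linkage "$WORK/servercert.pem" "$WORK/serverchain.pem" "$WORK/root.pem"
verify_offline "$WORK/root.pem" "$WORK/serverchain.pem" "$WORK/servercert.pem"
check_linkage "$WORK/servercert.pem" "$WORK/badchain.pem" "$WORK/root.pem" || echo "(the break above is expected)"
```

On a live server the same three functions apply to the real files: point key_matches_cert at serverkey.pem and servercert.pem, check_linkage at servercert.pem, serverchain.pem and the root your users trust, and compare verify_offline's verdict with what openssl s_client reports once the server is back up.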

SSL Client Certificate Authentication

Tenable Nessus Network Monitor supports SSL client certificate authentication. When the browser is configured for this method, users can authenticate with SSL client certificates.

Tenable Nessus Network Monitor allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, use the Tenable Nessus Network Monitor-make-cert-client utility through the command line on the Tenable Nessus Network Monitor server.