
Nessus Configuration for Windows

Commands and Relevant Files

The following section describes the commands and relevant files involved in the Nessus SSL process on a Windows system.

Certificate Authority and Nessus Server Certificate

The command C:\Program Files\Tenable\Nessus\nessuscli mkcert creates the Certificate Authority and generates the server certificate. This command creates the following files:

| File Name Created | Purpose | Where to Copy to |
|---|---|---|
| C:\Program Files\Tenable\Nessus\nessus\CA\cacert.pem | This is the certificate for the Certificate Authority. If using an existing PKI, this will be provided to you by the PKI and must be copied to this location. | C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that need to authenticate using SSL. |
| C:\Program Files\Tenable\Nessus\nessus\CA\servercert.pem | This is the public certificate for the Nessus server that is sent in response to a CSR. | C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that need to authenticate using SSL. |
| C:\Program Files\Tenable\Nessus\nessus\CA\cakey.pem | This is the private key of the Certificate Authority. It may or may not be provided by the Certificate Authority, depending on whether they allow the creation of sub users. | C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that need to authenticate using SSL. |
| C:\Program Files\Tenable\Nessus\nessus\CA\serverkey.pem | This is the private key of the Nessus server. | C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that need to authenticate using SSL. |

Nessus Client Keys

The Nessus user, which in this case is the user ID that SecurityCenter uses to communicate with the Nessus server, is created by the command C:\Program Files\Tenable\Nessus\nessuscli mkcert-client.

This command creates the keys for the Nessus clients and optionally registers them appropriately with the Nessus server by associating a distinguished name (dname) with the user ID. It is important to respond y (yes) when prompted to register the user with the Nessus server for this to take effect. The user name may vary and is referred to here as user.

The certificate filename is a concatenation of cert_, the user name you entered, and .pem. Likewise, the key filename is a concatenation of key_, the user name you entered, and .pem.

The following files are created by this command:

| File Name Created | Purpose |
|---|---|
| C:\Documents and Settings\<UserAccount>\Local Settings\Temp\nessus-xxxxxxxx\cert_<user>.pem | This is the public certificate for the specified user. |
| C:\Documents and Settings\<UserAccount>\Local Settings\Temp\nessus-xxxxxxxx\key_<user>.pem | This is the private key for the specified user. |
| C:\Program Files\Tenable\Nessus\nessus\users\<user_name>\auth\dname | This is the distinguished name to be associated with this user. The distinguished name consists of a number of attribute fields in the format shown below. |

The dname is written in the following format:

"/C={country}/ST={state}/L={location}/OU={organizational unit}/O={organization}/CN={common name}"

Creating and Deploying SSL Authentication for Nessus

Create Keys and User on Nessus Server

Create the Certificate Authority and Nessus server certificate using the command C:\Program Files\Tenable\Nessus\nessuscli mkcert and provide the requested information.

Caution: Any Nessus Scanner that has previously processed scans will not initially accept these keys, because a policies.db will already have been created on the Nessus Scanner. Remove the policies.db from the Nessus Scanner to ensure the deployment finishes successfully.

To remove the policies.db on a Linux system issue this command as root:

rm /opt/nessus/var/nessus/users/<UserName>/policies.db


To remove the policies.db on a Windows system, navigate to the C:\Program Files\Tenable\Nessus folder and remove the policies.db file. The actual location of the policies.db differs depending on the version of Windows that is running.

Next, create the user ID, key, and certificate that the Nessus client (SecurityCenter in this case) uses to log in to the Nessus server. This is done with the command C:\Program Files\Tenable\Nessus\nessuscli mkcert-client. If the user does not exist in the Nessus user database, it is created. If it does exist, it is registered to the Nessus server and has a distinguished name (dname) associated with it. It is important to respond y (yes) when prompted to register the user with the Nessus server for this to take effect. The user must be a Nessus admin, so answer y when asked. The following example shows the prompts and typical answers:

The certificates created contain the username entered previously, in this case admin, and are located in the directory listed in the example screen capture above (e.g., C:\Documents and Settings\<UserAccount>\Local Settings\Temp\nessus-00007fb1). In that directory, the certificate and key files in this example are named cert_admin.pem and key_admin.pem.

Transfer Certificates and Keys to SecurityCenter

Transfer the cert_admin.pem and key_admin.pem files to a desired location on SecurityCenter, change into that directory and concatenate them as follows:

# cat cert_admin.pem key_admin.pem > nessuscert.pem

Note: The nessuscert.pem file will be used when configuring the Nessus scanner on SecurityCenter. This file needs to be copied to somewhere accessible for selection from your web browser during the Nessus configuration.
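As an added example that is not part of the Tenable documentation, the following Python reproduces the concatenation step above and sanity-checks the resulting nessuscert.pem bundle (one certificate followed by one private key, in the order the cat command produces) before it is uploaded to SecurityCenter; it also parses a dname string in the format described under Nessus Client Keys. The PEM bodies and the dname values are constructed placeholders, not real key material.

```python
import re

# Constructed placeholder PEM blocks: the bodies are not real key material;
# only the BEGIN/END markers matter for the structural checks below.
CERT_ADMIN = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCertBody==\n-----END CERTIFICATE-----\n"
KEY_ADMIN = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedKeyBody==\n-----END PRIVATE KEY-----\n"

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n", re.S)

REQUIRED_DNAME_FIELDS = {"C", "ST", "L", "OU", "O", "CN"}


def build_bundle(cert_pem: str, key_pem: str) -> str:
    """Equivalent of `cat cert_<user>.pem key_<user>.pem > nessuscert.pem`."""
    return cert_pem + key_pem


def check_bundle(bundle: str) -> list:
    """Return the PEM block labels in order, raising if the bundle is not
    exactly one certificate followed by one private key (RSA or PKCS#8)."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(bundle)]
    if len(labels) != 2:
        raise ValueError(f"expected 2 PEM blocks, found {len(labels)}: {labels}")
    if labels[0] != "CERTIFICATE" or not labels[1].endswith("PRIVATE KEY"):
        raise ValueError(f"expected certificate then private key, got {labels}")
    return labels


def bundle_is_valid(bundle: str) -> bool:
    """Boolean wrapper around check_bundle for quick pre-upload checks."""
    try:
        check_bundle(bundle)
        return True
    except ValueError:
        return False


def parse_dname(dname: str) -> dict:
    """Parse a "/C=.../ST=.../.../CN=..." dname string into a dict and verify
    every field from the documented format is present. Values containing a
    literal '/' are not supported by this simple splitter."""
    s = dname.strip().strip('"')
    if not s.startswith("/"):
        raise ValueError("dname must start with '/'")
    fields = {}
    for part in s[1:].split("/"):
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed dname field: {part!r}")
        fields[key] = value
    missing = REQUIRED_DNAME_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"dname missing fields: {sorted(missing)}")
    return fields
```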

Configure Nessus Daemons

To enable certificate authentication on the Nessus server, the force_pubkey_auth setting must be enabled. Once enabled, logging in to the Nessus server is only possible with SSL certificates; username and password login is disabled. As the root (or equivalent) user on the Nessus server, run the following command:

C:\Program Files\Tenable\Nessus\nessuscli fix --set force_pubkey_auth=yes

Open the Nessus Server Manager GUI, click Stop Nessus Server and then click Start Nessus Server.

Change the Nessus Mode of Authentication

From the SecurityCenter web UI, go to Resources and then Nessus Scanners. Change the authentication mode from Password Based to SSL Certificate. During the setup of the Nessus scanner, select the previously created nessuscert.pem file for the Certificate field, then click Submit to confirm.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.