Upload Custom CA Certificate

  1. Copy your PEM encoded certificate into a text file and name it custom_CA.inc. Make sure you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and everything in between. (If you need to upload multiple certificates, paste them all in back-to-back.)
  2. Create a text file named custom_feed_info.inc containing the following two lines:

    PLUGIN_SET = "201310161758";

    PLUGIN_FEED = "Custom";

    Note: The PLUGIN_SET date should be the same as the time at which the bundle is uploaded to SecurityCenter. It cannot be later than the current date/time on SecurityCenter.

    Note: For the regular feed, PLUGIN_SET is a string of digits in the format "YYYYMMDDHHMM", so that format is used here as well.

  3. Tar the two files into a .tar.gz archive (7-Zip or running tar on a Mac will not work for this):

    # tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc

  4. Upload the archive.

SecurityCenter 4:

a. Log into SecurityCenter as admin

b. Go to Plugins -> Plugins

c. Click Upload Plugins

d. Change Plugin Type to Custom

e. Click Browse, then Choose File, and select your upload_this.tar.gz

f. Click Upload, then Add

SecurityCenter 5.x:

a. Log in to SecurityCenter as admin

b. Click the admin's user name in the upper right-hand corner of the screen and select "Plugins"

c. Click "Upload Custom Plugins," then "Submit"

  5. Verify that the upload was successful:

SecurityCenter 4:

a. Go to Status -> Logs

b. Change Source to Administrator and click Search

SecurityCenter 5:

a. Go to System -> System Logs

b. You should see logs similar to the attached screenshot

  6. (SecurityCenter 4 only) Go to Plugins > Plugins and update plugins. A new plugin set prompts SecurityCenter to push plugins out to the scanners. Once the update completes, go to Resources > Nessus Scanners and wait for the scanners to switch from Updating Plugins to Working. SecurityCenter 5 should push the plugins to the scanners at its earliest convenience.
  7. Verify that the issue is resolved by running another scan that includes plugin 51192. You can confirm that Nessus has the custom plugin bundle by checking its plugin directory.

Note: The custom_CA.inc file is overwritten every time it is uploaded. When adding additional CA certificates, start with a copy of the existing custom_CA.inc and append the new certificate(s). If there are multiple certificates in the file, it should look like this:

-----BEGIN CERTIFICATE-----
blahblahblahblahblahblah732r
certificatestuffjsdhfgjklssahjkh
sefejhawklmkfjskmcjgkdsfmads
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblahblahblahblahblah79zc
morecertificatestuffsdg3a5tgh
fhdsthjgsfkdjt9845y6389fjsa3
-----END CERTIFICATE-----

Note: Step 6 above, updating SecurityCenter plugins to initiate a plugin push to the Nessus scanners, will only work if the plugin feed being downloaded by SecurityCenter is newer than the plugin set on the Nessus scanners. If it is still the same plugin set because Tenable has not yet released a newer plugin feed, wait a few hours for the next plugin feed to become available and then update again, or wait for the scheduled plugin update to run overnight.
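As an added example (not Tenable's code and not part of this article), the following POSIX shell script performs steps 1 to 3 and follows the append-not-overwrite advice in the note above: it checks that every input file has matching BEGIN/END CERTIFICATE lines with base64 bodies (so a truncated marker or a DER/PKCS#7 file is rejected), concatenates the inputs into custom_CA.inc (pass the existing custom_CA.inc first), writes custom_feed_info.inc with PLUGIN_SET set to the current minute, and packs both with tar. It assumes GNU tar and coreutils (base64, date) and that it is run on the SecurityCenter host or a clock-synced host in the same time zone, so the PLUGIN_SET stamp is not in SecurityCenter's future.

```shell
#!/bin/sh
# Added example, not Tenable's code. Assumes GNU tar and coreutils (base64, date).
set -e

# pem_cert_count FILE: validate the PEM armour and print the number of certificates.
# Only exact marker lines count, so a truncated "-----END CERTIFICATE----" shows up
# as a BEGIN/END mismatch. CRLF line endings are tolerated.
pem_cert_count() {
    begins=$(tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(tr -d '\r' < "$1" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1: BEGIN/END CERTIFICATE markers mismatched ($begins vs $ends)" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$begins" ]; do
        i=$((i + 1))
        # The body of certificate i (between its markers) must decode as base64.
        tr -d '\r' < "$1" \
            | awk -v n="$i" '/^-----BEGIN CERTIFICATE-----$/ { c++ } c == n && !/^-----/' \
            | base64 -d > /dev/null 2>&1 \
            || { echo "$1: certificate $i body is not base64 (not PEM?)" >&2; return 1; }
    done
    echo "$begins"
}

# build_bundle OUTDIR PEM...: concatenate the PEM files into custom_CA.inc (pass the
# existing custom_CA.inc first so earlier CAs are kept), write custom_feed_info.inc
# with PLUGIN_SET = now as YYYYMMDDHHMM, and pack both into upload_this.tar.gz.
# Run it on the SecurityCenter host (or a clock-synced host in the same time zone).
build_bundle() {
    out="$1"; shift
    : > "$out/custom_CA.inc"
    for pem in "$@"; do
        pem_cert_count "$pem" > /dev/null
        tr -d '\r' < "$pem" >> "$out/custom_CA.inc"
        # Ensure a trailing newline so the next BEGIN line starts on a line of its own.
        tail -c1 "$out/custom_CA.inc" | grep -q . && echo >> "$out/custom_CA.inc"
    done
    stamp=$(date +%Y%m%d%H%M)
    printf 'PLUGIN_SET = "%s";\nPLUGIN_FEED = "Custom";\n' "$stamp" > "$out/custom_feed_info.inc"
    # Plain GNU tar as in the article; 7-Zip and the Mac tar are said not to work.
    (cd "$out" && tar -zcf upload_this.tar.gz custom_feed_info.inc custom_CA.inc)
    echo "$stamp"
}
# Usage: sh build_bundle.sh OUTDIR /opt/sc4/data/customNasl/custom_CA.inc new_ca.pem
if [ $# -ge 2 ]; then
    build_bundle "$@"
fi
```

The script prints the PLUGIN_SET it wrote, so you can compare it with the plugin set SecurityCenter reports after the upload.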

Troubleshooting

If this process does not work, check the following items:

  1. custom_CA.inc format - The CA certificate should be in PEM (Base64) format. To verify, open it in a text editor. The certificate should be between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If you do not see those lines, the file is in the wrong format and should be converted to PEM (Base64) format.
  2. /opt/sc4/data/customNasl/custom_CA.inc - If the SecurityCenter installation is not on the Appliance, check the uploaded custom_CA.inc with the following command:

    # cat /opt/sc4/data/customNasl/custom_CA.inc

    The output should match the custom_CA.inc file that you checked in a text editor in troubleshooting step 1 above. If the file does not exist, the upload was not successful. If the file does not match, the most recent upload may not have been successful. Go over the steps above for creating and uploading upload_this.tar.gz and ensure they are being followed correctly.

  3. /opt/nessus/lib/nessus/plugins/custom_CA.inc or \ProgramData\Tenable\Nessus\nessus\plugins\custom_CA.inc

    If Nessus is not on the Appliance, navigate to the plugins folder and cat (or, on Windows, type) custom_CA.inc to verify that it exists and matches the custom_CA.inc contents verified in troubleshooting steps 1 and 2 above. If custom_CA.inc does not exist in the plugins folder, or does not match the most recent custom_CA.inc in SecurityCenter, it has not propagated to the scanner. Check Resources > Nessus Scanners in SecurityCenter to see whether the scanner is still updating plugins. If it is in a Working state, try updating the active plugins in SecurityCenter to prompt a plugin push. See the second note above about plugin feed versions. If the plugin feed version has not incremented and the customer really has to push plugins right now, see the following article: Force plugin update on scanner managed by SecurityCenter (Comparable to nessus-update-plugins -f)

  4. Plugin output

    Adding the custom CA certificate to custom_CA.inc will not resolve the issue if the cause is something else: the service is missing intermediate certificate(s); the service has a self-signed or default certificate (if it is not self-signed with the server name, it may be issued by a vendor name such as "Nessus Certification Authority") rather than a certificate signed by the custom CA at all; the certificate is expired; and so on. Look at the detailed output of plugin 51192 to see exactly why the certificate is untrusted. If custom_CA.inc will fix it, the output will say that the certificate at the top of the certificate chain is unrecognized, and the certificate it shows will be either issued by the custom CA (with the name matching *exactly*) or the custom CA's own self-signed certificate.
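To check a candidate custom_CA.inc against a service's certificate before uploading anything, this added example (not Tenable's code; Nessus uses its own CA bundle, so openssl verify is only an approximation of what plugin 51192 decides) maps the openssl verify result onto the cases listed above: trusted, top of chain unrecognized, self-signed, or expired. make_demo builds constructed test material (a private "Example Custom CA" with one leaf it issued, plus an unrelated self-signed server certificate) covering the unrecognized-root and self-signed cases; it assumes openssl 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not Tenable's code. Assumes openssl 1.1 or later on PATH.
set -e

# verify_reason CAFILE LEAF [INTERMEDIATES]: verify LEAF trusting CAFILE (plus the
# host's default CA directory) and print OK, UNRECOGNIZED_ROOT, SELF_SIGNED,
# EXPIRED or OTHER:<openssl message>, mirroring the cases a 51192 report can show.
verify_reason() {
    ca="$1"; leaf="$2"; chain="${3:-}"
    if [ -n "$chain" ]; then
        msg=$(openssl verify -CAfile "$ca" -untrusted "$chain" "$leaf" 2>&1 || true)
    else
        msg=$(openssl verify -CAfile "$ca" "$leaf" 2>&1 || true)
    fi
    case "$msg" in
        *": OK") echo OK ;;
        # The chain's own root was presented but is not trusted: adding that root
        # to custom_CA.inc is the fix, provided it really is the custom CA.
        *"self signed certificate in certificate chain"*|\
        *"self-signed certificate in certificate chain"*) echo UNRECOGNIZED_ROOT ;;
        *"self signed certificate"*|*"self-signed certificate"*) echo SELF_SIGNED ;;
        *"certificate has expired"*) echo EXPIRED ;;
        # Issuer neither presented nor known: unknown CA or a missing intermediate.
        *"unable to get local issuer certificate"*|\
        *"unable to get issuer certificate"*) echo UNRECOGNIZED_ROOT ;;
        *) echo "OTHER:$msg" ;;
    esac
}

# make_demo DIR: constructed test material, a private "Example Custom CA" with one
# leaf it issued, plus an unrelated self-signed server certificate.
make_demo() {
    d="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Example Custom CA" \
        -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" > /dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" > /dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" > /dev/null 2>&1
    openssl req -x509 -new -key "$d/leaf.key" -subj "/CN=app.example.test" \
        -days 30 -out "$d/selfsigned.pem" > /dev/null 2>&1
}
# Usage: sh verify_reason.sh CAFILE LEAF [INTERMEDIATES], or "demo" to run the demo.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_demo "$d"
    echo "leaf vs its CA:    $(verify_reason "$d/ca.pem" "$d/leaf.pem")"
    echo "leaf vs wrong CA:  $(verify_reason "$d/selfsigned.pem" "$d/leaf.pem")"
    echo "self-signed vs CA: $(verify_reason "$d/ca.pem" "$d/selfsigned.pem")"
elif [ $# -ge 2 ]; then
    verify_reason "$@"
fi
```

Only UNRECOGNIZED_ROOT results are candidates for custom_CA.inc, and then only when the issuer shown in the plugin output is the custom CA itself.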


Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.