Using a Custom SSL Certificate

SecurityCenter ships with its own default SSL certificate; however, in many cases it is desirable to obtain a custom SSL certificate for enhanced security.

Note: In the example below, two certificate files were received from the CA: “host.crt” and “host.key”. These file names will vary depending on the CA used.

Tip: The custom certificate email address must not be “SecurityCenter@SecurityCenter” or subsequent upgrades will not retain the new certificate.

Use the steps below to upload a custom SSL certificate to your SecurityCenter:

  1. Back up the current certificates, which are located in the /opt/sc/support/conf directory. These files are named SecurityCenter.crt and SecurityCenter.key. In the example below, we are placing the backups in /tmp.

    # cp /opt/sc/support/conf/SecurityCenter.crt /tmp/SecurityCenter.crt.bak

    # cp /opt/sc/support/conf/SecurityCenter.key /tmp/SecurityCenter.key.bak

  2. Copy the new certificates (e.g., host.crt and host.key) to the /opt/sc/support/conf directory and overwrite the current certificates. If prompted to overwrite, press “y”.

    # cp host.crt /opt/sc/support/conf/SecurityCenter.crt

    # cp host.key /opt/sc/support/conf/SecurityCenter.key

  3. Make sure the files have the correct permissions (644) and ownership (tns) as follows:

    # ls -l /opt/sc/support/conf/SecurityCenter.crt

    -rw-r--r--  1 tns tns  4389 May 15 15:12 SecurityCenter.crt

    # ls -l /opt/sc/support/conf/SecurityCenter.key

    -rw-r--r--  1 tns tns   887 May 15 15:12 SecurityCenter.key

    Caution: If an intermediate certificate is required, it must be copied to the system and given the correct permissions (644) and ownership (tns). Additionally, the line in /opt/sc/support/conf/vhostssl.conf that begins with #SSLCertificateChainFile must have the “#” removed from the beginning of the line to enable the setting. Modify the path and filename to match the certificate that was uploaded.

  4. Restart the SecurityCenter services:

    # service SecurityCenter restart

  5. Browse to SecurityCenter using SSL (e.g., https://192.168.1.5). When prompted to confirm the SSL certificate, verify the new certificate details.
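
The script below is an added example, not part of Tenable's documentation. Run before step 2, it confirms that host.key matches host.crt, that the certificate has not expired, and that its e-mail address is not the reserved one from the Tip; `has_mode_owner` covers the check in step 3. It assumes the openssl CLI and GNU stat are installed, and all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Tenable code): pre-flight checks for a CA-issued pair
# before it overwrites SecurityCenter.crt / SecurityCenter.key.
RESERVED_EMAIL='SecurityCenter@SecurityCenter'   # address from the Tip above

# 0 if the private key ($2) belongs to the certificate ($1): public keys equal.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if the certificate has not passed its notAfter date.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the certificate does not carry the reserved default e-mail address.
email_is_custom() {
    ! openssl x509 -in "$1" -noout -email 2>/dev/null |
        grep -qixF "$RESERVED_EMAIL"
}

# 0 if file $1 has octal mode $2 and owner $3 (GNU stat), e.g. 644 and tns.
has_mode_owner() {
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Run the checks in order; the return code says which one failed.
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; return 1; }
    not_expired "$1" || { echo "FAIL: certificate has expired" >&2; return 2; }
    email_is_custom "$1" || { echo "FAIL: e-mail is $RESERVED_EMAIL" >&2; return 3; }
    echo "OK: $1 and $2 passed pre-flight checks"
}

# Usage: ./preflight.sh host.crt host.key   (file names as in the Note above)
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

After step 3, `has_mode_owner /opt/sc/support/conf/SecurityCenter.crt 644 tns` (and the same for the .key file) confirms the permissions and ownership the procedure calls for.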

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.