Upload a Custom CA Certificate

To upload a custom CA-signed certificate:

  1. Copy your PEM-encoded certificate into a text file.
  2. Name it Ensure you include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and everything in between. (If you need to upload multiple certificates, paste them all back-to-back.)
  3. Create a new text file named and include the following 2 lines:

    PLUGIN_SET = "201310161758";

    PLUGIN_FEED = "Custom";

    Note: The PLUGIN_SET date should be the same as the time the bundle is uploaded to SecurityCenter. It cannot be after the present date/time in SC.

    Note: The typical format for PLUGIN_SET is a string of numbers in the format YYYYMMDDHHMM for the regular feed so that format is copied here.

  4. Tar the 2 files into a .tar.gz archive. (7-Zip or running tar on a Mac does not work for this.)

    # tar -zcvf upload_this.tar.gz

  5. Upload the archive to SecurityCenter:
  6. Log in to SecurityCenter as an administrator user.

  7. Click Username > Plugins.
  8. Click Upload Custom Plugins.
  9. Click Submit.
  10. To verify the upload succeeded, click System > System Logs. You should see logs similar to the following:

  11. To verify your issue is resolved, run another scan including plugin 51192. Verify that Nessus has the custom plugin bundle by checking its plugin directory.

Note: The file is overwritten every time it is uploaded. When adding additional CA certificates, start with a copy of the existing and append the new certificate. If there are multiple certificates in the file, it should look like this:

If this process does not work, check the following items:

The format

The CA certificate should be in PEM (Base64) format. To verify, open it in a text editor. The certificate should be between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If you do not see those lines, it is in the wrong format and should be changed to PEM (Base64) format.
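
A scripted version of this format check, combined with the PLUGIN_SET rule from step 3 and the archive command from step 4 (an added example, not Tenable's code). The three file names are passed as arguments, the 12-digit PLUGIN_SET format is treated as required, and the local clock is assumed to agree with SecurityCenter's.

```sh
#!/bin/sh
# Added example: pre-upload checks for the certificate file and feed-info file.
# Both file names are arguments; this script assumes no particular names.

# count_pem_certs FILE: print the number of certificate blocks in FILE.
# Fails on an unpaired marker, an empty block, a non-Base64 body line,
# or a file with no PEM certificate at all (for example a DER file).
count_pem_certs() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF endings
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; body = 0; next }
        /^-----END CERTIFICATE-----$/   { if (!inside || !body) bad = 1; inside = 0; n++; next }
        inside && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        inside { body++ }
        END { if (bad || inside || n == 0) exit 1; print n }
    ' "$1"
}

# check_plugin_set FILE [NOW]: print PLUGIN_SET if it is 12 digits (YYYYMMDDHHMM)
# and not later than NOW. NOW defaults to the local clock, which is assumed to
# agree with the SecurityCenter host's clock.
check_plugin_set() {
    now=${2:-$(date +%Y%m%d%H%M)}
    stamp=$(sed -n 's/^[[:space:]]*PLUGIN_SET[[:space:]]*=[[:space:]]*"\([0-9]\{12\}\)";.*/\1/p' "$1" | head -n 1)
    [ -n "$stamp" ] || { echo "$1: PLUGIN_SET missing or not 12 digits" >&2; return 1; }
    grep -q '^[[:space:]]*PLUGIN_FEED[[:space:]]*=[[:space:]]*"Custom";' "$1" ||
        { echo "$1: PLUGIN_FEED is not \"Custom\"" >&2; return 1; }
    [ "$stamp" -le "$now" ] || { echo "$1: PLUGIN_SET $stamp is after $now" >&2; return 1; }
    echo "$stamp"
}

# build_bundle CERT_FILE FEED_FILE OUT: run both checks, then tar the two files
# from their shared directory so the archive holds bare file names (assumption).
# Prints the number of certificates that went into the archive.
build_bundle() {
    certs=$(count_pem_certs "$1") || { echo "$1: not a valid PEM bundle" >&2; return 1; }
    check_plugin_set "$2" >/dev/null || return 1
    [ "$(dirname "$1")" = "$(dirname "$2")" ] || { echo "put both files in one directory" >&2; return 1; }
    tar -zcf "$3" -C "$(dirname "$1")" "$(basename "$1")" "$(basename "$2")" || return 1
    echo "$certs"
}

if [ "$#" -eq 3 ]; then build_bundle "$@"; fi
```

The certificate count it prints is a quick way to confirm that an appended certificate made it into the file before the previous upload is overwritten.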

The /opt/sc/data/customNasl/ file

If the SecurityCenter installation is not on the Appliance, check the uploaded with the following command:

    # cat /opt/sc/data/customNasl/

The output should match the file that you checked in a text editor in step T1 above. If the file does not exist, the upload was not successful. If the file does not match, the most recent upload may not have been successful. Go over the steps above for creating and uploading upload_this.tar.gz and ensure it is done correctly.

The /opt/nessus/lib/nessus/plugins/ or \ProgramData\Tenable\Nessus\nessus\plugins\ file

If Nessus is not on the Appliance, navigate to the plugins folder and cat or type to verify it exists and matches the file contents verified in steps 1 and 2 above. If does not exist in the plugins folder, or does not match the most recent in SecurityCenter, it has not propagated to the scanner. Check Resources > Nessus Scanners in SecurityCenter to see if the scanner is still updating plugins. If it is in a Working state, try updating the active plugins in SecurityCenter to prompt a plugin push. If the plugin feed version has not incremented and the customer must push plugins immediately, see the following article: Force plugin update on scanner managed by SecurityCenter (Comparable to nessus-update-plugins -f).

The plugin output

Adding the custom CA certificate does not resolve the issue in every case: for example, if the service is missing intermediate certificate(s), if the service has a self-signed or default certificate (if not self-signed with the server name, it may be issued by a vendor name like Nessus Certification Authority) rather than a certificate signed by the custom CA, or if the certificate is expired.

Look at the detailed plugin output of 51192 to see exactly why the certificate is untrusted. If can fix it, the output states that the certificate at the top of the certificate chain is unrecognized, and the certificate it shows is either issued by the custom CA (matching the name exactly) or the actual custom CA self-signed certificate.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.