Upload a Server Certificate for Tenable Security Center

Required Tenable Security Center User Role: Root user

For information about Tenable Security Center server certificates, see Tenable Security Center Server Certificates.

Note: When uploading a certificate file to Tenable Security Center, you must use a PEM file. The custom certificate email address must not be SecurityCenter@SecurityCenter or subsequent upgrades cannot retain the new certificate.

Before you begin:

  • Save your new server certificate and key files as host.crt and host.key.

To upload a server certificate for Tenable Security Center:

  1. Log in to Tenable Security Center via the user interface.

  2. Back up the existing SecurityCenter.crt and SecurityCenter.key files located in the /opt/sc/support/conf directory.

    For example:

    # cp /opt/sc/support/conf/SecurityCenter.crt /tmp/SecurityCenter.crt.bak

    # cp /opt/sc/support/conf/SecurityCenter.key /tmp/SecurityCenter.key.bak

  3. To rename the host.crt and host.key files and copy them to the /opt/sc/support/conf directory, run:

    # cp host.crt /opt/sc/support/conf/SecurityCenter.crt

    # cp host.key /opt/sc/support/conf/SecurityCenter.key

    If prompted, type y to overwrite the existing files.

  4. To confirm the files have the correct permissions (640) and ownership (tns), run:

    # ls -l /opt/sc/support/conf/SecurityCenter.crt

    -rw-r----  1 tns tns  4389 May 15 15:12 SecurityCenter.crt

    # ls -l /opt/sc/support/conf/SecurityCenter.key

    -rw-r----  1 tns tns   887 May 15 15:12 SecurityCenter.key

    Note: If an intermediate certificate is required, it must also be copied to the system and given the correct permissions (640) and ownership (tns). Additionally, you must remove the # from the line in /opt/sc/support/conf/vhostssl.conf that begins with #SSLCertificateChainFile to enable the setting. Modify the path and filename to match the uploaded certificate.

    If necessary, change the ownership or permissions.

    1. To change the ownership, run:

      # chown tns:tns /opt/sc/support/conf/SecurityCenter.crt\

      # chown tns:tns /opt/sc/support/conf/SecurityCenter.key

    2. To change the permissions, run:

      # chmod 640 /opt/sc/support/conf/SecurityCenter.crt

      # chmod 640 /opt/sc/support/conf/SecurityCenter.key

  5. Restart the Tenable Security Center service:

    # service SecurityCenter restart

  6. In a browser, log in to the Tenable Security Center user interface as a user with administrator permissions.

  7. When prompted, verify the new certificate details.

What to do next:

  • If you uploaded a self-signed server certificate and plugin 51192 reports that the CA for your self-signed certificate is untrusted, upload the custom CA certificate to Tenable Nessus.