Prerequisites for Linking Tenable Sensor Proxy to Tenable Security Center
To successfully link standalone or Tenable Core instances of Tenable Sensor Proxy to Tenable Security Center, your Tenable Security Center SSL/TLS certificate must meet certain requirements. To determine if the current Tenable Security Center certificates meet those requirements, use the following procedure:
- Log in to the Tenable Sensor Proxy or Tenable Security Center system via SSH.
- Run one of the following commands, depending on which system you are logged in to:
  - Tenable Sensor Proxy system
    openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | awk '/BEGIN/,/END/' | openssl x509 -noout -text | grep -A 1 'Subject Alternative'
  - Tenable Security Center system
    openssl x509 -noout -text -in /opt/sc/support/conf/SecurityCenter.crt | grep -A 1 'Subject Alternative Name'
Depending on what command output you see, proceed in one of the following ways:
- If no output is shown when you run the command, see Regenerate the Tenable Security Center Server Certificate in the Tenable Security Center User Guide and regenerate the server certificate. After you regenerate the server certificate, proceed to Prepare for Linking.
- If output like the following is shown but neither the hostname nor the IP address shown matches the FQDN or IP address of the Tenable Security Center system, see Regenerate the Tenable Security Center Server Certificate in the Tenable Security Center User Guide and regenerate the server certificate. After you regenerate the server certificate, proceed to Prepare for Linking.
    X509v3 Subject Alternative Name:
    DNS:sc-host-name, IP Address:10.10.10.10
- If the output is shown and the hostname and IP address shown match the FQDN or IP address of the Tenable Security Center system, proceed to Prepare for Linking.
Based on details about your organization's Tenable Security Center certificate, you may need to perform additional checks and steps before or during the Tenable Sensor Proxy linking process:
- If you want to link standalone Tenable Sensor Proxy or Tenable Core + Tenable Sensor Proxy to Tenable Security Center, and your organization has a public server certificate, proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Tenable Sensor Proxy in Tenable Core (for Tenable Core + Tenable Sensor Proxy installation/linking).
  During either installation/linking process, you do not need to specify a CA path when prompted.
- If you want to link standalone Tenable Sensor Proxy or Tenable Core + Tenable Sensor Proxy to Tenable Security Center, and your organization has a Tenable Security Center-generated server certificate, proceed to Install Sensor Proxy (for standalone Sensor Proxy installation/linking) or Configure Tenable Core + Tenable Sensor Proxy in Tenable Core (for Tenable Core + Tenable Sensor Proxy installation/linking).
  During either installation/linking process, you must specify /opt/sc/data/ca/TenableCA.crt as the CA path.
(Optional) Gather Information
- Determine the origin of your Tenable Security Center server certificate.
- Determine the creation date of your Tenable Security Center server certificate.
- Determine the platform for Tenable Sensor Proxy (Tenable Core or standalone installation).
- Determine the platform for Tenable Security Center (Tenable Core or standalone installation).
- If the Tenable Security Center system is on Tenable Core, determine the version and installation date of the relevant Tenable Core packages.
To determine the origin of your Tenable Security Center server certificate:
- On the Tenable Sensor Proxy system, run the following command:
  openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | awk '/BEGIN/,/END/' | openssl x509 -noout -issuer
- On the Tenable Security Center system, run the following command as root/tns:
  openssl x509 -noout -issuer -in /opt/sc/support/conf/SecurityCenter.crt
If the output from either of those commands contains:
- CN=Locally generated Tenable Core CA: The certificate is Tenable Core-generated.
- OU = "INSECURE Certificate Authority for Tenable, Inc.": The certificate is Tenable Security Center-generated.
- Other value or values: The certificate is publicly or privately generated.
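The SAN check and the issuer check above, written as shell functions that work on the text the openssl commands print. This is an added example, not Tenable's code; the function names, the output strings and the sample issuer line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Inputs are text printed by the openssl commands.

# Return 0 if $2 (FQDN or IP) is a DNS or IP Address entry in SAN line $1,
# e.g. "DNS:sc-host-name, IP Address:10.10.10.10".
# Exact, case-insensitive comparison; wildcard entries are not expanded.
san_matches() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    old_ifs=$IFS
    IFS=,
    for entry in $1; do
        # Trim whitespace left around each comma-separated entry.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            DNS:*)          value=${entry#DNS:} ;;
            "IP Address:"*) value=${entry#"IP Address:"} ;;
            *)              continue ;;
        esac
        value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        if [ "$value" = "$want" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Classify the issuer line. Matches on the value only, because openssl
# versions differ in spacing around "=" (CN=... versus CN = ...).
classify_issuer() {
    case $1 in
        *"Locally generated Tenable Core CA"*) echo core-generated ;;
        *"INSECURE Certificate Authority for Tenable, Inc."*) echo sc-generated ;;
        *) echo public-or-private ;;
    esac
}

# Print the next step for SAN line $1, expected host $2 and issuer line $3.
link_check() {
    if ! san_matches "$1" "$2"; then echo "regenerate server certificate"; return 0; fi
    origin=$(classify_issuer "$3")
    if [ "$origin" = sc-generated ]; then
        echo "proceed origin=$origin ca=/opt/sc/data/ca/TenableCA.crt"
    else
        echo "proceed origin=$origin"
    fi
}

# Constructed sample input: SAN line from the example output, made-up issuer line.
SAMPLE_SAN='DNS:sc-host-name, IP Address:10.10.10.10'
SAMPLE_ISSUER='issuer=O = Example, OU = "INSECURE Certificate Authority for Tenable, Inc."'
link_check "$SAMPLE_SAN" 10.10.10.10 "$SAMPLE_ISSUER"
link_check "$SAMPLE_SAN" sc.example.internal "$SAMPLE_ISSUER"
```

An empty SAN line (no output from the grep command) takes the same "regenerate" branch as a mismatch.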
Linking Tenable Sensor Proxy to Tenable Security Center introduces a few
To determine the creation date of your Tenable Security Center server certificate:
- On the Tenable Sensor Proxy system, run the following command:
  openssl s_client -connect <securitycenter_hostname_or_ip>:443 < /dev/null 2> /dev/null | awk '/BEGIN/,/END/' | openssl x509 -noout -startdate
- On the Tenable Security Center system, run the following command as root/tns:
  openssl x509 -noout -startdate -in /opt/sc/support/conf/SecurityCenter.crt
To determine the version and installation date of the relevant Tenable Core packages:
- From the Tenable Core + Tenable Security Center system, run:
  rpm -q --qf 'Package: %{nvr}\nInstall Date: %{installtime:day}\n\n' {tc-certificate,tc-securitycenter}-{frontend,backend}
The following is an example of the command output:
Package: tc-certificate-frontend-24-1.tc8
Install Date: Fri Feb 28 2025
Package: tc-certificate-backend-24-1.tc8
Install Date: Fri Feb 28 2025
Package: tc-securitycenter-frontend-33-1.tc8
Install Date: Wed Feb 19 2025
Package: tc-securitycenter-backend-33-1.tc8
Install Date: Wed Feb 19 2025