Configure Tenable.sc to Allow SSL Client Certificate Authentication

You must configure the Tenable.sc server to allow SSL client certificate connections. For complete information about certificate authentication, see Certificate Authentication.

To allow SSL client certificate authentication:

  1. Open the /opt/sc/support/conf/sslverify.conf file in a text editor.
  2. Edit the SSLVerifyClient setting:

    Value: Description

    • none (default): Tenable.sc does not accept SSL certificates for user authentication.
    • require: Tenable.sc requires a valid SSL certificate for user authentication.
    • optional: Tenable.sc accepts but does not require a valid SSL certificate for user authentication. If a user does not present a certificate, they can log in via username and password.
      Note: Some browsers may not connect to Tenable.sc when you use the optional setting.
    • optional_no_ca: Tenable.sc accepts valid and invalid SSL certificates for user authentication.
      Tip: This setting does not configure reliable user authentication, but you can use it to troubleshoot issues with your SSL connection and determine whether there is an issue with the key or the CA.

  3. Edit the SSLVerifyDepth setting to specify the length of the certificate chain you want Tenable.sc to accept for user authentication. For example:

    • When set to 0, Tenable.sc accepts self-signed certificates.
    • When set to 1, Tenable.sc does not accept intermediate certificates. Tenable.sc accepts self-signed certificates or certificates signed by known CAs.
    • When set to 2, Tenable.sc accepts up to 1 intermediate certificate. Tenable.sc accepts self-signed certificates, certificates signed by known CAs, or certificates signed by unknown CAs whose certificate was signed by a known CA.
  4. Save the file.

    Tenable.sc saves your configuration.
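
After saving, it is worth checking that the file was not left in a troubleshooting mode such as optional_no_ca. The following audit script is an added example, not part of the Tenable documentation or product. It assumes sslverify.conf holds Apache-style "Directive value" lines with "#" comments; the function names and the sample file content are constructed for illustration.

```python
# Added example: audit of the two sslverify.conf settings described on this page.
# Assumption: the file holds Apache-style "Directive value" lines with "#" comments.
CLIENT_MODES = {
    "none": ("warn", "certificate authentication is off (default)"),
    "require": ("ok", "a valid client certificate is required"),
    "optional": ("warn", "certificate not required; username/password login still works"),
    "optional_no_ca": ("fail", "invalid certificates accepted; troubleshooting only"),
}

def parse_settings(text):
    """Return {lowercased directive: value}; the last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit(text):
    """Return a list of (severity, message) findings for the two settings."""
    settings = parse_settings(text)
    findings = []
    mode = settings.get("sslverifyclient", "none")  # the page lists none as the default
    severity, meaning = CLIENT_MODES.get(mode.lower(), ("fail", "unrecognized value"))
    findings.append((severity, f"SSLVerifyClient {mode}: {meaning}"))
    depth = settings.get("sslverifydepth")
    if depth is None:
        findings.append(("warn", "SSLVerifyDepth is not set in this file"))
    elif not (depth.isascii() and depth.isdigit()):
        findings.append(("fail", f"SSLVerifyDepth {depth}: not a non-negative integer"))
    else:
        # Generalizes the page's examples: depth n allows up to n - 1 intermediates.
        allowed = max(int(depth) - 1, 0)
        findings.append(("ok", f"SSLVerifyDepth {depth}: up to {allowed} intermediate certificate(s) accepted"))
    return findings

# Constructed sample: a file left in troubleshooting mode.
SAMPLE = """\
# constructed sample, not a real server's file
SSLVerifyClient optional_no_ca
SSLVerifyDepth 2
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

To check a real server, pass the contents of /opt/sc/support/conf/sslverify.conf to audit() in place of SAMPLE.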