Troubleshooting Issues with the custom_CA.inc File

If uploading a custom_CA.inc file does not resolve your issue, confirm your file meets the requirements described in custom_CA.inc Guidelines. Then, use these tips to continue troubleshooting.

The /opt/sc/data/customNasl/custom_CA.inc file

If the Tenable Security Center installation is not on the Appliance, check the uploaded custom_CA.inc with the following command:

# cat /opt/sc/data/customNasl/custom_CA.inc

The output should match the custom_CA.inc file that you checked in a text editor in step T1 above. If the file does not exist, the upload was not successful. If the file does not match, the most recent upload may not have been successful. Review the steps above for creating and uploading upload_this.tar.gz and confirm that each was completed correctly.

The /opt/nessus/lib/nessus/plugins/custom_CA.inc or \ProgramData\Tenable\Nessus\nessus\plugins\custom_CA.inc file

If Nessus is not on the Appliance, navigate to the plugins folder and cat or type custom_CA.inc to verify it exists and matches the custom_CA.inc file contents verified in steps 1 and 2 above. If custom_CA.inc does not exist in the plugins folder, or does not match the most recent custom_CA.inc in Tenable Security Center, it has not propagated to the scanner. Check Resources > Nessus Scanners in Tenable Security Center to see if the scanner is still updating plugins. If it is in a Working state, try updating the active plugins in Tenable Security Center to prompt a plugin push. If the plugin feed version has not incremented and the customer must push plugins immediately, see the following article: Force plugin update on scanner managed by Tenable Security Center (Comparable to nessus-update-plugins -f).
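One way to make this comparison without reading cat or type output by eye, as an added example that is not Tenable's code: it assumes custom_CA.inc holds PEM-encoded certificates, and the function names are hypothetical. It fingerprints each certificate, so CRLF line endings on a Windows scanner do not register as a mismatch, and it flags truncated or malformed blocks.

```python
import base64
import hashlib
import pathlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(text):
    """Return (sha256 fingerprints, problems) for the PEM blocks in the text."""
    problems = []
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    if begins != ends:  # typical of a truncated or badly pasted upload
        problems.append(f"{begins} BEGIN lines but {ends} END lines")
    prints = []
    for n, match in enumerate(PEM_BLOCK.finditer(text), 1):
        body = "".join(match.group(1).split())  # drops CR/LF and indentation
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            problems.append(f"block {n}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate starts with SEQUENCE
            problems.append(f"block {n}: decoded data is not a DER SEQUENCE")
            continue
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints and not problems:
        problems.append("no certificate blocks found")
    return prints, problems

def compare_copies(sc_text, scanner_text):
    """Compare the Security Center copy with the scanner's plugins-folder copy."""
    sc, sc_problems = cert_fingerprints(sc_text)
    scanner, scanner_problems = cert_fingerprints(scanner_text)
    problems = [f"Security Center copy: {p}" for p in sc_problems]
    problems += [f"scanner copy: {p}" for p in scanner_problems]
    return {
        "match": not problems and set(sc) == set(scanner),
        "missing_on_scanner": [p for p in sc if p not in scanner],
        "extra_on_scanner": [p for p in scanner if p not in sc],
        "problems": problems,
    }

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_ca.py <Security Center copy> <scanner copy>")
    texts = [pathlib.Path(p).read_text(encoding="utf-8", errors="replace")
             for p in sys.argv[1:3]]
    print(compare_copies(*texts))
```

A non-empty missing_on_scanner list with no problems reported points to propagation rather than to the file itself.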

The plugin 51192 output details

Adding the custom CA certificate to custom_CA.inc does not resolve the issue if the service is missing intermediate certificate(s), if the service has a self-signed or default certificate (if not self-signed with the server name, it may be issued by a vendor name like Nessus Certification Authority) and not a certificate signed by their custom CA at all, if the certificate is expired, etc.

Look at the detailed plugin output of 51192 to see exactly why the certificate is untrusted. If custom_CA.inc can fix it, the output states that the certificate at the top of the certificate chain is unrecognized, and the certificate it shows is either issued by the custom CA (matching the name exactly) or the actual custom CA self-signed certificate.