Resolving Plugin 51192

You can resolve plugin 51192 via the following Tenable applications:

  1. Copy your PEM encoded certificate into a text file and name it custom_CA.txt.

    Note: Be sure to include everything between, and including, the ---BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    Tip: If you need to upload multiple certificates, paste each certificate back-to-back within the same file.

  2. Save the .txt file.

  3. Log into Tenable Vulnerability Management.

  4. Navigate to Settings > Vulnerability Management Scans.

  5. Create or edit a scan, and navigate to the scan's SettingsAdvanced menu.

  6. In the Trusted CAs text box, paste the text from the custom_CA.txt file.

  7. Click Save.

  1. Copy your PEM encoded certificate into a text file and name it custom_CA.txt.

    Note: Be sure to include everything between, and including, the ---BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    Tip: If you need to upload multiple certificates, paste each certificate back-to-back within the same file.

  2. Save the .txt file.

  3. Log into Tenable Nessus.

  4. Navigate to Settings > Custom CA.

  5. In the Certificate text box, paste the text from the custom_CA.txt file.

  6. Click Save.

  1. Copy your PEM encoded certificate into a text file and name it custom_CA.inc.

    Note: Be sure to include everything between, and including, the ---BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    Tip: If you need to upload multiple certificates, paste each certificate back-to-back within the same file.

  2. Save the .txt file.

  3. Create a text file named custom_feed_info.inc and include the following lines:
    PLUGIN_SET = "201310161758";
    PLUGIN_FEED = "Custom";

    Note: The plugin set date should be the same as the time you upload the bundle to Tenable Security Center. It cannot be after the present date/time.

    Tip: The typical format for PLUGIN_SET is a string of numbers in the format "YYYYMMDDHHMM" for the regular feed, so that format is copied here.

  4. Tar the two files into a .tar.gz archive:

    # tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc

    Note: You cannot use 7-zip or run tar on macOS for this step.

  5. Log into Tenable Security Center as an administrator.

  6. Navigate to Plugins > Upload Custom Plugins.

  7. Click Submit.

  8. On your machine, navigate to System > System Logs and verify the logs indicate that zero plugins have been updated.

    Tenable Security Center pushes the plugins to the appropriate scanners during its normal update process.

  9. To verify the issue is resolved, run another scan including plugin 51192. To verify that Tenable Nessus has the custom plugin bundle, check its plugin directory.

Notes

Updating Tenable Security Center plugins to initiate a plugin push to the Tenable Nessus scanners only works if the plugin feed downloaded by Tenable Security Center is newer than the plugin set on the Tenable Nessus scanners. If Tenable has not yet released a newer plugin feed, wait for the next plugin feed to be available before updating.

The custom_CA.inc file is overwritten every time it is uploaded. When adding additional CA certificates, start with a copy of the existing custom_CA.inc and append the new certificate. If there are multiple certificates in the file, it should look like this:

-----BEGIN CERTIFICATE-----
Lorem ipsum dolor sit amet
consectetuer adipiscing elit
Phasellus hendrerit Pellentesque
aliquet nibh nec urna.
-----END CERTIFICATE----
-----BEGIN CERTIFICATE-----
Lorem ipsum dolor sit amet
consectetuer adipiscing elit
Phasellus hendrerit Pellentesque
aliquet nibh nec urna.
-----END CERTIFICATE----

Troubleshooting

If the above instructions do not work, check the following items:

Custom_CA.inc Format

The CA certificate should be in PEM (Base64) format. To verify, open it in a text editor. The certificate should be between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If you do not see these lines, the file is in the wrong format. Change the file to PEM (Base64) format either through a conversion or through a fresh export.

Plugin Output

Other issues can be, for example, that the service is missing intermediate certificate(s), the service has a self-signed or default certificate (if not self-signed with the server name, it may be issued by a vendor name like "Nessus Certification Authority") and not a certificate signed by their custom CA, the certificate is expired, etc. Look at the detailed plugin output of 51192 to see exactly why the certificate is untrusted. If updating custom_CA.inc can fix the error, the output indicates that the certificate at the top of the certificate chain is unrecognized. The certificate it shows is either issued by the custom CA (matching the name *exactly*) or the actual custom CA self-signed certificate.