Specifications

Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
The following table lists the location of the certificate files based on the operating system:

Operating System          Certificate File Locations
Linux                     /opt/nessus/com/nessus/CA/servercert.pem
                          /opt/nessus/var/nessus/CA/serverkey.pem
FreeBSD                   /usr/local/nessus/com/nessus/CA/servercert.pem
                          /usr/local/nessus/var/nessus/CA/serverkey.pem
Windows Vista and later   C:\ProgramData\Tenable\Nessus\nessus\CA\
Mac OS X                  /Library/Nessus/run/com/nessus/CA/servercert.pem
                          /Library/Nessus/run/var/nessus/CA/serverkey.pem
Nessus 6 supports SSL certificate chains. You can also visit https://[IP address]:8834/getcert to install the root CA in your browser, which removes the browser's certificate warning.

To set up an intermediate certificate chain, a file named serverchain.pem must be placed in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server certificate up to its ultimate root certificate (one trusted by the user's browser).
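The following shell script is an added example, not part of the Nessus guide and not Tenable's code. It builds a throwaway root CA, intermediate CA and server certificate with openssl, assembles serverchain.pem from the intermediate exactly as described above, and then uses openssl verify to confirm the leaf chains to the root only when the chain file is supplied. The hostname nessus.example and the scratch directory $WORK are assumptions; the generated keys are constructed test material, not the keys produced by nessuscli mkcert.

```shell
#!/bin/sh
# Added example (not from the Nessus guide): build a serverchain.pem and
# check with openssl that servercert.pem chains to the root through it.
# nessus.example and the $WORK scratch directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a constructed test PKI (root -> intermediate -> server) so the
# example runs offline. File names mirror the Nessus CA directory layout.
make_test_pki() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nessus.example\n' > server.ext

    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -days 30 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.pem 2>/dev/null

    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -days 30 -in intermediate.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out intermediate.pem 2>/dev/null

    # Server certificate signed by the intermediate (the Nessus servercert.pem)
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=nessus.example' \
        -keyout serverkey.pem -out server.csr 2>/dev/null
    openssl x509 -req -days 30 -in server.csr -CA intermediate.pem -CAkey intermediate.key \
        -CAcreateserial -extfile server.ext -out servercert.pem 2>/dev/null
}

# serverchain.pem is the intermediate certificates concatenated, leaf-side
# first (one here), placed in the same directory as servercert.pem.
build_chain_file() {
    cd "$WORK"
    cat intermediate.pem > serverchain.pem
}

# Returns 0 when servercert.pem validates up to root.pem via the chain file.
verify_with_chain() {
    cd "$WORK"
    openssl verify -CAfile root.pem -untrusted serverchain.pem servercert.pem >/dev/null 2>&1
}

# Returns 0 when verification WITHOUT the chain file fails, which is what a
# browser that only trusts the root sees when serverchain.pem is missing.
verify_without_chain_fails() {
    cd "$WORK"
    if openssl verify -CAfile root.pem servercert.pem >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

make_test_pki
build_chain_file
verify_with_chain && echo "chain OK: servercert.pem -> serverchain.pem -> root.pem"
verify_without_chain_fails && echo "without serverchain.pem the leaf does not verify (as expected)"
```

The same openssl verify invocation, pointed at the real servercert.pem and serverchain.pem in the Nessus CA directory and at the CA bundle your browsers trust, is a quick way to confirm the chain file is complete before restarting the service.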
Authenticating To Nessus with SSL Certificate
SSL Client Certificate Authentication
Nessus supports SSL client certificate authentication. This allows the use of SSL client certificates, smart cards, and CAC authentication when the browser is configured for this method.

Nessus allows either password-based or SSL certificate authentication for user accounts. When creating a user for SSL certificate authentication, the nessuscli mkcert-client utility is run from the command line on the Nessus server.
Configure Nessus for Certificates
The first step to allow SSL certificate authentication is to configure the Nessus web server with a server certificate and CA. This process allows the web server to trust certificates created by the Certificate Authority (CA) for authentication purposes. Files generated for certificates must be owned by root:root; the generated files have the correct permissions by default.
1. (Optional) Create a new custom CA and server certificate for the Nessus server using the nessuscli mkcert command at the command line. This places the certificates in their correct directories.
When prompted for the hostname, enter the DNS name or IP address that users type into the browser, such as https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.
2. If a CA certificate is to be used instead of the Nessus-generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:
Linux/Unix:
# cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/ORIGcacert.pem