Specifications
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. 
Windows Vista and later: 
C:\> copy \ProgramData\Tenable\Nessus\nessus\CA\cacert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\ORIGcacert.pem
3.  If the certificates to be used for authentication are created by a CA other than the Nessus server, the CA 
certificate must be installed on the Nessus server: 
Linux/Unix: 
Copy the organization’s CA certificate to /opt/nessus/com/nessus/CA/cacert.pem 
Windows 7 and later: 
Copy the organization’s CA certificate to C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem 
4.  Configure the Nessus server for certificate authentication. Once certificate authentication is enabled, login using a 
username and password is disabled. 
Linux/Unix: 
# /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes 
Windows: 
C:\> "\Program Files\Tenable\Nessus\nessuscli" fix --set force_pubkey_auth=yes
5.  Once the CA is in place and the force_pubkey_auth setting is enabled, restart the Nessus services with the 
service nessusd restart command. 
After Nessus has been configured with the proper CA certificate(s), users may log in to Nessus using SSL client 
certificates, Smart Cards, and CACs. 
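Added example (not from the Tenable guide): because step 4 disables username and password login, it is worth confirming before enabling it that each user's client certificate chains to the CA file installed in step 3 and is not about to expire. check_client_cert and make_constructed_pki are hypothetical helper names, and the certificates the second helper generates are constructed throwaway sample data.

```shell
#!/bin/sh
# Added example: pre-flight check to run before force_pubkey_auth=yes.
# check_client_cert and make_constructed_pki are hypothetical helpers,
# not part of nessuscli. Requires the openssl command-line tool.

# check_client_cert CA_PEM CLIENT_PEM [MIN_DAYS_LEFT]
# Returns 0 = usable, 1 = does not chain to CA, 2 = expiring, 3 = unreadable.
check_client_cert() {
    ca=$1; cert=$2; min_days=${3:-7}
    if [ ! -r "$ca" ] || [ ! -r "$cert" ]; then
        echo "FAIL: cannot read $ca or $cert" >&2; return 3
    fi
    # The client certificate must verify against the CA file Nessus trusts;
    # -purpose sslclient also rejects certificates not valid for client auth.
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2; return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2; return 2
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample data: a throwaway CA (ca.pem), a user certificate it
# signed (user.pem, 30 days) and an unrelated CA (other.pem), written to DIR.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/user.pem" 2>/dev/null
}

# Real use: check_client_cert /opt/nessus/com/nessus/CA/cacert.pem user-cert.pem
if [ $# -ge 2 ]; then check_client_cert "$@"; fi
```

Run the check for at least one administrator's certificate and keep the ORIGcacert.pem backup from the earlier step until a certificate login has been confirmed.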
Create Nessus SSL Certificates for Login 
To log in to a Nessus server with SSL certificates, the certificates must be created with the proper utility: the
nessuscli mkcert-client command-line utility, run on the Nessus server. The utility first asks six questions that set
defaults for the creation of users during the current session: certificate lifetime, country, state, location,
organization, and organizational unit. These defaults may be changed during the actual user creation if desired. The
user(s) will then be created one at a time as prompted. At the end of the process the certificates are copied
appropriately and are used to log in to the Nessus server.
1.  On the Nessus server, run the nessuscli mkcert-client command. 
Linux/Unix: 
# /opt/nessus/sbin/nessuscli mkcert-client 
Windows (Run as a local Administrator user): 
C:\> "\Program Files\Tenable\Nessus\nessuscli" mkcert-client
2.  Fill in the fields as prompted. The process is identical on a Linux/Unix or Windows server. 
Do you want to register the users in the Nessus server as soon as you create their 
certificates ? [n]: y 
------------------------------------------------------------------------------- 
  Creation Nessus SSL client Certificate 
------------------------------------------------------------------------------- 
This script will now ask you the relevant information to create the SSL 
client certificates for Nessus. 
Client certificate life time in days [365]: 










