Add your own root CA to Nessus’ scanner

Hi all,

Having scanned a host with Nessus I happened upon this error: “The server’s X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.”

Whilst having a certificate signed by a known Certificate Authority (CA) is a basic SSL requirement, many organisations will have their own root CA.

The wonderful people at Tenable created a Nessus plugin for this problem back in December 2010. It basically supports custom CAs, and allows you to add your own root CA into the Nessus scanner’s trusted list.

Simply do the following:

1. Save your root CA’s public certificate(s) in PEM format into a text file (you can put multiple certificates in the same file).

2. Rename that file to custom_CA.inc

3. Move this file to your plugins directory (/opt/nessus/lib/nessus/plugins on Linux, C:\Program Files\Tenable\Nessus\plugins\ on Windows and /Library/Nessus/run/lib/nessus/plugins on Mac OS X).

4. That’s it. There’s no need to restart Nessus. You’re free to re-scan.
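As an added example (not from the original post or from Tenable), here is a small Python helper that assembles the contents of custom_CA.inc from one or more PEM files and refuses anything that is not a public certificate, so a private key pasted into the file by mistake never ends up in the plugins directory. The sample constant is a constructed placeholder (a minimal DER SEQUENCE, not a real certificate), and the checks are structural only (PEM label, base64, leading DER tag); they do not parse X.509 fields.

```python
import base64
import re

# Constructed sample: a syntactically valid PEM block whose payload is a tiny
# DER SEQUENCE, not a real certificate. Replace with your root CA's PEM.
SAMPLE_ROOT_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_ca_bundle(pem_text):
    """Split pem_text into normalised CERTIFICATE blocks.

    Returns (certificates, problems). Anything that is not a public certificate
    (for example a PRIVATE KEY block) is reported as a problem instead of being
    silently included. Checks are structural only: PEM label, valid base64 and
    a leading DER SEQUENCE tag; basicConstraints etc. are not inspected.
    """
    certs, problems = [], []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            problems.append(f"non-certificate PEM block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate block is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            problems.append("certificate block does not decode to a DER SEQUENCE")
            continue
        b64 = base64.b64encode(der).decode()
        body_lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{body_lines}\n-----END CERTIFICATE-----\n")
    if not certs:
        problems.append("no CERTIFICATE blocks found")
    return certs, problems


def build_custom_ca_inc(pem_texts):
    """Return the contents of custom_CA.inc, or None if any input is unsafe."""
    all_certs = []
    for text in pem_texts:
        certs, problems = parse_ca_bundle(text)
        if problems:
            return None
        all_certs.extend(certs)
    return "".join(all_certs)
```

Run it as `content = build_custom_ca_inc([open(p).read() for p in paths])`, write the result to custom_CA.inc and move that file into the plugins directory from step 3; a `None` result means the input contained something other than public certificates.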

Tune in to my next post when I will be talking about Nessus NIC compatibility errors (especially with VMs), and also why, when wearing jeans to a strip club, you don’t get your money’s worth…
