Tenable Research Release Highlights

ibelyna
4 years ago

Support for Custom CA in SSL Libraries for upload to Tenable.io

Summary

Customers can now apply self-signed certificates at the scan policy level in Tenable.io through the Advanced Scan Template. Assigning custom certificates to a scan policy in T.io lets customers use self-signed certificates for SSL authentication without plugin 51192 being reported as a vulnerability in their environments. The existing self-signed certificate functionality in Security Center, Nessus Manager and Nessus scanners, which adds the certificates to the trusted list at the scanner level, is unchanged. The new functionality securely applies the certificate to an individual user's scan policy rather than to the entire scanner. For security, individual customer certificates are encrypted in transit, held in memory while the scan runs, and purged when the task is complete.

T.io users can configure custom certificates for a scan policy under Settings >> Advanced >> General Settings >> Trusted CAs by copying the custom CA text into that field. Multiple certificates can be listed in the Trusted CAs field. Once the Trusted CAs GUI element template update has been applied, the setting is also available for the scanner when accessed via the API.

 

Impact

This affects any customer who uses internally signed certificates for SSL/TLS-enabled services on scan target hosts inside their internal network. It allows them to avoid triggering plugin 51192 on their T.io scans when using self-signed certificates on a scan policy.

Changes

T.io customers will have an additional Trusted CAs configuration setting to implement this feature. There are no changes to Security Center, Nessus Manager or Nessus scanners.

Target Release Date

Immediate
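
Because the Trusted CAs field described in the Summary takes pasted certificate text and can hold several certificates, it helps to check the text before pasting it. The following is an added example, not Tenable code or part of the original post: the names `lint_trusted_cas`, `der_is_complete` and `sample_pem` are hypothetical, PEM-encoded input is an assumption, and the sample blocks are constructed placeholders rather than real certificates. It checks structure only (block type, base64, DER length, duplicates), not whether a certificate is a CA or still valid.

```python
import base64, binascii, hashlib, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n, off = der[1], 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        if k == 0 or len(der) < 2 + k:
            return False
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    return off + n == len(der)

def lint_trusted_cas(text: str):
    """Return (clean_bundle, findings) for text about to be pasted into Trusted CAs."""
    findings, seen, keep = [], set(), []
    if PEM_RE.sub("", text).strip():
        findings.append("text outside PEM blocks")
    for i, m in enumerate(PEM_RE.finditer(text), 1):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            der = None
        if "PRIVATE KEY" in label:
            problem = "private key, must never be uploaded"
        elif label != "CERTIFICATE":
            problem = f"unexpected block type {label}"
        elif der is None or not der_is_complete(der):
            problem = "invalid base64 or truncated DER"
        elif hashlib.sha256(der).hexdigest() in seen:
            problem = "duplicate certificate"
        else:  # keep the block, re-wrapped at 64 columns
            seen.add(hashlib.sha256(der).hexdigest())
            lines = "\n".join(body[j:j + 64] for j in range(0, len(body), 64))
            keep.append(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
            continue
        findings.append(f"block {i}: {problem}")
    return "".join(keep), findings

def sample_pem(label, der):  # builds CONSTRUCTED sample blocks (placeholder DER, not real certs)
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
SAMPLE = "".join(sample_pem(lab, d) for lab, d in [
    ("CERTIFICATE", b"\x30\x03\x02\x01\x01"), ("CERTIFICATE", b"\x30\x03\x02\x01\x01"),  # duplicate
    ("CERTIFICATE", b"\x30\x82\x01\x00\x02\x01"),  # declares 256 bytes, carries 2
    ("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00"), ("CERTIFICATE", b"\x30\x03\x02\x01\x02")])
```

Calling `lint_trusted_cas(SAMPLE)` returns the two well-formed certificate blocks as the text to paste, plus one finding each for the duplicate, the truncated block and the private key.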
