> On Tue, Dec 16, 2003 at 03:35:56PM +0000, Mark Watts wrote:
> > It's probably easier if I paste stuff verbatim:
>
> ..
>
> > # grep localstatedir /usr/bin/nessus-mkcert-client
> > localstatedir=/var/lib
>
> ...
>
> > # ls -l /etc/nessus/CA/
> > total 20
> > -rw-r--r-- 1 root root 1578 Dec 15 15:08 cacert.pem
> > -rw------- 1 root root 891 Dec 15 15:08 cakey.pem
> > -rw-r--r-- 1 root root 4474 Dec 15 15:09 servercert.pem
> > -rw------- 1 root root 887 Dec 15 15:09 serverkey.pem
>
> Lovely -- private keys and certs are mixed together in the same
> directory yet the script wasn't changed to reflect that! There are two
> ways to proceed.
>
> On one hand, you could leave the files where they are and simply answer
> "/etc/nessus/CA" when nessus-mkcert-client prompts you for the private
> directory.
>
> On the other, you could separate the private keys from the certs and
> adjust config files / scripts as necessary. This entails creating the
> directory /var/lib/nessus/CA, ensuring its ownership / permissions look
> like "drwx------ 2 root root", editing /etc/nessus/nessusd.conf to set
> key_file to "/var/lib/nessus/CA/serverkey.pem", restarting the daemon,
> and perhaps updating nessus-mkcert to ensure $localstatedir points to
> "/var/lib" as well.
>
> The first approach is by far the simplest, but personally I prefer to
> keep private keys separate from certificates, especially when it's
> necessary that the directory be world-readable.
Ok, I decided that I'd separate the keys/certs...
I created /var/lib/nessus/CA and put the serverkey.pem and cakey.pem files
into it, changing /etc/nessus/nessus.conf to reflect this.
On running nessus-mkcert-client, it then complains that:
/var/lib/nessus/CA/cacert.pem: not found or not a file
Which is mighty odd, since nessus.conf is explicitly saying where that should
be:
cert_file = /etc/nessus/CA/servercert.pem
key_file = /var/lib/nessus/CA/serverkey.pem
ca_file = /etc/nessus/CA/cacert.pem
If I move cacert.pem to /var/lib/nessus/CA, then nessus-mkcert-client doesn't
complain, even though the config file is telling it otherwise...
Am I doing this right?
Cheers (again)
Mark.
--
Mark Watts
Senior Systems Engineer
QinetiQ TIM
St Andrews Road, Malvern
GPG Public Key ID: 455420ED
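The advice quoted above amounts to a small checklist: every file the config points at must exist as a regular file (the "not found or not a file" complaint), the private key must be mode 600, and the directory holding it must be drwx------ rather than the world-readable one the certificates live in. The script below is an added example, not code from the thread or from Nessus; it reads the cert_file / key_file / ca_file lines from a nessusd.conf-style file and reports which of those conditions fail. It assumes GNU stat(1) (the `stat -c` form) and a config whose lines look like `key_file = /path`, as in the post; it does not model nessus-mkcert-client's own `$localstatedir` lookup, which is the mismatch the thread is chasing.

```shell
#!/bin/sh
# Added example (not part of the original post or of Nessus): verify that the
# key/cert layout referenced by a nessusd.conf-style file is consistent and that
# the private key is not sitting in a group- or world-readable directory.
# Assumes GNU stat(1) for "stat -c '%a'".

# conf_value CONF NAME -> prints the value of the first "NAME = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# private_mode OCTAL -> 0 when no group/other bits are set (600, 700, ...).
private_mode() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nessus_layout CONF -> 0 when ca_file, cert_file and key_file all exist
# as regular files and key_file is 0600 inside a 0700 directory; 1 otherwise,
# with one line per finding on stdout.
check_nessus_layout() {
    conf="$1"
    rc=0
    for name in ca_file cert_file key_file; do
        path=$(conf_value "$conf" "$name")
        if [ -z "$path" ]; then
            echo "$name: not set in $conf"
            rc=1
            continue
        fi
        # Same condition nessus-mkcert-client reports as "not found or not a file".
        if [ ! -f "$path" ]; then
            echo "$name: $path: not found or not a file"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        dir=$(dirname "$path")
        dirmode=$(stat -c '%a' "$dir")
        case "$name" in
            key_file)
                # Private key: neither the file nor its directory may be
                # readable by group or others.
                if ! private_mode "$mode"; then
                    echo "$name: $path is mode $mode, expected 600"
                    rc=1
                fi
                if ! private_mode "$dirmode"; then
                    echo "$name: directory $dir is mode $dirmode, expected 700 (drwx------)"
                    rc=1
                fi
                ;;
            *)
                # Certificates are public; only require them to be readable.
                if [ ! -r "$path" ]; then
                    echo "$name: $path is not readable"
                    rc=1
                fi
                ;;
        esac
    done
    return "$rc"
}
```

Run it as `check_nessus_layout /etc/nessus/nessusd.conf` after moving the keys; a clean exit means the config and the filesystem agree, which narrows any remaining "not found" error to the script's own `$localstatedir` default rather than the daemon's configuration.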
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus