2.7 Ensure expired and revoked SSL certificates are removed from the ESXi server

Information

By default, ESXi hosts do not have Certificate Revocation List (CRL) checking available, so expired and revoked SSL certificates must be checked and removed manually.

*Rationale*

Leaving expired or revoked certificates on your vCenter Server system can compromise your environment. By default, each ESXi host does not have Certificate Revocation List (CRL) checking available. Revoked certificates must be checked and removed manually. Replacing certificates will avoid having users get used to clicking through browser warnings. The warning might be an indication of a man-in-the-middle attack, and only inspection of the certificate and thumbprint can guard against such attacks.
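Because the host performs no CRL checking, the expiry check and thumbprint inspection described above have to be done by hand. The following script is an added example (not part of the CIS benchmark or the Tenable plugin) that reports the validity window and SHA-1 thumbprint of the host certificate; it assumes a shell with openssl available (as in the ESXi Shell) and the default path /etc/vmware/ssl/rui.crt, which CERT_PATH can override.

```shell
#!/bin/sh
# Added example: report expiry status and thumbprint of an ESXi host certificate.
# Assumes openssl is on PATH; the default certificate path is the one used by ESXi.
CERT_PATH="${CERT_PATH:-/etc/vmware/ssl/rui.crt}"

# Return 0 if the certificate in $1 remains valid for at least $2 seconds
# (default 30 days), 1 if it has already expired or expires within that window.
cert_valid_for() {
    window="${2:-2592000}"
    openssl x509 -noout -checkend "$window" -in "$1" >/dev/null 2>&1
}

# Print the SHA-1 thumbprint as colon-separated hex, the form shown in the
# ESXi/vCenter UI, so it can be compared against the value on record.
cert_thumbprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# Print subject, validity dates, thumbprint and a verdict for one certificate.
# Returns 0 when the certificate is acceptable, 1 when it must be replaced.
report_cert() {
    window="${2:-2592000}"
    echo "Certificate: $1"
    openssl x509 -noout -subject -startdate -enddate -in "$1"
    echo "Thumbprint:  $(cert_thumbprint "$1")"
    if cert_valid_for "$1" "$window"; then
        echo "Status: OK (valid for at least $window seconds)"
        return 0
    fi
    echo "Status: EXPIRED or expiring within $window seconds; replace it"
    return 1
}

# Report on the host certificate only when the file is actually present.
if [ -f "$CERT_PATH" ]; then
    report_cert "$CERT_PATH"
fi
```

A non-zero exit from report_cert is the signal to follow the replacement steps in the Solution section.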

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Replace expired and revoked certificates with certificates from a trusted CA. Certificates can be replaced in a number of ways:

Replace a Default ESXi Certificate and Key from the ESXi Shell

1. Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:

mv rui.crt orig.rui.crt
mv rui.key orig.rui.key

3. Copy the certificates that you want to use to /etc/vmware/ssl.
4. Rename the new certificate and key to rui.crt and rui.key.
5. Restart the host after you install the new certificate.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.

Replace a Default ESXi Certificate and Key by Using the vifs Command

1. Back up the existing certificates.
2. Generate a certificate request following the instructions from the certificate authority.
3. At the command line, use the vifs command to upload the certificate to the appropriate location on the host.

vifs --server hostname --username username --put rui.crt /host/ssl_cert
vifs --server hostname --username username --put rui.key /host/ssl_key

4. Restart the host.

Alternatively, you can put the host into maintenance mode, install the new certificate, and then use the Direct Console User Interface (DCUI) to restart the management agents.

Replace a Default ESXi Certificate and Key Using HTTP PUT

1. Back up the existing certificates.
2. In your upload application, process each file as follows:
   a. Open the file.
   b. Publish the file to one of these locations:

Certificates https://hostname/host/ssl_cert
Keys https://hostname/host/ssl_key

3. The locations /host/ssl_cert and /host/ssl_key link to the certificate files in /etc/vmware/ssl.
4. Restart the host.

See Also

https://workbench.cisecurity.org/files/2168

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Unix

Control ID: fd493883c2dab541b338becf3fefa0df700e3c6fa594c9c353bbd145f0833103