2.4 Ensure default self-signed certificate for ESXi communication is not used

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The default certificate is self-signed, not signed by a trusted certificate authority (CA). It should be replaced with a valid certificate issued by a trusted CA.

Rationale:

Using the default self-signed certificate may increase risk related to man-in-the-middle (MITM) attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Back up and replace the SSL certificate presented by the ESXi host, and determine whether the certificate in use is issued by a trusted CA:

Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.

In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:

mv rui.crt orig.rui.crt
mv rui.key orig.rui.key

Copy the certificates you want to use to /etc/vmware/ssl.

Rename the new certificate and key to rui.crt and rui.key.

Restart the host after you install the new certificate.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.

Leverage VMware's SSL Certificate Automation Tool to install CA-signed SSL certificates. For more information on this tool, please see [http://kb.vmware.com/kb/2057340](http://kb.vmware.com/kb/2057340).
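The following is an added example, not part of the CIS benchmark or the Nessus audit text: a small POSIX shell check that tells whether a PEM certificate (for instance a copy of the host's /etc/vmware/ssl/rui.crt pulled before or after the replacement above) is still self-signed, and whether it chains to a CA bundle you trust. It needs only the openssl CLI; the host name, the "Lab Root CA" and the throwaway certificates it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or the Nessus audit text: checks
# whether a PEM certificate (such as a copy of the ESXi host's
# /etc/vmware/ssl/rui.crt) is self-signed, and whether it chains to a CA you
# trust. Needs the openssl CLI. All names below (example.internal, "Lab Root CA")
# and the throwaway certificates are constructed for the demo.

WORK=$(mktemp -d)

# Self-signed = the issuer DN equals the subject DN and the cert verifies
# against itself. This is the condition that fails this audit.
is_self_signed() {     # $1 = PEM cert; exit status 0 when self-signed
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# "Issued by a trusted CA" = the cert verifies against your own CA bundle.
issued_by_ca() {       # $1 = PEM cert, $2 = trusted CA bundle (PEM)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One-line verdict in the audit's own terms.
audit_cert() {         # $1 = PEM cert, $2 = trusted CA bundle
    if is_self_signed "$1"; then
        echo "FAIL: self-signed certificate (issuer = subject)"
    elif issued_by_ca "$1" "$2"; then
        echo "PASS: certificate chains to trusted CA"
    else
        echo "FAIL: certificate does not chain to trusted CA"
    fi
}

# Constructed test material: a self-signed cert mimicking the default rui.crt,
# a throwaway CA, and a host cert issued by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esxi01.example.internal" \
    -keyout "$WORK/default.key" -out "$WORK/default.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esxi01.example.internal" \
    -keyout "$WORK/signed.key" -out "$WORK/signed.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/signed.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signed.crt" 2>/dev/null

audit_cert "$WORK/default.crt" "$WORK/ca.crt"   # FAIL: self-signed certificate (issuer = subject)
audit_cert "$WORK/signed.crt"  "$WORK/ca.crt"   # PASS: certificate chains to trusted CA
```

To check a live host instead of a file, feed `audit_cert` a certificate captured with `openssl s_client -connect <host>:443 -showcerts`, where `<host>` is your own ESXi host.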

Impact:

Replacing the default certificate might cause vCenter Server to stop managing the host. Disconnect and reconnect the host if vCenter Server cannot verify the new certificate.

References:

https://kb.vmware.com/s/article/2111219

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-AC7E6DD7-F984-4E0F-983A-463031BA5FE7.html

See Also

https://workbench.cisecurity.org/files/2816