Detections
Analytics

2.7 Ensure expired and revoked SSL certificates are removed from the ESXi server

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

By default, ESXi hosts do not have Certificate Revocation List (CRL) checking available, so expired and revoked SSL certificates must be checked and removed manually.

Rationale:

Leaving expired and revoked certificates on your vCenter Server system can compromise your environment. Replacing certificates will avoid having users get used to clicking through browser warnings. The warning might be an indication of a man-in-the-middle attack, and only inspection of the certificate and thumbprint can guard against such attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Replace expired and revoked certificates with certificates from a trusted CA. Certificates can be replaced in a number of ways:
Replace a Default ESXi Certificate and Key from the ESXi Shell

Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.

In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:

mv rui.crt orig.rui.crt
mv rui.key orig.rui.key

Copy the certificates that you want to use to /etc/vmware/ssl.

Rename the new certificate and key to rui.crt and rui.key.

Restart the host after you install the new certificate.

Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.
Replace a Default ESI Certificate and Key by Using the vifs Command

Back up the existing certificates.

Generate a certificate request following the instructions from the certificate authority.

At the command line, use the vifs command to upload the certificate to the appropriate location on the host.

vifs --server hostname --username username --put rui.crt /host/ssl_cert
vifs --server hostname --username username --put rui.key /host/ssl_key

Restart the host.

Alternatively, you can put the host into maintenance mode, install the new certificate, and then use the Direct Console User Interface (DCUI) to restart the management agents.
Replace A Default ESI Certificate and Key Using HTTP PUT

Back up the existing certificates.

In your upload application, process each file as follows:

Open the file.

Publish the file to one of these locations:

Certificates https://hostname/host/ssl_cert
Keys https://hostname/host/ssl_key

The locations /host/ssl_cert and host/ssl_key link to the certificate files in /etc/vmware/ssl.

Restart the host.

See Also

https://workbench.cisecurity.org/benchmarks/12725

Item Details

References: CSCv7|16.8

Plugin: Unix

Control ID: 609c4aafb4f2067f7fa0e6a7338290df0831ecad398e298df1ade8cd9eb84c7e