ESXI-67-000078 - The ESXi host must use DoD-approved certificates.

Information

The default self-signed, VMware Certificate Authority-issued host certificate must be replaced with a DoD-approved certificate when the host will be accessed directly, such as during a VM console connection.

The use of a DoD certificate on the host assures clients that the service they are connecting to is legitimate and properly secured.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Obtain a DoD-issued certificate and private key for the host following the requirements below:

Key size: 2048 bits or more (PEM encoded)

Key format: PEM; VMware supports PKCS8 and PKCS1 (RSA keys)
x509 version 3

SubjectAltName must contain DNS Name=<machine_FQDN>

CRT (Base-64) format

Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Start time of one day before the current time.

CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.

Put the host into maintenance mode.

Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. Back up the existing certificate and key:

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

Copy the new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate:

services.sh restart

From the vSphere Web Client, select the vCenter Server and click Configure >> System >> Advanced Settings.

Find the 'vpxd.certmgmt value' and set it to 'custom'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-239328r674913_rule, STIG-ID|ESXI-67-000078, Vuln-ID|V-239328

Plugin: Unix

Control ID: f46ee6feec512e4b393193ed22b359e384291c1afe9f448cc419d7a7ff67b032