VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.

Information

The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Obtain a DoD-issued certificate and private key for each vCenter in the system, following these requirements:

Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Ensure that the certificate includes all intermediates and root certificates. If it does not, export the entire certificate issuing chain up to the root in Base-64 format and concatenate the individual certificates onto the issued certificate.
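The following script is an added example, not part of the STIG text or the Tenable audit: it pre-checks an obtained certificate against the requirements listed above (PEM encoding, X.509 v3, key size, SAN, key usages) with the openssl CLI before the file is uploaded through the vSphere Client, and counts the certificates in a concatenated chain file. The `make_test_cert` helper builds a constructed self-signed certificate (it is not DoD-issued) so the checks can be exercised offline; it assumes an openssl CLI of version 1.1.1 or later on PATH, and the hostname `vcenter.example.mil` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the STIG or Tenable): pre-flight check of a
# certificate against VCTR-67-000058 using the openssl CLI (assumed on PATH).
set -eu

# check_vcenter_cert CERT_PEM MACHINE_FQDN
# Prints one FAIL line per unmet requirement; returns 0 only when all pass.
check_vcenter_cert() {
    cert="$1"
    fqdn="$2"
    rc=0

    # PEM / Base-64 encoding: openssl x509 reads PEM by default, so a DER or
    # otherwise malformed file fails here.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "FAIL: $cert is not a PEM-encoded certificate"; return 1; }

    # X.509 version 3 (openssl prints "Version: 3 (0x2)")
    echo "$text" | grep -q 'Version: 3' \
        || { echo "FAIL: certificate is not X.509 v3"; rc=1; }

    # Key size 2048 bits or more (openssl prints "Public-Key: (2048 bit)")
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: key size ${bits:-unknown} is below 2048 bits"; rc=1
    fi

    # SubjectAltName must contain DNS Name=<machine_FQDN>; dots in the FQDN
    # are escaped so they match literally, and the name must end the entry.
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    echo "$text" | grep -Eq "DNS:${esc}(,|[[:space:]]|$)" \
        || { echo "FAIL: SAN does not contain DNS:${fqdn}"; rc=1; }

    # Key usages: Digital Signature, Non Repudiation, Key Encipherment
    for ku in "Digital Signature" "Non Repudiation" "Key Encipherment"; do
        echo "$text" | grep -q "$ku" \
            || { echo "FAIL: Key Usage lacks ${ku}"; rc=1; }
    done
    return "$rc"
}

# count_chain_certs BUNDLE_PEM
# Number of PEM certificates in the file. After concatenating the issued
# certificate with its intermediates and root, e.g.
#   cat issued.pem intermediate.pem root.pem > chain.pem
# the count should be 2 or more; a lone leaf means the chain is missing.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_test_cert MACHINE_FQDN
# Constructed self-signed test certificate (NOT DoD-issued) carrying the
# required extensions, so the checks above can be run offline.
# Prints the path of the PEM file.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage: sh check_vcenter_cert.sh /path/to/cert.pem vcenter.example.mil
if [ "$#" -eq 2 ]; then
    check_vcenter_cert "$1" "$2"
fi
```

Run it against the CA-issued file with the vCenter's FQDN as the second argument; every FAIL line corresponds to one bullet of the requirements list, and a non-zero exit means the file should not be uploaded yet. The check is deliberately text-based on `openssl x509 -text` output so it works with whatever openssl the administrator's workstation already has.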

From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click Actions >> Replace.

Supply the CA-issued certificate with the exported roots file and the private key.

Click 'Replace'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243113r879887_rule, STIG-ID|VCTR-67-000058, Vuln-ID|V-243113

Plugin: VMware

Control ID: 82c7880c2b5f94d88db1f6ec1547bc33d02c8646b9288b4a53c8436e6d604ca7