VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication.

Information

The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, click the 'Edit' button.

By default, the PSC will use the CRL from the certificate to check revocation status.

OCSP with CRL fallback is recommended, but this setting is site-specific and should be configured appropriately.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243115r879887_rule, STIG-ID|VCTR-67-000060, Vuln-ID|V-243115

Plugin: VMware

Control ID: 56bf622625b3b9d7ec26135f0c48ae0e8847e01c194f939d6334d32b22d70178