VCSA-70-000195 - The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.

Information

Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.

The DOD will only accept public key infrastructure (PKI) certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates.

The default vCenter Machine SSL (reverse proxy) certificate is issued by the VMware Certificate Authority (VMCA), whose root is self-signed and is not trusted by clients unless it has been distributed to them; it must be replaced with a DOD-approved certificate. The use of a DOD certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Obtain a DOD-issued certificate and private key for each vCenter in the system following the requirements below:

Key size: 2048 bits or more, with the private key PEM encoded
Certificate in CRT format (Base-64 encoded PEM)
X.509 version 3
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Export the entire certificate issuing chain up to the root in Base-64 format. Concatenate the individual certificates into one file with the '.cer' extension.

From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click Actions >> Import and Replace Certificate.

Select the 'Replace with external CA certificate' radio button and click 'Next'.

Supply the CA-issued certificate, the exported chain (roots) file, and the private key.

Click 'Replace'.
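As an added worked example (not part of the STIG or of VMware's tooling), the following POSIX shell script checks a candidate certificate against the requirements listed above before you go near the vSphere Client, builds the single '.cer' chain file the import asks for, and verifies the leaf against that chain so a missing intermediate is caught locally rather than by vCenter. It assumes openssl 1.1.1 or newer; the host vcenter.example.mil, the file names, and the throw-away root CA created by make_test_pki are constructed for illustration only, since in practice the leaf comes from a DOD-approved CA.

```shell
#!/bin/sh
# Added example for VCSA-70-000195 (not part of the STIG or of VMware's
# tooling): pre-flight checks for a candidate Machine SSL certificate,
# assembly of the '.cer' chain file, and verification of that chain.
# Needs openssl 1.1.1 or newer. Hostnames and file names are constructed.

# Return 0 if the PEM certificate CERT satisfies the STIG requirements for
# FQDN; otherwise print the first failing requirement and return 1.
check_machine_ssl_cert() {
    cert=$1
    fqdn=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # X.509 version 3 (SAN and Key Usage are v3 extensions)
    printf '%s\n' "$text" | grep -q 'Version: 3' \
        || { echo "FAIL: not an X.509 v3 certificate"; return 1; }

    # Key size: 2048 bits or more
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        || { echo "FAIL: key size ${bits:-unknown} is below 2048 bits"; return 1; }

    # SubjectAltName must contain DNS Name=<machine_FQDN>; dots are escaped
    # so that vcenter.example.mil does not also match vcenterXexample.mil
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -Eq 'DNS:'"$esc"'(,|$)' \
        || { echo "FAIL: subjectAltName lacks DNS:$fqdn"; return 1; }

    # Key Usage must include all three of these
    for ku in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        printf '%s\n' "$text" | grep -q "$ku" \
            || { echo "FAIL: Key Usage lacks $ku"; return 1; }
    done
    return 0
}

# Concatenate the issuing chain (intermediate CAs first, root last), each
# re-emitted as Base-64 PEM, into the one '.cer' file the import expects.
build_chain_file() {
    out=$1
    shift
    : > "$out"
    for c in "$@"; do
        openssl x509 -in "$c" >> "$out" || return 1
    done
}

# Confirm the leaf really chains to the file you are about to upload.
verify_chain() {
    openssl verify -CAfile "$1" "$2" > /dev/null
}

# After 'Replace': show what the reverse proxy now presents on 443
# (network call, not exercised offline).
show_live_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName
}

# Constructed stand-in PKI for offline testing only: a throw-away root CA
# and a leaf for the fictional host FQDN, written into directory DIR.
make_test_pki() {
    dir=$1
    fqdn=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/leaf.ext" <<EOF
subjectAltName = DNS:$fqdn
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/req.cnf" \
        -subj '/CN=Example Root CA' -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$fqdn" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh stig_cert_check.sh leaf.pem vcenter.example.mil
if [ $# -ge 2 ]; then
    check_machine_ssl_cert "$1" "$2"
fi
```

Run it as `sh stig_cert_check.sh leaf.pem <machine_FQDN>` against the certificate the CA returned, then `build_chain_file chain.cer intermediate.pem root.pem` and `verify_chain chain.cer leaf.pem` before the import; after clicking 'Replace', `show_live_cert <machine_FQDN>` confirms the issuer seen on the wire is the DOD CA and not the VMCA.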

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(5), CAT|II, CCI|CCI-002470, Rule-ID|SV-256342r885637_rule, STIG-ID|VCSA-70-000195, Vuln-ID|V-256342

Plugin: VMware

Control ID: 3f17e5b6779aa91d190ef6e53d267cb41405167d04e85f9d46e1b5e555784eba