UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows reverse proxy must use DoD approved certificates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216877 VCWN-65-000058 SV-216877r612237_rule Medium
Description
The default self-signed, VMCA issued vCenter reverse proxy certificate must be replaced with a DoD approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured.
STIG Date
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2021-06-23

Details

Check Text ( C-18108r622446_chk )
From the vCenter server (and external PSC if appropriate) run the following command

Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|grep Issuer

Windows:
"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe" entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|find "Issuer"

If the issuer is not a DoD approved certificate authority, or other AO approved certificate authority, this is a finding.
Fix Text (F-18106r366346_fix)
Obtain a DoD issued certificate and private key for each vCenter and external PSC in the system, following the below requirements:

Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Verify that the issued certificate includes the full issuing chain. If it does not, concatenate the Base-64 intermediates and root onto the issued machine ssl cert.

Export the entire certificate issuing chain up to the root in Base-64 format, concatenate the individual certs into one file that will be used in the next steps when prompted for the signing certificate.

Run the certificate-manager tool:

Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager

Windows:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat

Select option "1" to replace the machine ssl certificate. Select option "2" to specify existing certificate and private key. Supply the information as prompted remembering the signing certificate file built up previously.