UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows must enable revocation checking for certificate based authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216879 VCWN-65-000060 SV-216879r612237_rule Medium
Description
The system must establish the validity of the user supplied identity certificate using OCSP and/or CRL revocation checking.
STIG Date
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2021-06-23

Details

Check Text ( C-18110r366351_chk )
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On > Configuration.

3. Click the "Smart Card Configuration" tab

4. Click the "Certificate Revocation Settings" tab

If "Revocation Check" does not show as enabled, this is a finding.
Fix Text (F-18108r366352_fix)
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On > Configuration.

3. Click the "Smart Card Configuration" tab

4. Click the "Certificate Revocation Settings" tab

5. Click the "Enable Revocation Check" button

By default the PSC will use the CRL from the certificate to check revocation check status. OCSP with CRL fallback is recommended but this setting is site specific and should be configured appropriately.