The system must not use default self-signed certificates for ESXi communication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-OS-99999-ESXI5-000140 | SRG-OS-99999-ESXI5-000140 | SRG-OS-99999-ESXI5-000140_rule | High |
| Description |
|---|
| Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA. |
| STIG | Date |
|---|---|
| VMware ESXi v5 Security Technical Implementation Guide | 2013-01-15 |
Details
| Check Text ( C-SRG-OS-99999-ESXI5-000140_chk ) |
|---|
| Connect to the ESXi host with a browser to https:// If the SSL certificate is not issued by a trusted CA, this is a finding. |
| Fix Text (F-SRG-OS-99999-ESXI5-000140_fix) |
|---|
| From the vSphere client, place the host into Maintenance Mode. Navigate to the console of the server to enable SSH on the ESXi 5 host. Press F2 to log in to the Direct Console User Interface (DUCI). Click Troubleshooting options >> Enable SSH. Log in to the host and then navigate to /etc/vmware/ssl. Copy the files to a backup location, such as a VMFS volume. Login to the host with WinSCP and navigate to the /etc/vmware/ssl directory. Delete the existing rui.crt and rui.key from the directory. Copy the newly created rui.crt and rui.key to the directory using Text Mode or ASCII mode to avoid the issue of special characters ( ^M) appearing in the certificate file. Type "less rui.crt" to validate there are no extra characters. Exit Maintenance Mode to reboot the server. |