UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.


Overview

Finding ID Version Rule ID IA Controls Severity
V-243113 VCTR-67-000058 SV-243113r719582_rule Medium
Description
The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured.
STIG Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide 2021-04-16

Details

Check Text ( C-46388r719580_chk )
From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click "View Details".

Examine the "Issuer Information" block.

If the issuer specified is not a DoD-approved certificate authority (or other AO approved CA), this is a finding.
Fix Text (F-46345r719581_fix)
Obtain a DoD-issued certificate and private key for each vCenter in the system, following these requirements:

Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Ensure that the certificate includes all intermediates and root certificates. If it does not, export the entire certificate issuing chain up to the root in Base-64 format and concatenate the individual certificates onto the issued certificate.

From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click Actions >> Replace.

Supply the CA-issued certificate with the exported roots file and the private key.

Click "Replace".