The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243113 | VCTR-67-000058 | SV-243113r719582_rule | Medium |
| Description |
|---|
| The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2021-04-16 |
Details
| Check Text ( C-46388r719580_chk ) |
|---|
| From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate. Click "View Details". Examine the "Issuer Information" block. If the issuer specified is not a DoD-approved certificate authority (or other AO approved CA), this is a finding. |
| Fix Text (F-46345r719581_fix) |
|---|
| Obtain a DoD-issued certificate and private key for each vCenter in the system, following these requirements: Key size: 2048 bits or more (PEM encoded) CRT format (Base-64) x509 version 3 SubjectAltName must contain DNS Name= Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Ensure that the certificate includes all intermediates and root certificates. If it does not, export the entire certificate issuing chain up to the root in Base-64 format and concatenate the individual certificates onto the issued certificate. From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate. Click Actions >> Replace. Supply the CA-issued certificate with the exported roots file and the private key. Click "Replace". |