
The vCenter Server must enable revocation checking for certificate-based authentication.


Overview

Finding ID: V-243115
Version: VCTR-67-000060
Rule ID: SV-243115r719588_rule
IA Controls:
Severity: Medium
Description
The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking.
STIG: VMware vSphere 6.7 vCenter Security Technical Implementation Guide
Date: 2021-04-16

Details

Check Text (C-46390r719586_chk)
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, verify that "Revocation check" does not show as disabled.

If "Revocation check" shows as disabled, this is a finding.
Fix Text (F-46347r719587_fix)
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, click the "Edit" button.

By default, the PSC will use the CRL referenced in the certificate to check revocation status.

OCSP with CRL fallback is recommended, but this setting is site specific and should be configured appropriately.