The vCenter Server must enable revocation checking for certificate-based authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243115 | VCTR-67-000060 | SV-243115r719588_rule | Medium |
| Description |
|---|
| The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking. |
| STIG | Date |
|---|---|
| VMware vSphere 6.7 vCenter Security Technical Implementation Guide | 2022-09-09 |
Details
| Check Text ( C-46390r719586_chk ) |
|---|
| From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. Under Smart card authentication settings >> Certificate revocation, verify that "Revocation check" does not show as disabled. If "Revocation check" shows as disabled, this is a finding. |
| Fix Text (F-46347r719587_fix) |
|---|
| From the vSphere Client, go to Administration >> Single Sign-On > Configuration >> Smart Card Authentication. Under Smart card authentication settings >> Certificate revocation, click the "Edit" button. By default, the PSC will use the CRL from the certificate to check revocation check status. OCSP with CRL fallback is recommended, but this setting is site specific and should be configured appropriately. |