UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258928 VCSA-80-000195 SV-258928r961596_rule Medium
Description
Untrusted certificate authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept public key infrastructure (PKI) certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. The default self-signed, VMware Certificate Authority (VMCA)-issued vCenter reverse proxy certificate must be replaced with a DOD-approved certificate. The use of a DOD certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted.
STIG Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62668r934440_chk )
From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click "View Details" and examine the "Issuer Information" block.

If the issuer specified is not a DOD approved certificate authority, this is a finding.
Fix Text (F-62577r934441_fix)
Obtain a DOD-issued certificate and private key for each vCenter in the system following the requirements below:

Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Export the entire certificate issuing chain up to the root in Base-64 format. Concatenate the individual certificates into one file with the ".cer" extension.

From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click Actions >> Import and Replace Certificate.

Select the "Replace with external CA certificate" radio button and click "Next".

Supply the CA-issued certificate , the exported roots file, and the private key.

Click "Replace".