Check: VCTR-67-000058
VMware vSphere 6.7 vCenter STIG:
VCTR-67-000058
(in versions v1 r4 through v1 r1)
Title
The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. (Cat II impact)
Discussion
The default self-signed, VMCA-issued vCenter reverse proxy certificate must be replaced with a DoD-approved certificate. The use of a DoD certificate on the vCenter reverse proxy assures clients that the service they are connecting to is legitimate and properly secured.
Check Content
From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate. Click "View Details". Examine the "Issuer Information" block. If the issuer specified is not a DoD-approved certificate authority (or other AO approved CA), this is a finding.
Fix Text
Obtain a DoD-issued certificate and private key for each vCenter in the system, following these requirements: Key size: 2048 bits or more (PEM encoded) CRT format (Base-64) x509 version 3 SubjectAltName must contain DNS Name=<machine_FQDN> Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment Ensure that the certificate includes all intermediates and root certificates. If it does not, export the entire certificate issuing chain up to the root in Base-64 format and concatenate the individual certificates onto the issued certificate. From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate. Click Actions >> Replace. Supply the CA-issued certificate with the exported roots file and the private key. Click "Replace".
Additional Identifiers
Rule ID: SV-243113r879887_rule
Vulnerability ID: V-243113
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |