
The system's Update Manager must not use default self-signed certificates.


Finding ID: VCENTER-000014
Version: VCENTER-000014
Rule ID: VCENTER-000014_rule
IA Controls:
Severity: Medium
Self-signed certificates are automatically generated by Update Manager during the installation process, are not signed by a commercial CA, and do not provide strong security. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks.
VMware vCenter Server Security Technical Implementation Guide 2013-01-15


Check Text (C-VCENTER-000014_chk)
To examine the certificate configured for the Update Manager instance, start the Microsoft Management Console (MMC) snap-in and open the Windows Certificate Store. Navigate to the vCenter Server certificate and click the "Certificate Details" tab to display the certificate details. If unable to determine certificate details from the MMC, ask the SA if self-signed certificates on the Update Manager have been changed to certificates from a trusted certification authority.

If certificates from a trusted certification authority are not used, this is a finding.
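
The same determination can be scripted against the certificate file in the Update Manager SSL directory. The PowerShell below is an added example, not part of the STIG or of VMware's tooling; it assumes the default directory named in the Fix Text and the file name rui.crt, and the function name Test-UpdateManagerCertificate is hypothetical.

```powershell
# Added example: report whether the Update Manager certificate is self-signed or untrusted.
# Assumptions: PowerShell 3.0 or later; default SSL directory from the Fix Text.
param(
    [string]$CertPath = 'C:\Program Files\VMware\Infrastructure\Update Manager\SSL\rui.crt'
)

function Test-UpdateManagerCertificate {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # A self-signed certificate names itself as its issuer.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain against the machine's trust stores.
    # Revocation checking is off so the check also works on an isolated management
    # network (assumption); set it to Online where CRL/OCSP endpoints are reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        SelfSigned   = $selfSigned
        ChainTrusted = $trusted
        ChainStatus  = $status
        # A self-signed certificate is flagged even if someone imported it into the
        # Trusted Root store, because it still was not issued by a CA.
        Finding      = ($selfSigned -or -not $trusted)
    }
}

Test-UpdateManagerCertificate -Path $CertPath | Format-List
```

Run it on the Update Manager host; a Finding value of True corresponds to the finding condition stated above.
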
Fix Text (F-VCENTER-000014_fix)
To replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA, perform the following steps:

1. Begin by backing up the existing Update Manager certificates.
2. Copy the new certificate files (rui.crt, rui.key, and rui.pfx) to the Update Manager SSL directory where Update Manager is installed. The default directory is C:\Program Files\VMware\Infrastructure\Update Manager\SSL.
3. Stop the VMware vSphere Update Manager service.
4. Change to the Update Manager installation directory.
5. Run the file VMwareUpdateManagerUtility.exe.
6. In the Options pane, click SSL Certificate.
7. In the Configuration pane, select "Followed and verified the steps" and click Apply.
8. After the operation completes, restart the VMware vSphere Update Manager service.