
The system must always verify SSL certificates.


Overview

Finding ID: VCENTER-000030
Version: VCENTER-000030
Rule ID: VCENTER-000030_rule
IA Controls: (none listed)
Severity: Medium
Description
Without certificate verification, the user can be subject to a MITM (man-in-the-middle) attack, which could enable compromise through impersonation of the user to the vCenter Server system using the user's credentials. When connecting to vCenter Server using vSphere Client, the client must check whether the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further before proceeding.
STIG: VMware vCenter Server Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text ( C-VCENTER-000030_chk )
When connecting to the vCenter Server, vSphere Client users must never ignore certificate verification warnings. The message box that appears when certificate verification fails can be dismissed by the user, but it is a clear warning of a certificate verification problem. Absence of the message box indicates that the certificate chains to a trusted source.

If a vCenter Server certificate cannot be verified by a trusted third party database, this is a finding.
Fix Text (F-VCENTER-000030_fix)
Check the vCenter Server/host for the presence of expired or revoked certificates. If any are found, remove all expired/revoked certificates. Example: the default path on 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL. Back up the files rui.crt, rui.key, and rui.pfx located in that folder, then delete them. These files will need to be recreated for the new/updated certificates.
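An added example, not part of the STIG or of any VMware tooling, that automates the check and fix text above on the Windows host: it loads rui.crt from the default Update Manager SSL folder, validates it against the Windows trusted root store with online revocation checking, reports expiry and chain status, and backs up rui.crt, rui.key, and rui.pfx before an administrator removes them. The folder path and file names are taken from the fix text; the backup folder name is an assumption.

```powershell
# Added example (not STIG or VMware code). Default path from the fix text.
$SslDir   = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL'
$CertFile = Join-Path $SslDir 'rui.crt'

if (-not (Test-Path $CertFile)) {
    Write-Error "Certificate not found: $CertFile"
    return
}

# rui.crt may be PEM or DER; X509Certificate2 accepts either encoding.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# Build the chain against the Windows trusted root store, checking revocation online
# for every certificate in the chain (the "trusted third party" check in the STIG).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

$now     = Get-Date
$expired = ($cert.NotAfter -lt $now) -or ($cert.NotBefore -gt $now)
$revoked = $chain.ChainStatus | Where-Object {
    $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
}

[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    Expired  = $expired
    ChainOk  = $chainOk
    Revoked  = [bool]$revoked
    Problems = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
}

# Per the check text this is a finding if the certificate cannot be verified,
# is outside its validity period, or is revoked. Back up before removal.
if (-not $chainOk -or $expired -or $revoked) {
    $backup = Join-Path $SslDir ('backup-' + $now.ToString('yyyyMMdd-HHmmss'))  # assumed name
    New-Item -ItemType Directory -Path $backup | Out-Null
    foreach ($f in 'rui.crt', 'rui.key', 'rui.pfx') {
        $src = Join-Path $SslDir $f
        if (Test-Path $src) { Copy-Item -Path $src -Destination $backup }
    }
    Write-Warning "FINDING: certificate fails verification. Files backed up to $backup; remove and reissue them."
}
```

Run from an elevated PowerShell session on the vCenter host, since the SSL folder under Program Files is normally writable only by administrators.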