UCF STIG Viewer Logo

The system must always verify SSL certificates.


Finding ID Version Rule ID IA Controls Severity
VCENTER-000030 VCENTER-000030 VCENTER-000030_rule Medium
Without certificate verification, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system. When connecting to vCenter Server using vSphere Client, the client must check if the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further before proceeding.
VMware vCenter Server Security Technical Implementation Guide 2013-01-15


Check Text ( C-VCENTER-000030_chk )
When connecting to the vCenter Server, vSphere Client users must never ignore certificate verification warnings. The message box that appears when certificate verification issues a certificate warning "may" be ignored by the user, however, this is a clear warning of certificate verification issues. Lack of the message box is an indication that the certificate is from a trusted source.

If a vCenter Server certificate cannot be verified by a trusted third party database, this is a finding.
Fix Text (F-VCENTER-000030_fix)
Check the vCenter Server/host for the presence of expired/revoked certificates. If found, remove all expired/revoked certificates. Example: The default path in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL. Back up the files rui.crt, rui.key, and rui.pfx, located in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL folder and delete the files. These files will need to be recreated for new/updated certificates.