
The vCenter Server Machine Secure Sockets Layer (SSL) certificate must be issued by a DOD certificate authority.


Overview

Finding ID: V-258928
Version: VCSA-80-000195
Rule ID: SV-258928r934442_rule
IA Controls:
Severity: Medium
Description
Untrusted certificate authorities (CAs) can issue certificates, and those certificates may come from organizations or individuals seeking to compromise DOD systems, or from organizations with insufficient security controls. If the CA used to verify a certificate is not a DOD-approved CA, trust in that CA has not been established. The DOD will only accept public key infrastructure (PKI) certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for establishing secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. The default self-signed, VMware Certificate Authority (VMCA)-issued vCenter reverse proxy certificate must be replaced with a DOD-approved certificate. Using a DOD certificate on the vCenter reverse proxy and other services assures clients that the service they are connecting to is legitimate and trusted.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2023-10-11

Details

Check Text (C-62668r934440_chk)
From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click "View Details" and examine the "Issuer Information" block.

If the issuer specified is not a DOD approved certificate authority, this is a finding.
Fix Text (F-62577r934441_fix)
Obtain a DOD-issued certificate and private key for each vCenter in the system following the requirements below:

Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Export the entire certificate issuing chain up to the root in Base-64 format. Concatenate the individual certificates into one file with the ".cer" extension.

From the vSphere Client, go to Administration >> Certificates >> Certificate Management >> Machine SSL Certificate.

Click Actions >> Import and Replace Certificate.

Select the "Replace with external CA certificate" radio button and click "Next".

Supply the CA-issued certificate, the exported roots file, and the private key.

Click "Replace".
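The check text above inspects the Machine SSL certificate's issuer through the vSphere Client, and the fix text lists the technical requirements the replacement certificate must meet (key size, X.509 v3, a DNS SAN, and the three key usages). The script below is an added example, not part of the STIG or of VMware's tooling: it pulls the Machine SSL certificate that the vCenter reverse proxy serves on port 443 with openssl and then checks a PEM file against those requirements, so the same review can be scripted across many vCenters or run against a certificate before it is imported. It assumes OpenSSL 1.1.1 or later on PATH, and it assumes that a DoD-issued certificate carries "OU = DoD" in its issuer DN (the issuer of DoD CA certificates is typically of the form "C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DOD ID SW CA-NN"; adjust the pattern to the CAs your organization actually approves). The hostname vcenter.example.mil and the self-signed sample certificate generated at the bottom are constructed for the demonstration and stand in for a real vCenter.

```shell
#!/bin/sh
# Added example (not part of the STIG): check a vCenter Machine SSL
# certificate against the issuer check and the fix-text requirements.
# Assumptions: openssl 1.1.1+ on PATH; a DoD-issued certificate carries
# "OU = DoD" in its issuer DN; the sample certificate built at the bottom is
# constructed locally and only stands in for a real vCenter.

# Pull the Machine SSL certificate the vCenter reverse proxy presents on 443.
# Usage: fetch_vcenter_cert vcenter.example.mil > machine-ssl.pem
fetch_vcenter_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 when the issuer DN matches the assumed DoD CA pattern.
issuer_is_dod() {
    openssl x509 -in "$1" -noout -issuer | grep -Eq 'OU ?= ?DoD'
}

# Check the fix-text requirements plus the issuer. Prints one line per
# failure and returns the number of failures (0 means compliant).
check_cert_requirements() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text)
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # x509 version 3
    printf '%s\n' "$text" | grep -q 'Version: 3' || fail "not X.509 version 3"

    # Key size: 2048 bits or more ("Public-Key: (2048 bit)" in -text output)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "key size ${bits:-unknown} is below 2048 bits"

    # SubjectAltName must contain at least one DNS name
    printf '%s\n' "$text" | grep -q 'DNS:' || fail "no DNS name in subjectAltName"

    # Required key usages, as OpenSSL prints them
    for ku in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        printf '%s\n' "$text" | grep -q "$ku" || fail "missing key usage: $ku"
    done

    # The actual STIG check: issuer must be a DoD-approved CA
    issuer_is_dod "$cert" \
        || fail "issuer is not a DoD CA: $(openssl x509 -in "$cert" -noout -issuer)"
    return "$fails"
}

# Constructed self-signed sample certificate (stand-in for a vCenter cert).
# An optional second argument overrides the subject so the issuer check can
# be exercised against a DoD-looking DN as well.
make_sample_cert() {
    dir=$1
    subj=${2:-/C=US/O=Example/CN=vcenter.example.mil}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -addext 'subjectAltName=DNS:vcenter.example.mil' \
        -addext 'keyUsage=digitalSignature,nonRepudiation,keyEncipherment' \
        2>/dev/null
}

# Stand-alone run: a default-style self-signed cert meets every technical
# requirement but fails the issuer check, which is exactly the finding.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
check_cert_requirements "$tmp/cert.pem"
echo "failures: $?"
rm -rf "$tmp"
```

To check a live system, run `fetch_vcenter_cert vcenter.example.mil > machine-ssl.pem` and then `check_cert_requirements machine-ssl.pem`; add `-showcerts` to the s_client call if you also want the intermediates the server sends, which is useful when assembling the Base-64 chain file the fix text asks for (concatenate the issuing certificates up to the root, leaf excluded, into one .cer file). A clean result from this script confirms the certificate's shape and issuer only; whether that issuer is on your approved DoD CA list is still a decision the reviewer makes.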