SV-216877r612237_rule
V-216877
SRG-APP-000516
VCWN-65-000058
CAT II
10
Obtain a DoD-issued certificate and private key for each vCenter and external PSC in the system, meeting the following requirements:
Key size: 2048 bits or more (PEM encoded)
CRT format (Base-64)
x509 version 3
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Verify that the issued certificate includes the full issuing chain. If it does not, concatenate the Base-64 intermediates and root onto the issued machine SSL certificate.
Export the entire certificate issuing chain up to the root in Base-64 format, concatenate the individual certs into one file that will be used in the next steps when prompted for the signing certificate.
Run the certificate-manager tool:
Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager
Windows:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Select option "1" to replace the machine SSL certificate, then option "2" to specify an existing certificate and private key. Supply the information as prompted; when prompted for the signing certificate, use the chain file built in the previous step.
From the vCenter server (and external PSC, if appropriate) run the following command:
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|grep Issuer
Windows:
"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe" entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text|find "Issuer"
If the issuer is not a DoD-approved certificate authority, or another AO-approved certificate authority, this is a finding.
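The check above only inspects the Issuer line, while the fix text lists several more requirements (key size, X.509 v3, SAN DNS name, key usages). As an added example that is not part of this STIG or of VMware's tooling, the following POSIX shell function reads the text form of the machine SSL certificate (what the vecs-cli command above prints with --text, which is openssl x509 -text style output) from stdin and reports every requirement that is not met. The FQDN, the issuer pattern 'OU=DoD' (a stand-in; the actual approved-CA list comes from the AO), and both sample certificate dumps are constructed for this example.

```shell
#!/bin/sh
# Added example (not VMware's or DISA's code): check the text dump of the vCenter
# machine SSL certificate against the requirements listed in the fix text.
# Input is the openssl-style text that
#   vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT --text
# prints; the checker reads it from stdin.

# Usage: check_cert_text <machine_FQDN> <approved-issuer-regex>  < cert_text
# Prints one FAIL line per unmet requirement and returns the number of failures
# (0 means every listed requirement is met).
check_cert_text() {
    fqdn=$1
    issuer_re=$2
    text=$(cat)
    fails=0

    # x509 version 3
    printf '%s\n' "$text" | grep -q 'Version: 3 ' \
        || { echo "FAIL: certificate is not X.509 v3"; fails=$((fails + 1)); }

    # Key size: 2048 bits or more (matches "Public-Key: (N bit)" and "RSA Public-Key: (N bit)")
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    { [ -n "$bits" ] && [ "$bits" -ge 2048 ]; } \
        || { echo "FAIL: key size is ${bits:-unknown}, need >= 2048"; fails=$((fails + 1)); }

    # SubjectAltName must contain DNS Name=<machine_FQDN>; dots are escaped so they match literally
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    printf '%s\n' "$text" | grep -Eq "DNS:${fqdn_re}(,|$)" \
        || { echo "FAIL: SAN does not list DNS:$fqdn"; fails=$((fails + 1)); }

    # Key usages: the line after the "X509v3 Key Usage" header lists them
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    for usage in "Digital Signature" "Non Repudiation" "Key Encipherment"; do
        case "$ku" in
            *"$usage"*) ;;
            *) echo "FAIL: Key Usage lacks $usage"; fails=$((fails + 1)) ;;
        esac
    done

    # Issuer must match the approved-CA pattern (the "grep Issuer" step of the check text)
    printf '%s\n' "$text" | sed -n 's/^ *Issuer: //p' | grep -Eq "$issuer_re" \
        || { echo "FAIL: issuer is not an approved CA"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed sample dump for a compliant certificate (all names and values made up).
COMPLIANT_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=EXAMPLE DOD CA-99
        Subject: C=US, O=U.S. Government, OU=DoD, CN=vcenter.example.mil
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vcenter.example.mil'

# Constructed sample dump for a weak, locally issued certificate (the failure case).
NONCOMPLIANT_CERT_TEXT='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=vcenter.example.mil
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

# Stand-alone demo: the first sample passes, the second reports seven findings.
printf '%s\n' "$COMPLIANT_CERT_TEXT" | check_cert_text vcenter.example.mil 'OU=DoD' \
    && echo "compliant sample: no findings"
printf '%s\n' "$NONCOMPLIANT_CERT_TEXT" | check_cert_text vcenter.example.mil 'OU=DoD' \
    || echo "non-compliant sample: $? finding(s)"
```

On an appliance the function can be fed the live certificate by piping the vecs-cli getcert command from the check text (with --text) into `check_cert_text <machine_FQDN> '<approved-issuer-regex>'`; a non-zero return means at least one requirement is unmet and the FAIL lines say which.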
False
M
4030