STIGQter: STIG Summary: VMware vSphere 6.7 ESXi Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The ESXi host must use DoD-approved certificates.

DISA Rule

SV-239328r674913_rule

Vulnerability Number

V-239328

Group Title

SRG-OS-000480-VMM-002000

Rule Version

ESXI-67-000078

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Obtain a DoD-issued certificate and private key for the host following the requirements below:

Key size: 2048 bits or more (PEM encoded)

Key format: PEM; VMware supports PKCS8 and PKCS1 (RSA keys)
x509 version 3

SubjectAltName must contain DNS Name=<machine_FQDN>

CRT (Base-64) format

Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Start time of one day before the current time.

CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.

Put the host into maintenance mode.

Temporarily enable SSH on the host. SCP the new certificate and key to /tmp. SSH to the host. Back up the existing certificate and key:

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

Copy the new certificate and key to /etc/vmware/ssl/ and rename them to rui.crt and rui.key respectively. Restart management agents to implement the new certificate:

services.sh restart

From the vSphere Web Client, select the vCenter Server and click Configure >> System >> Advanced Settings.

Find the "vpxd.certmgmt value" and set it to "custom".

Check Contents

From the vSphere Web Client, select the host and click Configure >> System >> Certificate.

If the issuer is not a DoD-approved certificate authority, this is a finding.

If the host will never be accessed directly (VM console connections bypass vCenter), this is not a finding.

Vulnerability Number

V-239328

Documentable

False

Rule Version

ESXI-67-000078

Severity Override Guidance

From the vSphere Web Client, select the host and click Configure >> System >> Certificate.

If the issuer is not a DoD-approved certificate authority, this is a finding.

If the host will never be accessed directly (VM console connections bypass vCenter), this is not a finding.

Check Content Reference

M

Target Key

5326

Comments