2.4 Do not use default self-signed certificates for ESXi communication

Information

The default certificates are not signed by a trusted certificate authority (CA) and should be
replaced with valid certificates that have been issued by a trusted CA.

*Rationale*

The default self-signed certificates are not issued by any CA that clients trust, so a client
cannot distinguish the genuine host certificate from one forged by an attacker on the network
path. This makes Man-in-the-Middle (MiTM) attacks against ESXi management traffic easier and
trains administrators to click through certificate warnings. Replace the default self-signed
certificates with certificates issued by a trusted CA, either commercial or organizational.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use VMware's SSL Certificate Automation Tool to install CA-signed SSL certificates. For more
information on this tool, see http://kb.vmware.com/kb/2057340.

Impact

If the host has Verify Certificates enabled, replacing the default certificate might cause
vCenter Server to stop managing the host. Disconnect and reconnect the host if vCenter
Server cannot verify the new certificate.

Default Value

The prescribed state is not the default state.
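Because Nessus does not perform this check, the following added example (not part of the CIS benchmark or of VMware's tooling) shows a manual verification an administrator can run from a workstation with OpenSSL. It pulls the certificate a host presents on port 443, flags it when the issuer equals the subject (a plain self-signed certificate), and verifies it against the organization's CA bundle, which also catches any certificate that does not chain to the trusted CA. The host name esxi01.example.internal, the CA name "Example Org CA" and the generated keys and certificates are constructed fixtures for offline testing and are not real values.

```shell
#!/bin/sh
# Added example: detect whether a host still presents a self-signed
# certificate and whether it chains to the organization's trusted CA.
# Requires OpenSSL. Not from the CIS benchmark or from VMware.
set -e

# Fetch the leaf certificate presented by a live host (needs network access).
# Usage: fetch_cert esxi01.example.internal 443 > host.pem
fetch_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 when the PEM certificate in $1 is self-signed (issuer == subject).
# The default ESXi certificate fails this check; a CA-issued one passes it.
is_self_signed() {
    pem="$1"
    # Strip the "issuer=" / "subject=" prefix; both come from the same
    # OpenSSL build, so their name formatting is directly comparable.
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^[a-z]*= *//')
    [ "$issuer" = "$subject" ]
}

# Return 0 when the certificate in $2 chains to the CA bundle in $1.
# This is the check a client performs when it connects to the host.
verify_against_ca() {
    cafile="$1"; pem="$2"
    openssl verify -CAfile "$cafile" "$pem" >/dev/null 2>&1
}

# Constructed fixture: a throwaway self-signed certificate written to $1,
# standing in for the default certificate an unconfigured host presents.
make_self_signed() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out}.key" -out "$out" \
        -subj "/CN=esxi01.example.internal" -days 1 >/dev/null 2>&1
}

# Constructed fixture: a throwaway organizational CA ($1/ca.pem) and a host
# certificate it issued ($1/host.pem), standing in for the desired state.
make_ca_signed() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Org CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/host.key" -out "$dir/host.csr" \
        -subj "/CN=esxi01.example.internal" >/dev/null 2>&1
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/host.pem" -days 1 >/dev/null 2>&1
}

# Audit a saved certificate against a CA bundle and print a verdict.
# Usage: audit_cert ca-bundle.pem host.pem
audit_cert() {
    cafile="$1"; pem="$2"
    if is_self_signed "$pem"; then
        echo "FAIL: $pem is self-signed (default certificate still in place)"
        return 1
    fi
    if ! verify_against_ca "$cafile" "$pem"; then
        echo "FAIL: $pem does not chain to the trusted CA in $cafile"
        return 1
    fi
    echo "PASS: $pem is issued by the trusted CA"
}
```

In practice, run `fetch_cert <host> > host.pem` against each ESXi host and then `audit_cert <org-ca-bundle.pem> host.pem`; a FAIL on the self-signed test means the default certificate is still in place, and a FAIL on the chain test means the replacement certificate was issued by a CA the organization's clients do not trust.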

See Also

https://workbench.cisecurity.org/files/145

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: VMware

Control ID: ced311ae1854d8d8767244797be024a7451235cc52114b5c7b73aa25d81753c0