The vCenter Server must enable revocation checking for certificate-based authentication.

An XCCDF Rule

Description

<VulnDiscussion>The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking. Satisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-APP-000403</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258919r934415_rule
Severity: Medium
References: CCI-000185 CCI-001954 CCI-001991 CCI-002010
Updated: 8 months ago

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, click the "Edit" button.

Configure revocation checking per site requirements. OCSP with CRL failover is recommended.
Note: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL bay be used instead.

By default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. See the vSphere documentation for more information.

The vCenter Server must enable revocation checking for certificate-based authentication.

Description

Remediation - Manual Procedure