The vCenter Server must enable revocation checking for certificate-based authentication.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258919	SRG-APP-000175	VCSA-80-000080	SV-258919r1015931_rule	2024-12-16	2

Description
The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking. Satisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-APP-000403

ℹ️ Check
If a federated identity provider is configured and used for an identity source and supports smart card authentication, this is not applicable. From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication. Under Smart Card Authentication settings >> Certificate Revocation, verify "Revocation check" does not show as disabled. If "Revocation check" shows as disabled, this is a finding.

ℹ️ Check

If a federated identity provider is configured and used for an identity source and supports smart card authentication, this is not applicable. From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication. Under Smart Card Authentication settings >> Certificate Revocation, verify "Revocation check" does not show as disabled. If "Revocation check" shows as disabled, this is a finding.

✔️ Fix
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication. Under Smart Card Authentication settings >> Certificate Revocation, click the "Edit" button. Configure revocation checking per site requirements. OCSP with CRL failover is recommended. Note: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL bay be used instead. By default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. Refer to the vSphere documentation for more information.

✔️ Fix

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication. Under Smart Card Authentication settings >> Certificate Revocation, click the "Edit" button. Configure revocation checking per site requirements. OCSP with CRL failover is recommended. Note: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL bay be used instead. By default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. Refer to the vSphere documentation for more information.