*** Update ***

The ESXi 5 STIG for ESXi Server and vCenter Server is now at Version 1 Revision 3.  The only difference between Revision 2 and Revision 3 is the removal of some IAVM findings that were incorrectly included in the previous release.  The certificate requirements are still pulled, and the information below remains valid for Revision 3.


Ok, so yesterday DISA released Version 1 Revision 2 of the ESXi 5 STIG.  Note that this is only Revision 2 of the ESXi 5 Server and vCenter Server STIG, not the VM STIG, which is still at Revision 1.

What changed?  Just one thing: the removal of the rule "The system must not use default self-signed certificates for <ESXi / vCenter> Communication."  So, if you want to follow the STIG, you no longer have to replace the default certificates provided, although you can still choose to replace them with certificates issued by an internal CA.

Why did they do this?  Well, there is a reason, but not one I am going to put here on a public blog.  If you would like to know why, just ask your SE.  I will have either already informed them, or they can reach out to me for the information internally.

  1. Hey Eric,

    Would I be able to reach out to you on this? I have asked our SEs about this in the past and never really got a solid answer.

  2. Eric, I am curious as well, please send info….
    I was following the old STIG and complied with the ESXi certs, and the one thing that broke, which is a real show stopper, is that upon doing a full clone of Windows the process would stop and would not go to the Sysprep customization scripts created through vSphere. I was getting a certificate error (forgive me for not capturing the exact error).

