Vulnerability scan reports "Plugin ID 51192 SSL Certificate Cannot be Trusted" for vSphere ESXi server

Article ID: 393343

Products

VMware vSphere ESXi

Issue/Introduction

The vulnerability scan report for an ESXi host flags "Plugin ID 51192 SSL Certificate Cannot be Trusted".

Plugin 51192 will have an output similar to "The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority".

Environment

VMware vSphere ESXi

Cause

The Certificate Authority that signs the ESXi host certificate is unknown to the scan tools (Nessus, Qualys, or similar).

Resolution

You can safely ignore the scan results and ask your security team to whitelist the ESXi IP/FQDN in their security scanner, provided that the ESXi host certificate is VMCA-issued and valid.

If you do not want the hosts to be listed in the scan at all, do one of the following:

  • Replace the host certificates with custom ones (signed by your Enterprise CA or a public CA that you trust).

    or

  • Download the existing ESXi host certificate from the browser and import it to the scanning tool's certificate store.
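
One way to confirm the precondition above (that the host certificate is VMCA-issued and valid) before whitelisting a host, as an added example that is not part of the original article. It assumes the VMCA root certificate has already been exported to a PEM file; the function names, file names and host name are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware's code. Function names and paths are hypothetical.

# Save the leaf certificate a host presents on its HTTPS port.
# usage: fetch_host_cert esxi01.example.test > leaf.pem   (placeholder host name)
fetch_host_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# usage: check_host_cert <leaf.pem> <vmca-root.pem> [min_days_remaining]
# returns 0 = issued by the supplied CA and within its validity period
#         1 = does not chain to the supplied CA (the condition plugin 51192 reports)
#         2 = expired, or expires within min_days_remaining
#         3 = an input file could not be read as a certificate
check_host_cert() {
    chc_leaf=$1; chc_ca=$2; chc_days=${3:-0}

    for chc_f in "$chc_leaf" "$chc_ca"; do
        openssl x509 -in "$chc_f" -noout >/dev/null 2>&1 ||
            { echo "ERROR: cannot parse $chc_f"; return 3; }
    done

    # Check expiry first: an expired certificate also fails chain
    # verification, and the two problems have different remedies.
    if ! openssl x509 -in "$chc_leaf" -noout \
            -checkend $((chc_days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING: $(openssl x509 -in "$chc_leaf" -noout -enddate)"
        return 2
    fi

    # Trust only the supplied root file; -no-CApath keeps the system
    # CA directory out of the decision.
    if ! openssl verify -no-CApath -CAfile "$chc_ca" "$chc_leaf" >/dev/null 2>&1; then
        echo "UNTRUSTED: $(openssl x509 -in "$chc_leaf" -noout -issuer)"
        return 1
    fi

    echo "OK: $(openssl x509 -in "$chc_leaf" -noout -issuer -enddate | tr '\n' ' ')"
    return 0
}
```

A result of 1 against the VMCA root means the host certificate was issued by something else, so the whitelist condition is not met for that host.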